[Freeipa-users] Freeipa Sudo / sudoers.d / nopasswd

Rob Crittenden rcritten at redhat.com
Thu Mar 24 19:04:02 UTC 2016


Ash Alam wrote:
> Based on (How to troubleshoot Sudo)
>
> - Maybe I misspoke when I said it fails completely. Rather, it keeps
> asking for the user's password, which it does not accept.
> - I do not have sudo in sssd.conf
> - I do not have sudoers: sss defined in nsswitch.conf
> - Per the Fedora/FreeIPA doc (Defining Sudo), it's not immediately clear if
> these need to be defined
> - If this is the case, then adding them might resolve my issues.
> - For the special sudo rule(s), is there any way to track it via the
> GUI? I am trying to keep track of all the configs so it's not a black hole
> for the next person.

It would help to know the release of Fedora you're using, the rpm 
version of ipa-client and sssd.

If you are using the Fedora FreeIPA docs, they are extremely old, at best 
F-18. Use the RHEL docs.

rob

>
> - This is what it looks like on the web gui
> Inline image 1
>
>
> - This is what a client's sssd.conf looks like
> [domain/xxxxx]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = pp
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = xxxxxx
> chpass_provider = ipa
> ipa_server = _srv_, xxxxx
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
>
> domains = XXXXX
> [nss]
> homedir_substring = /home
>
> [pam]
> [sudo]
> [autofs]
> [ssh]
> [pac]
> [ifp]
>
> On Thu, Mar 24, 2016 at 1:01 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:
>
>
>     > On 24 Mar 2016, at 17:21, Ash Alam <aalam at paperlesspost.com> wrote:
>     >
>     > Hello
>     >
>     > I am looking for some guidance on how to properly do sudo with FreeIPA. I have read up on what I need to do, but I can't seem to get it to work correctly. With sudoers.d I can accomplish this fairly quickly.
>     >
>     > Example:
>     >
>     > %dev ALL=(ALL) NOPASSWD:/usr/bin/chef-client
>     >
>     > What i have configured in Freeipa Sudo Rules:
>     >
>     > Sudo Option: !authenticate
>     > Who: dev (group)
>     > Access this host: testing (group)
>     > Run Commands: set of commands that are defined.
>     >
>     > Now when I apply this, it still does not work, as it asks for a password for the user and then fails. I am hoping to allow a group to only run certain commands without requiring a password.
>     >
>
>     You should first find out why sudo fails completely. We have this
>     guide that should help you:
>     https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>
>     About asking for passwords -- defining a special sudo rule called
>     'defaults' and then adding '!authenticate' should help:
>       Add a special Sudo rule for default Sudo server configuration:
>         ipa sudorule-add defaults
>
>       Set a default Sudo option:
>         ipa sudorule-add-option defaults --sudooption '!authenticate'
>
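The two client-side prerequisites this thread keeps circling back to (sudo listed in the [sssd] services line, and sss on the sudoers line of nsswitch.conf) can be checked offline before touching any IPA rule. The script below is an added example, not code from the thread, SSSD or FreeIPA; the sample files it writes are constructed to mirror the quoted client config, which has an empty [sudo] section but no sudo in services.

```shell
#!/bin/sh
# Check whether a client is wired for SSSD-backed sudo. Without both settings
# sudo never consults SSSD, so an IPA rule (and its !authenticate option)
# is never seen and sudo falls back to /etc/sudoers alone.

# Exit 0 when the sssd.conf in $1 lists "sudo" under [sssd] services.
# Note: a bare "[sudo]" section header does not start the responder.
sssd_has_sudo_service() {
    awk '
        /^[[:space:]]*\[/ { in_sssd = ($0 ~ /^[[:space:]]*\[sssd\][[:space:]]*$/) }
        in_sssd && /^[[:space:]]*services[[:space:]]*=/ {
            sub(/^[^=]*=/, ""); gsub(/[[:space:]]/, "")
            n = split($0, svc, ",")
            for (i = 1; i <= n; i++) if (svc[i] == "sudo") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Exit 0 when the nsswitch.conf in $1 has "sss" on its sudoers: line.
nsswitch_has_sudoers_sss() {
    awk '
        /^[[:space:]]*sudoers[[:space:]]*:/ {
            sub(/^[^:]*:/, "")
            for (i = 1; i <= NF; i++) if ($i == "sss") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print one line per finding; exit 0 only when both settings are present.
check_sssd_sudo_wiring() {
    rc=0
    if sssd_has_sudo_service "$1"; then echo "OK   sssd.conf: sudo responder enabled"
    else echo "FAIL sssd.conf: add sudo to [sssd] services"; rc=1; fi
    if nsswitch_has_sudoers_sss "$2"; then echo "OK   nsswitch.conf: sudoers uses sss"
    else echo "FAIL nsswitch.conf: set 'sudoers: files sss'"; rc=1; fi
    return $rc
}

# Constructed samples: the quoted client config, and a corrected variant.
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '[sssd]\nservices = nss, pam, ssh\ndomains = XXXXX\n[sudo]\n' > "$SAMPLE_DIR/sssd.conf"
printf 'passwd: files sss\nsudoers: files\n' > "$SAMPLE_DIR/nsswitch.conf"
printf '[sssd]\nservices = nss, pam, ssh, sudo\n[sudo]\n' > "$SAMPLE_DIR/sssd-fixed.conf"
printf 'sudoers: files sss\n' > "$SAMPLE_DIR/nsswitch-fixed.conf"
check_sssd_sudo_wiring "$SAMPLE_DIR/sssd.conf" "$SAMPLE_DIR/nsswitch.conf" \
    || echo "-> this client will only ever use /etc/sudoers"
```

On a real client, point the check at /etc/sssd/sssd.conf and /etc/nsswitch.conf; it reads both files only and changes nothing.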