[Freeipa-users] Freeipa Sudo / sudoers.d / nopasswd

Ash Alam aalam at paperlesspost.com
Thu Mar 24 20:22:06 UTC 2016


I should clarify. I was just following the Fedora/IPA docs. My IPA servers
are CentOS 7.2 and IPA 4.2. Clients are CentOS 6.6 with ipa-client 3.0.0.

$ rpm -q sssd ipa-client
sssd-1.11.6-30.el6_6.3.x86_64
ipa-client-3.0.0-42.el6.centos.x86_64

On Thu, Mar 24, 2016 at 3:04 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Ash Alam wrote:
>
>> Based on (How to troubleshoot Sudo)
>>
>> - Maybe I misspoke when I said it fails completely. Rather, it keeps
>> asking for the user's password, which it does not accept.
>> - I do not have sudo in sssd.conf.
>> - I do not have sudoers: sss defined in nsswitch.conf.
>> - Per the Fedora/FreeIPA doc (Defining Sudo), it's not immediately clear if
>> these need to be defined.
>> - If this is the case then adding them might resolve my issues.
>> - For the special sudo rule(s), is there any way to track it via the
>> GUI? I am trying to keep track of all the configs so it's not a black hole
>> for the next person.
>>
>
> It would help to know the release of Fedora you're using, the rpm version
> of ipa-client and sssd.
>
> If you are using the Fedora FreeIPA docs, they are extremely old, at best F-18.
> Use the RHEL docs.
>
> rob
>
>
>> - This is what it looks like on the web GUI:
>> [inline image not preserved in the archive]
>>
>>
>> - This is what a client's sssd.conf looks like:
>> [domain/xxxxx]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = pp
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = xxxxxx
>> chpass_provider = ipa
>> ipa_server = _srv_, xxxxx
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> [sssd]
>> services = nss, pam, ssh
>> config_file_version = 2
>>
>> domains = XXXXX
>> [nss]
>> homedir_substring = /home
>>
>> [pam]
>> [sudo]
>> [autofs]
>> [ssh]
>> [pac]
>> [ifp]
>>
>> On Thu, Mar 24, 2016 at 1:01 PM, Jakub Hrozek <jhrozek at redhat.com
>> <mailto:jhrozek at redhat.com>> wrote:
>>
>>
>>     > On 24 Mar 2016, at 17:21, Ash Alam <aalam at paperlesspost.com
>> <mailto:aalam at paperlesspost.com>> wrote:
>>     >
>>     > Hello
>>     >
>>     > I am looking for some guidance on how to properly do sudo with
>> FreeIPA. I have read up on what I need to do but I can't seem to get it to work
>> correctly. Now with sudoers.d I can accomplish this fairly quickly.
>>     >
>>     > Example:
>>     >
>>     > %dev ALL=(ALL) NOPASSWD:/usr/bin/chef-client
>>     >
>>     > What i have configured in Freeipa Sudo Rules:
>>     >
>>     > Sudo Option: !authenticate
>>     > Who: dev (group)
>>     > Access this host: testing (group)
>>     > Run Commands: set of commands that are defined.
>>     >
>>     > Now when I apply this, it still does not work, as it asks for a
>> password for the user and then fails. I am hoping to allow a group to only
>> run certain commands without requiring a password.
>>     >
>>
>>     You should first find out why sudo fails completely. We have this
>>     guide that should help you:
>>     https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>>
>>     About asking for passwords -- defining a special sudo rule called
>>     'defaults' and then adding '!authenticate' should help:
>>       Add a special Sudo rule for default Sudo server configuration:
>>         ipa sudorule-add defaults
>>
>>       Set a default Sudo option:
>>         ipa sudorule-add-option defaults --sudooption '!authenticate'
>>
>>
>>
>>
>>
>
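The two client-side gaps the poster lists (no `sudo` in sssd.conf's services and no `sudoers: sss` in nsswitch.conf) are exactly what stops FreeIPA sudo rules from reaching sudo on the client, so the `!authenticate` option on the rule (or on the special `defaults` rule added with `ipa sudorule-add defaults` and `ipa sudorule-add-option defaults --sudooption '!authenticate'`) never gets a chance to apply. The following is an added example, not code from this thread or from the FreeIPA or SSSD projects: a POSIX shell check that inspects a client's sssd.conf and nsswitch.conf for those two settings. The sample files it writes are constructed to resemble the client configuration quoted above; the file names, function names and the sample contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/SSSD: checks
# whether an SSSD client is wired up to receive FreeIPA sudo rules.
# Per the replies in the thread, two things must hold on the client:
#   1. "sudo" is listed on the services= line of the [sssd] section in
#      sssd.conf (on the SSSD 1.11 / CentOS 6 client quoted above, a
#      bare "[sudo]" section header does not start the sudo responder);
#   2. nsswitch.conf has a "sudoers:" line that includes "sss".
# File paths, function names and the sample file contents below are
# assumptions made for this example.

set -u

# sssd_has_sudo_service FILE: exit 0 if the [sssd] section's services=
# line lists "sudo", 1 otherwise. Lines in other sections are ignored.
sssd_has_sudo_service() {
    awk '
        /^[[:space:]]*\[/ { in_sssd = ($0 ~ /^[[:space:]]*\[sssd][[:space:]]*$/); next }
        in_sssd && /^[[:space:]]*services[[:space:]]*=/ {
            sub(/^[^=]*=/, "")                 # keep only the value list
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[[:space:]]/, "", parts[i])
                if (parts[i] == "sudo") found = 1
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# nss_routes_sudoers_to_sss FILE: exit 0 if a "sudoers:" line in
# nsswitch.conf names "sss" as a source, 1 otherwise.
nss_routes_sudoers_to_sss() {
    awk '
        /^[[:space:]]*sudoers[[:space:]]*:/ {
            sub(/^[^:]*:/, "")                 # keep only the source list
            for (i = 1; i <= NF; i++) if ($i == "sss") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# check_sudo_client SSSD_CONF NSSWITCH_CONF: prints one line per missing
# setting; the exit status is the number of missing settings (0 = OK).
check_sudo_client() {
    missing=0
    if ! sssd_has_sudo_service "$1"; then
        echo "$1: add 'sudo' to the services= line in the [sssd] section"
        missing=$((missing + 1))
    fi
    if ! nss_routes_sudoers_to_sss "$2"; then
        echo "$2: add 'sudoers: files sss'"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# write_samples DIR: writes constructed sample files into DIR. The
# "broken" pair mirrors the shape of the client config quoted in the
# thread (sudo responder not in services=, no sss source for sudoers);
# the "fixed" pair has both settings in place.
write_samples() {
    cat > "$1/sssd-broken.conf" <<'EOF'
[domain/pp]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = pp
[sudo]
EOF
    printf 'passwd:     files sss\nsudoers:    files\n' > "$1/nsswitch-broken.conf"
    sed 's/^services = nss, pam, ssh$/services = nss, pam, ssh, sudo/' \
        "$1/sssd-broken.conf" > "$1/sssd-fixed.conf"
    printf 'passwd:     files sss\nsudoers:    files sss\n' > "$1/nsswitch-fixed.conf"
}

# Stand-alone run over the constructed samples:  sh this-file.sh --demo
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    write_samples "$dir"
    for pair in broken fixed; do
        echo "== $pair client =="
        check_sudo_client "$dir/sssd-$pair.conf" "$dir/nsswitch-$pair.conf" \
            && echo "sudo via SSSD is wired up"
    done
    rm -rf "$dir"
fi
```

Run it against a real client with `check_sudo_client /etc/sssd/sssd.conf /etc/nsswitch.conf` (sssd.conf is root-readable only). Both checks must pass before the `!authenticate` option on a rule, or on the `defaults` rule from the reply above, can have any effect, because until then sudo on the client is still reading only /etc/sudoers and sudoers.d.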