[Freeipa-users] Freeipa Sudo / sudoers.d / nopasswd

Christophe TREFOIS christophe.trefois at uni.lu
Thu Mar 24 20:51:14 UTC 2016


Hi,

Are you not missing “sudo” in [sssd], and did you restart the services on the machine? We found quite a significant cache, which sometimes leads to asking for passwords.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html


You might even have to delete /var/lib/sss/db/ contents and restart sssd.



Best,

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ash Alam
Sent: jeudi 24 mars 2016 19:50
To: Jakub Hrozek <jhrozek at redhat.com>
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Freeipa Sudo / sudoers.d / nopasswd

Based on (How to troubleshoot Sudo)

- Maybe I misspoke when I said it fails completely. Rather, it keeps asking for the user's password, which it does not accept.
- I do not have sudo in sssd.conf
- I do not have sudoers: sss defined in nsswitch.conf
- Per the Fedora/FreeIPA doc (Defining Sudo), it's not immediately clear if these need to be defined
- If this is the case then adding them might resolve my issues.
- For the special sudo rule(s), is there any way to track it via the GUI? I am trying to keep track of all the configs so it's not a black hole for the next person.

- This is what it looks like on the web gui
[Inline image 1]


- This is what a client's sssd.conf looks like
[domain/xxxxx]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = pp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = xxxxxx
chpass_provider = ipa
ipa_server = _srv_, xxxxx
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = XXXXX
[nss]
homedir_substring = /home

[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]

On Thu, Mar 24, 2016 at 1:01 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:

> On 24 Mar 2016, at 17:21, Ash Alam <aalam at paperlesspost.com> wrote:
>
> Hello
>
> I am looking for some guidance on how to properly do sudo with FreeIPA. I have read up on what I need to do, but I can't seem to get it to work correctly. With sudoers.d I can accomplish this fairly quickly.
>
> Example:
>
> %dev ALL=(ALL) NOPASSWD:/usr/bin/chef-client
>
> What i have configured in Freeipa Sudo Rules:
>
> Sudo Option: !authenticate
> Who: dev (group)
> Access this host: testing (group)
> Run Commands: set of commands that are defined.
>
> Now when I apply this, it still does not work, as it asks for a password for the user and then fails. I am hoping to allow a group to only run certain commands without requiring a password.
>

You should first find out why sudo fails completely. We have this guide that should help you:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

About asking for passwords -- defining a special sudo rule called 'defaults' and then adding '!authenticate' should help:
 Add a special Sudo rule for default Sudo server configuration:
   ipa sudorule-add defaults

 Set a default Sudo option:
   ipa sudorule-add-option defaults --sudooption '!authenticate'
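Christophe's point about "sudo" being absent from the [sssd] services line, together with the sssd.conf Ash posted, as an added check script that is not from this thread: it tests whether a client's sssd.conf lists the sudo responder and whether nsswitch.conf consults sss for the sudoers database, the two settings the linked Red Hat document describes. The sample config files are constructed inline from the [sssd] block in the thread; on a real client, point the functions at /etc/sssd/sssd.conf and /etc/nsswitch.conf.

```shell
#!/bin/sh
# Added example, not from the thread: verify that an SSSD client is wired for
# IPA sudo rules. Both must hold: "sudo" appears in the [sssd] services list,
# and nsswitch.conf lists sss for the sudoers database. Samples are constructed.

# sssd_has_sudo FILE: succeeds if the [sssd] section's services= line names sudo.
sssd_has_sudo() {
    awk '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); in_sssd = (s == "[sssd]") }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")                      # keep only the value part
            n = split($0, svc, ",")
            for (i = 1; i <= n; i++) { gsub(/[ \t]/, "", svc[i]); if (svc[i] == "sudo") found = 1 }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# nsswitch_has_sss_sudoers FILE: succeeds if an uncommented "sudoers:" line includes sss.
nsswitch_has_sss_sudoers() {
    grep -E '^[[:space:]]*sudoers:' "$1" | sed 's/^[^:]*://' | tr -s ' \t' '\n\n' | grep -qx sss
}

# check_sudo_wiring SSSD_CONF NSSWITCH_CONF: reports each gap, succeeds only if there is none.
check_sudo_wiring() {
    rc=0
    sssd_has_sudo "$1" || { echo "$1: add sudo to services= in [sssd], then restart sssd"; rc=1; }
    nsswitch_has_sss_sudoers "$2" || { echo "$2: add 'sudoers: files sss'"; rc=1; }
    return $rc
}

# Constructed samples: the [sssd] block as posted in the thread, and a corrected version.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
printf '[domain/example]\nid_provider = ipa\n[sssd]\nservices = nss, pam, ssh\ndomains = example\n[sudo]\n' > "$TMP/sssd_bad.conf"
printf '[domain/example]\nid_provider = ipa\n[sssd]\nservices = nss, pam, ssh, sudo\ndomains = example\n[sudo]\n' > "$TMP/sssd_good.conf"
printf 'passwd: files sss\n# sudoers: files sss\n' > "$TMP/nsswitch_bad.conf"
printf 'passwd: files sss\nsudoers: files sss\n' > "$TMP/nsswitch_good.conf"

if check_sudo_wiring "$TMP/sssd_bad.conf" "$TMP/nsswitch_bad.conf"; then echo "bad sample unexpectedly passed"; fi
check_sudo_wiring "$TMP/sssd_good.conf" "$TMP/nsswitch_good.conf" && echo "good sample: sudo wiring complete"
```

Having a [sudo] section header in sssd.conf, as in the posted config, is not enough on its own; the responder only starts when it is listed under services.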
