[Freeipa-users] UPDATE: NOT Resolved After All -- sudo NOPASSWD for a single command

Auerbach, Steven Steven.Auerbach at flbog.edu
Thu Feb 23 18:29:16 UTC 2017


Yes, I implemented in Policy -> Sudo -> Sudo Commands as:
Sudo Command:              NOPASSWD: /sbin/vgs

The script (executed by a non-root, administrative group user on an enrolled host) specifies:
….
hostname >> statresults.txt
cat /etc/redhat-release >> statresults.txt
uname -r >> statresults.txt
printf "\n " >> statresults.txt
sudo vgs >> statresults.txt
…..
Running the script I still was prompted for a password.

RESEARCH AND CORRECTION:
In the sssd.conf file on the enrolled host I found an invalid pointer to “ipa_server=” directive which I corrected and added sudo to the “services=” directive. One or both of those changes corrected the situation and vgs runs under sudo without a password prompt.

FURTHER CORRECTION:
The sssd.conf changes did NOT resolve the issue. The password must have been cached from a prior script run when I re-ran it. I am being prompted for a password by the sudo line again.


From: Jason B. Nance [mailto:jason at tresgeek.net]
Sent: Wednesday, February 22, 2017 11:59 AM
To: Auerbach, Steven <Steven.Auerbach at flbog.edu>
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] sudo NOPASSWD for a single command


We have a script stored on a particular server in our realm that executes a number of non-privileged commands and are wanting to add the /sbin/vgs command. The script uses SSH to then execute the same set of commands on all the servers in the realm.
The owner of the script is in the administrator group and there are sudoer commands for the administrator group in general. We need to place a rule for this one command for either this group or the script owner to run NOPASSWD.
Where and how would I specify that in the IPA admin console?
Have you tried creating your command in IPA as "NOPASSWD: /sbin/vgs" (Policy -> Sudo -> Sudo Commands)?
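
A repeatable check for the two points in the message above, added here as an example and not part of the original post: whether "sudo" is listed in "services=" of the [sssd] section, and whether the command runs without a prompt once sudo's cached credential is cleared (the cache is what hid the failure on the re-run). The function names and the sample sssd.conf are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# Reads an sssd.conf on stdin. Returns 0 only if the [sssd] section's
# services= line lists "sudo" (a services= line in another section is ignored).
sssd_has_sudo_service() {
    awk '
        /^[[:space:]]*\[/ {
            in_sssd = ($0 ~ /^[[:space:]]*\[sssd\][[:space:]]*$/)
            next
        }
        in_sssd && /^[[:space:]]*services[[:space:]]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, svc, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[[:space:]]/, "", svc[i])
                if (svc[i] == "sudo") found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Runs the given command through sudo with no chance of a cached password
# masking the result: -k drops the cached credential, -n fails instead of
# prompting. Note this really executes the command (e.g. /sbin/vgs).
nopasswd_ok() {
    sudo -k
    sudo -n "$@" >/dev/null 2>&1
}

# Constructed sample sssd.conf; example.test is a placeholder domain.
sample='[sssd]
services = nss, pam, ssh
domains = example.test

[domain/example.test]
id_provider = ipa'

if printf '%s\n' "$sample" | sssd_has_sudo_service; then
    echo "sample: sudo responder enabled"
else
    echo "sample: add sudo to services= in [sssd]"
fi
```

On an enrolled host: `sssd_has_sudo_service < /etc/sssd/sssd.conf` and `nopasswd_ok /sbin/vgs`, run as the script owner.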
