<div dir="ltr">Martin,<div><br></div><div>Sorry for the late reply.</div><div><br></div><div>Thanks for spotting this. I suspect I cannot "just" change ldap in our IPA. This is part of a production environment consisting solely of supported RHEL 6.4 servers. I can snapshot the IPA servers (they are VMs) to be able to roll back in case of trouble, but I am not sure such a change is "supported".</div>
<div class="gmail_extra"><br clear="all"><div><div dir="ltr"><div>Fred</div></div></div>
<br><br><div class="gmail_quote">On Fri, Jan 10, 2014 at 5:28 PM, Martin Kosek <span dir="ltr"><<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Ah, I think I found the root cause. Our sudoers compat tree configuration<br>
missed out the sudoOrder attribute. The order was thus missing in LDAP sudoers<br>
and thus ineffective. I filed an upstream ticket to fix it:<br>
<a href="https://fedorahosted.org/freeipa/ticket/4107" target="_blank">https://fedorahosted.org/freeipa/ticket/4107</a><br>
<br>
However, to hotfix it in your environment, could you try manually fixing the<br>
configuration on your FreeIPA server?<br>
<br>
$ ldapmodify -h `hostname` -D "cn=Directory Manager" -x -W<br>
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config<br>
changetype: modify<br>
add: schema-compat-entry-attribute<br>
schema-compat-entry-attribute: sudoOrder=%{sudoOrder}<br>
<br>
<br>
This should do the trick.<br>
<span class="HOEnZb"><font color="#888888"><br>
Martin<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
On 01/10/2014 05:17 PM, Martin Kosek wrote:<br>
> On 01/10/2014 04:52 PM, Fred van Zwieten wrote:<br>
>> Yes, you would expect that to help, wouldn't you :-)<br>
><br>
> Yes, I would :-)<br>
><br>
>><br>
>> Didn't even know this existed. Thanks for that.<br>
>><br>
>> User has 3 sudo rules. I have set the allow_all rule to 1, the second rule<br>
>> to 2 and the cobbler (with the "!authenticate" option) rule to 99:<br>
><br>
> What is the version of the SUDO on your system? According to<br>
> <a href="http://www.sudo.ws/sudoers.ldap.man.html" target="_blank">http://www.sudo.ws/sudoers.ldap.man.html</a><br>
> it was implemented in SUDO 1.7.5.<br>
><br>
> Martin<br>
><br>
>><br>
>> User ******** may run the following commands on this host:<br>
>> (root) ALL<br>
>> (root) /bin/cat, /bin/egrep, /bin/find, /bin/grep, /bin/ls, /bin/more,<br>
>> /usr/bin/less, !/bin/su<br>
>> (root) NOPASSWD: /usr/bin/cobbler<br>
>> (root) !/bin/su<br>
>><br>
>> Nope. Didn't help.<br>
>><br>
>> Fred<br>
>><br>
>> On Fri, Jan 10, 2014 at 3:59 PM, Martin Kosek <<a href="mailto:mkosek@redhat.com">mkosek@redhat.com</a>> wrote:<br>
>><br>
>>> On 01/10/2014 11:52 AM, Fred van Zwieten wrote:<br>
>>>> Hi,<br>
>>>><br>
>>>> I have a sudo rule in IPA that has the !authenticate option added to<br>
>>> enable<br>
>>>> admins to execute certain programs as root without authentication.<br>
>>>><br>
>>>> It doesn't work. There is another rule for the admins that allows all<br>
>>>> commands as long as they give their password.<br>
>>>><br>
>>>> In a sudoers file, you can solve this by specifying the nopasswd rule as<br>
>>>> last.<br>
>>>><br>
>>>> sudo -l from an IPA-client gives me this:<br>
>>>><br>
>>>> *******@svr001 ~]$ sudo -l<br>
>>>> Matching Defaults entries for ******* on this host:<br>
>>>> requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS<br>
>>>> DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL<br>
>>> PS1<br>
>>>> PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE<br>
>>>> LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY<br>
>>>> LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL<br>
>>>> LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",<br>
>>>> secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin<br>
>>>><br>
>>>> User ******** may run the following commands on this host:<br>
>>>> (root) NOPASSWD: ALL<br>
>>>> (root) /bin/cat, /bin/egrep, /bin/find, /bin/grep, /bin/ls,<br>
>>> /bin/more,<br>
>>>> /usr/bin/less, !/bin/su<br>
>>>> (root) NOPASSWD: /usr/bin/cobbler<br>
>>>> (root) !/bin/su<br>
>>>><br>
>>>> I want the cobbler command to run without password authentication. What<br>
>>> am<br>
>>>> I doing wrong?<br>
>>>><br>
>>><br>
>>> Would setting SUDO rule order help?<br>
>>><br>
>>> # ipa sudorule-mod -h<br>
>>> ...<br>
>>> --order=INT integer to order the Sudo rules<br>
>>> ...<br>
>>><br>
>>> Martin<br>
>>><br>
>>><br>
>><br>
><br>
<br>
</div></div></blockquote></div><br></div></div>
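To illustrate why a sudoOrder value that never reaches the client produces the behaviour Fred reported, here is an added Python model of sudo's LDAP "last match wins" evaluation and a check for the compat-plugin mapping from the hotfix; it is not code from FreeIPA or from this thread, and the rule names, the rule list and the LDIF snippet are constructed assumptions.

```python
"""Model of sudo's LDAP "last match wins" evaluation using sudoOrder.

Constructed example; not code from FreeIPA or the thread. The rule set
mirrors the three rules described there (orders 1, 2 and 99 as Fred set them).
"""
from dataclasses import dataclass
from typing import Optional

@dataclass
class SudoRule:
    name: str
    commands: list                    # "ALL", "/usr/bin/cobbler", "!/bin/su"
    authenticate: bool = True         # False models the "!authenticate" option
    sudo_order: Optional[int] = None  # None: sudoOrder absent from the entry

def effective_order(rule):
    # sudoers.ldap(5): an entry without sudoOrder is treated as order 0.
    return 0 if rule.sudo_order is None else rule.sudo_order

def resolve(rules, command):
    """Return (allowed, password_required) for command, None if nothing matches.
    Entries are evaluated in ascending sudoOrder and the last match wins, like
    the sudoers file; in this model ties keep the server's return order."""
    result = None
    for rule in sorted(rules, key=effective_order):  # sorted() is stable
        for spec in rule.commands:
            negated = spec.startswith("!")
            pattern = spec[1:] if negated else spec
            if pattern == "ALL" or pattern == command:
                result = (not negated, rule.authenticate)
    return result

# Constructed rules, listed in an arbitrary server return order.
THREAD_RULES = [
    SudoRule("cobbler", ["/usr/bin/cobbler"], authenticate=False, sudo_order=99),
    SudoRule("restricted", ["/bin/cat", "/bin/ls", "!/bin/su"], sudo_order=2),
    SudoRule("allow_all", ["ALL"], sudo_order=1),
]

def without_order(rules):
    """Model the compat tree bug: sudoOrder never reaches the client."""
    return [SudoRule(r.name, r.commands, r.authenticate, None) for r in rules]

COMPAT_ATTR = "schema-compat-entry-attribute"

def compat_exports_sudo_order(ldif_text):
    """True if a dump of the cn=sudoers compat plugin entry carries the
    sudoOrder mapping that the hotfix in the thread adds."""
    wanted = COMPAT_ATTR + ": sudoOrder=%{sudoOrder}"
    return any(line.strip() == wanted for line in ldif_text.splitlines())
```

With the orders present, /usr/bin/cobbler resolves to the NOPASSWD rule; with them stripped, the allow_all rule happens to match last and a password is demanded, which is the symptom in the thread.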