<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/4.6.6">
</HEAD>
<BODY>
On Fri, 2014-05-09 at 10:28 +0200, Lukas Slebodnik wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
On (08/05/14 19:46), Dean Hunter wrote:
<FONT COLOR="#737373">>On Mon, 2014-05-05 at 10:02 -0400, Rob Crittenden wrote:</FONT>
<FONT COLOR="#737373">></FONT>
<FONT COLOR="#737373">>> Dean Hunter wrote:</FONT>
<FONT COLOR="#737373">>> > On Sat, 2014-05-03 at 22:50 +0200, Lukas Slebodnik wrote:</FONT>
<FONT COLOR="#737373">>> >> On (03/05/14 10:39), Dean Hunter wrote:</FONT>
<FONT COLOR="#737373">>> >> >On Sat, 2014-05-03 at 12:36 +0200, Lukas Slebodnik wrote:</FONT>
<FONT COLOR="#737373">>> >> ></FONT>
<FONT COLOR="#737373">>> >> >> On (01/05/14 15:53), Dean Hunter wrote:</FONT>
<FONT COLOR="#737373">>> >> >> >On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote:</FONT>
<FONT COLOR="#737373">>> >> >> >> On 05/01/2014 04:07 PM, Dean Hunter wrote:</FONT>
<FONT COLOR="#737373">>> >> >> >></FONT>
<FONT COLOR="#737373">>> >> >> >> ></FONT>
<FONT COLOR="#737373">>> >> >> >> > I just noticed that I had been incorrectly setting the NIS domain</FONT>
<FONT COLOR="#737373">>> >> >> >> > name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to</FONT>
<FONT COLOR="#737373">>> >> >> >> > be successfully retrieving and using sudo rules from FreeIPA. Is</FONT>
<FONT COLOR="#737373">>> >> >> >> > sudo still using NIS-style netgroups? Is there still a requirement</FONT>
<FONT COLOR="#737373">>> >> >> >> > to set the NIS domain name?</FONT>
<FONT COLOR="#737373">>> >> >> >></FONT>
<FONT COLOR="#737373">>> >> >> >></FONT>
<FONT COLOR="#737373">>> >> >> >> I think NIS domain is needed for netgroups. If you are not using</FONT>
<FONT COLOR="#737373">>> >> >> >> netgroups in the sudo rules but just user groups you should be fine.</FONT>
<FONT COLOR="#737373">>> >> >> >> Is this the case with you?</FONT>
<FONT COLOR="#737373">>> >> >> >> If not please provide the logs and config.</FONT>
<FONT COLOR="#737373">>> >> >> >></FONT>
<FONT COLOR="#737373">>> >> >> ></FONT>
<FONT COLOR="#737373">>> >> >> >I am not aware of using netgroups, either the IPA object or any other</FONT>
<FONT COLOR="#737373">>> >> >> >kind. I just remember that when I was first configuring sudo to</FONT>
<FONT COLOR="#737373">>> >> >> >retrieve rules from IPA it would not work until I set nisdomainname</FONT>
<FONT COLOR="#737373">>> >> >> >in /etc/rc.d/rc.local. Here is the quote from section 14.4 of the</FONT>
<FONT COLOR="#737373">>> >> >> >manual:</FONT>
<FONT COLOR="#737373">>> >> >> ></FONT>
<FONT COLOR="#737373">>> >> >> ></FONT>
<FONT COLOR="#737373">>> >> >> > Even though sudo uses NIS-style netgroups, it is not necessary</FONT>
<FONT COLOR="#737373">>> >> >> > to have a NIS server installed. Netgroups require that a NIS</FONT>
<FONT COLOR="#737373">>> >> >> > domain be named in their configuration, so sudo requires that a</FONT>
<FONT COLOR="#737373">>> >> >> > NIS domain be named for netgroups. However, that NIS domain does</FONT>
<FONT COLOR="#737373">>> >> >> > not actually need to exist.</FONT>
<FONT COLOR="#737373">>> >> >> ></FONT>
<FONT COLOR="#737373">>> >> >> ></FONT>
<FONT COLOR="#737373">>> >> >> >With Fedora 20 I can no longer find the emulation of rc.local that</FONT>
<FONT COLOR="#737373">>> >> >> >existed in Fedora 19. I did find fedora-domainname.service and started</FONT>
<FONT COLOR="#737373">>> >> >> >and enabled it but neglected to configure /etc/sysconfig/network. Yet</FONT>
<FONT COLOR="#737373">>> >> >> >IPA sudo rules appear to work.</FONT>
<FONT COLOR="#737373">>> >> >> ></FONT>
<FONT COLOR="#737373">>> >> >> Hope It helps you</FONT>
<FONT COLOR="#737373">>> >> >><A HREF="http://www.redhat.com/archives/freeipa-users/2014-April/msg00248.html">http://www.redhat.com/archives/freeipa-users/2014-April/msg00248.html</A></FONT>
<FONT COLOR="#737373">>> >> >></FONT>
<FONT COLOR="#737373">>> >> >> LS</FONT>
<FONT COLOR="#737373">>> >> ></FONT>
<FONT COLOR="#737373">>> >> ></FONT>
<FONT COLOR="#737373">>> >> >Thank you. Now that you point it out, I remember that this thread is</FONT>
<FONT COLOR="#737373">>> >> >where I first learned about fedora-domainname.service. I see:</FONT>
<FONT COLOR="#737373">>> >> ></FONT>
<FONT COLOR="#737373">>> >> > You would also need to set NIS domain name, otherwise SUDO will</FONT>
<FONT COLOR="#737373">>> >> > not correctly recognize SUDO rules targeted on host groups,</FONT>
<FONT COLOR="#737373">>> >> ^^^^^^^^^^^^^^</FONT>
<FONT COLOR="#737373">>> >> This is important part</FONT>
<FONT COLOR="#737373">>> >> > instead of hosts:</FONT>
<FONT COLOR="#737373">>> >> ></FONT>
<FONT COLOR="#737373">>> >> >which explains when sudo would need the NIS domain name. Since my sudo</FONT>
<FONT COLOR="#737373">>> >> >rules address user groups I guess there is no requirement for NIS domain</FONT>
<FONT COLOR="#737373">>> >> >name since they are working just fine:</FONT>
<FONT COLOR="#737373">>> >> Your sudo rules use host groups.</FONT>
<FONT COLOR="#737373">>> >></FONT>
<FONT COLOR="#737373">>> >> ></FONT>
<FONT COLOR="#737373">>> >> > ipa sudorule-add desktop-admins --desc "Desktop</FONT>
<FONT COLOR="#737373">>> >> > Administrators"</FONT>
<FONT COLOR="#737373">>> >> > ipa sudorule-mod desktop-admins --cmdcat all</FONT>
<FONT COLOR="#737373">>> >> > ipa sudorule-add-host desktop-admins --hostgroups desktops</FONT>
<FONT COLOR="#737373">>> >> > ipa sudorule-add-option desktop-admins --sudooption "!</FONT>
<FONT COLOR="#737373">>> >> > authenticate"</FONT>
<FONT COLOR="#737373">>> >> > ipa sudorule-add-runasuser desktop-admins --users root</FONT>
<FONT COLOR="#737373">>> >> > ipa sudorule-add-runasgroup desktop-admins --groups root</FONT>
<FONT COLOR="#737373">>> >> > ipa sudorule-add-user desktop-admins --groups</FONT>
<FONT COLOR="#737373">>> >> > desktop-admins</FONT>
<FONT COLOR="#737373">>> >> ></FONT>
<FONT COLOR="#737373">>> >> > ipa sudorule-add server-admins --desc "Server</FONT>
<FONT COLOR="#737373">>> >> > Administrators"</FONT>
<FONT COLOR="#737373">>> >> > ipa sudorule-mod server-admins --cmdcat all</FONT>
<FONT COLOR="#737373">>> >> > ipa sudorule-add-host server-admins --hostgroups servers</FONT>
<FONT COLOR="#737373">>> >> hostgroups are reason why you need to configure NIS domain name.</FONT>
<FONT COLOR="#737373">>> >> hostgroups are also available as netgroups in compat tree and sudo reads</FONT>
<FONT COLOR="#737373">>> >> information from netgroups.</FONT>
<FONT COLOR="#737373">>> >></FONT>
<FONT COLOR="#737373">>> >> > ipa sudorule-add-option server-admins --sudooption "!</FONT>
<FONT COLOR="#737373">>> >> > authenticate"</FONT>
<FONT COLOR="#737373">>> >> > ipa sudorule-add-runasuser server-admins --users root</FONT>
<FONT COLOR="#737373">>> >> > ipa sudorule-add-runasgroup server-admins --groups root</FONT>
<FONT COLOR="#737373">>> >> > ipa sudorule-add-user server-admins --groups</FONT>
<FONT COLOR="#737373">>> >> > server-admins</FONT>
<FONT COLOR="#737373">>> >> ></FONT>
<FONT COLOR="#737373">>> >> >However, I was really asking whether there had been a change in</FONT>
<FONT COLOR="#737373">>> >> >sssd/sudo behavior as it was my recollection that my sudo rules did not</FONT>
<FONT COLOR="#737373">>> >> >work at all in early IPA 3.n releases unless the NIS domain name was</FONT>
<FONT COLOR="#737373">>> >> >configured.</FONT>
<FONT COLOR="#737373">>> >> ></FONT>
<FONT COLOR="#737373">>> >></FONT>
<FONT COLOR="#737373">>> >> LS</FONT>
<FONT COLOR="#737373">>> ></FONT>
<FONT COLOR="#737373">>> > I hear you and that is what I expected. However, the actual behavior</FONT>
<FONT COLOR="#737373">>> > seems to have changed with 3.3.4 and now 3.3.5.</FONT>
<FONT COLOR="#737373">>> ></FONT>
<FONT COLOR="#737373">>> > [dean@desktop <<A HREF="mailto:dean@desktop">mailto:dean@desktop</A>> ~]$ domainname --nis</FONT>
<FONT COLOR="#737373">>> > domainname: Local domain name not set</FONT>
<FONT COLOR="#737373">>> ></FONT>
<FONT COLOR="#737373">>> > [dean@desktop <<A HREF="mailto:dean@desktop">mailto:dean@desktop</A>> ~]$ sudo -l</FONT>
<FONT COLOR="#737373">>> > Matching Defaults entries for dean on desktop:</FONT>
<FONT COLOR="#737373">>> > requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME</FONT>
<FONT COLOR="#737373">>> > HISTSIZE INPUTRC</FONT>
<FONT COLOR="#737373">>> > KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG</FONT>
<FONT COLOR="#737373">>> > LC_ADDRESS</FONT>
<FONT COLOR="#737373">>> > LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT</FONT>
<FONT COLOR="#737373">>> > LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER</FONT>
<FONT COLOR="#737373">>> > LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS</FONT>
<FONT COLOR="#737373">>> > _XKB_CHARSET</FONT>
<FONT COLOR="#737373">>> > XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin</FONT>
<FONT COLOR="#737373">>> ></FONT>
<FONT COLOR="#737373">>> > User dean may run the following commands on desktop:</FONT>
<FONT COLOR="#737373">>> > (root : root) NOPASSWD: ALL</FONT>
<FONT COLOR="#737373">>> ></FONT>
<FONT COLOR="#737373">>> > [dean@desktop <<A HREF="mailto:dean@desktop">mailto:dean@desktop</A>> ~]$</FONT>
<FONT COLOR="#737373">>> ></FONT>
<FONT COLOR="#737373">>> > I think this is a good thing. I would just like to confirm that this is</FONT>
<FONT COLOR="#737373">>> > the new expected behavior and that I have not done something wrong.</FONT>
<FONT COLOR="#737373">>> </FONT>
<FONT COLOR="#737373">>> We'd need to see your sudo rules to know for sure.</FONT>
<FONT COLOR="#737373">>> </FONT>
<FONT COLOR="#737373">>> I don't think anything changed in the IPA code to change this behavior, </FONT>
<FONT COLOR="#737373">>> but we herd a lot of cats so something in another package may be different.</FONT>
<FONT COLOR="#737373">>> </FONT>
<FONT COLOR="#737373">>> rob</FONT>
<FONT COLOR="#737373">></FONT>
<FONT COLOR="#737373">></FONT>
<FONT COLOR="#737373">>The sudo rules are listed above.</FONT>
<FONT COLOR="#737373">></FONT>
FYI
[root ~]# ipa sudorule-add-host --help
Usage: ipa [global-options] sudorule-add-host SUDORULE-NAME [options]
Add hosts and hostgroups affected by Sudo Rule.
Options:
-h, --help show this help message and exit
--all Retrieve and print all attributes from the server. Affects
command output.
//will work without nisdomainname configured
--raw Print entries as stored on the server. Only affects output
format.
--hosts=STR hosts to add
//will work without nisdomainname configured
--hostgroups=STR host groups to add
//will *NOT* work without nisdomainname configured
LS
</PRE>
</BLOCKQUOTE>
<BR>
Lukas and Rob, <BR>
<BR>
I thank you for your responses. I believe I understand what you are trying to say. As near as I understand it, I AM using host groups in my sudo rules. I do NOT have an NIS domain name configured. Yet, the rules are working.<BR>
<BLOCKQUOTE>
<TT><FONT SIZE="2">ipa group-add</FONT></TT><TT><FONT SIZE="2"> </FONT></TT><TT><FONT SIZE="2"> desktop-admins --desc "Desktop Administrators"</FONT></TT><BR>
<TT><FONT SIZE="2">ipa group-add </FONT></TT><TT><FONT SIZE="2"> </FONT></TT><TT><FONT SIZE="2">server-admins --desc "Server Administrators"</FONT></TT><BR>
<BR>
<TT><FONT SIZE="2">ipa group-add-member </FONT></TT><TT><FONT SIZE="2"> </FONT></TT><TT><FONT SIZE="2">desktop-admins --users dean</FONT></TT><BR>
<TT><FONT SIZE="2">ipa group-add-member </FONT></TT><TT><FONT SIZE="2"> </FONT></TT><TT><FONT SIZE="2">server-admins --users dean</FONT></TT><BR>
<BR>
<TT><FONT SIZE="2">ipa hostgroup-add desktops </FONT></TT><TT><FONT SIZE="2"> </FONT></TT><TT><FONT SIZE="2">--desc Desktops</FONT></TT><BR>
<TT><FONT SIZE="2">ipa hostgroup-add servers </FONT></TT><TT><FONT SIZE="2"> </FONT></TT><TT><FONT SIZE="2">--desc Servers</FONT></TT><BR>
<BR>
<TT><FONT SIZE="2">ipa hostgroup-add-member </FONT></TT><TT><FONT SIZE="2"> </FONT></TT><TT><FONT SIZE="2">desktops </FONT></TT><TT><FONT SIZE="2"> </FONT></TT><TT><FONT SIZE="2">--hosts desktop.hunter.org</FONT></TT><BR>
<TT><FONT SIZE="2">ipa hostgroup-add-member </FONT></TT><TT><FONT SIZE="2"> </FONT></TT><TT><FONT SIZE="2">desktops </FONT></TT><TT><FONT SIZE="2"> </FONT></TT><TT><FONT SIZE="2">--hosts test.hunter.org</FONT></TT><BR>
<TT><FONT SIZE="2">ipa hostgroup-add-member servers --hosts host.hunter.org</FONT></TT><BR>
<TT><FONT SIZE="2">ipa hostgroup-add-member </FONT></TT><TT><FONT SIZE="2"> </FONT></TT><TT><FONT SIZE="2">servers </FONT></TT><TT><FONT SIZE="2"> </FONT></TT><TT><FONT SIZE="2">--hosts ipa.hunter.org</FONT></TT><BR>
<TT><FONT SIZE="2">ipa hostgroup-add-member </FONT></TT><TT><FONT SIZE="2"> </FONT></TT><TT><FONT SIZE="2">servers</FONT></TT><TT><FONT SIZE="2"> </FONT></TT><TT><FONT SIZE="2"> --hosts lamp.hunter.org</FONT></TT><BR>
<BR>
<TT><FONT SIZE="2">ipa sudorule-add desktop-admins --desc "Desktop Administrators"</FONT></TT><BR>
<TT><FONT SIZE="2">ipa sudorule-mod desktop-admins --cmdcat all</FONT></TT><BR>
<TT><FONT SIZE="2">ipa sudorule-add-host desktop-admins --hostgroups desktops</FONT></TT><BR>
<TT><FONT SIZE="2">ipa sudorule-add-option desktop-admins --sudooption "!authenticate"</FONT></TT><BR>
<TT><FONT SIZE="2">ipa sudorule-add-runasuser desktop-admins --users root </FONT></TT><BR>
<TT><FONT SIZE="2">ipa sudorule-add-runasgroup desktop-admins --groups root</FONT></TT><BR>
<TT><FONT SIZE="2">ipa sudorule-add-user desktop-admins --groups desktop-admins</FONT></TT><BR>
<BR>
<TT><FONT SIZE="2">ipa sudorule-add server-admins --desc "Server Administrators"</FONT></TT><BR>
<TT><FONT SIZE="2">ipa sudorule-mod server-admins --cmdcat all</FONT></TT><BR>
<TT><FONT SIZE="2">ipa sudorule-add-host server-admins --hostgroups servers</FONT></TT><BR>
<TT><FONT SIZE="2">ipa sudorule-add-option server-admins --sudooption "!authenticate"</FONT></TT><BR>
<TT><FONT SIZE="2">ipa sudorule-add-runasuser server-admins --users root </FONT></TT><BR>
<TT><FONT SIZE="2">ipa sudorule-add-runasgroup server-admins --groups root</FONT></TT><BR>
<TT><FONT SIZE="2">ipa sudorule-add-user server-admins --groups server-admins</FONT></TT><BR>
</BLOCKQUOTE>
<BR>
<BLOCKQUOTE>
<TT><FONT SIZE="2">[<A HREF="mailto:dean@host">dean@host</A> ~]$ domainname --nis</FONT></TT><BR>
<TT><FONT SIZE="2">domainname: Local domain name not set</FONT></TT><BR>
<BR>
<TT><FONT SIZE="2">[<A HREF="mailto:dean@host">dean@host</A> ~]$ sudo -l</FONT></TT><BR>
<TT><FONT SIZE="2">Matching Defaults entries for dean on host:</FONT></TT><BR>
<TT><FONT SIZE="2"> requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC</FONT></TT><BR>
<TT><FONT SIZE="2"> KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS</FONT></TT><BR>
<TT><FONT SIZE="2"> LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT</FONT></TT><BR>
<TT><FONT SIZE="2"> LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER</FONT></TT><BR>
<TT><FONT SIZE="2"> LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET</FONT></TT><BR>
<TT><FONT SIZE="2"> XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin</FONT></TT><BR>
<BR>
<TT><FONT SIZE="2">User dean may run the following commands on host:</FONT></TT><BR>
<TT><FONT SIZE="2"> (root : root) NOPASSWD: ALL</FONT></TT><BR>
<BR>
<TT><FONT SIZE="2">[<A HREF="mailto:dean@host">dean@host</A> ~]$ </FONT></TT><BR>
</BLOCKQUOTE>
<BR>
<BR>
</BODY>
</HTML>