On Tue, Jul 17, 2012 at 11:06 AM, Dmitri Pal <d...@redhat.com> wrote:
> On 07/17/2012 11:50 AM, KodaK wrote:
>> I've been banging my head on this for a couple of days, and I can't
>> find anything in the docs or by searching.
>>
>> I'm trying to do what I think should be pretty simple: I have a group
>> of users and an application account, all in IPA. I want users in that
>> group to be able to "sudo su - appacct".
>>
>> What I've found is that I probably can't do it exactly like that, so
>> now I'm trying "sudo -i appacct", but I can't get that to work either.
>>
>> My rule is set up like this:
>>
>> rule name: become-appacct
>> sudo option: -i appacct (I'm not sure this is right.)
>> user groups: admins, appgroup
>> host groups: apphostgroup
>>
>> Everything else is blank. Note that this is just the current
>> configuration; I've tried a bunch of iterations.
>>
>> Any help?
>>
>> Thanks,
>>
>> --Jason
>>
> If you are using IPA, it internally has a different schema for sudo than
> the one published on the sudo web site:
> http://git.fedorahosted.org/git/?p=freeipa.git;a=blob;f=install/share/65ipasudo.ldif;h=7a85c8659c33794d3127d208452dcb54ad34d59e;hb=HEAD
>
> It is then transformed into a traditional sudo schema using the compat tree.
>
> So what you need to do is make sure you create the right sudo rule.
>
> Your sudo rule should use:
> user groups: admins, appgroup
> host groups: apphostgroup
> command: sudo -i
Thanks. I had some fighting to do to get sudo to talk to LDAP on this
box, but I have that going now.

If I understand you correctly, I've created a rule like you've
suggested. However, I get:

Sorry, user jebalicki is not allowed to execute '/bin/bash -c cdcadmin' as root on slncdcl01.unix.magellanhealth.com.

(I've given up on obfuscation.)

Here's the debug output:

[jebalicki@slncdcl01 ~]$ sudo -i cdcadmin
LDAP Config Summary
===================
uri              ldap://slpidml01.unix.magellanhealth.com ldap://slpidml02.unix.magellanhealth.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=unix,dc=magellanhealth,dc=com
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=unix,dc=magellanhealth,dc=com
bindpw           xxxxxxxxxxxxxxx
bind_timelimit   5000
timelimit        15
ssl              start_tls
tls_checkpeer    (yes)
tls_cacertfile   /etc/ipa/ca.crt
===================
sudo: ldap_initialize(ld, ldap://slpidml01.unix.magellanhealth.com ldap://slpidml02.unix.magellanhealth.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=jebalicki)(sudoUser=%jebalicki)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%unixadmins)(sudoUser=ALL))'
sudo: found:cn=become-cdcadmin,ou=sudoers,dc=unix,dc=magellanhealth,dc=com
sudo: ldap sudoHost '+cdchosts' ... MATCH!
sudo: ldap sudoRunAsUser 'cdcadmin' ... not
sudo: found:cn=test rule,ou=sudoers,dc=unix,dc=magellanhealth,dc=com
sudo: ldap sudoHost '+tdswebhosts' ... not
sudo: ldap sudoHost '+cdchosts' ... MATCH!
sudo: ldap sudoCommand '/bin/cat' ... not
sudo: found:cn=tds-web-restart,ou=sudoers,dc=unix,dc=magellanhealth,dc=com
sudo: ldap sudoHost '+tdswebhosts' ... not
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x00
[sudo] password for jebalicki:
Sorry, user jebalicki is not allowed to execute '/bin/bash -c cdcadmin' as root on slncdcl01.unix.magellanhealth.com.
[jebalicki@slncdcl01 ~]$

And here's the rule:

[root@slpidml01 ~]# ipa sudorule-show become-cdcadmin
ipa: INFO: trying https://slpidml01.unix.magellanhealth.com/ipa/xml
ipa: INFO: Forwarding 'sudorule_show' to server u'http://slpidml01.unix.magellanhealth.com/ipa/xml'
  Rule name: become-cdcadmin
  Enabled: TRUE
  User Groups: admins, stsg
  Host Groups: cdchosts
  Sudo Allow Commands: sudo -i
  RunAs Users: cdcadmin
[root@slpidml01 ~]#

> If appacct is a user managed by IPA then he should be selected as "run
> as" user.
> If this account is not managed by IPA it should be an "external" user.
>
> Use UI or CLI to add it. Doing it via ldap would not work unless you use
> the internal schema.
>
> objectClasses: (2.16.840.1.113730.3.8.8.1 NAME 'ipaSudoRule' SUP ipaAssociation
> STRUCTURAL MAY ( externalUser $ externalHost $ hostMask $ memberAllowCmd $ memberDenyCmd $
> cmdCategory $ ipaSudoOpt $ ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $
> ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory $
> sudoNotBefore $ sudoNotAfter $ sudoOrder ) X-ORIGIN 'IPA v2' )
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6
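As an added example, not part of the thread above: the sudo LDAP debug transcript Jason posted is the most useful thing in the thread for anyone debugging an IPA sudo rule, because sudo prints one verdict per attribute value it tests ("... MATCH!" or "... not") for every rule the sudoUser search returned. The script below, written for this page, parses such a transcript and reports, for each rule, the first attribute that rejected it and the values sudo tried. The sample log is the relevant part of Jason's output copied from his message; the function names and regexes are my own, and the rule "an attribute passes if any of its values matched, a rule passes if every attribute passes" is the reading of sudo's per-value output that the transcript supports.

```python
import re
from collections import OrderedDict

# Sample input: the rule-matching part of the sudo LDAP debug output from the
# message above (copied, not invented), trimmed to the lines the parser uses.
SAMPLE_DEBUG = """\
sudo: ldap search '(|(sudoUser=jebalicki)(sudoUser=%jebalicki)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%unixadmins)(sudoUser=ALL))'
sudo: found:cn=become-cdcadmin,ou=sudoers,dc=unix,dc=magellanhealth,dc=com
sudo: ldap sudoHost '+cdchosts' ... MATCH!
sudo: ldap sudoRunAsUser 'cdcadmin' ... not
sudo: found:cn=test rule,ou=sudoers,dc=unix,dc=magellanhealth,dc=com
sudo: ldap sudoHost '+tdswebhosts' ... not
sudo: ldap sudoHost '+cdchosts' ... MATCH!
sudo: ldap sudoCommand '/bin/cat' ... not
sudo: found:cn=tds-web-restart,ou=sudoers,dc=unix,dc=magellanhealth,dc=com
sudo: ldap sudoHost '+tdswebhosts' ... not
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x00
"""

# A "found:" line opens a new rule; the rule name is the cn of the entry.
FOUND_RE = re.compile(r"^sudo: found:cn=([^,]+),")
# One verdict per attribute value sudo tested for the current rule.
CHECK_RE = re.compile(r"^sudo: ldap (\w+) '([^']*)' \.\.\. (MATCH!|not)$")
# Final lookup result flags (0x00 means no rule allowed the command).
LOOKUP_RE = re.compile(r"^sudo: sudo_ldap_lookup\(\d+\)=0x([0-9a-fA-F]+)$")


def parse_sudo_ldap_debug(text):
    """Return (rules, lookup_flags).

    rules maps rule name -> attribute -> list of (value, matched) in the order
    sudo tested them; lookup_flags is the sudo_ldap_lookup() result or None.
    """
    rules = OrderedDict()
    current = None
    lookup = None
    for line in text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            current = m.group(1)
            rules[current] = OrderedDict()
            continue
        m = CHECK_RE.match(line)
        if m and current is not None:
            attr, value, verdict = m.groups()
            rules[current].setdefault(attr, []).append((value, verdict == "MATCH!"))
            continue
        m = LOOKUP_RE.match(line)
        if m:
            lookup = int(m.group(1), 16)
    return rules, lookup


def explain_rule(checks):
    """An attribute passes if any of its values matched (sudoHost above is tried
    value by value); the rule is rejected at the first attribute with no match.
    Returns (passed, failing_attr, values_tried)."""
    for attr, values in checks.items():
        if not any(matched for _, matched in values):
            return False, attr, [v for v, _ in values]
    return True, None, []


def diagnose(text):
    """Map each rule sudo considered to its (passed, failing_attr, tried) verdict."""
    rules, lookup = parse_sudo_ldap_debug(text)
    report = OrderedDict((name, explain_rule(checks)) for name, checks in rules.items())
    return report, lookup


if __name__ == "__main__":
    report, lookup = diagnose(SAMPLE_DEBUG)
    for name, (passed, attr, tried) in report.items():
        if passed:
            print("%s: all tested attributes matched" % name)
        else:
            print("%s: rejected at %s (tried: %s)" % (name, attr, ", ".join(tried)))
    print("sudo_ldap_lookup flags: %s" % ("n/a" if lookup is None else hex(lookup)))
```

On Jason's transcript this reports that become-cdcadmin was rejected at sudoRunAsUser (the only value tried was cdcadmin), which lines up with the error line: sudo was asked to run '/bin/bash -c cdcadmin' as root, so a rule whose RunAs user is cdcadmin cannot match. The other two rules fail on sudoCommand and sudoHost respectively, and the final 0x00 lookup result is what produces the "not allowed" refusal. Reading the first rejected attribute per rule is usually quicker than rereading the rule in the IPA UI.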