On Fri, 2014-05-09 at 10:28 +0200, Lukas Slebodnik wrote:
> On (08/05/14 19:46), Dean Hunter wrote:
> >On Mon, 2014-05-05 at 10:02 -0400, Rob Crittenden wrote:
> >
> >> Dean Hunter wrote:
> >> > On Sat, 2014-05-03 at 22:50 +0200, Lukas Slebodnik wrote:
> >> >> On (03/05/14 10:39), Dean Hunter wrote:
> >> >> >On Sat, 2014-05-03 at 12:36 +0200, Lukas Slebodnik wrote:
> >> >> >
> >> >> >> On (01/05/14 15:53), Dean Hunter wrote:
> >> >> >> >On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote:
> >> >> >> >> On 05/01/2014 04:07 PM, Dean Hunter wrote:
> >> >> >> >>
> >> >> >> >> > I just noticed that I had been incorrectly setting the NIS domain
> >> >> >> >> > name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to
> >> >> >> >> > be successfully retrieving and using sudo rules from FreeIPA. Is
> >> >> >> >> > sudo still using NIS-style netgroups? Is there still a requirement
> >> >> >> >> > to set the NIS domain name?
> >> >> >> >>
> >> >> >> >> I think NIS domain is needed for netgroups. If you are not using
> >> >> >> >> netgroups in the sudo rules but just user groups you should be fine.
> >> >> >> >> Is this the case with you?
> >> >> >> >> If not please provide the logs and config.
> >> >> >> >>
> >> >> >> >I am not aware of using netgroups, either the IPA object or any other
> >> >> >> >kind. I just remember that when I was first configuring sudo to
> >> >> >> >retrieve rules from IPA it would not work until I set nisdomainname
> >> >> >> >in /etc/rc.d/rc.local. Here is the quote from section 14.4 of the
> >> >> >> >manual:
> >> >> >> >
> >> >> >> >    Even though sudo uses NIS-style netgroups, it is not necessary
> >> >> >> >    to have a NIS server installed. Netgroups require that a NIS
> >> >> >> >    domain be named in their configuration, so sudo requires that a
> >> >> >> >    NIS domain be named for netgroups. However, that NIS domain does
> >> >> >> >    not actually need to exist.
> >> >> >> >
> >> >> >> >With Fedora 20 I can no longer find the emulation of rc.local that
> >> >> >> >existed in Fedora 19. I did find fedora-domainname.service and started
> >> >> >> >and enabled it but neglected to configure /etc/sysconfig/network. Yet
> >> >> >> >IPA sudo rules appear to work.
> >> >> >> >
> >> >> >> Hope it helps you
> >> >> >> http://www.redhat.com/archives/freeipa-users/2014-April/msg00248.html
> >> >> >>
> >> >> >> LS
> >> >> >
> >> >> >Thank you. Now that you point it out, I remember that this thread is
> >> >> >where I first learned about fedora-domainname.service. I see:
> >> >> >
> >> >> >    You would also need to set NIS domain name, otherwise SUDO will
> >> >> >    not correctly recognize SUDO rules targeted on host groups,
> >> >>                                                         ^^^^^^^^^^^
> >> >> This is the important part
> >> >> >    instead of hosts:
> >> >> >
> >> >> >which explains when sudo would need the NIS domain name. Since my sudo
> >> >> >rules address user groups I guess there is no requirement for NIS domain
> >> >> >name since they are working just fine:
> >> >> Your sudo rules use host groups.
> >> >>
> >> >> >    ipa sudorule-add desktop-admins --desc "Desktop Administrators"
> >> >> >    ipa sudorule-mod desktop-admins --cmdcat all
> >> >> >    ipa sudorule-add-host desktop-admins --hostgroups desktops
> >> >> >    ipa sudorule-add-option desktop-admins --sudooption "! authenticate"
> >> >> >    ipa sudorule-add-runasuser desktop-admins --users root
> >> >> >    ipa sudorule-add-runasgroup desktop-admins --groups root
> >> >> >    ipa sudorule-add-user desktop-admins --groups desktop-admins
> >> >> >
> >> >> >    ipa sudorule-add server-admins --desc "Server Administrators"
> >> >> >    ipa sudorule-mod server-admins --cmdcat all
> >> >> >    ipa sudorule-add-host server-admins --hostgroups servers
> >> >> hostgroups are the reason why you need to configure the NIS domain name.
> >> >> hostgroups are also available as netgroups in the compat tree and sudo
> >> >> reads information from netgroups.
> >> >>
> >> >> >    ipa sudorule-add-option server-admins --sudooption "! authenticate"
> >> >> >    ipa sudorule-add-runasuser server-admins --users root
> >> >> >    ipa sudorule-add-runasgroup server-admins --groups root
> >> >> >    ipa sudorule-add-user server-admins --groups server-admins
> >> >> >
> >> >> >However, I was really asking whether there had been a change in
> >> >> >sssd/sudo behavior as it was my recollection that my sudo rules did not
> >> >> >work at all in early IPA 3.n releases unless the NIS domain name was
> >> >> >configured.
> >> >> >
> >> >>
> >> >> LS
> >> >
> >> > I hear you and that is what I expected. However, the actual behavior
> >> > seems to have changed with 3.3.4 and now 3.3.5.
> >> >
> >> >    [dean@desktop ~]$ domainname --nis
> >> >    domainname: Local domain name not set
> >> >
> >> >    [dean@desktop ~]$ sudo -l
> >> >    Matching Defaults entries for dean on desktop:
> >> >        requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC
> >> >        KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
> >> >        LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
> >> >        LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
> >> >        LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
> >> >        XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
> >> >
> >> >    User dean may run the following commands on desktop:
> >> >        (root : root) NOPASSWD: ALL
> >> >
> >> >    [dean@desktop ~]$
> >> >
> >> > I think this is a good thing. I would just like to confirm that this is
> >> > the new expected behavior and that I have not done something wrong.
> >>
> >> We'd need to see your sudo rules to know for sure.
> >>
> >> I don't think anything changed in the IPA code to change this behavior,
> >> but we herd a lot of cats so something in another package may be different.
> >>
> >> rob
> >
> >
> >The sudo rules are listed above.
> >
> FYI
> [root ~]# ipa sudorule-add-host --help
> Usage: ipa [global-options] sudorule-add-host SUDORULE-NAME [options]
>
> Add hosts and hostgroups affected by Sudo Rule.
> Options:
>   -h, --help        show this help message and exit
>   --all             Retrieve and print all attributes from the server. Affects
>                     command output.
>                     //will work without nisdomainname configured
>
>   --raw             Print entries as stored on the server. Only affects output
>                     format.
>   --hosts=STR       hosts to add
>                     //will work without nisdomainname configured
>
>   --hostgroups=STR  host groups to add
>                     //will *NOT* work without nisdomainname configured
>
> LS
Lukas and Rob, I thank you for your responses. I believe I understand what
you are trying to say. As near as I understand it, I AM using host groups in
my sudo rules. I do NOT have an NIS domain name configured. Yet, the rules
are working.

    ipa group-add desktop-admins --desc "Desktop Administrators"
    ipa group-add server-admins --desc "Server Administrators"
    ipa group-add-member desktop-admins --users dean
    ipa group-add-member server-admins --users dean

    ipa hostgroup-add desktops --desc Desktops
    ipa hostgroup-add servers --desc Servers
    ipa hostgroup-add-member desktops --hosts desktop.hunter.org
    ipa hostgroup-add-member desktops --hosts test.hunter.org
    ipa hostgroup-add-member servers --hosts host.hunter.org
    ipa hostgroup-add-member servers --hosts ipa.hunter.org
    ipa hostgroup-add-member servers --hosts lamp.hunter.org

    ipa sudorule-add desktop-admins --desc "Desktop Administrators"
    ipa sudorule-mod desktop-admins --cmdcat all
    ipa sudorule-add-host desktop-admins --hostgroups desktops
    ipa sudorule-add-option desktop-admins --sudooption "! authenticate"
    ipa sudorule-add-runasuser desktop-admins --users root
    ipa sudorule-add-runasgroup desktop-admins --groups root
    ipa sudorule-add-user desktop-admins --groups desktop-admins

    ipa sudorule-add server-admins --desc "Server Administrators"
    ipa sudorule-mod server-admins --cmdcat all
    ipa sudorule-add-host server-admins --hostgroups servers
    ipa sudorule-add-option server-admins --sudooption "! authenticate"
    ipa sudorule-add-runasuser server-admins --users root
    ipa sudorule-add-runasgroup server-admins --groups root
    ipa sudorule-add-user server-admins --groups server-admins

    [dean@host ~]$ domainname --nis
    domainname: Local domain name not set

    [dean@host ~]$ sudo -l
    Matching Defaults entries for dean on host:
        requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC
        KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
        LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
        LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
        LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
        XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

    User dean may run the following commands on host:
        (root : root) NOPASSWD: ALL

    [dean@host ~]$
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
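The point Lukas keeps returning to is that a sudo rule targeted at an IPA host group is evaluated through the host group's netgroup, and a netgroup member is a (host,user,domain) triple whose third field is the NIS domain name. The following Python is an added example, not code from this thread, from FreeIPA, from sudo or from SSSD: it models that check so the three states under discussion (local NIS domain unset, set to the right value, set to the wrong value) can be compared side by side. Assumptions, labelled in the code: the compat tree publishes each host group as a netgroup of `(host,-,nisdomain)` triples and `getent netgroup NAME` prints them in the shape used for the constructed samples; the domain is `hunter.org`, taken from the hostnames in Dean's rules; and matching follows the rules documented in innetgr(3), where an unset (NULL) domain argument matches any domain, an empty triple field is a wildcard, and `-` matches nothing. The thread does not record which component performed the match in Dean's setup, so this illustrates the documented library semantics rather than diagnosing his case.

```python
import re
from typing import Optional

# A netgroup member as the IPA compat tree publishes it in
# nisNetgroupTriple: (host, user, domain).  Assumed shape, see lead-in.
Triple = tuple[str, str, str]

# One parenthesised triple; each field may be empty, "-" or a name.
_TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")

# Constructed samples in the shape `getent netgroup NAME` prints.  The
# hostnames come from the thread; hunter.org as NIS domain is an assumption.
SAMPLE_DESKTOPS = ("desktops (desktop.hunter.org,-,hunter.org) "
                   "(test.hunter.org,-,hunter.org)")
SAMPLE_SERVERS = ("servers (host.hunter.org,-,hunter.org) "
                  "(ipa.hunter.org,-,hunter.org) (lamp.hunter.org,-,hunter.org)")


def parse_netgroup_line(line: str) -> tuple[str, list[Triple]]:
    """Split one getent line into the netgroup name and its triples."""
    name, _, rest = line.strip().partition(" ")
    triples = [(h.strip(), u.strip(), d.strip())
               for h, u, d in _TRIPLE_RE.findall(rest)]
    return name, triples


def _field_matches(field: str, wanted: Optional[str]) -> bool:
    """innetgr(3) field rules: a None argument does not constrain the
    position; an empty triple field is a wildcard; "-" means 'no valid
    value' and never matches a real name."""
    if wanted is None:
        return True
    if field == "":
        return True
    if field == "-":
        return False
    return field == wanted


def innetgr(triples: list[Triple], host: Optional[str] = None,
            user: Optional[str] = None, domain: Optional[str] = None) -> bool:
    """True if at least one triple satisfies every constrained position."""
    return any(_field_matches(h, host) and _field_matches(u, user)
               and _field_matches(d, domain) for h, u, d in triples)


def local_nis_domain(domainname_output: str) -> Optional[str]:
    """Map `domainname --nis` output to the domain the matcher would use:
    None when no NIS domain is set (the 'Local domain name not set'
    message from the thread, or '(none)' on other builds)."""
    text = domainname_output.strip()
    if not text or text == "(none)" or text.startswith("domainname:"):
        return None
    return text


def host_group_rule_applies(netgroup_line: str, host: str,
                            domainname_output: str) -> bool:
    """The test a hostgroup-based sudo rule reduces to: is this host a
    member of the host group's netgroup for the local NIS domain?"""
    _, triples = parse_netgroup_line(netgroup_line)
    return innetgr(triples, host=host,
                   domain=local_nis_domain(domainname_output))


if __name__ == "__main__":
    host = "desktop.hunter.org"
    for label, output in [("unset", "domainname: Local domain name not set"),
                          ("hunter.org", "hunter.org"),
                          ("corp.example", "corp.example")]:
        print(f"local NIS domain {label:12} -> desktops rule applies: "
              f"{host_group_rule_applies(SAMPLE_DESKTOPS, host, output)}")
```

On a real client where netgroup lookups go through the compat tree, `getent netgroup desktops` shows the actual third field, and `domainname --nis` shows what the local side supplies; under the innetgr rules modelled here, a local domain that is set but differs from that third field makes every host-group rule miss, while a host that is simply not in the group misses regardless of the domain.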