And another interesting behaviour.
Say a user "netuser" is a member of a user group "netstaff",
and a host "bsd.example.com" is a member of a host group "nethosts".
We then create an HBAC rule "netstaff_to_nethosts":
Who: User Groups -> netstaff -- Accessing: Host Groups -> nethosts --
Via Service: Specified Services and Groups -> sshd
And we create a SUDO rule "test":
Who: Specified Users and Groups -> netuser -- Access this host:
bsd.example.com -- Run Commands: Any Command
Expected result is this: user "netuser" should be able to SSH to host
"bsd.example.com" and successfully issue the command "sudo shutdown -r now".
What happens instead: user "netuser" is able to SSH to host
"bsd.example.com", but issuing the command "sudo shutdown -r now"
produces this output (password is entered correctly):
$ shutdown -r now
Password:
Ying Tong Iddle I Po
Password:
Do you think like you type?
Password:
Have you considered trying to match wits with a rutabaga?
This is funny, and you can continue trying sudo and getting funny
outputs; but the only way for the command to work properly is to change
the HBAC rule:
Who: User Groups -> netstaff -- Accessing: Host Groups -> nethosts --
Via Service: Specified Services and Groups -> ANY SERVICE
Is this the correct behavior? I don't remember anything like this in
FreeIPA 3.3.
23-Oct-14 15:21, Orkhan Gasimov writes:
Yet with FreeIPA v4 we've got another thing to keep in mind regarding
FreeBSD - FreeIPA integration: the cron script proposed on the FreeBSD
forums won't work.
Here's what was said in the post:
"The tricky part was getting sudo to work with host groups. FreeIPA
keeps host groups in netgroups, and FreeBSD's support for netgroups is
limited. One solution would have been to enable NIS services on the
FreeIPA server so that we could use proper netgroups on FreeBSD
clients. We didn't like that solution, so instead we wrote a script
that pulls all netgroup data from FreeIPA and stores it
in /etc/netgroup. We run the script every hour via cron."
The script looks for host groups in
'cn=hostgroups,cn=accounts,dc=<domain>', and that works with FreeIPA
3.3. But in FreeIPA v4 host groups are in
'cn=ng,cn=compat,dc=<domain>'. So the script needs modification.
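The shape such a modified script could take, as an added example written here and not the script from the FreeBSD forums post nor anything shipped by FreeIPA: it reads nisNetgroup entries from the compat tree named above (cn=ng,cn=compat,...) and rewrites them in /etc/netgroup syntax, refusing to replace the file when the LDAP fetch comes back empty. The server name ipa.example.com, the suffix dc=example,dc=com, the anonymous bind, and the sample LDIF are assumptions for illustration; the attribute names (cn, nisNetgroupTriple, memberNisNetgroup) are the standard NIS netgroup schema.

```shell
#!/bin/sh
# Added example: rebuild /etc/netgroup from the FreeIPA v4 compat tree.
# Assumed for illustration: IPA server ipa.example.com, suffix dc=example,dc=com,
# and an anonymous simple bind (adjust -x/-Y to your server's bind policy).

# Convert LDIF of nisNetgroup entries (ldapsearch -LLL output) on stdin into
# /etc/netgroup lines on stdout: "name (host,user,domain) ... membergroup".
# LDIF continuation lines (leading space) are unfolded; base64 "cn::" values
# are not handled and would be skipped.
ldif_to_netgroup() {
    awk '
    /^ / { buf = buf substr($0, 2); next }        # unfold folded LDIF line
    { if (buf != "") handle(buf); buf = $0 }
    END { if (buf != "") handle(buf); flush() }
    function handle(line) {
        if (line ~ /^dn:/) { flush(); return }     # new entry: emit previous
        if (sub(/^cn: /, "", line)) { name = line; return }
        if (sub(/^(nisNetgroupTriple|memberNisNetgroup): /, "", line)) {
            members = members " " line; return
        }
    }
    function flush() {
        if (name != "") print name members
        name = ""; members = ""
    }'
}

# Fetch every netgroup from the compat tree (the base DN named in the post).
fetch_netgroups() {
    ldapsearch -LLL -x -H ldaps://ipa.example.com \
        -b 'cn=ng,cn=compat,dc=example,dc=com' '(objectClass=nisNetgroup)' \
        cn nisNetgroupTriple memberNisNetgroup
}

# Replace the target file atomically; keep the old one if the fetch yields
# nothing, so a transient LDAP failure cannot empty the host's netgroups.
update_netgroup_file() {
    out=${1:-/etc/netgroup}
    tmp=$(mktemp "${out}.XXXXXX") || return 1
    if fetch_netgroups | ldif_to_netgroup > "$tmp" && [ -s "$tmp" ]; then
        chmod 0644 "$tmp" && mv "$tmp" "$out"
    else
        rm -f "$tmp"
        echo "netgroup refresh failed; keeping existing $out" >&2
        return 1
    fi
}

# Constructed sample of what the compat tree returns, for an offline run.
sample_ldif() {
    cat <<'EOF'
dn: cn=nethosts,cn=ng,cn=compat,dc=example,dc=com
objectClass: nisNetgroup
cn: nethosts
nisNetgroupTriple: (bsd.example.com,-,example.com)
nisNetgroupTriple: (bsd2.example.com,-,example.com)
memberNisNetgroup: otherhosts

dn: cn=empty,cn=ng,cn=compat,dc=example,dc=com
objectClass: nisNetgroup
cn: empty
EOF
}

# Offline demonstration; from cron you would call: update_netgroup_file
sample_ldif | ldif_to_netgroup
```

An hourly cron entry would call update_netgroup_file; because the write is a rename of a complete file, a sudo lookup never observes a half-written /etc/netgroup, and a failed fetch leaves the previous contents in place rather than silently removing every host group.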
23-Oct-14 12:09, Orkhan Gasimov writes:
I already deployed FreeIPA 4.1 on Fedora 21 server alpha-release.
Everything is good as far as FreeIPA server operation is concerned.
23-Oct-14 01:06, William Graboyes writes:
3) am I insane for wanting to introduce FC21 into my environment?
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project