Hi - reply at bottom

-----Original Message-----
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Monday, January 05, 2015 4:33 AM
To: Craig White; freeipa-users@redhat.com; Pavel Brezina
Subject: Re: [Freeipa-users] sudo !requiretty !authenticate

On 01/02/2015 07:47 PM, Craig White wrote:
> Subject pretty much says it all.
>
> Starting to play around with rundeck and was thinking it would be nice if I
> could create a user that had the ability to sudo, without password, a public
> key and the ability to run commands.
>
> But the use of 'sudo' gets me an error that says it requires a tty to run
> sudo. So I tried by creating a sudo rule that has options '!requiretty
> !authenticate' but it still complains that I need a tty. Is there a FreeIPA
> method that I am lacking?
>
> Craig White
> System Administrator
> O 623-201-8179 M 602-377-9752
>
> SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032

CCing Pavel to advise.

From top of my head - did you try clearing SSSD cache before calling the sudo
command again?

Did you enter the options in the FreeIPA SUDO entry correctly? Maybe the problem is that each option should be filed as a separate attribute value and you entered it as one combined attribute value.

Martin

----

Thanks Martin

Unclear how to 'clear SSSD cache' so I restarted SSSD service on the testing box but it didn't help.

$ ipa sudorule-show --all
Rule name: rundeck
  dn: ipaUniqueID=XXXXXX,cn=sudorules,cn=sudo,dc=stt,dc=local
  Rule name: rundeck
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  Users: rundeck
  Sudo Option: !requiretty, !authenticate
  ipauniqueid: XXXXXX
  objectclass: ipaassociation, ipasudorule

At this point, !requiretty and !authenticate are separate options but I have previously tried them as a bundle together but the results are the same...

sudo: sorry, you must have a tty to run sudo

:-(

(client system)
# rpm -qa | egrep 'ipa|sssd'
sssd-ldap-1.11.6-30.el6.x86_64
libipa_hbac-1.11.6-30.el6.x86_64
python-sssdconfig-1.11.6-30.el6.noarch
sssd-ipa-1.11.6-30.el6.x86_64
sssd-client-1.11.6-30.el6.x86_64
sssd-common-1.11.6-30.el6.x86_64
sssd-ad-1.11.6-30.el6.x86_64
sssd-1.11.6-30.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.11.6-30.el6.x86_64
sssd-krb5-common-1.11.6-30.el6.x86_64
sssd-krb5-1.11.6-30.el6.x86_64
sssd-common-pac-1.11.6-30.el6.x86_64
ipa-python-3.0.0-42.el6.x86_64
sssd-proxy-1.11.6-30.el6.x86_64
ipa-client-3.0.0-42.el6.x86_64

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project