On Tue, Aug 04, 2015 at 10:57:34AM +0100, Innes, Duncan wrote:
> Hi folks,
>
> Struggling with creating a sudo rule in IPA that will allow my
> foreman-proxy to run specific commands. When I put the following into
> /etc/sudoers.d/foreman:
>
> [root@puppet01 ~]# cat /etc/sudoers.d/foreman
> foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
> Defaults:foreman-proxy !requiretty
> innesd ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
> Defaults:innesd !requiretty
> [root@puppet01 ~]#
>
> [innesd@puppet01 ~]$ sudo -l
> Matching Defaults entries for innesd on this host:
>     !requiretty
>
> User innesd may run the following commands on this host:
>     (root) NOPASSWD: /usr/bin/puppet cert *, (root) /usr/bin/puppet kick *
>     (root) /bin/su
> [innesd@puppet01 ~]$
>
> Both my user and the foreman-proxy can run the relevant commands both on
> the command line and remotely.
>
> IT Security are not happy with local sudo rules being configured around
> the network, so I'm trying to create the same configuration via IPA.
>
> When I try to get the same rule into IPA, my user can run the command in
> a tty, but the foreman-proxy user is refused. This looks to be down to
> the lack of !requiretty coming through for the users:
>
> [root@ipa01 ~]# ipa sudorule-show foreman-proxy
>   Rule name: foreman-proxy
>   Enabled: TRUE
>   User category: all
>   Hosts: puppet02.example.com, puppet01.example.com, puppet03.example.com, puppet04.example.com
>   Sudo Allow Commands: /usr/bin/puppet cert *, /usr/bin/puppet kick *
>   Sudo Option: !authenticate, !requiretty
> [root@ipa01 ~]#
I'm adding Pavel Brezina who might have some hints.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
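One thing worth checking in the quoted `ipa sudorule-show` output, independent of the requiretty question: the IPA rule has `User category: all`, while the local `/etc/sudoers.d/foreman` file only grants the two named accounts. Combined with `!authenticate`, that means every user on the listed hosts can run the `puppet cert`/`puppet kick` commands as root without a password. The script below is an added example (not FreeIPA code and not from the thread): it parses `ipa sudorule-show` plain-text output and flags the scope and option combinations a reviewer would want to see. `SAMPLE_RULE` is copied from the quoted output; `SCOPED_RULE` is a constructed, hypothetical version of the same rule narrowed to named users.

```python
"""Audit helper for FreeIPA sudo rules (added example, not FreeIPA's own code).

Parses the plain-text output of ``ipa sudorule-show`` and reports the
combinations that widen a rule's blast radius: the rule applies to every
user or host, it grants commands without a password (!authenticate), and
the command list contains wildcards.
"""

# Constructed sample: the rule as quoted in the thread.
SAMPLE_RULE = """\
  Rule name: foreman-proxy
  Enabled: TRUE
  User category: all
  Hosts: puppet02.example.com, puppet01.example.com, puppet03.example.com, puppet04.example.com
  Sudo Allow Commands: /usr/bin/puppet cert *, /usr/bin/puppet kick *
  Sudo Option: !authenticate, !requiretty
"""

# Constructed, hypothetical sample: the same rule after the user scope was
# narrowed to named accounts instead of "User category: all".
SCOPED_RULE = """\
  Rule name: foreman-proxy
  Enabled: TRUE
  Users: foreman-proxy, innesd
  Hosts: puppet01.example.com
  Sudo Allow Commands: /usr/bin/puppet cert *, /usr/bin/puppet kick *
  Sudo Option: !authenticate, !requiretty
"""

# Fields that ipa sudorule-show prints as comma-separated lists.
LIST_FIELDS = {"Users", "User Groups", "Hosts", "Host Groups",
               "Sudo Allow Commands", "Sudo Deny Commands", "Sudo Option",
               "RunAs Users", "RunAs Groups"}


def parse_sudorule(text):
    """Turn 'Key: value' lines into a dict; list fields become Python lists."""
    rule = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in LIST_FIELDS:
            rule[key] = [v.strip() for v in value.split(",") if v.strip()]
        else:
            rule[key] = value
    return rule


def audit_sudorule(rule):
    """Return a list of human-readable findings for one parsed rule."""
    findings = []
    options = rule.get("Sudo Option", [])
    nopasswd = "!authenticate" in options
    all_users = rule.get("User category", "").lower() == "all"
    all_hosts = rule.get("Host category", "").lower() == "all"

    if all_users:
        findings.append("applies to every user (User category: all)")
        if nopasswd:
            findings.append("every user gets passwordless commands (!authenticate)")
    if all_hosts:
        findings.append("applies to every enrolled host (Host category: all)")
    for cmd in rule.get("Sudo Allow Commands", []):
        # In sudoers, '*' in an argument list matches any string including
        # spaces, so "puppet cert *" also admits extra options after "cert".
        if "*" in cmd:
            findings.append(f"wildcard in command arguments: {cmd}")
    return findings


def audit_text(text):
    """Convenience wrapper: parse and audit raw ipa sudorule-show output."""
    return audit_sudorule(parse_sudorule(text))


if __name__ == "__main__":
    for label, text in (("as quoted", SAMPLE_RULE), ("scoped", SCOPED_RULE)):
        print(f"[{label}]")
        for finding in audit_text(text) or ["no findings"]:
            print("  -", finding)
```

To narrow the IPA rule to named accounts, clear the user category (`ipa sudorule-mod foreman-proxy --usercat=''`) and add the users with `ipa sudorule-add-user foreman-proxy --users=foreman-proxy` (check `ipa help sudorule-mod` for your version). After any change, refresh SSSD's cached sudo rules on the client with `sss_cache -R` and compare `sudo -l -U foreman-proxy` (run as root) against the local sudoers output quoted above; the script does not settle whether `!requiretty` delivered via IPA is honoured for a non-tty caller, which is the open question in the thread.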
