[Freeipa-users] Re: sudo and hostnames

2023-06-29 Thread Rob Crittenden via FreeIPA-users
Ronald Wimmer via FreeIPA-users wrote:
> On 29.06.23 09:52, Sam Morris via FreeIPA-users wrote:
>> On 29/06/2023 07:31, Ronald Wimmer via FreeIPA-users wrote:
>>> Is a correct hostname (FQDN) required for sudo rules to work properly?
>>>
>>> I do have a host where the hostname is set to its shortname. My user
>>> is allowed to perform sudo on this host (as it is a member of the
>>> admin group which is allowed to do everything on every host) but
>>> another user (who is not member of the admin group) cannot perform
>>> sudo on this particular host. (according to IPA this user should be
>>> able to use sudo)
>>>
>>> My suspicion is that this might have to do with the hostname
>>> incorrectly set to its shortname and not to its FQDN.
>>
>> See https://docs.pagure.org/sssd.sssd/users/sudo_troubleshooting.html
>> for how to enable sudo and sssd-sudo logs - you should be able to see
>> how sudo evaluates the rules received from the directory with the
>> information from the logs.
> 
> In this particular case it does not help me as the IPA client is an AIX
> 7.3 machine that does not have SSSD.

I'm afraid there isn't a lot we can do then. You'll need to see what
debugging capabilities AIX sudo-ldap has.

A typical sudoers entry with one command and a host will look like:

dn: cn=test,ou=sudoers,dc=example,dc=test
objectClass: sudoRole
objectClass: top
sudoHost: ipa.example.test
sudoCommand: /usr/bin/less
cn: test

I think your suspicion about the non-qualified hostname is probably
right. I have no idea on how to work around it other than changing the
hostname.

The ou=sudoers entry is generated in the compat tree so not directly
modifiable. The sudorule entry uses memberof (ipa treats it as
memberhost) to point to a host entry which by definition is a fqdn.

If you're feeling ambitious then you might be able to add an IPA host
with fqdn=shortname using ldapmodify. I don't know if that would cause
other problems like being able to manage that host in the API. If there
is already an IPA host with the FQDN this will not work as the API
expects to get only one entry back on some searches and will fail
spectacularly if you search on shortname.

So at first glance your choices are:

1. change the hostname
2. do a lot of weird, unsupported changes to IPA LDAP in hopes that this
one host works. And remember when and why you did them.

rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
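The behaviour Rob describes (a sudoRole whose sudoHost holds an FQDN, a client whose hostname is only the short name, and only the admin group's ALL rule still applying) can be reproduced with a small model of how sudo-ldap compares sudoHost values with the local host. This is an added example, not code from the thread, from sudo or from FreeIPA. It assumes sudo compares a sudoHost value containing a dot against the long hostname and a dotless value against the short hostname, that ALL matches every host and that shell-style wildcards are honoured; netgroup and IP/netmask forms are left out. The LDIF text and the sudoUser values are constructed, modelled on the compat-tree entry Rob quoted.

```python
"""Simplified model of sudo-ldap sudoHost matching (added example, not sudo's
or FreeIPA's code).  Assumption: a dotted sudoHost value is compared with the
long hostname, a dotless one with the short hostname, ALL matches everything,
and shell-style wildcards are allowed.  Netgroups and IP/netmask forms are
not modelled."""
from fnmatch import fnmatchcase
from typing import Dict, List

# Constructed LDIF, modelled on the ou=sudoers compat-tree entry from the thread.
# The second entry stands in for the admin group's "everything everywhere" rule.
SAMPLE_LDIF = """\
dn: cn=test,ou=sudoers,dc=example,dc=test
objectClass: sudoRole
objectClass: top
sudoHost: ipa.example.test
sudoCommand: /usr/bin/less
sudoUser: alice
cn: test

dn: cn=admins_all,ou=sudoers,dc=example,dc=test
objectClass: sudoRole
objectClass: top
sudoHost: ALL
sudoCommand: ALL
sudoUser: %admins
cn: admins_all
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse simple attribute: value LDIF records separated by blank lines."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def host_matches(pattern: str, short_host: str, long_host: str) -> bool:
    """Compare one sudoHost value with the local short and long hostnames."""
    if pattern == "ALL":
        return True
    # Assumed rule: dotted patterns are checked against the long name,
    # dotless ones against the short name (case-insensitive, wildcards allowed).
    target = long_host if "." in pattern else short_host
    return fnmatchcase(target.lower(), pattern.lower())


def rules_for_host(entries: List[Dict[str, List[str]]],
                   short_host: str, long_host: str) -> List[str]:
    """Return the cn of every sudoRole whose sudoHost applies to this host."""
    return [
        entry["cn"][0]
        for entry in entries
        if any(host_matches(h, short_host, long_host)
               for h in entry.get("sudoHost", []))
    ]


if __name__ == "__main__":
    roles = parse_ldif(SAMPLE_LDIF)
    # Host whose hostname is set to the short name and cannot be qualified:
    # sudo sees "ipa" as both short and long name, so only the ALL rule applies.
    print("short hostname only:", rules_for_host(roles, "ipa", "ipa"))
    # Same host with a proper FQDN: both rules apply.
    print("FQDN hostname:      ", rules_for_host(roles, "ipa", "ipa.example.test"))
```

Running it on the constructed entries lists only `admins_all` for the short-named host and both `test` and `admins_all` once the long hostname is the FQDN, which is the asymmetry seen between the admin user and the ordinary user in the thread.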


[Freeipa-users] Re: sudo and hostnames

2023-06-29 Thread Ronald Wimmer via FreeIPA-users

On 29.06.23 09:52, Sam Morris via FreeIPA-users wrote:
> On 29/06/2023 07:31, Ronald Wimmer via FreeIPA-users wrote:
>> Is a correct hostname (FQDN) required for sudo rules to work properly?
>>
>> I do have a host where the hostname is set to its shortname. My user
>> is allowed to perform sudo on this host (as it is a member of the
>> admin group which is allowed to do everything on every host) but
>> another user (who is not member of the admin group) cannot perform
>> sudo on this particular host. (according to IPA this user should be
>> able to use sudo)
>>
>> My suspicion is that this might have to do with the hostname
>> incorrectly set to its shortname and not to its FQDN.
>
> See https://docs.pagure.org/sssd.sssd/users/sudo_troubleshooting.html
> for how to enable sudo and sssd-sudo logs - you should be able to see
> how sudo evaluates the rules received from the directory with the
> information from the logs.

In this particular case it does not help me as the IPA client is an AIX
7.3 machine that does not have SSSD.




[Freeipa-users] Re: sudo and hostnames

2023-06-29 Thread Sam Morris via FreeIPA-users

On 29/06/2023 07:31, Ronald Wimmer via FreeIPA-users wrote:
> Is a correct hostname (FQDN) required for sudo rules to work properly?
>
> I do have a host where the hostname is set to its shortname. My user is
> allowed to perform sudo on this host (as it is a member of the admin
> group which is allowed to do everything on every host) but another user
> (who is not member of the admin group) cannot perform sudo on this
> particular host. (according to IPA this user should be able to use sudo)
>
> My suspicion is that this might have to do with the hostname incorrectly
> set to its shortname and not to its FQDN.

See https://docs.pagure.org/sssd.sssd/users/sudo_troubleshooting.html
for how to enable sudo and sssd-sudo logs - you should be able to see
how sudo evaluates the rules received from the directory with the
information from the logs.


--
Sam Morris 
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9


[Freeipa-users] Re: sudo and hostnames

2023-06-29 Thread Ronald Wimmer via FreeIPA-users

On 29.06.23 08:31, Ronald Wimmer via FreeIPA-users wrote:
> Is a correct hostname (FQDN) required for sudo rules to work properly?
>
> I do have a host where the hostname is set to its shortname. My user is
> allowed to perform sudo on this host (as it is a member of the admin
> group which is allowed to do everything on every host) but another user
> (who is not member of the admin group) cannot perform sudo on this
> particular host. (according to IPA this user should be able to use sudo)
>
> My suspicion is that this might have to do with the hostname incorrectly
> set to its shortname and not to its FQDN.

In IPA's LDAP directory I can see cn and fqdn set to the server's FQDN
but the serverHostName attribute is the server's shortname.
