On 02/23/2017 03:43 PM, Auerbach, Steven wrote:
Yes, I implemented in Policy -> Sudo -> Sudo Commands as:
Sudo Command: NOPASSWD: /sbin/vgs
NOPASSWD is used in /etc/sudoers. In IPA, create a sudo option
"!authenticate" instead.
The script (executed by a non-root, administra
On 02/08/2017 04:03 PM, Nathanaël Blanchet wrote:
Le 08/02/2017 à 13:00, Pavel Březina a écrit :
On 02/08/2017 11:59 AM, Nathanaël Blanchet wrote:
Hello,
on latest IPA, when adding a command to a rule or a sudo option for
example, the change is not active on the user session.
For example
On 02/08/2017 11:59 AM, Nathanaël Blanchet wrote:
Hello,
on latest IPA, when adding a command to a rule or a sudo option for
example, the change is not active on the user session.
For example, after removing !authenticate option, I still can execute
sudo commands without password.
I tried to logo
On 08/30/2016 05:08 PM, Ryan Whalen wrote:
Hi All,
I'm having an issue getting a command to run properly, and the issue
seems to be with FreeIPA sudo permissions. Specifically 'sudo su -
app_user -c ""' prompts for a password when run.
However if I 'sudo su - app_user' and then run the '' as
app
On 08/26/2016 02:15 PM, Jeff Goddard wrote:
Pavel,
I appreciate that you're busy and thank you for taking time to look at
this. Here is the output:
[root@id-management-1 ~]# ipa sudorule-show
Rule name: all
Rule name: All
Description: Full sudo access for Developer group in office environ
On 08/25/2016 08:01 PM, Jeff Goddard wrote:
I'm still hoping someone can offer additional help. I see in the apt
term.log these errors when downloading the freeipa-client package. Could
this be the problem?
Hi,
I'm sorry, I somehow overlooked this thread. Can you provide output of
ipa sudorule
On 08/23/2016 01:55 PM, Tony Brian Albers wrote:
Here you are:
[root ~]# ldapsearch -Y GSSAPI -b $dc
'(ou=*)' -s onelevel
# profile, $domain
dn: ou=profile,$dc
objectClass: top
objectClass: organizationalUnit
ou: profiles
ou: profile
# search result
search: 4
result: 0 Success
# numRespons
On 08/23/2016 11:26 AM, Tony Brian Albers wrote:
Thanks Jakub,
I've attached a file with the output from looking in the log files
mentioned in the link you gave me.
I'm not sure exactly what is wrong, I don't know how to interpret
messages like: name 'tba-sadm' matched without domain, user is t
On 05/31/2016 11:19 AM, Tony Brian Albers wrote:
Hi guys,
I'm implementing FreeIPA to authenticate users on a small HPC cluster
here. For a few of these I need a sudo rule that in essence does the
same as the standard ALL(ALL) rule. How do I implement that in FreeIPA?
I've found some links/guide
On 11/11/2015 03:24 PM, Branden Coates wrote:
I have a few issues with sudo rules (FreeIPA 4.1.4-4 on Fedora 22) that I
would greatly appreciate some help with. The core of the issue is that
sudo rules fail to work when using ldap instead of ipa when you assign
user groups and host groups to the s
will fail).
On Thu, Oct 8, 2015 at 5:26 PM, Pavel Březina wrote:
On 10/08/2015 04:26 PM, Karl Forner wrote:
Hi,
you are prompted for password because (ALL) ALL rule is applied because
of last-match rule. See:
http://www.sudo.ws/man/1.8.13/sudoers.ldap.man.html s
.
Thanks a lot.
Thanks. Please, keep in mind that we changed the default to the correct
order in sssd 1.13.1. Therefore if you update sssd you will either have
to invert the order again or set sudo_inverse_order = true in [sudo] in
/etc/sssd/sssd.conf.
On Thu, Oct 8, 2015 at 5:26 PM, Pavel
Hi,
I just submitted a sudo troubleshooting guide [1]. If you find anything
missing, please, let me know.
[1] https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to h
On 10/08/2015 04:26 PM, Karl Forner wrote:
Hi,
you are prompted for password because (ALL) ALL rule is applied because of last-match
rule. See: http://www.sudo.ws/man/1.8.13/sudoers.ldap.man.html sudoOrder.
Ok. I updated the rules to use a sudoorder attribute of 100 for the
/usr/bin/l
On 10/08/2015 04:09 PM, Karl Forner wrote:
Sorry I had disabled the emailing, just saw your answers in the archives.
How can I debug this ?
Pavel (CC) has a nice sudo debug howto, maybe it would be helpful?
Where is it ? Do you mean the slide
"FreeIPA Training Series: Obtaining debugging
On 10/07/2015 10:03 AM, Jakub Hrozek wrote:
On Tue, Oct 06, 2015 at 06:28:14PM +0200, Karl Forner wrote:
Hello,
I had assumed sudo rules worked because I have an "allow_all for admins"
sudo rule that seemed to work, but I wonder if there is an implicit rule
for the special group admins ?
Beca
On 10/05/2015 10:58 AM, Andreas Calminder wrote:
Hi,
guessing this is a quite frequent question, but I can't find any solid
information about the topic.
I want to specify a set of default sudo options so I don't have to
specify these options for every other sudo rule I create.
There's supposed to
On 09/30/2015 09:04 PM, Andy Thompson wrote:
On Wed, Sep 30, 2015 at 12:17:22PM +, Andy Thompson wrote:
On 09/21/2015 10:42 PM, Andy Thompson wrote:
On Mon, Sep 21, 2015 at 07:39:01PM +, Andy Thompson wrote:
-Original Message-
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent
On 09/21/2015 10:42 PM, Andy Thompson wrote:
On Mon, Sep 21, 2015 at 07:39:01PM +, Andy Thompson wrote:
-Original Message-
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent: Monday, September 21, 2015 3:29 PM
To: Andy Thompson
Cc: freeipa-users@redhat.com; pbrez...@redhat.com
Subj
On 09/15/2015 09:10 AM, Molnár Domokos wrote:
"Molnár Domokos" írta:
On 09/14/2015 03:08 PM, Pavel Březina wrote:
On 09/11/2015 02:40 PM, Molnár Domokos wrote:
Full log attached.
"Molnár Domokos" írta:
"Pavel Březina" írta:
On 09/25/2015 01:12 PM, Jakub Hrozek wrote:
On Fri, Sep 25, 2015 at 11:48:27AM +0200, Pavel Březina wrote:
On 09/25/2015 10:06 AM, Jakub Hrozek wrote:
On Thu, Sep 24, 2015 at 03:39:48PM +0200, Christoph Kaminski wrote:
Hi
I have 3 problems/questions with ipa and sudo...
1. How to make a
On 09/25/2015 10:06 AM, Jakub Hrozek wrote:
On Thu, Sep 24, 2015 at 03:39:48PM +0200, Christoph Kaminski wrote:
Hi
I have 3 problems/questions with ipa and sudo...
1. How to make a GLOBAL sudo rule with all the options what I want to
have? (e.g. !authenticate). I have tried to make a sudo rule
On 09/11/2015 02:40 PM, Molnár Domokos wrote:
Full log attached.
"Molnár Domokos" írta:
"Pavel Březina" írta:
On 09/09/2015 09:31 PM, Molnár Domokos wrote:
> I have a working IPA server and a working client config on an
OpenSuse
On 09/09/2015 09:31 PM, Molnár Domokos wrote:
I have a working IPA server and a working client config on an OpenSuse
13.2 with the following versions:
nappali:~ # rpm -qa |grep sssd
sssd-tools-1.12.2-3.4.1.i586
sssd-krb5-1.12.2-3.4.1.i586
python-sssd-config-1.12.2-3.4.1.i586
sssd-ipa-1.12.2-3.4.1
On 08/04/2015 11:57 AM, Innes, Duncan wrote:
Hi folks,
Struggling with creating a sudo rule in IPA that will allow my
foreman-proxy to run specific commands. When I put the following into
/etc/sudoers.d/foreman:
[root@puppet01 ~]# cat /etc/sudoers.d/foreman
foreman-proxy ALL = NOPASSWD: /usr/bin
On 06/05/2015 03:14 PM, Sina Owolabi wrote:
Odd, sssd sudo up and started working properly after I added debug to
the clients I was interested in.
I didn't see any errors in the logs at all.
This may indicate a race condition. Does it hang up again if you disable
debugging?
Very strange. Th
On 05/05/2015 10:53 AM, Martin Kosek wrote:
On 05/05/2015 03:37 AM, Megan . wrote:
Good Evening!
I'm running 3.0.0-42 on CentOS 6.6.
I set up a number of sudo commands today with regular expressions and
now users seem to be having issues running any sudo command. Are
there any known issues wit
On 01/08/2015 07:54 PM, Craig White wrote:
-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Thursday, January 08, 2015 9:33 AM
To: Craig White; Martin Kosek; Pavel Březina; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
pa-users] sudo !requiretty !authenticate
On (06/01/15 10:21), Pavel Březina wrote:
On 01/05/2015 07:32 PM, Craig White wrote:
Hi - reply at bottom
-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Monday, January 05, 2015 4:33 AM
To: Craig White; freeipa-users
On 01/05/2015 07:32 PM, Craig White wrote:
Hi - reply at bottom
-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Monday, January 05, 2015 4:33 AM
To: Craig White; freeipa-users@redhat.com; Pavel Brezina
Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
On
On Tue, Feb 18, 2014 at 5:27 AM, Pavel Březina <pbrez...@redhat.com> wrote:
On 02/17/2014 10:29 PM, Steve Dainard wrote:
I can't reproduce consistently on any OS including Fedor
On 02/17/2014 10:29 PM, Steve Dainard wrote:
I can't reproduce consistently on any OS including Fedora 20, but I was
able to trigger the issue on a Ubuntu 13.10 client.
sssd: 1.11.1
sudo: 1.8.6p3-0ubuntu3
I have only just enabled the sudo logging so it should only contain the
events below:
sd
On 02/16/2014 01:19 AM, Steve Dainard wrote:
Just experienced the same issue on Fedora 20:
[sdainard-ad...@miovision.corp@fed20 ~]$ sudo systemctl stop firewalld
[sudo] password for sdainard-ad...@miovision.corp:
sdainard-ad...@miovision.corp is not allowed to run sudo on fed20. This
incident w
On 11/13/2013 05:40 PM, Jakub Hrozek wrote:
On Wed, Nov 13, 2013 at 05:26:32PM +0100, David Kreuter wrote:
During our evaluation phase we're facing the following problem. One particular user
was granted sudo permission with the help of a sudo rule. The user can
successfully access the host via SS
On 09/11/2013 11:21 AM, Pavel Březina wrote:
On 09/09/2013 07:32 PM, Dean Hunter wrote:
On Mon, 2013-09-09 at 11:23 +0200, Pavel Březina wrote:
On 09/08/2013 01:35 AM, Dmitri Pal wrote:
On 09/07/2013 02:11 PM, Christian Horn wrote:
On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote
On 09/09/2013 05:53 PM, Dean Hunter wrote:
On Mon, 2013-09-09 at 11:35 +0200, Pavel Březina wrote:
On 09/09/2013 12:26 AM, Dean Hunter wrote:
> On Sun, 2013-09-08 at 23:11 +0200, Jakub Hrozek wrote:
>> On Sun, Sep 08, 2013 at 03:42:16PM -0500, Dean Hunter wrote:
>> > On Sat, 2
On 09/09/2013 07:32 PM, Dean Hunter wrote:
On Mon, 2013-09-09 at 11:23 +0200, Pavel Březina wrote:
On 09/08/2013 01:35 AM, Dmitri Pal wrote:
On 09/07/2013 02:11 PM, Christian Horn wrote:
On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote:
Are [1] and [2] still the current and best
On 09/09/2013 12:26 AM, Dean Hunter wrote:
On Sun, 2013-09-08 at 23:11 +0200, Jakub Hrozek wrote:
On Sun, Sep 08, 2013 at 03:42:16PM -0500, Dean Hunter wrote:
> On Sat, 2013-09-07 at 19:35 -0400, Dmitri Pal wrote:
>
> > On 09/07/2013 02:11 PM, Christian Horn wrote:
> > > On Sat, Sep 07, 2013 at
On 09/08/2013 11:11 PM, Jakub Hrozek wrote:
On Sun, Sep 08, 2013 at 03:42:16PM -0500, Dean Hunter wrote:
On Sat, 2013-09-07 at 19:35 -0400, Dmitri Pal wrote:
On 09/07/2013 02:11 PM, Christian Horn wrote:
On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote:
Are [1] and[2] still the cu
On 09/08/2013 01:35 AM, Dmitri Pal wrote:
On 09/07/2013 02:11 PM, Christian Horn wrote:
On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote:
Are [1] and [2] still the current and best sources of information for
configuring sudo for use with the current release of FreeIPA on Fedora
19?
1
-Original Message-
From: Pavel Březina [mailto:pbrez...@redhat.com]
Sent: Friday, July 19, 2013 11:01 AM
To: Tovey, Mark
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
Hi,
hostname command ou
-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Tovey, Mark
Sent: Thursday, July 18, 2013 11:06 AM
To: Pavel Březina; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
host1-> nisdomainname
my_domain.co
On 07/17/2013 06:39 PM, Tovey, Mark wrote:
Okay, I get it (pardon my obtuseness).
host1-> getent netgroup hgroup1
hgroup1 (host1.my_domain.com, -, my_domain.com)
So netgroups are working. The host group is defined in IPA and getent is
able to access that
On 06/12/2013 02:51 PM, Pavel Březina wrote:
On 06/12/2013 02:37 PM, Jakub Hrozek wrote:
On Wed, Jun 12, 2013 at 11:22:35AM +0200, Matt . wrote:
Hi,
The package as you described is installed, the configlines are set as
you
show it.
This is what I see in auth.log, my sssd_sudo does not show a
On 06/12/2013 02:37 PM, Jakub Hrozek wrote:
On Wed, Jun 12, 2013 at 11:22:35AM +0200, Matt . wrote:
Hi,
The package as you described is installed, the configlines are set as you
show it.
This is what I see in auth.log, my sssd_sudo does not show a thing:
Jun 12 11:19:16 server sudo: pam_unix(
-devel list.
Thx for the help
Aly
Thanks Pavel,
Very much appreciated
Aly
On Tue, Apr 30, 2013 at 1:41 PM, Pavel Brezina <pbrez...@redhat.com> wrote:
- Original Message -
> From: "Pavel Březina" <pbrez...@redhat.com>
> To:
On 04/29/2013 08:31 PM, Aly Khimji wrote:
Hey Pavel/Guys,
Do you see anything in the new logs that might help?
I saw this bug https://bugzilla.redhat.com/show_bug.cgi?id=871160 that
reports this issue exactly.
However it's reported as fixed but I am still having the same issue. I am
building out
On 04/24/2013 07:20 PM, Aly Khimji wrote:
(Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd..com]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
(Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd..com]]]
[sss_selinux_extract_user] (0x0040): sysdb_search_user
On 11/08/2012 01:13 AM, Dmitri Pal wrote:
On 11/07/2012 04:28 PM, William Muriithi wrote:
Hello
I have been trying to setup user access through sudo file managed by
FreeIPA and it doesn't seem to be working. I am not sure how to go
about fixing it, but I guess the best place to start is ask what
On 10/31/2012 07:20 PM, Rob Crittenden wrote:
Bret Wortman wrote:
F17.
I think you want /etc/ldap.conf then. The easiest way to be sure the
right file is being used is to add sudoers_debug 1 to the file. This
will present a lot of extra output so you'll know the file is being read.
rob
Hi,