On 12/04/2017 09:15 PM, Max DiOrio wrote:
Hi,
We use Active Directory to manage our Linux access including SUDO
permissions.
We need to have a particular account run a passwordless command. I
created a new sudoRule in AD, added the following:
sudoCommand /bin/systemctl restart wildfly.service
sudoHost +DevTestLinuxServer (our group of servers)
sudoOption !authenticate
sudoOrder 1
sudoUser svc_Jenkins_DTS
From what I'm reading, sudoOrder should be 0 when not defined, which it
isn't in the other sudoRoles. So with this having a sudoOrder 1, it
should take precedence when there's more than one match for the
command. The other sudoRole is ALL:ALL, but requires a password, and
that one works fine.
On the client side, logged in as svc_Jenkins_DTS, I see the following in
the sudo log:
(Mon Dec 4 14:58:55 2017) [sssd[sudo]] [sort_sudo_rules] (0x0400):
Sorting rules with higher-wins logic
(Mon Dec 4 14:58:55 2017) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400):
Returning 2 rules for
[svc_jenkins_...@internal.ieeeglobalspec.com@internal.ieeeglobalspec.com]
(Mon Dec 4 14:58:55 2017) [sssd[sudo]] [sudosrv_build_response]
(0x2000): error: [0]
(Mon Dec 4 14:58:55 2017) [sssd[sudo]] [sudosrv_build_response]
(0x2000): rules_num: [0]
(Mon Dec 4 14:58:55 2017) [sssd[sudo]] [sudosrv_build_response]
(0x2000): rule [1]/[2]
(Mon Dec 4 14:58:55 2017) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): cn:jenkins
(Mon Dec 4 14:58:55 2017) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): objectClass:sudoRule
(Mon Dec 4 14:58:55 2017) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoCommand:/bin/systemctl restart wildfly.service
(Mon Dec 4 14:58:55 2017) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+DevTestLinuxServer
(Mon Dec 4 14:58:55 2017) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoOption:!authenticate
(Mon Dec 4 14:58:55 2017) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoOrder:1
(Mon Dec 4 14:58:55 2017) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoRunAsUser:ALL
(Mon Dec 4 14:58:55 2017) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoUser:#1002202276
(Mon Dec 4 14:58:55 2017) [sssd[sudo]] [sudosrv_build_response]
(0x2000): rule [2]/[2]
(Mon Dec 4 14:58:55 2017) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): cn:DevTest
(Mon Dec 4 14:58:55 2017) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): objectClass:sudoRule
(Mon Dec 4 14:58:55 2017) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoCommand:ALL
(Mon Dec 4 14:58:55 2017) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+DevTestLinuxServers
(Mon Dec 4 14:58:55 2017) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoRunAsUser:ALL
(Mon Dec 4 14:58:55 2017) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoUser:#1002202276
So it knows of both rules, and sorted them properly.
But doing a sudo -l shows the following:
[svc_jenkins_dts@la-1dglsesgap01 ~]$ sudo -l
[sudo] password for svc_jenkins_dts:
Matching Defaults entries for svc_jenkins_dts on la-1dglsesgap01:
!visiblepw, always_set_home, match_group_by_gid, env_reset,
env_keep="COLORS DISPLAY HOSTNAME
HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME
LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS
_XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User svc_jenkins_dts may run the following commands on la-1dglsesgap01:
(ALL) ALL
So,
1) why does it not show in the list that it can run the command?
2) why does it keep prompting for a password when I try to run the command?
Thanks!
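As an added illustration (not part of the thread or of sssd/sudo), a small Python model of how sudo would match the two rules sssd returned above: it parses the per-rule attribute lines from the log, applies sudoUser, sudoHost (with "+name" netgroups) and sudoCommand matching, and lets the matching rule with the highest sudoOrder decide whether !authenticate applies. The uid, hostname and netgroup membership passed in are assumptions taken from the log; the matching is a simplified model of sudo's LDAP evaluation, not sudo's own code.

```python
import re
# Constructed sample: the per-rule attribute lines sssd logged in the post, timestamps dropped
SSSD_LOG = """\
[sudosrv_build_response] (0x2000): rule [1]/[2]
[sudosrv_response_append_attr] (0x2000): cn:jenkins
[sudosrv_response_append_attr] (0x2000): sudoCommand:/bin/systemctl restart wildfly.service
[sudosrv_response_append_attr] (0x2000): sudoHost:+DevTestLinuxServer
[sudosrv_response_append_attr] (0x2000): sudoOption:!authenticate
[sudosrv_response_append_attr] (0x2000): sudoOrder:1
[sudosrv_response_append_attr] (0x2000): sudoUser:#1002202276
[sudosrv_build_response] (0x2000): rule [2]/[2]
[sudosrv_response_append_attr] (0x2000): cn:DevTest
[sudosrv_response_append_attr] (0x2000): sudoCommand:ALL
[sudosrv_response_append_attr] (0x2000): sudoHost:+DevTestLinuxServers
[sudosrv_response_append_attr] (0x2000): sudoUser:#1002202276
"""
ATTR_RE = re.compile(r"append_attr\] \(0x2000\): (\w+):(.*)$")

def parse_rules(log):
    """Group the logged attribute lines into one {attribute: [values]} dict per rule."""
    rules, cur = [], None
    for line in log.splitlines():
        if "rule [" in line:            # sudosrv_build_response opens a new rule
            rules.append({}); cur = rules[-1]
        m = ATTR_RE.search(line)
        if m and cur is not None:
            cur.setdefault(m.group(1), []).append(m.group(2))
    return rules

def host_matches(spec, hostname, netgroups):
    if spec == "ALL":
        return True
    if spec.startswith("+"):            # '+name' is a netgroup, as in sudoers
        return spec[1:] in netgroups
    return spec == hostname

def evaluate(rules, uid, hostname, netgroups, command):
    """Return (cn of each matching rule, highest sudoOrder first; whether a password is needed).
    Simplified model: the matching rule with the highest sudoOrder decides the tags."""
    hits = []
    for r in rules:
        if not {f"#{uid}", "ALL"} & set(r.get("sudoUser", [])):
            continue
        if not any(host_matches(h, hostname, netgroups) for h in r.get("sudoHost", [])):
            continue
        if not any(c in ("ALL", command) for c in r.get("sudoCommand", [])):
            continue
        hits.append(r)
    hits.sort(key=lambda r: int(r.get("sudoOrder", ["0"])[0]), reverse=True)
    if not hits:
        return [], True
    return [r["cn"][0] for r in hits], "!authenticate" not in hits[0].get("sudoOption", [])
```

Running evaluate() with the host in only the netgroup named by the second rule's sudoHost reproduces a listing of just the ALL rule with a password prompt; adding the first rule's netgroup makes the passwordless rule win on sudoOrder.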
Hi Max,
What sssd version do you use? Also, can you send us sudo logs? [1] is a
guide on how to obtain them.
[1] https://pagure.io/SSSD/docs/blob/master/f/users/sudo_troubleshooting.rst
sssd-users mailing list -- sssd-users@lists.fedorahosted.org