[Freeipa-users] sudo and NIS domain name
Rob Crittenden
rcritten at redhat.com
Mon May 5 14:02:45 UTC 2014
Dean Hunter wrote:
> On Sat, 2014-05-03 at 22:50 +0200, Lukas Slebodnik wrote:
>> On (03/05/14 10:39), Dean Hunter wrote:
>> >On Sat, 2014-05-03 at 12:36 +0200, Lukas Slebodnik wrote:
>> >
>> >> On (01/05/14 15:53), Dean Hunter wrote:
>> >> >On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote:
>> >> >> On 05/01/2014 04:07 PM, Dean Hunter wrote:
>> >> >>
>> >> >> >
>> >> >> > I just noticed that I had been incorrectly setting the NIS domain
>> >> >> > name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to
>> >> >> > be successfully retrieving and using sudo rules from FreeIPA. Is
>> >> >> > sudo still using NIS-style netgroups? Is there still a requirement
>> >> >> > to set the NIS domain name?
>> >> >>
>> >> >>
>> >> >> I think NIS domain is needed for netgroups. If you are not using
>> >> >> netgroups in the sudo rules but just user groups you should be fine.
>> >> >> Is this the case with you?
>> >> >> If not please provide the logs and config.
>> >> >>
>> >> >
>> >> >I am not aware of using netgroups, either the IPA object or any other
>> >> >kind. I just remember that when I was first configuring sudo to
>> >> >retrieve rules from IPA it would not work until I set nisdomainname
>> >> >in /etc/rc.d/rc.local. Here is the quote from section 14.4 of the
>> >> >manual:
>> >> >
>> >> >
>> >> > Even though sudo uses NIS-style netgroups, it is not necessary
>> >> > to have a NIS server installed. Netgroups require that a NIS
>> >> > domain be named in their configuration, so sudo requires that a
>> >> > NIS domain be named for netgroups. However, that NIS domain does
>> >> > not actually need to exist.
>> >> >
>> >> >
>> >> >With Fedora 20 I can no longer find the emulation of rc.local that
>> >> >existed in Fedora 19. I did find fedora-domainname.service and started
>> >> >and enabled it but neglected to configure /etc/sysconfig/network. Yet
>> >> >IPA sudo rules appear to work.
>> >> >
>> >> Hope It helps you
>> >>http://www.redhat.com/archives/freeipa-users/2014-April/msg00248.html
>> >>
>> >> LS
>> >
>> >
>> >Thank you. Now that you point it out, I remember that this thread is
>> >where I first learned about fedora-domainname.service. I see:
>> >
>> > You would also need to set NIS domain name, otherwise SUDO will
>> > not correctly recognize SUDO rules targeted on host groups,
>> ^^^^^^^^^^^^^^
>> This is important part
>> > instead of hosts:
>> >
>> >which explains when sudo would need the NIS domain name. Since my sudo
>> >rules address user groups I guess there is no requirement for NIS domain
>> >name since they are working just fine:
>> Your sudo rules use host groups.
>>
>> >
>> > ipa sudorule-add desktop-admins --desc "Desktop
>> > Administrators"
>> > ipa sudorule-mod desktop-admins --cmdcat all
>> > ipa sudorule-add-host desktop-admins --hostgroups desktops
>> > ipa sudorule-add-option desktop-admins --sudooption "!
>> > authenticate"
>> > ipa sudorule-add-runasuser desktop-admins --users root
>> > ipa sudorule-add-runasgroup desktop-admins --groups root
>> > ipa sudorule-add-user desktop-admins --groups
>> > desktop-admins
>> >
>> > ipa sudorule-add server-admins --desc "Server
>> > Administrators"
>> > ipa sudorule-mod server-admins --cmdcat all
>> > ipa sudorule-add-host server-admins --hostgroups servers
>> hostgroups are reason why you need to configure NIS domain name.
>> hostgroups are also available as netgroups in compat tree and sudo reads
>> information from netgroups.
>>
>> > ipa sudorule-add-option server-admins --sudooption "!
>> > authenticate"
>> > ipa sudorule-add-runasuser server-admins --users root
>> > ipa sudorule-add-runasgroup server-admins --groups root
>> > ipa sudorule-add-user server-admins --groups
>> > server-admins
>> >
>> >However, I was really asking whether there had been a change in
>> >sssd/sudo behavior as it was my recollection that my sudo rules did not
>> >work at all in early IPA 3.n releases unless the NIS domain name was
>> >configured.
>> >
>>
>> LS
>
> I hear you and that is what I expected. However, the actual behavior
> seems to have changed with 3.3.4 and now 3.3.5.
>
> [dean at desktop <mailto:dean at desktop> ~]$ domainname --nis
> domainname: Local domain name not set
>
> [dean at desktop <mailto:dean at desktop> ~]$ sudo -l
> Matching Defaults entries for dean on desktop:
> requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME
> HISTSIZE INPUTRC
> KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG
> LC_ADDRESS
> LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
> LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
> LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
> _XKB_CHARSET
> XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>
> User dean may run the following commands on desktop:
> (root : root) NOPASSWD: ALL
>
> [dean at desktop <mailto:dean at desktop> ~]$
>
> I think this is a good thing. I would just like to confirm that this is
> the new expected behavior and that I have not done something wrong.
We'd need to see your sudo rules to know for sure.
I don't think anything changed in the IPA code to change this behavior,
but we herd a lot of cats so something in another package may be different.
rob
More information about the Freeipa-users
mailing list