Setup:
IPA server: srv.server.com
IPA client: cl.client.com
Configure both ipa-server and ipa-client before following steps
How to reproduce:
[server] # ipa user-add testuser1 --first Test --last User1
[server] # ipa hostgroup-add testhostgroup
[server] # ipa hostgroup-add-member testhostgroup --hosts cl.client.com
[server] # ipa sudorule-add testrule --usercat=all --cmdcat=all --runasusercat=all --runasgroupcat=all
[server] # ipa sudorule-add-option testrule --sudooption !authenticate
[server] # ipa sudorule-add-host testrule --hostgroups testhostgroup

# on client, clear SSSD cache
[client] # systemctl stop sssd
[client] # find /var/lib/sss/db -name '*.ldb' | xargs rm -fv
[client] # rm -fv /var/lib/sss/mc/group
[client] # rm -fv /var/lib/sss/mc/passwd
[client] # systemctl start sssd

# verify that sudo allows access from client
[client] # su -c "sudo -l" testuser1
Expected result:
Prints list of allowed commands.
Actual results:
Rejects access:
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

sudo: no tty present and no askpass program specified
Clone of FreeIPA ticket: https://fedorahosted.org/freeipa/ticket/6211
Please add logs as described in https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
cc: => pbrezina
attachment sudo_debug
Attached sudo log from client as described in the link. Other logs had no events with corresponding timestamp.
Fields changed
owner: somebody => pbrezina
status: new => assigned
Hi, if you use the -l option, you still need to authenticate (unless the cn=defaults rule says otherwise). Authentication needs a terminal or an askpass program.
You need to either add a rule named defaults with option !authenticate or you need to alter your test in a way that it executes a specific program instead of listing allowed commands.
resolution: => invalid
status: assigned => closed
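Added example, not part of the ticket or of SSSD's code: a small Python audit that reads sudoRole entries (sudoers LDAP schema) and reports whether `!authenticate` is set globally in cn=defaults or only on individual rules and, following the maintainer's reply above, whether `sudo -l` will still ask for a password. The LDIF samples, the DNs and the function names are constructed for this example.

```python
# Added example: where is '!authenticate' set, and will 'sudo -l' prompt?
# Constructed sudoRole entries; the dc=example,dc=test suffix is made up.
RULE_ONLY = """\
dn: cn=testrule,ou=sudoers,dc=example,dc=test
objectClass: sudoRole
cn: testrule
sudoUser: ALL
sudoHost: +testhostgroup
sudoCommand: ALL
sudoOption: !authenticate
"""
WITH_DEFAULTS = RULE_ONLY + """
dn: cn=defaults,ou=sudoers,dc=example,dc=test
objectClass: sudoRole
cn: defaults
sudoOption: !authenticate
"""

def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry (no base64 support)."""
    entries, current, attr = [], {}, None
    for line in text.splitlines() + [""]:
        if not line.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
            current, attr = {}, None
        elif line.startswith(" ") and attr:       # folded continuation line
            current[attr][-1] += line[1:]
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            attr = attr.strip().lower()
            current.setdefault(attr, []).append(value.strip())
    return entries

def disables_auth(entry):
    """True if the entry carries sudoOption '!authenticate'."""
    return any(o.replace(" ", "") == "!authenticate"
               for o in entry.get("sudooption", []))

def audit(text):
    """Report global vs per-rule '!authenticate' and the effect on 'sudo -l'."""
    roles = [e for e in parse_ldif(text)
             if "sudorole" in (v.lower() for v in e.get("objectclass", []))]
    is_defaults = lambda e: e.get("cn", [""])[0].lower() == "defaults"
    global_noauth = any(disables_auth(e) for e in roles if is_defaults(e))
    return {"global_noauth": global_noauth,     # option applies to every rule
            "noauth_rules": sorted(e["cn"][0] for e in roles
                                   if not is_defaults(e) and disables_auth(e)),
            "list_prompts": not global_noauth}  # per the maintainer's reply
```

A `defaults` rule with `!authenticate` removes the password prompt for every sudo rule, whereas running a specific command in the test keeps the exemption scoped to `testrule`.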
Metadata Update from @lryznaro:
- Issue assigned to pbrezina
- Issue set to the milestone: NEEDS_TRIAGE
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4185
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.