Nethserver-delegation needs testers

dnutan (Marc) 2017-08-14 14:42:54 UTC #84

Tested and also working on NethServer 6.x

Just a note about sudo delegation for both versions: by default users have no shell unless they are assigned ssh access.

# getent passwd user1    # ssh access allowed
user1:x:5000:5000:User One:/var/lib/nethserver/home/user1:/bin/bash

# getent passwd user2    # default (no shell)
user2:x:5002:5002:User Two:/var/lib/nethserver/home/user2:/bin/false

stephdl (Stéphane de Labrusse) 2017-08-17 07:49:22 UTC #85

Yes marc it is a good remark i made myself when i found that once you created a user with the sambaAD you cannot add anymore the shell access.

You have to destroy the user account (and all its data) then recreate it with the shell access enabled)

@davidep said that a new feature with gpo must be created for this

So for ns7 a this point we cannot do something except documenting it in the module that sudo needs (of course) a shell access.

For ns6 I can add an action to the db accounts and set the shell property to enabled if the sudo is enabled.

User's Remote shell (SSH) access

hector (Hector Perez) 2017-09-06 13:20:34 UTC #87

I can't install from:

yum install http://mirror.de-labrusse.fr/NethDev/nethserver-delegation/nethserver-delegation-0.1.3-1.ns7.sdl.noarch.rpm

Where to download de lastest version?

Thanks.

mrmarkuz (Markus) 2017-09-06 14:40:12 UTC #88

Hi,
yum install http://mirror.de-labrusse.fr/NethServer/7/x86_64/nethserver-stephdl-1.0.5-1.ns7.sdl.noarch.rpm
yum install nethserver-delegation
Then you should get nethserver-delegation 0.1.5-1.ns7.sdl...

hector (Hector Perez) 2017-09-06 14:55:45 UTC #89

Hi it worked fine, but is posible to block the user to change the admin account?

It works fine but si so buggy, in few months willbe perfect

stephdl (Stéphane de Labrusse) 2017-09-06 15:05:34 UTC #90

please follow https://wiki.nethserver.org/doku.php?id=delegation_of_authority

stephdl (Stéphane de Labrusse) 2017-09-06 15:07:24 UTC #91

what do you mean ?

you must trust the user with the delegation

please what is buggy, what enhancements we can bring

hector (Hector Perez) 2017-09-06 15:31:35 UTC #92

Excuse my English is so bad.

First: is that the delegated user can change admin account settings, how is posible to block the admin account so the delegated user can not touch the admin settings.

So I can delegate safely to a user to add and delete acounts for mail (is an example)

The bug was the browser, I changed de URL adress from zero, and now is working so well.

alefattorini (Alessio Fattorini) 2017-09-06 15:37:39 UTC #93

How can we move modules like this out of "testing" stage? So we can call them "stable" and close this topic?
@dev_team any hint?

stephdl (Stéphane de Labrusse) 2017-09-06 15:45:20 UTC #94

not (yet) possible, I just change the Json authorisation of nethgui, you use all the official modules but delegated to your user. In fact it could be a new feature request that the admin & the administrator users are not deletable however this modification is out of my hand, because there are official modules.

giacomo (Giacomo Sanchietti) 2017-09-06 15:47:47 UTC #95

I think moving the package in nethforge repository (http://packages.nethserver.org/nethserver/7.3.1611/nethforge/) should be enough.

stephdl (Stéphane de Labrusse) 2017-09-09 09:50:36 UTC #96

new version of nethserver-delegation

yum install http://mirror.de-labrusse.fr/NethDev/nethserver-delegation/nethserver-delegation-0.1.7-1.ns7.sdl.noarch.rpm

the new features are

* Sat Sep 09 2017 stephane de LAbrusse <stephdl@de-labrusse.fr> 0.1.7-1.ns7
- ldif file creation with a random name
- chmod ldif file 0600
- remove the key name when the user/group is deleted

* Fri Sep 08 2017 stephane de Labrusse <stephdl@de-labrusse.fr> 0.1.6-1.ns7
- Automatic activation of the shell access if the sudo power is enabled

Now when you set the sudo privilege, automatically you activate the user's shell access, it works but I would confirm it on several servers before to release it.

Kudo to @mrmarkuz

What is the most awesome module/feature for NethServer, that does not yet exist?

mrmarkuz (Markus) 2017-09-09 11:27:22 UTC #97

Awesome! I can confirm that it works on 2 of my Nethservers. But it only works in one direction: Enabling sudo changes users shell to /bin/bash, but disabling does not change it back. A user sudoenabled once has SSH access forever, even if disabling sudo. So I think what's missing is the possibility to change SSH access in "Users and Groups". So delegate module would be able to revert to the default setting in "Users and Groups" but may override it when user is delegated. Just in idea...

stephdl (Stéphane de Labrusse) 2017-09-09 11:33:13 UTC #98

Yeah it is the official behaviour, if the shell access is allowed to a user, you cannot remove it when you use the samba AD accoount provider, or you must delete the user and recreate it.

It makes me think that it is something not finished @dev_team

Indeed I could remove the bash access myself in the module, or wait to see if a PR is needed in the core

mrmarkuz (Markus) 2017-09-09 12:19:32 UTC #99

This would be the fastest solution and ok for me, but when I really think about it the best approach would be to change it in "Users and Groups" module, because it is not logical or intuitive to say: "When creating a user you are able to set SSH access once, but for disabling you have to install another module."
Another approach would be to have the ability to change SSH access only in your delegation module...so a newly created user has no SSH access per default. Again just ideas...

giacomo (Giacomo Sanchietti) 2017-09-11 15:24:58 UTC #100

It's the desired behavior, since we do not want to directly edit the AD using any LDAP client.
Actually it is a limitation of samba-tool.

By the way, I just added a card to NethServer project, but we need to review it and decide if it worth implementing it.

stephdl (Stéphane de Labrusse) 2017-09-16 07:58:25 UTC #101

Please more tests needed also with openldap (nethserver-directory)

mrmarkuz (Markus) 2017-09-17 23:45:42 UTC #102

Did another test with Samba AD(ldap will follow) and noticed just 2 points:

A not sudo delegated user gets a "403 - Forbidden" error window, when entering NetworkAdapter page. I had to close the error window. Clicking OK shows the error again.
If you logout a delegated user, the url is kept, and if you login with a not delegated user for that specific page afterwards you get an empty "403 - Forbidden" page. Maybe redirect users to profile page per default?

stephdl (Stéphane de Labrusse) 2017-09-18 16:37:26 UTC #103

good catch the 'Admin todo messages' must be delegated also, probably I need to delegate it by default. WHen you delegate all panels you don't have this bug (because 'Admin todo messages' is delegated)

stephdl (Stéphane de Labrusse) 2017-09-20 20:15:53 UTC #104

Un message a été déplacé vers un nouveau sujet : Redirect the user logout to the Dashboard