Bret Wortman wrote:
I had enabled debugging of sudo but am not clear on where that debugging
is going. It's not stdout, and I'm not seeing anything in /var/log/messages.

I'll try switching to SSS and see what that gets me.

What distro is this? If it is RHEL 6.3 then put the configuration into /etc/sudo-ldap.conf instead of /etc/nslcd. The docs are incorrect (we are working on getting them fixed).

rob
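For reference, the two files the replies above point at, as an added example (not from either poster): the Debug lines that make sudo write a trace at all, and the sudo-ldap.conf that sudo's own LDAP driver reads when nsswitch.conf says `sudoers: files ldap`. Directive syntax is from sudo.conf(5) and sudoers.ldap(5) for sudo 1.8.x; the URI, base and bind DN are the values from the quoted nslcd.conf, and the log path is an assumption.

```conf
# /etc/sudo.conf (sudo 1.8.4 and later). Without a Debug line sudo writes
# no trace anywhere, which is why nothing shows up on stdout or in
# /var/log/messages. "nss" and "ldap" are the sudoers.so subsystems that
# show which sudoers source is consulted and what LDAP search is issued.
Debug sudo       /var/log/sudo_debug all@warn
Debug sudoers.so /var/log/sudo_debug all@warn,nss@debug,ldap@debug

# /etc/sudo-ldap.conf: sudo's internal LDAP driver does not read
# /etc/nslcd.conf, so the same settings have to live here. The keys are
# the same names sudoers.ldap(5) documents.
uri            ldap://fs1.wedgeofli.me
sudoers_base   ou=SUDOers,dc=wedgeofli,dc=me
binddn         uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
bindpw         password
ssl            start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer  yes
bind_timelimit 5
timelimit      15
```

After editing, `sudo -l` as the affected user and then reading /var/log/sudo_debug shows whether the ldap source was tried and which base and filter were searched. The file holds a cleartext bindpw, so it should be owned by root and not world-readable.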



On Wed, Oct 31, 2012 at 1:33 PM, Stephen Gallagher <sgall...@redhat.com> wrote:

    On Wed 31 Oct 2012 11:53:15 AM EDT, Bret Wortman wrote:

        I'm pretty certain there's a painfully simple solution to this that
        I'm not seeing, but my current configuration isn't picking up the
        freeipa sudoer rule that I've set.

        /etc/nsswitch.conf specifies:
          sudoers:    files ldap

        /etc/nslcd.conf contains:

        binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
        bindpw password

        ssl start_tls
        tls_cacertfile /etc/ipa/ca.crt
        tls_checkpeer yes

        bind_timelimit 5
        timelimit 15

        uri ldap://fs1.wedgeofli.me

        sudoers_base ou=SUDOers,dc=wedgeofli,dc=me


        The sssd_DOMAIN.log file contains this when I try to sudo:


    <snip>

    The SSSD logs aren't showing anything wrong because they have
    nothing to do with the execution of the SUDO rules in this
    situation. All the SSSD is doing is verifying the authentication
    (when sudo prompts you for your password).

    The problem with the rule is most likely happening inside SUDO
    itself. When you specify 'sudoers: files, ldap' in nsswitch.conf,
    it's telling SUDO to use its own internal LDAP driver to look up the
    rules. So you need to check sudo logs to see what's happening
    (probably you will need to enable debug logging in /etc/sudo.conf).

    Recent versions of SUDO (1.8.6 and later) have support for setting
    'sudoers: files, sss' in nsswitch.conf which DOES use SSSD (1.9.0
    and later) for lookups (and caching) of sudo rules.




--
Bret Wortman
The Damascus Group
Fairfax, VA
http://bretwortman.com/
http://twitter.com/BretWortman







_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

