To close the loop: I did the following to clear the credential problem. I suspect that I hadn't properly run kinit before doing these steps the first time:
-sh-4.2$ kinit
Password for br...@wedgeofli.me:
-sh-4.2$ sudo su -
sudo: ldap_sasl_bind_s(): Invalid credentials
[sudo] password for bretw:
bretw is not in the sudoers file.  This incident will be reported.
-sh-4.2$ ldapsearch -x ou=SUDOers,dc=wedgeofli,dc=me
# extended LDIF
#
# LDAPv3
# base <dc=wedgeofli,dc=me> (default) with scope subtree
# filter: ou=SUDOers,dc=wedgeofli,dc=me
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
-sh-4.2$ ldapsearch ou=SUDOers,dc=wedgeofli,dc=me
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available:
-sh-4.2$ ldapsearch -x ou=SUDOers,dc=wedgeofli,dc=me
# extended LDIF
#
# LDAPv3
# base <dc=wedgeofli,dc=me> (default) with scope subtree
# filter: ou=SUDOers,dc=wedgeofli,dc=me
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
-sh-4.2$ ldapsearch -D uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me -w password ou=SUDOers,dc=wedgeofli,dc=me
ldap_bind: Invalid credentials (49)
-sh-4.2$ ldappasswd -Y GSSAPI -S -h fs1.wedgeofli.me uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
New password:
Re-enter new password:
SASL/GSSAPI authentication started
SASL username: br...@wedgeofli.me
SASL SSF: 56
SASL data security layer installed.
-sh-4.2$ ldapsearch -D uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me -w password ou=SUDOers,dc=wedgeofli,dc=me
# extended LDIF
#
# LDAPv3
# base <dc=wedgeofli,dc=me> (default) with scope subtree
# filter: ou=SUDOers,dc=wedgeofli,dc=me
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
-sh-4.2$ sudo su -
[sudo] password for bretw:
[root@fs1 ~]#

On Thu, Nov 1, 2012 at 7:58 AM, Bret Wortman <bret.wort...@damascusgrp.com> wrote:

> That's got me closer now, as I'm at least getting an error message on
> stdout:
>
> [root@fs1 etc]# more nslcd.conf
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
> bindpw password
>
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
>
> bind_timelimit 5
> timelimit 15
>
> uri ldap://fs1.wedgeofli.me
> sudoers_base ou=SUDOers,dc=wedgeofli,dc=me
> [root@fs1 etc]# sudo su -
> sudo: ldap_sasl_bind_s(): Invalid credentials
> [root@fs1 ~]#
>
> So I'm off to figure out where my credentials are wrong. Thanks again,
> Rob, Stephen & Pavel.
>
>
> Bret
>
> On Wed, Oct 31, 2012 at 2:39 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>
>> Bret Wortman wrote:
>>
>>> [root@fs1 etc]# more /etc/ldap.conf
>>> sudoers_debug: 1
>>> [root@fs1 etc]# ls -l /etc/ldap.conf
>>> -rw-r--r--. 1 root root 17 Oct 19 14:54 /etc/ldap.conf
>>>
>>> Where should I see the extra output? I've had this set since last Friday
>>> and I'm not seeing any difference.
>>>
>>
>> Move the contents of /etc/nslcd.conf to this file and add ldap to sudoers
>> in /etc/nsswitch.conf.
>>
>> rob
>>
>>
>>> On Wed, Oct 31, 2012 at 2:20 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>
>>>     Bret Wortman wrote:
>>>
>>>         F17.
>>>
>>>
>>>     I think you want /etc/ldap.conf then. The easiest way to be sure the
>>>     right file is being used is to add sudoers_debug 1 to the file. This
>>>     will present a lot of extra output so you'll know the file is being
>>>     read.
>>>
>>>     rob
>>>
>>>
>>>         On Wed, Oct 31, 2012 at 2:04 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>
>>>             Bret Wortman wrote:
>>>
>>>                 I had enabled debugging of sudo but am not clear on where that
>>>                 debugging is going. It's not stdout, and I'm not seeing anything in
>>>                 /var/log/messages.
>>>
>>>                 I'll try switching to SSS and see what that gets me.
>>>
>>>
>>>             What distro is this? If it is RHEL 6.3 then put the configuration
>>>             into /etc/sudo-ldap.conf instead of /etc/nslcd. The docs are
>>>             incorrect (we are working on getting them fixed).
>>>
>>>             rob
>>>
>>>
>>>                 On Wed, Oct 31, 2012 at 1:33 PM, Stephen Gallagher <sgall...@redhat.com> wrote:
>>>
>>>                     On Wed 31 Oct 2012 11:53:15 AM EDT, Bret Wortman wrote:
>>>
>>>                         I'm pretty certain there's a painfully simple solution to this that
>>>                         I'm not seeing, but my current configuration isn't picking up the
>>>                         freeipa sudoer rule that I've set.
>>>
>>>                         /etc/nsswitch.conf specifies:
>>>                         sudoers: files ldap
>>>
>>>                         /etc/nslcd.conf contains:
>>>
>>>                         binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
>>>                         bindpw password
>>>
>>>                         ssl start_tls
>>>                         tls_cacertfile /etc/ipa/ca.crt
>>>                         tls_checkpeer yes
>>>
>>>                         bind_timelimit 5
>>>                         timelimit 15
>>>
>>>                         uri ldap://fs1.wedgeofli.me
>>>                         sudoers_base ou=SUDOers,dc=wedgeofli,dc=me
>>>
>>>
>>>                         The sssd_DOMAIN.log file contains this when I try to sudo:
>>>
>>>                         <snip>
>>>
>>>                     The SSSD logs aren't showing anything wrong because they have
>>>                     nothing to do with the execution of the SUDO rules in this
>>>                     situation. All the SSSD is doing is verifying the authentication
>>>                     (when sudo prompts you for your password).
>>>
>>>                     The problem with the rule is most likely happening inside SUDO
>>>                     itself. When you specify 'sudoers: files, ldap' in nsswitch.conf,
>>>                     it's telling SUDO to use its own internal LDAP driver to look up the
>>>                     rules. So you need to check sudo logs to see what's happening
>>>                     (probably you will need to enable debug logging in /etc/sudo.conf).
>>>
>>>                     Recent versions of SUDO (1.8.6 and later) have support for setting
>>>                     'sudoers: files, sss' in nsswitch.conf which DOES use SSSD (1.9.0
>>>                     and later) for lookups (and caching) of sudo rules.
--
Bret Wortman
The Damascus Group
Fairfax, VA
http://bretwortman.com/
http://twitter.com/BretWortman
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
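The thread turns on a handful of client-side settings: which file sudo's LDAP driver actually reads, whether the `sudoers:` line in /etc/nsswitch.conf routes lookups to `ldap` or `sss`, whether the bind credentials are right, and (a point worth noticing in the `ls -l` output above) that moving a `bindpw` line into a mode 0644 /etc/ldap.conf leaves a directory password readable by every local user. The following is an added example, not code from the thread, from FreeIPA or from sudo: a small Python auditor that parses an nslcd/sudo-ldap style file plus nsswitch.conf and reports those problems. The parser, the function names and the sample inputs are mine; the sample config is modelled on the file quoted in the thread with the password replaced by a placeholder, and the file mode is passed in as a number so the check runs offline.

```python
"""Audit a sudo LDAP client configuration of the kind quoted in this thread.

Added example (hypothetical helper, not part of FreeIPA or sudo). Checks:
  * the keys sudo's LDAP driver needs are present (uri, sudoers_base, bind creds)
  * a plain ldap:// URI is paired with 'ssl start_tls', and the peer is verified
  * /etc/nsswitch.conf actually routes sudoers lookups to 'ldap' or 'sss'
  * a file that carries 'bindpw' is not readable by group or other
"""
import stat

REQUIRED_KEYS = ("uri", "sudoers_base", "binddn", "bindpw")


def parse_sudo_ldap_conf(text):
    """Parse 'key value' lines (nslcd / sudo-ldap style).

    '#' starts a comment, keys are case-insensitive, a later duplicate
    overrides an earlier one. Returns a dict of key -> value.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf[key] = value
    return conf


def parse_nsswitch_sudoers(text):
    """Return the list of sources on the 'sudoers:' line of nsswitch.conf."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith("sudoers:"):
            return line.split(":", 1)[1].replace(",", " ").split()
    return []


def audit(sudo_ldap_text, sudo_ldap_mode, nsswitch_text):
    """Return a list of findings (strings); an empty list means nothing to fix.

    sudo_ldap_mode is the permission bits of the file holding sudo_ldap_text,
    e.g. 0o644 for the '-rw-r--r--' shown in the thread.
    """
    findings = []
    conf = parse_sudo_ldap_conf(sudo_ldap_text)

    for key in REQUIRED_KEYS:
        if key not in conf:
            findings.append(f"missing '{key}' in sudo LDAP config")

    uri = conf.get("uri", "")
    if uri.startswith("ldap://") and conf.get("ssl", "").lower() != "start_tls":
        findings.append("plain ldap:// URI without 'ssl start_tls': bind password and rules cross the wire in clear")
    if conf.get("tls_checkpeer", "no").lower() not in ("yes", "true", "on"):
        findings.append("tls_checkpeer is not 'yes': the server certificate is not verified")
    if conf.get("ssl", "").lower() == "start_tls" and "tls_cacertfile" not in conf:
        findings.append("start_tls without tls_cacertfile: no CA to verify the peer against")

    # A bind password in a group- or world-readable file is readable by every local account.
    if "bindpw" in conf and sudo_ldap_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"bindpw present in a file readable by group/other (mode {oct(sudo_ldap_mode)})")

    sources = parse_nsswitch_sudoers(nsswitch_text)
    if not sources:
        findings.append("no 'sudoers:' line in nsswitch.conf: sudo will consult /etc/sudoers only")
    elif not ({"ldap", "sss"} & set(sources)):
        findings.append(f"sudoers sources {sources} include neither 'ldap' nor 'sss': directory rules are never consulted")

    return findings


# Constructed sample modelled on the file quoted in the thread; the password is a placeholder.
SAMPLE_CONF = """\
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
bindpw EXAMPLE-PLACEHOLDER

ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes

bind_timelimit 5
timelimit 15

uri ldap://fs1.wedgeofli.me
sudoers_base ou=SUDOers,dc=wedgeofli,dc=me
"""
SAMPLE_NSSWITCH = "passwd: files sss\nsudoers: files ldap\n"  # constructed

if __name__ == "__main__":
    # 0o644 is the mode the thread shows for /etc/ldap.conf; 0o600 is the fixed case.
    for mode in (0o644, 0o600):
        print(f"mode {oct(mode)}:", audit(SAMPLE_CONF, mode, SAMPLE_NSSWITCH) or "clean")
```

Run it as a script and it reports one finding for the 0644 file (the readable bind password) and none once the mode is 0600; point `audit()` at the real file contents and `os.stat(path).st_mode & 0o777` to check a live host.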