On 11/01/2012 08:26 AM, Bret Wortman wrote:
> To close the loop:
>
> I did the following to clear the credential problem. I suspect that I
> hadn't properly run kinit before doing these steps the first time:
>
> -sh-4.2$ kinit
> Password for br...@wedgeofli.me:
> -sh-4.2$ sudo su -
> sudo: ldap_sasl_bind_s(): Invalid credentials
> [sudo] password for bretw:
> bretw is not in the sudoers file. This incident will be reported.

This seems to suggest that it tries to use the sudoers file instead of LDAP.

> -sh-4.2$ ldapsearch -x ou=SUDOers,dc=wedgeofli,dc=me
> # extended LDIF
> #
> # LDAPv3
> # base <dc=wedgeofli,dc=me> (default) with scope subtree
> # filter: ou=SUDOers,dc=wedgeofli,dc=me
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1

If you used kinit, you can then use -Y GSSAPI to use the Kerberos credential for the authentication.

> -sh-4.2$ ldapsearch ou=SUDOers,dc=wedgeofli,dc=me
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>         additional info: SASL(-4): no mechanism available:
> -sh-4.2$ ldapsearch -x ou=SUDOers,dc=wedgeofli,dc=me
> # extended LDIF
> #
> # LDAPv3
> # base <dc=wedgeofli,dc=me> (default) with scope subtree
> # filter: ou=SUDOers,dc=wedgeofli,dc=me
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
> -sh-4.2$ ldapsearch -D uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me -w password ou=SUDOers,dc=wedgeofli,dc=me
> ldap_bind: Invalid credentials (49)
>
> -sh-4.2$ ldappasswd -Y GSSAPI -S -h fs1.wedgeofli.me uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
> New password:
> Re-enter new password:
> SASL/GSSAPI authentication started
> SASL username: br...@wedgeofli.me
> SASL SSF: 56
> SASL data security layer installed.
> -sh-4.2$ ldapsearch -D uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me -w password ou=SUDOers,dc=wedgeofli,dc=me
> # extended LDIF
> #
> # LDAPv3
> # base <dc=wedgeofli,dc=me> (default) with scope subtree
> # filter: ou=SUDOers,dc=wedgeofli,dc=me
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
> -sh-4.2$ sudo su -
> [sudo] password for bretw:
> [root@fs1 ~]#
>
> On Thu, Nov 1, 2012 at 7:58 AM, Bret Wortman <bret.wort...@damascusgrp.com> wrote:
>
>> That's got me closer now, as I'm at least getting an error message on stdout:
>>
>> [root@fs1 etc]# more nslcd.conf
>> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
>> bindpw password
>>
>> ssl start_tls
>> tls_cacertfile /etc/ipa/ca.crt
>> tls_checkpeer yes
>>
>> bind_timelimit 5
>> timelimit 15
>>
>> uri ldap://fs1.wedgeofli.me
>> sudoers_base ou=SUDOers,dc=wedgeofli,dc=me
>> [root@fs1 etc]# sudo su -
>> sudo: ldap_sasl_bind_s(): Invalid credentials
>> [root@fs1 ~]#
>>
>> So I'm off to figure out where my credentials are wrong. Thanks again, Rob, Stephen & Pavel.
>>
>> Bret
>>
>> On Wed, Oct 31, 2012 at 2:39 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>
>>> Bret Wortman wrote:
>>>> [root@fs1 etc]# more /etc/ldap.conf
>>>> sudoers_debug: 1
>>>> [root@fs1 etc]# ls -l /etc/ldap.conf
>>>> -rw-r--r--. 1 root root 17 Oct 19 14:54 /etc/ldap.conf
>>>>
>>>> Where should I see the extra output? I've had this set since last Friday
>>>> and I'm not seeing any difference.
>>>
>>> Move the contents of /etc/nslcd.conf to this file and add ldap to sudoers in /etc/nsswitch.conf.
>>>
>>> rob
>>>
>>>> On Wed, Oct 31, 2012 at 2:20 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>
>>>>> Bret Wortman wrote:
>>>>>> F17.
>>>>>
>>>>> I think you want /etc/ldap.conf then. The easiest way to be sure the
>>>>> right file is being used is to add sudoers_debug 1 to the file. This
>>>>> will present a lot of extra output so you'll know the file is being read.
>>>>>
>>>>> rob
>>>>>
>>>>>> On Wed, Oct 31, 2012 at 2:04 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>>>
>>>>>>> Bret Wortman wrote:
>>>>>>>> I had enabled debugging of sudo but am not clear on where that
>>>>>>>> debugging is going. It's not stdout, and I'm not seeing anything in
>>>>>>>> /var/log/messages.
>>>>>>>>
>>>>>>>> I'll try switching to SSS and see what that gets me.
>>>>>>>
>>>>>>> What distro is this? If it is RHEL 6.3 then put the configuration
>>>>>>> into /etc/sudo-ldap.conf instead of /etc/nslcd. The docs are
>>>>>>> incorrect (we are working on getting them fixed).
>>>>>>>
>>>>>>> rob
>>>>>>>
>>>>>>>> On Wed, Oct 31, 2012 at 1:33 PM, Stephen Gallagher <sgall...@redhat.com> wrote:
>>>>>>>>
>>>>>>>>> On Wed 31 Oct 2012 11:53:15 AM EDT, Bret Wortman wrote:
>>>>>>>>>> I'm pretty certain there's a painfully simple solution to this that
>>>>>>>>>> I'm not seeing, but my current configuration isn't picking up the
>>>>>>>>>> freeipa sudoer rule that I've set.
>>>>>>>>>>
>>>>>>>>>> /etc/nsswitch.conf specifies:
>>>>>>>>>> sudoers: files ldap
>>>>>>>>>>
>>>>>>>>>> /etc/nslcd.conf contains:
>>>>>>>>>>
>>>>>>>>>> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
>>>>>>>>>> bindpw password
>>>>>>>>>>
>>>>>>>>>> ssl start_tls
>>>>>>>>>> tls_cacertfile /etc/ipa/ca.crt
>>>>>>>>>> tls_checkpeer yes
>>>>>>>>>>
>>>>>>>>>> bind_timelimit 5
>>>>>>>>>> timelimit 15
>>>>>>>>>>
>>>>>>>>>> uri ldap://fs1.wedgeofli.me
>>>>>>>>>> sudoers_base ou=SUDOers,dc=wedgeofli,dc=me
>>>>>>>>>>
>>>>>>>>>> The sssd_DOMAIN.log file contains this when I try to sudo:
>>>>>>>>>>
>>>>>>>>>> <snip>
>>>>>>>>>
>>>>>>>>> The SSSD logs aren't showing anything wrong because they have
>>>>>>>>> nothing to do with the execution of the SUDO rules in this
>>>>>>>>> situation. All the SSSD is doing is verifying the authentication
>>>>>>>>> (when sudo prompts you for your password).
>>>>>>>>>
>>>>>>>>> The problem with the rule is most likely happening inside SUDO
>>>>>>>>> itself. When you specify 'sudoers: files, ldap' in nsswitch.conf,
>>>>>>>>> it's telling SUDO to use its own internal LDAP driver to look up the
>>>>>>>>> rules. So you need to check sudo logs to see what's happening
>>>>>>>>> (probably you will need to enable debug logging in /etc/sudo.conf).
>>>>>>>>>
>>>>>>>>> Recent versions of SUDO (1.8.6 and later) have support for setting
>>>>>>>>> 'sudoers: files, sss' in nsswitch.conf which DOES use SSSD (1.9.0
>>>>>>>>> and later) for lookups (and caching) of sudo rules.
>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Bret Wortman
>>>>>>>>>> The Damascus Group
>>>>>>>>>> Fairfax, VA
>>>>>>>>>> http://bretwortman.com/
>>>>>>>>>> http://twitter.com/BretWortman

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
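The thread turns on three things: which nsswitch source sudo actually uses for sudoers (its built-in LDAP driver for "ldap", SSSD for "sss"), which file that driver reads (/etc/ldap.conf on F17, /etc/sudo-ldap.conf on RHEL 6.3, not /etc/nslcd.conf), and the fact that the bind password for the sudo system account ends up in a world-readable file (the -rw-r--r-- /etc/ldap.conf shown above). The following checker is an added example written for this page; it is not code from the thread, from sudo or from FreeIPA. It parses the "key value" format of sudo's LDAP config and the sudoers line of nsswitch.conf and reports the pitfalls discussed in the thread. The file contents, the permission mode, the DN and the host are constructed placeholders.

```python
"""Lint a sudo-over-LDAP setup the way the thread debugged it.

Added example, not code from the thread or from the sudo/FreeIPA projects.
It reads the 'key value' format of sudo's LDAP config file (/etc/ldap.conf
on F17, /etc/sudo-ldap.conf on RHEL 6.3, per the thread) together with
/etc/nsswitch.conf and reports which sudoers sources sudo will consult and
which of the thread's pitfalls the configuration exhibits. File contents
and modes below are constructed; the DN and host are placeholders.
"""
import re
import stat

# Constructed sample, modelled on the nslcd.conf shown in the thread.
SAMPLE_LDAP_CONF = """\
# sudo LDAP settings (constructed sample)
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=test
bindpw PLACEHOLDER_BIND_PASSWORD
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
uri ldap://ipa.example.test
sudoers_base ou=SUDOers,dc=example,dc=test
"""

# Constructed nsswitch.conf fragment with the 'files ldap' line from the thread.
SAMPLE_NSSWITCH = """\
passwd:     files sss
group:      files sss
sudoers:    files ldap
"""


def sudoers_sources(nsswitch_text):
    """Return the ordered lookup sources for the 'sudoers' database.

    Action tokens such as [NOTFOUND=return] are skipped; an absent line
    means sudo falls back to /etc/sudoers only.
    """
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        db, sep, rest = line.partition(":")
        if sep and db.strip() == "sudoers":
            return [tok for tok in rest.split() if not tok.startswith("[")]
    return []


def parse_ldap_conf(text):
    """Parse 'key value' lines. A trailing colon on the key (the thread's
    'sudoers_debug: 1') is tolerated; keys are lower-cased and a repeated
    key keeps its last value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        key = parts[0].rstrip(":").lower()
        conf[key] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def lint_sudo_ldap(nsswitch_text, ldap_conf_text, ldap_conf_mode):
    """Return (sources, findings). ldap_conf_mode is the permission bits
    (st_mode) of the file holding ldap_conf_text."""
    sources = sudoers_sources(nsswitch_text)
    conf = parse_ldap_conf(ldap_conf_text)
    findings = []

    if not any(src in ("ldap", "sss") for src in sources):
        findings.append("nsswitch: sudoers has no ldap or sss source, so only "
                        "/etc/sudoers is consulted")
    if "sss" in sources:
        findings.append("nsswitch: the sss source needs sudo 1.8.6+ and SSSD 1.9.0+")
    if "ldap" in sources:
        # sudo's own LDAP driver needs at least a server and a search base.
        for key in ("uri", "sudoers_base"):
            if key not in conf:
                findings.append(f"ldap.conf: required key '{key}' is missing")
        # A plaintext bind password must not be readable by group or other.
        if "bindpw" in conf and ldap_conf_mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append("ldap.conf: bindpw is stored in a file readable by "
                            "group or other; restrict it to root")
        if conf.get("ssl") == "start_tls" and conf.get("tls_checkpeer") != "yes":
            findings.append("ldap.conf: start_tls without an explicit "
                            "'tls_checkpeer yes'; set it so the server "
                            "certificate is verified")
        # The thread's trick for proving sudo reads this file at all.
        if "sudoers_debug" not in conf:
            findings.append("ldap.conf: add 'sudoers_debug 1' to confirm that "
                            "sudo reads this file")
    return sources, findings


if __name__ == "__main__":
    # The thread's /etc/ldap.conf was -rw-r--r-- (0644).
    srcs, found = lint_sudo_ldap(SAMPLE_NSSWITCH, SAMPLE_LDAP_CONF, 0o644)
    print("sudoers sources:", " ".join(srcs))
    for item in found:
        print("-", item)
```

Run against the constructed sample with mode 0644 it reports two findings (the group/other-readable bindpw and the missing sudoers_debug); with the file at 0600 and sudoers_debug added it reports none. To use it on a real host, read /etc/nsswitch.conf and the sudo LDAP file for your distro and pass os.stat(path).st_mode as the third argument.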