On 11/08/2012 01:15 PM, William Muriithi wrote:
> FYI
>
> Got it working, credit to JR for pointing out I need to assign a password
> to sudo account on LDAP and use it for binding.

Great to hear!

> Thanks a lot
>
> William
>
> On 8 November 2012 12:11, William Muriithi <william.murii...@gmail.com> wrote:
>> Steven,
>>
>> Thanks for the pointers. I remember finding a post on this, but having
>> problem finding it now
>>> I assume rhel6.3 by the el6 in the rpm....
>>>
>>> 1) Make sure the host and IPA server are fully patched/updated.
>> I am current already
>>
>>> 2) Edit nsswitch.conf to have "sudoers: files ldap" as the last line, may
>>> or may not be there.
>> Done
>>
>>> 3) add lines to /etc/sudo-ldap.conf, takes a recent upgrade/patch of 6.3
>>> for that file to "appear". I'm not at work so I don't have a pastable set
>> Yes, the file was there already. Wonder if you can paste it now.
>> Mine was like this
>>
>> uri ldap://ipa1-yyz-int.example.loc
>>
>> sudoers_base ou=SUDOers,dc=example,dc=loc
>>
>> ssl start_tls
>> tls_checkpeer (yes)
>> tls_cacertfile /etc/ipa/ca.crt
>>
>>
>>> 4) Add "nisdomainname example.com" to /etc/rc.d/rc.local.
>> Done
>>> 5) Add or enable the sudo "connection" user in IPA with a password.
>> ? Lost me here, mind explaining a bit please if you have a chance?
>>> 6) reboot the host
>>>
>>> If it doesn't work set the debug level in sudo-ldap.conf to 2 and re-try to
>>> see the output..restart sssd.
>>>
>> sh-4.1$ sudo less /var/log/secure
>> LDAP Config Summary
>> ===================
>> uri ldap://ipa1-yyz-int.example.loc
>> ldap_version 3
>> sudoers_base ou=SUDOers,dc=example,dc=loc
>> binddn (anonymous)
>> bindpw (anonymous)
>> ssl start_tls
>> tls_checkpeer (no)
>> tls_cacertfile /etc/ipa/ca.crt
>> ===================
>> sudo: ldap_set_option: debug -> 0
>> sudo: ldap_set_option: tls_checkpeer -> 0
>> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
>> sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
>> sudo: ldap_initialize(ld, ldap://ipa1-yyz-int.example.loc)
>> sudo: ldap_set_option: ldap_version -> 3
>> sudo: ldap_start_tls_s() ok
>> sudo: ldap_sasl_bind_s() ok
>> sudo: no default options found in ou=SUDOers,dc=example,dc=loc
>> sudo: ldap search
>> '(|(sudoUser=williamm)(sudoUser=%williamm)(sudoUser=%operations)(sudoUser=ALL))'
>> sudo: ldap search 'sudoUser=+*'
>> sudo: user_matches=0
>> sudo: host_matches=0
>> sudo: sudo_ldap_lookup(0)=0x60
>> [sudo] password for williamm:
>> williamm is not in the sudoers file. This incident will be reported.
>>
>>
>> Thank you again for your help
>>
>> Regards,
>>
>> William
>>> regards
>>> Steven Jones
>>> Technical Specialist - Linux RHCE
>>> Victoria University, Wellington, NZ
>>> 0064 4 463 6272
>>>
>>>
>>>
>>> ________________________________________
>>> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com]
>>> on behalf of William Muriithi [william.murii...@gmail.com]
>>> Sent: Thursday, 8 November 2012 10:28 a.m.
>>> To: freeipa-users@redhat.com
>>> Subject: [Freeipa-users] Managing Sudo through FreeIPA
>>>
>>> Hello
>>>
>>> I have been trying to setup user access through sudo file managed by
>>> FreeIPA and it doesn't seem to be working. I am not sure how to go
>>> about fixing it, but I guess the best place to start is ask what I
>>> should expect the IPA installation script should set up and what
>>> should be done manually
>>>
>>> [root@demo2 wmuriithi]# rpm -qa | grep sssd
>>> sssd-client-1.8.0-32.el6.x86_64
>>> sssd-1.8.0-32.el6.x86_64
>>> [root@demo2 wmuriithi]#
>>>
>>>
>>>
>>> [root@demo2 wmuriithi]# rpm -qa | grep sudo
>>> sudo-1.7.4p5-13.el6_3.x86_64
>>>
>>> The only errors related to sudo that I can find are in the apache error logs
>>>
>>> [Wed Nov 07 13:16:18 2012] [error] ipa: INFO: ad...@example.loc:
>>> sudorule_add_user(u'read_only_viewiers', all=False, raw=False,
>>> version=u'2.34', group=(u'operations',)): SUCCESS
>>> [Wed Nov 07 13:54:44 2012] [error] ipa: ERROR: release_ipa_ccache:
>>> ccache_name (FILE:/var/run/ipa_memcached/krbcc_3988) != KRB5CCNAME
>>> environment variable (FILE:/tmp/krb5cc_apache_NB7pph)
>>> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc:
>>> sudorule_find(None, sizelimit=0, pkey_only=True): SUCCESS
>>> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc:
>>> batch: sudorule_show(u'Full_Access', all=True): SUCCESS
>>> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc:
>>> batch: sudorule_show(u'read_only_viewiers', all=True): SUCCESS
>>> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc:
>>> batch: sudorule_show(u'developers', all=True): SUCCESS
>>> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc:
>>> batch: sudorule_show(u'operation', all=True): SUCCESS
>>> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc:
>>> batch(({u'params': [[u'Full_Access'], {u'all': True}], u'method':
>>> u'sudorule_show'}, {u'params': [[u'read_only_viewiers'], {u'all':
>>> True}], u'method': u'sudorule_show'}, {u'params': [[u'developers'],
>>> {u'all': True}], u'method': u'sudorule_show'}, {u'params':
>>> [[u'operation'], {u'all': True}], u'method': u'sudorule_show'})):
>>> SUCCESS
>>> [Wed Nov 07 13:54:50 2012] [error] ipa: INFO: ad...@example.loc:
>>> sudorule_show(u'read_only_viewiers', rights=True, all=True): SUCCESS
>>>
>>>
>>> I created the user as below and associated it with a group, which I
>>> then allowed to use less for reading file. As you can see below, it
>>> seems not to work.
>>>
>>> Nov 7 16:05:42 demo2 sudo: pam_sss(sudo:auth): authentication
>>> success; logname=williamm uid=0 euid=0 tty=/dev/pts/2 ruser=williamm
>>> rhost= user=williamm
>>> Nov 7 16:05:43 demo2 sudo: williamm : user NOT in sudoers ; TTY=pts/2
>>> ; PWD=/home/wmuriithi ; USER=root ; COMMAND=/usr/bin/less
>>> /var/log/secure
>>>
>>>
>>> - My question is, does the client install script take care of sudo
>>> configuration or is that done manually? I don't see any sudo related
>>> flag on the client installation script.
>>>
>>> - I have tried configuring sssd for sudo use and it didn't go well.
>>> Last time I messed around with LDAP managed sudo, I had to install an
>>> LDAP capable sudo package. The ipa-client install did not install
>>> this package. Does IPA sudo management work differently?
>>>
>>> - Where would I check for logs? I checked sssd logs and they are empty.
>>>
>>> - I am missing the basedn configuration on sssd configuration. From
>>> this bug, it should have been setup by installer, oddly though it was
>>> not setup and the bug is closed. I attempted to fix it by adding the
>>> line below but it makes sudo completely unusable. It could not find
>>> any valid users apparently
>>>
>>> https://fedorahosted.org/freeipa/ticket/932
>>>
>>> ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=loc
>>>
>>> Nov 7 16:05:42 demo2 sudo: pam_sss(sudo:auth): authentication
>>> success; logname=williamm uid=0 euid=0 tty=/dev/pts/2 ruser=williamm
>>> rhost= user=williamm
>>> Nov 7 16:05:43 demo2 sudo: williamm : user NOT in sudoers ; TTY=pts/2
>>> ; PWD=/home/wmuriithi ; USER=root ; COMMAND=/usr/bin/less
>>> /var/log/secure
>>>
>>>
>>> Any pointers on why we are going?
>>>
>>> Thank you a lot in advance.
>>>
>>> William
>>>
>>> ----------------------------
>>> [root@ipa1-yyz-int wmuriithi]# ipa sudocmd-add --desc='For reading log
>>> files' '/usr/bin/less'
>>> ----------------------------------
>>> Added Sudo Command "/usr/bin/less"
>>> ----------------------------------
>>> Sudo Command: /usr/bin/less
>>> Description: For reading log files
>>> [root@ipa1-yyz-int wmuriithi]# ipa sudocmdgroup-add --desc='Read Only
>>> Commands' readonly
>>> -----------------------------------
>>> Added Sudo Command Group "readonly"
>>> -----------------------------------
>>> Sudo Command Group: readonly
>>> Description: Read Only Commands
>>> [root@ipa1-yyz-int wmuriithi]# ipa sudocmdgroup-add-member
>>> --sudocmds='/usr/bin/less' readonly
>>> Sudo Command Group: readonly
>>> Description: Read Only Commands
>>> Member Sudo commands: /usr/bin/less
>>> -------------------------
>>> Number of members added 1
>>> -------------------------
>>> [root@ipa1-yyz-int wmuriithi]# ipa sudorule-add testing_viewiers
>>> -----------------------------------
>>> Added Sudo Rule "testing_viewiers"
>>> -----------------------------------
>>> Rule name: testing_viewiers
>>> Enabled: TRUE
>>> [root@ipa1-yyz-int wmuriithi]# ipa sudorule-add-allow-command
>>> --sudocmdgroups=readonly testing_viewiers
>>> Rule name: testing_viewiers
>>> Enabled: TRUE
>>> Sudo Allow Command Groups: readonly
>>> -------------------------
>>> Number of members added 1
>>> -------------------------
>>> [root@ipa1-yyz-int wmuriithi]# ipa hostgroup-add demo
>>> Description: Demonstration systems
>>> >>> Description: Leading and trailing spaces are not allowed
>>> Description: Demonstration system
>>> ----------------------
>>> Added hostgroup "demo"
>>> ----------------------
>>> Host-group: demo
>>> Description: Demonstration system
>>> [root@ipa1-yyz-int wmuriithi]# ipa hostgroup-add-member
>>> --hosts=demo2.yyz.int.testing.com demo
>>> Host-group: demo
>>> Description: Demonstration system
>>> Member hosts: demo2.yyz.int.testing.com
>>> -------------------------
>>> Number of members added 1
>>> -------------------------
>>> [root@ipa1-yyz-int wmuriithi]# ipa sudorule-add-host --hostgroups=demo
>>> testing_viewiers
>>> Rule name: testing_viewiers
>>> Enabled: TRUE
>>> Host Groups: demo
>>> Sudo Allow Command Groups: readonly
>>> -------------------------
>>> Number of members added 1
>>> -------------------------
>>> [root@ipa1-yyz-int wmuriithi]# ipa sudorule-add-user
>>> --groups=operations testing_viewiers
>>> Rule name: testing_viewiers
>>> Enabled: TRUE
>>> User Groups: operations
>>> Host Groups: demo
>>> Sudo Allow Command Groups: readonly
>>> -------------------------
>>> Number of members added 1
>>> -------------------------
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users@redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
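Steven's six steps and William's "binddn (anonymous) / tls_checkpeer (no)" debug summary above amount to a short client-side checklist. The POSIX shell script below is an added example, not code from this thread or from FreeIPA: it audits a sudo-ldap.conf and nsswitch.conf for the bind account, StartTLS peer verification and the ldap sudoers lookup, and flags a world-readable file that holds bindpw. The hostnames, the binddn, the file paths and the three sample configurations are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit a sudo-ldap.conf and nsswitch.conf
# for the settings Steven's steps and William's debug summary point at.
# Paths, hostnames, the binddn and the sample files below are constructed.

conf_value() {
    # Value of key $2 in file $1; comment lines never match, last one wins.
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Print one line per finding (an empty report means the file passes).
audit_sudo_ldap() {
    conf="$1"; nss="$2"
    for key in uri sudoers_base tls_cacertfile; do
        [ -n "$(conf_value "$conf" "$key")" ] || echo "missing $key"
    done
    # Root cause in the thread: binddn/bindpw unset, so sudo bound
    # anonymously and the sudoUser search matched nothing.
    [ -n "$(conf_value "$conf" binddn)" ] && [ -n "$(conf_value "$conf" bindpw)" ] \
        || echo "binddn/bindpw unset: anonymous bind, no sudo rules visible"
    # The debug summary showed tls_checkpeer (no): the IPA cert went unverified.
    [ "$(conf_value "$conf" ssl)" = start_tls ] || echo "ssl start_tls not set"
    [ "$(conf_value "$conf" tls_checkpeer)" = yes ] || echo "tls_checkpeer not yes"
    # bindpw is a credential, so the file must not be world-readable.
    if [ -n "$(conf_value "$conf" bindpw)" ]; then
        case "$(stat -c %a "$conf" 2>/dev/null || stat -f %Lp "$conf")" in
            *[4567]) echo "$conf is world-readable but holds bindpw" ;;
        esac
    fi
    # Step 2: sudoers must be looked up through ldap.
    grep -Eq '^sudoers:.*ldap' "$nss" || echo "nsswitch.conf lacks 'sudoers: files ldap'"
}

# Constructed samples: 'weak' mirrors the thread's failing setup, 'fixed'
# adds the bind account and peer checking, 'leaky' is 'fixed' left 0644.
# Prints the number of findings for the sample named in $1.
demo_audit() {
    dir=$(mktemp -d)
    printf 'sudoers: files ldap\n' > "$dir/nsswitch.conf"
    printf 'uri ldap://ipa1.example.test\nsudoers_base ou=SUDOers,dc=example,dc=test\nssl start_tls\ntls_cacertfile /etc/ipa/ca.crt\n' \
        | tee "$dir/weak.conf" > "$dir/fixed.conf"
    echo 'tls_checkpeer no' >> "$dir/weak.conf"
    printf 'tls_checkpeer yes\nbinddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=test\nbindpw PLACEHOLDER\n' >> "$dir/fixed.conf"
    cp "$dir/fixed.conf" "$dir/leaky.conf"
    chmod 644 "$dir/weak.conf" "$dir/leaky.conf"; chmod 640 "$dir/fixed.conf"
    audit_sudo_ldap "$dir/$1.conf" "$dir/nsswitch.conf" | wc -l | tr -d ' '
    rm -rf "$dir"
}
```

Running `audit_sudo_ldap /etc/sudo-ldap.conf /etc/nsswitch.conf` on a real host prints the findings directly; `demo_audit weak` reports 2, `demo_audit fixed` 0 and `demo_audit leaky` 1.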