Re: [Freeipa-users] sudo rules user and host group bugs?

[Tovey, Mark]

    Okay, I stopped sssd on the client and deleted the cache files, removed the 
sudo rule, started sssd and verified that the rule was gone, stopped sssd and 
deleted the files again, added the rule back in, restarted sssd, and still it 
does not work.  One note, when I enter the hosts into the sudo rule in place of 
the host group, the effect is immediate; I do not need to restart sssd.  And 
the opposite is true too: if I put the host group back, the rule immediately 
stops working.  I don't think the issue is cache related; it seems to be 
something else.  The serv_account that we are accessing with the sudo rule is 
external.  I wouldn't expect that to matter, but perhaps it does?

    I like your idea for the labels; they make sense.  Right now we are just 
evaluating this to see if we want to go this route.  So far we like it, but 
this could be a problem because we have a several hundred hosts that we need to 
manage.  Having to enter each one individually will be problematic.
    Thanks,
    -Mark


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon 
| 97204 | USA
mto...@go2uti.com<mailto:mto...@go2uti.com> | O / C +1 503 953-1389 | Skype: 
mark.tovey2

From: Steven Jones [mailto:steven.jo...@vuw.ac.nz]
Sent: Monday, July 15, 2013 4:44 PM
To: Tovey, Mark; James Hogarth
Cc: Freeipa-users@redhat.com
Subject: RE: [Freeipa-users] sudo rules user and host group bugs?

option b) delete the rule totally and redo it from scratch.

I label rules like this,

hb-xxxx   for a hbac rule

su-xxxx for a sudo rule

sc-xxxx for a sudo command group

ug-xxxx for a user group

hg-xxxx for a host groups

etc

etc

It makes the logic easier when you go into command line which I find easier to 
trace with than the gui at time.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________
From: Tovey, Mark [mto...@go2uti.com]
Sent: Tuesday, 16 July 2013 11:34 a.m.
To: Steven Jones; James Hogarth
Cc: Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
Subject: RE: [Freeipa-users] sudo rules user and host group bugs?

    That didn't work either.  I set up the host group in my sudo rule, stopped 
sssd, renamed /var/lib/sss/db and created a new db directory, then restarted 
sssd.  New files were created in the db directory, but it still refuses to work 
unless the hosts are directly specified in the sudo rule.
    Thanks,
    -Mark


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon 
| 97204 | USA
mto...@go2uti.com<mailto:mto...@go2uti.com> | O / C +1 503 953-1389 | Skype: 
mark.tovey2

From: Steven Jones [mailto:steven.jo...@vuw.ac.nz]
Sent: Monday, July 15, 2013 4:15 PM
To: Tovey, Mark; James Hogarth
Cc: Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
Subject: RE: [Freeipa-users] sudo rules user and host group bugs?

Hi,

This is a known issue Ive suffered a long time with.  What would be interesting 
is adding another host to the host group could well work fine, that will really 
make you bang your head against the wall..

2 possibilities, stop the sssd daemon on the problem host, delete its cache and 
start it, that might fix it.

Otherwise best to,

All RH support could come up with is delete the HBAC rule, sudo rule, user 
group and host group and re-do it, then it will probably work fine.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________
From: freeipa-users-boun...@redhat.com<mailto:freeipa-users-boun...@redhat.com> 
[freeipa-users-boun...@redhat.com] on behalf of Tovey, Mark [mto...@go2uti.com]
Sent: Tuesday, 16 July 2013 10:54 a.m.
To: James Hogarth
Cc: Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?


    I checked that and it is set correctly:

[user1@host1 ~]$ nisdomainname
my_domain.com

    If I try to run a command with the hosts specified indirectly through a 
host group, it fails:

[user1@host1 ~]$ sudo -i -u serv_account
LDAP Config Summary
===================
uri              ldap://ipa_server.my_domain.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=my_domain,dc=com
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
bindpw           **********
bind_timelimit   5000
timelimit        15
ssl              start_tls
tls_checkpeer    (yes)
tls_cacertfile   /etc/ipa/ca.crt
===================
sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)

sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search 
'(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
sudo: ldap sudoHost '+hgroup1' ... not
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x40
[sudo] password for user1:
Sorry, try again.
[sudo] password for user1:
sudo: 1 incorrect password attempt


    But if I remove the host group from the sudo rule and directly add the 
hosts that were in the host group, it works fine:

<snip>

sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search 
'(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for user1:
[serv_account@host1 ~]$


    So something isn't lining up correctly with host groups in sudo rules 
somewhere.  I just haven't been able to track it down.
    Thanks,
    -Mark



________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon 
| 97204 | USA
mto...@go2uti.com<mailto:mto...@go2uti.com> | O / C +1 503 953-1389 | Skype: 
mark.tovey2

From: James Hogarth [mailto:james.hoga...@gmail.com]
Sent: Monday, July 15, 2013 1:11 PM
To: Tovey, Mark
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?


>
>
>     Did anyone find a solution for this?  I am having the same experience.
>
>
>

Wow that was a mess...

To use hostgroups for sudo ensure nisdomainname is set on the hosts to the IPA 
domain.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users