On Wed, Jul 17, 2013 at 03:01:58PM +0000, Tovey, Mark wrote:
> We have sssd-1.5.1-58.el5 and ipa-client-2.1.3-5.el5_9.2 installed.

OK, these are recent enough to support netgroups and the compat tree should
be configured automatically.

> Those came out of the 'latest' repository. We do not have any netgroups
> defined (there is no /etc/netgroup file), so getent does not return anything.

Every hostgroup is automatically translated into a netgroup on the server
side. You said you have some host groups present, so does
"getent netgroup <name-of-hostgroup>" return any netgroup data?

> Thanks,
> -Mark
>
> ________________________________________________________________
> Mark Tovey - UNIX Engineer | Service Strategy & Design
> UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
> mto...@go2uti.com | O / C +1 503 953-1389
>
> -----Original Message-----
> From: Jakub Hrozek [mailto:jhro...@redhat.com]
> Sent: Wednesday, July 17, 2013 1:32 AM
> To: Tovey, Mark
> Cc: d...@redhat.com; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>
> On Tue, Jul 16, 2013 at 09:13:00PM +0000, Tovey, Mark wrote:
> > We are using sssd. The sssd.conf file is mostly unchanged from how it
> > was installed by the ipa-client-install script:
>
> Hi Mark,
>
> you said your client is OEL *5.5* ? The SSSD first appeared in RHEL (and by
> extension OEL) in 5.6. Are you running the version from EPEL? I'm not sure if
> netgroups were even supported in that old version..
>
> What is the output of "rpm -q sssd" and "rpm -q ipa-client" ?
>
> Does getent netgroup <netgroup-name> work?
>
> > [sssd]
> > config_file_version = 2
> > services = nss, pam
> >
> > domains = my_domain.com
> > [nss]
> >
> > [pam]
> >
> > [domain/my_domain.com]
> > cache_credentials = True
> > krb5_store_password_if_offline = True
> > ipa_domain = my_domain.com
> > id_provider = ipa
> > auth_provider = ipa
> > access_provider = ipa
> > chpass_provider = ipa
> > ipa_server = _srv_, ipa_server.my_domain.com
> > ldap_tls_cacert = /etc/ipa/ca.crt
> > debug_level = 6
> >
> > And the nsswitch.conf file:
> >
> > passwd: files sss
> > shadow: files sss
> > group: files sss
> >
> > hosts: files dns
> >
> > bootparams: nisplus [NOTFOUND=return] files
> >
> > ethers: files
> > netmasks: files
> > networks: files
> > protocols: files
> > rpc: files
> > services: files
> >
> > netgroup: files sss
> >
> > publickey: nisplus
> >
> > automount: files ldap
> > aliases: files
> >
> > sudoers: files ldap
> >
> > Thanks,
> > -Mark
> >
> > -----Original Message-----
> > From: freeipa-users-boun...@redhat.com
> > [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
> > Sent: Tuesday, July 16, 2013 12:51 PM
> > To: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
> >
> > On 07/16/2013 02:11 PM, Tovey, Mark wrote:
> > > My environment consists of OEL 5.5 clients with ipa-client-2.1.3 and
> > > the server is OEL 6.4 with ipa-server-3.0.0. We chose these because we
> > > were able to find RPM packages for them. We would prefer to go with the
> > > latest versions, but we did not want to spend the time building
> > > installation packages just yet. Again, we are just evaluating at this
> > > point. So far, so good, except for this one point.
> > > The domain name, host name, and nsswitch.conf files are all properly
> > > configured. But I do not have any netgroups defined (the getent command
> > > doesn't return anything and there is no /etc/netgroup file). After you
> > > asked about that, I started looking into the documentation on netgroups.
> > > The IPA documentation for sudo states that "Identity Management creates
> > > two groups, a visible host group and a shadow netgroup. sudo itself only
> > > supports NIS-style netgroups for group formats." But when I look in the
> > > Netgroups area, I do not see any netgroups defined. I used Apache
> > > Directory Studio to look around the Directory Server, and I can see
> > > "cn=hgroup1,cn=ng,cn=alt,dc=my_domain,dc=com", along with
> > > "cn=hgroup1,cn=hostgroups,cn=accounts,dc=my_domain,dc=com". This seems
> > > to reflect what was stated in the documentation.
> > > But I am still stumped. I cannot get sudo to work with host groups;
> > > I have to directly add each server to the sudo rule.
> > > Thanks,
> > > -Mark
> >
> > So it seems that the first thing you need to do is to make sure your
> > netgroups work.
> > If domain and host are properly set then it might be the wrong base in your
> > LDAP search for the netgroups.
> > Are you using SSSD for netgroups or something else?
> > Can you please share your sssd.conf and the area where it configures netgroups?
> > Also, is sss in the nsswitch.conf for the netgroups map?
> >
> > > -----Original Message-----
> > > From: Martin Kosek [mailto:mko...@redhat.com]
> > > Sent: Tuesday, July 16, 2013 12:34 AM
> > > To: Tovey, Mark
> > > Cc: Steven Jones; James Hogarth; Freeipa-users@redhat.com; Pavel Brezina
> > > Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
> > >
> > > Just checking, did you try the troubleshooting hints from JR I found at the
> > > top of the thread? I did not find any information about that.
> > >
> > > ~~~~
> > > Can you confirm the output of the following commands:
> > > 1. $ domainname
> > >    * does it match your domain?
> > > 2. $ hostname
> > >    * does it match your fqdn?
> > > 3. $ getent netgroup esolutions-sandbox-hosts
> > >    * does this list your host?
> > > 4. Does /etc/nsswitch.conf contain the line: "netgroup: files sss"?
> > >
> > > Another important Sudo Troubleshooting step is to edit:
> > > /etc/sudo-ldap.conf (or /etc/ldap.conf, depending on what version of
> > > RHEL/Sudo you're running):
> > >
> > > At the top, add the line: sudoers_debug 2
> > >
> > > Then try another sudo command. sudo -l for example.
> > > ~~~~
> > >
> > > For example, it would help to know that the netgroup list (step 3) works or
> > > domainname is set correctly (step 1).
> > >
> > > Martin
> > >
> > > On 07/16/2013 06:09 AM, Tovey, Mark wrote:
> > >> Okay, I stopped sssd on the client and deleted the cache files,
> > >> removed the sudo rule, started sssd and verified that the rule was
> > >> gone, stopped sssd and deleted the files again, added the rule back
> > >> in, restarted sssd, and still it does not work. One note, when I
> > >> enter the hosts into the sudo rule in place of the host group, the
> > >> effect is immediate; I do not need to restart sssd. And the
> > >> opposite is true too: if I put the host group back, the rule
> > >> immediately stops working. I don't think the issue is cache
> > >> related; it seems to be something else. The serv_account that we are
> > >> accessing with the sudo rule is external. I wouldn't expect that to
> > >> matter, but perhaps it does?
> > >>
> > >> I like your idea for the labels; they make sense. Right now we
> > >> are just evaluating this to see if we want to go this route. So
> > >> far we like it, but this could be a problem because we have
> > >> several hundred hosts that we need to manage. Having to enter each one
> > >> individually will be problematic.
> > >>
> > >> Thanks,
> > >>
> > >> -Mark
> > >>
> > >> *From:* Steven Jones [mailto:steven.jo...@vuw.ac.nz]
> > >> *Sent:* Monday, July 15, 2013 4:44 PM
> > >> *To:* Tovey, Mark; James Hogarth
> > >> *Cc:* Freeipa-users@redhat.com
> > >> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
> > >>
> > >> option b) delete the rule totally and redo it from scratch.
> > >>
> > >> I label rules like this,
> > >>
> > >> hb-xxxx for a hbac rule
> > >> su-xxxx for a sudo rule
> > >> sc-xxxx for a sudo command group
> > >> ug-xxxx for a user group
> > >> hg-xxxx for a host group
> > >> etc
> > >> etc
> > >>
> > >> It makes the logic easier when you go into the command line, which I
> > >> find easier to trace with than the gui at times.
> > >>
> > >> regards
> > >>
> > >> Steven Jones
> > >> Technical Specialist - Linux RHCE
> > >> Victoria University, Wellington, NZ
> > >> 0064 4 463 6272
> > >>
> > >> ----------------------------------------------------------------------------
> > >> *From:* Tovey, Mark [mto...@go2uti.com]
> > >> *Sent:* Tuesday, 16 July 2013 11:34 a.m.
> > >> *To:* Steven Jones; James Hogarth
> > >> *Cc:* Freeipa-users@redhat.com
> > >> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
> > >>
> > >> That didn't work either. I set up the host group in my sudo
> > >> rule, stopped sssd, renamed /var/lib/sss/db and created a new db
> > >> directory, then restarted sssd. New files were created in the db
> > >> directory, but it still refuses to work unless the hosts are directly
> > >> specified in the sudo rule.
> > >>
> > >> Thanks,
> > >>
> > >> -Mark
> > >>
> > >> *From:* Steven Jones [mailto:steven.jo...@vuw.ac.nz]
> > >> *Sent:* Monday, July 15, 2013 4:15 PM
> > >> *To:* Tovey, Mark; James Hogarth
> > >> *Cc:* Freeipa-users@redhat.com
> > >> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
> > >>
> > >> Hi,
> > >>
> > >> This is a known issue I've suffered a long time with. What would be
> > >> interesting is adding another host to the host group could well
> > >> work fine, that will really make you bang your head against the wall..
> > >>
> > >> 2 possibilities, stop the sssd daemon on the problem host, delete
> > >> its cache and start it, that might fix it.
> > >>
> > >> Otherwise best to,
> > >>
> > >> All RH support could come up with is delete the HBAC rule, sudo
> > >> rule, user group and host group and re-do it, then it will probably work
> > >> fine.
> > >>
> > >> regards
> > >>
> > >> Steven Jones
> > >>
> > >> ----------------------------------------------------------------------------
> > >> *From:* freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com]
> > >> on behalf of Tovey, Mark [mto...@go2uti.com]
> > >> *Sent:* Tuesday, 16 July 2013 10:54 a.m.
> > >> *To:* James Hogarth
> > >> *Cc:* Freeipa-users@redhat.com
> > >> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
> > >>
> > >> I checked that and it is set correctly:
> > >>
> > >> [user1@host1 ~]$ nisdomainname
> > >> my_domain.com
> > >>
> > >> If I try to run a command with the hosts specified indirectly
> > >> through a host group, it fails:
> > >>
> > >> [user1@host1 ~]$ sudo -i -u serv_account
> > >> LDAP Config Summary
> > >> ===================
> > >> uri ldap://ipa_server.my_domain.com
> > >> ldap_version 3
> > >> sudoers_base ou=SUDOers,dc=my_domain,dc=com
> > >> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
> > >> bindpw **********
> > >> bind_timelimit 5000
> > >> timelimit 15
> > >> ssl start_tls
> > >> tls_checkpeer (yes)
> > >> tls_cacertfile /etc/ipa/ca.crt
> > >> ===================
> > >> sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
> > >> sudo: ldap_set_option: debug -> 0
> > >> sudo: ldap_set_option: ldap_version -> 3
> > >> sudo: ldap_set_option: tls_checkpeer -> 1
> > >> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
> > >> sudo: ldap_set_option: timelimit -> 15
> > >> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
> > >>
> > >> sudo: ldap_start_tls_s() ok
> > >> sudo: ldap_sasl_bind_s() ok
> > >> sudo: no default options found!
> > >> sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
> > >> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
> > >> sudo: ldap sudoHost '+hgroup1' ... not
> > >> sudo: ldap search 'sudoUser=+*'
> > >> sudo: user_matches=1
> > >> sudo: host_matches=0
> > >> sudo: sudo_ldap_lookup(0)=0x40
> > >> [sudo] password for user1:
> > >> Sorry, try again.
> > >> [sudo] password for user1:
> > >> sudo: 1 incorrect password attempt
> > >>
> > >> But if I remove the host group from the sudo rule and directly
> > >> add the hosts that were in the host group, it works fine:
> > >>
> > >> <snip>
> > >>
> > >> sudo: ldap_start_tls_s() ok
> > >> sudo: ldap_sasl_bind_s() ok
> > >> sudo: no default options found!
> > >> sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
> > >> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
> > >> sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
> > >> sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
> > >> sudo: ldap sudoCommand 'ALL' ... MATCH!
> > >> sudo: Command allowed
> > >> sudo: user_matches=1
> > >> sudo: host_matches=1
> > >> sudo: sudo_ldap_lookup(0)=0x02
> > >> [sudo] password for user1:
> > >> [serv_account@host1 ~]$
> > >>
> > >> So something isn't lining up correctly with host groups in sudo
> > >> rules somewhere. I just haven't been able to track it down.
> > >>
> > >> Thanks,
> > >>
> > >> -Mark
> > >>
> > >> *From:* James Hogarth [mailto:james.hoga...@gmail.com]
> > >> *Sent:* Monday, July 15, 2013 1:11 PM
> > >> *To:* Tovey, Mark
> > >> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
> > >>
> > >>> Did anyone find a solution for this? I am having the same
> > >>> experience.
> > >>
> > >> Wow that was a mess...
> > >>
> > >> To use hostgroups for sudo ensure nisdomainname is set on the hosts
> > >> to the IPA domain.
> > >>
> > >> _______________________________________________
> > >> Freeipa-users mailing list
> > >> Freeipa-users@redhat.com
> > >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >
> > --
> > Thank you,
> > Dmitri Pal
> >
> > Sr. Engineering Manager for IdM portfolio Red Hat Inc.
> >
> > -------------------------------
> > Looking to carve out IT costs?
> > www.redhat.com/carveoutcosts/
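The troubleshooting list quoted in the thread (domainname, hostname, getent netgroup, nsswitch.conf) and James's point that nisdomainname must equal the IPA domain can be turned into a repeatable client-side check. The script below is an added example written for this page; it is not from the thread or from the FreeIPA or SSSD projects. It assumes that "getent netgroup <hostgroup>" prints the glibc form `<netgroup> (host,user,domain) (host,user,domain) ...`, and its matching rule (host field equal to the FQDN, domain field empty or equal to nisdomainname) is a deliberately simplified model of innetgr(3), not sudo's own matching code. The netgroup, host and domain names (hgroup1, host1.my_domain.com, my_domain.com) are the ones used in the thread; the sample data is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: encode the four troubleshooting
# checks as functions that can be exercised on constructed input, then run
# them live with:  sh check_sudo_netgroups.sh --live my_domain.com hgroup1
#
# Assumption: "getent netgroup NAME" prints
#     NAME (host,user,domain) (host,user,domain) ...
# Assumption: the triple-matching rule below is a simplified stand-in for
# innetgr(3): the host field must equal the FQDN and the domain field must be
# empty (wildcard) or equal to the client's NIS domain name.

# Return 0 if $2 (this host's FQDN) appears as the host of a triple in the
# getent line $1 whose domain field is compatible with the NIS domain $3.
netgroup_contains_host() {
    ng_line=$1 fqdn=$2 nisdomain=$3
    for triple in $ng_line; do
        case $triple in
            "("*) ;;            # a (host,user,domain) triple: examine it
            *) continue ;;      # the leading netgroup name: skip it
        esac
        body=${triple#\(}; body=${body%\)}
        host=${body%%,*}
        domain=${body##*,}
        if [ "$host" = "$fqdn" ]; then
            if [ -z "$domain" ] || [ "$domain" = "$nisdomain" ]; then
                return 0
            fi
        fi
    done
    return 1
}

# Return 0 if the nsswitch.conf text in $1 has an uncommented netgroup line
# that lists "sss" as one of its sources (step 4 of the list).
nsswitch_netgroup_uses_sss() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*netgroup:([[:space:]]+[^[:space:]]+)*[[:space:]]+sss([[:space:]]|$)'
}

# Step 1: the NIS domain name must be set and equal to the IPA domain.
nisdomain_matches_ipa_domain() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# Step 2: the hostname must be an FQDN inside the IPA domain.
hostname_is_fqdn_in_domain() {
    case $1 in
        *."$2") return 0 ;;
        *) return 1 ;;
    esac
}

# Run the checks against the local host; stop at the first failure so the
# output names the step that needs attention.
run_live_checks() {
    ipa_domain=$1 netgroup=$2
    nisdomain=$(nisdomainname 2>/dev/null || domainname)
    fqdn=$(hostname)
    nisdomain_matches_ipa_domain "$nisdomain" "$ipa_domain" ||
        { echo "1. nisdomainname is '$nisdomain', expected '$ipa_domain'"; return 1; }
    hostname_is_fqdn_in_domain "$fqdn" "$ipa_domain" ||
        { echo "2. hostname '$fqdn' is not an FQDN in $ipa_domain"; return 1; }
    ng_line=$(getent netgroup "$netgroup") ||
        { echo "3. getent netgroup $netgroup returned nothing (compat tree / sss lookup)"; return 1; }
    netgroup_contains_host "$ng_line" "$fqdn" "$nisdomain" ||
        { echo "3. $fqdn is not in netgroup $netgroup for domain '$nisdomain'"; return 1; }
    nsswitch_netgroup_uses_sss "$(cat /etc/nsswitch.conf)" ||
        { echo "4. /etc/nsswitch.conf has no 'netgroup: files sss' line"; return 1; }
    echo "all four checks passed for $fqdn in $netgroup"
}

# Constructed sample data standing in for live command output.
SAMPLE_NETGROUP='hgroup1 (host1.my_domain.com,-,my_domain.com) (host2.my_domain.com,-,my_domain.com)'
SAMPLE_NSSWITCH='passwd: files sss
netgroup: files sss
sudoers: files ldap'

if [ "$1" = "--live" ]; then
    run_live_checks "${2:-my_domain.com}" "${3:-hgroup1}"
fi
```

The interesting case is the third check: a host that is listed in the netgroup still fails when the client's NIS domain name is unset ("(none)") or differs from the domain field the compat tree emits, which is the situation James's reply describes.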