On 07/17/2013 06:39 PM, Tovey, Mark wrote:

     Okay, I get it (pardon my obtuseness).

     host1-> getent netgroup hgroup1
     hgroup1                   (host1.my_domain.com, -, my_domain.com)

     So netgroups are working.  The host group is defined in IPA and getent is 
able to access that information.
     Thanks,
     -Mark

Hi,
can you also paste the output of following commands please?

$ nisdomainname
$ rpm -q sudo

Thanks,
Pavel.



________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
mto...@go2uti.com | O / C +1 503 953-1389


-----Original Message-----
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent: Wednesday, July 17, 2013 8:58 AM
To: Tovey, Mark
Cc: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?

On Wed, Jul 17, 2013 at 03:01:58PM +0000, Tovey, Mark wrote:

     We have sssd-1.5.1-58.el5 and ipa-client-2.1.3-5.el5_9.2 installed.

OK, these are recent enough to support netgroups and the compat tree should be 
configured automatically.

Those came out of the 'latest' repository.  We do not have any netgroups 
defined (there is no /etc/netgroup file), so getent does not return anything.

Every hostgroup is automatically translated into a netgroup on the server side. You said 
you have some host groups present, so does "getent netgroup <name-of-hostgroup>" 
return any netgroup data?

     Thanks,
     -Mark



________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
mto...@go2uti.com | O / C +1 503 953-1389


-----Original Message-----
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent: Wednesday, July 17, 2013 1:32 AM
To: Tovey, Mark
Cc: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?

On Tue, Jul 16, 2013 at 09:13:00PM +0000, Tovey, Mark wrote:


     We are using sssd. The sssd.conf file is mostly unchanged from how it was 
installed by the ipa-client-install script:

Hi Mark,

you said your client is OEL *5.5*? The SSSD first appeared in RHEL (and by 
extension OEL) in 5.6. Are you running the version from EPEL? I'm not sure if 
netgroups were even supported in that old version.

What is the output of "rpm -q sssd" and "rpm -q ipa-client" ?

Does getent netgroup <netgroup-name> work?


[sssd]
config_file_version = 2
services = nss, pam

domains = my_domain.com
[nss]

[pam]

[domain/my_domain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = my_domain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, ipa_server.my_domain.com
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 6


     And the nsswitch.conf file:

passwd:     files sss
shadow:     files sss
group:      files sss

hosts:      files dns

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files sss

publickey:  nisplus

automount:  files ldap
aliases:    files

sudoers:    files ldap

     Thanks,
     -Mark



________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2


-----Original Message-----
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Tuesday, July 16, 2013 12:51 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?

On 07/16/2013 02:11 PM, Tovey, Mark wrote:
     My environment consists of OEL 5.5 clients with ipa-client-2.1.3 and the 
server is OEL 6.4 with ipa-server-3.0.0.  We chose these because we were able 
to find RPM packages for them.  We would prefer to go with the latest versions, 
but we did not want to spend the time building installation packages just yet.  
Again, we are just evaluating at this point.  So far, so good, except for this 
one point.
     The domain name, host name, and nsswitch.conf files are all properly configured.  But I do not have any 
netgroups defined (the getent command doesn't return anything and there is no /etc/netgroup file).  After you 
asked about that, I started looking into the documentation on netgroups.  The IPA documentation for sudo 
states that "Identity Management creates two groups, a visible host group and a shadow netgroup. sudo 
itself only supports NIS-style netgroups for group formats."  But when I look in the Netgroups area, I 
do not see any netgroups defined.  I used Apache Directory Studio to look around the Directory Server, and I 
can see "cn=hgroup1,cn=ng,cn=alt,dc=my_domain,dc=com", along with 
"cn=hgroup1,cn=hostgroups,cn=accounts,dc=my_domain,dc=com".  This seems to reflect what was stated 
in the documentation.
     But I am still stumped.  I cannot get sudo to work with host groups; I 
have to directly add each server to the sudo rule.
     Thanks,
     -Mark

So it seems that the first thing you need to do is to make sure your 
netgroups work.
If domain and host are properly set then it might be the wrong base in your 
LDAP search for the netgroups.
Are you using SSSD for netgroups or something else?
Can you please share your sssd.conf and area where it configures netgroups?
Also is sss in the nsswitch.conf for netgroups map?



________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2

-----Original Message-----
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Tuesday, July 16, 2013 12:34 AM
To: Tovey, Mark
Cc: Steven Jones; James Hogarth; Freeipa-users@redhat.com; Pavel
Brezina
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?

Just checking, did you try the troubleshooting hints from JR I found at the top of 
the thread? I did not find any information about that.

~~~~
Can you confirm that the output of the following commands:
1. $ domainname
* does it match your domain?
2. $ hostname
* does it match your FQDN?
3. $ getent netgroup esolutions-sandbox-hosts
* does this list your host?
4. Does /etc/nsswitch.conf contain the line: "netgroup:   files sss"?


Another important Sudo Troubleshooting step is to edit: /etc/sudo-ldap.conf (or 
/etc/ldap.conf, depending on what version of RHEL/Sudo you're running):

At the top, add the line: sudoers_debug 2

Then try another sudo command. sudo -l for example.
~~~~

For example, it would help to know that netgroup list (step 3) works or 
domainname is set correctly (step 1).

Martin
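The four checks in the checklist above, written as an added example (this is not code from the thread or from the FreeIPA project) as POSIX sh functions that take their inputs as arguments, so they can be exercised offline on constructed sample data and, with the hypothetical `--live <ipa-domain> <host-group>` arguments, against the real host. The getent line and nsswitch.conf snippet at the bottom are constructed to mirror the values quoted in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): the netgroup/sudo checklist as
# testable functions. Sample data at the bottom is constructed.

# Does one line of `getent netgroup <name>` output list $2 as a host member?
# Members are (host,user,domain) triples; getent already flattens nested
# netgroups, so only the parenthesised triples need to be inspected.
netgroup_contains_host() {
    printf '%s\n' "$1" | awk -v want="$2" '
        {
            while (match($0, /\([^)]*\)/)) {
                triple = substr($0, RSTART + 1, RLENGTH - 2)
                split(triple, f, ",")
                gsub(/[ \t]/, "", f[1])     # strip the padding getent prints
                if (f[1] == want) found = 1
                $0 = substr($0, RSTART + RLENGTH)
            }
        }
        END { exit (found ? 0 : 1) }'
}

# Does the nsswitch.conf content in $1 route the netgroup map through sss?
nsswitch_netgroup_uses_sss() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        $1 == "netgroup:" { for (i = 2; i <= NF; i++) if ($i == "sss") ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Run all checks; prints one line per check, returns the number of failures.
# $1 nisdomainname output, $2 IPA domain, $3 hostname output,
# $4 getent netgroup line for the host group, $5 nsswitch.conf content
sudo_netgroup_checklist() {
    fails=0
    if [ "$1" = "$2" ]; then echo "ok   nisdomainname is $1"
    else echo "FAIL nisdomainname '$1' does not match IPA domain '$2'"; fails=$((fails + 1)); fi

    case $3 in
        *.*) echo "ok   hostname '$3' is fully qualified" ;;
        *)   echo "FAIL hostname '$3' is not an FQDN"; fails=$((fails + 1)) ;;
    esac

    if netgroup_contains_host "$4" "$3"; then echo "ok   netgroup lists $3"
    else echo "FAIL netgroup does not list $3 (a sudoHost '+group' entry cannot match)"; fails=$((fails + 1)); fi

    if nsswitch_netgroup_uses_sss "$5"; then echo "ok   nsswitch.conf: netgroup map uses sss"
    else echo "FAIL nsswitch.conf: netgroup map does not include sss"; fails=$((fails + 1)); fi
    return $fails
}

# Constructed sample data modelled on the values quoted in this thread.
SAMPLE_GETENT='hgroup1                   (host1.my_domain.com, -, my_domain.com)'
SAMPLE_NSSWITCH='passwd:     files sss
netgroup:   files sss
sudoers:    files ldap'

if [ "${1:-}" = "--live" ]; then
    # Hypothetical arguments: $2 = IPA domain, $3 = host group name.
    sudo_netgroup_checklist "$(nisdomainname)" "$2" "$(hostname)" \
        "$(getent netgroup "$3")" "$(cat /etc/nsswitch.conf)"
else
    echo "# expected to pass:"
    sudo_netgroup_checklist my_domain.com my_domain.com host1.my_domain.com \
        "$SAMPLE_GETENT" "$SAMPLE_NSSWITCH" || :
    echo "# the symptom discussed in this thread, nisdomainname unset:"
    sudo_netgroup_checklist "(none)" my_domain.com host1.my_domain.com \
        "$SAMPLE_GETENT" "$SAMPLE_NSSWITCH" || :
fi
```

The host-match check uses the FQDN as both the hostname and the netgroup lookup key because that is what sudo's LDAP backend compares a `+group` sudoHost against through the netgroup map; a short hostname or an unset NIS domain fails here just as the `host_matches=0` in the debug output further down does.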


On 07/16/2013 06:09 AM, Tovey, Mark wrote:


     Okay, I stopped sssd on the client and deleted the cache
files, removed the sudo rule, started sssd and verified that the
rule was gone, stopped sssd and deleted the files again, added
the rule back in, restarted sssd, and still it does not work.
One note, when I enter the hosts into the sudo rule in place of
the host group, the effect is immediate; I do not need to restart
sssd.  And the opposite is true too: if I put the host group
back, the rule immediately stops working.  I don't think the
issue is cache related; it seems to be something else.  The serv_account that 
we are accessing with the sudo rule is external.  I wouldn't expect that to 
matter, but perhaps it does?



     I like your idea for the labels; they make sense.  Right now
we are just evaluating this to see if we want to go this route.
So far we like it, but this could be a problem because we have
several hundred hosts that we need to manage.  Having to enter each one 
individually will be problematic.

     Thanks,

     -Mark






*From:*Steven Jones [mailto:steven.jo...@vuw.ac.nz]
*Sent:* Monday, July 15, 2013 4:44 PM
*To:* Tovey, Mark; James Hogarth
*Cc:* Freeipa-users@redhat.com
*Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?



option b) delete the rule totally and redo it from scratch.

I label rules like this,

hb-xxxx   for a hbac rule

su-xxxx for a sudo rule

sc-xxxx for a sudo command group

ug-xxxx for a user group

hg-xxxx for a host groups

etc

etc

It makes the logic easier when you go into the command line, which I
find easier to trace with than the GUI at times.



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

------------------------------------------------------------------------

*From:*Tovey, Mark [mto...@go2uti.com]
*Sent:* Tuesday, 16 July 2013 11:34 a.m.
*To:* Steven Jones; James Hogarth
*Cc:* Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
*Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?



     That didn't work either.  I set up the host group in my sudo
rule, stopped sssd, renamed /var/lib/sss/db and created a new db
directory, then restarted sssd.  New files were created in the db
directory, but it still refuses to work unless the hosts are directly specified 
in the sudo rule.

     Thanks,

     -Mark






*From:*Steven Jones [mailto:steven.jo...@vuw.ac.nz]
*Sent:* Monday, July 15, 2013 4:15 PM
*To:* Tovey, Mark; James Hogarth
*Cc:* Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
*Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?



Hi,

This is a known issue I've suffered a long time with.  What would
be interesting is that adding another host to the host group could
well work fine; that will really make you bang your head against the wall.

Two possibilities: stop the sssd daemon on the problem host, delete
its cache and start it; that might fix it.

Otherwise, best to:

All RH support could come up with is delete the HBAC rule, sudo
rule, user group and host group and re-do it, then it will probably work fine.



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

------------------------------------------------------------------------

*From:*freeipa-users-boun...@redhat.com
<mailto:freeipa-users-boun...@redhat.com>
[freeipa-users-boun...@redhat.com] on behalf of Tovey, Mark
[mto...@go2uti.com]
*Sent:* Tuesday, 16 July 2013 10:54 a.m.
*To:* James Hogarth
*Cc:* Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
*Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?





     I checked that and it is set correctly:



[user1@host1 ~]$ nisdomainname
my_domain.com



     If I try to run a command with the hosts specified indirectly
through a host group, it fails:



[user1@host1 ~]$ sudo -i -u serv_account
LDAP Config Summary
===================
uri              ldap://ipa_server.my_domain.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=my_domain,dc=com
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
bindpw           **********
bind_timelimit   5000
timelimit        15
ssl              start_tls
tls_checkpeer    (yes)
tls_cacertfile   /etc/ipa/ca.crt
===================
sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
sudo: ldap sudoHost '+hgroup1' ... not
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x40
[sudo] password for user1:
Sorry, try again.
[sudo] password for user1:
sudo: 1 incorrect password attempt





     But if I remove the host group from the sudo rule and
directly add the hosts that were in the host group, it works fine:



<snip>
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for user1:
[serv_account@host1 ~]$





     So something isn't lining up correctly with host groups in
sudo rules somewhere.  I just haven't been able to track it down.

     Thanks,

     -Mark








*From:*James Hogarth [mailto:james.hoga...@gmail.com]
*Sent:* Monday, July 15, 2013 1:11 PM
*To:* Tovey, Mark
*Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?






     Did anyone find a solution for this?  I am having the same experience.



Wow that was a mess...

To use hostgroups for sudo ensure nisdomainname is set on the
hosts to the IPA domain.



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users




--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/






