Re: [Freeipa-devel] ipa-client-sudo

2011-02-19 Thread Simo Sorce
On Fri, 18 Feb 2011 23:09:21 -0500
Adam Young ayo...@redhat.com wrote:

> Here's a rough hack.  It follows the steps in the test script. I
> tested it out and it works.

Truly a hack :)

Just one thing: do not change rc.local, it's wrong. If you really need
to set the NIS domain (what for?), then you set it like this:
NISDOMAIN=example.com
in /etc/sysconfig.network

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] ipa-client-sudo

2011-02-19 Thread JR Aquino
On 2/19/11 7:33 AM, Simo Sorce sso...@redhat.com wrote:

> On Fri, 18 Feb 2011 23:09:21 -0500
> Adam Young ayo...@redhat.com wrote:
>
> > Here's a rough hack.  It follows the steps in the test script. I
> > tested it out and it works.
>
> Truly a hack :)

More specifically:

The script looks like it will functionally address RHEL6 + Fedora 14/15.
You'll want to be mindful of systems that need to use nss_ldap.conf due to
incompatibility with SSSD. (I believe in RHEL5 ipa-client-install actually
configures nss_ldap and not SSSD.)
The script, as it is, will stomp on the contents of the nss_ldap.conf file.



> Just one thing, do not change rc.local, it's wrong, if you really need
> to set the NIS domain (what for ?)

The domain must be set because the netgroup (and compat pieces of FreeIPA)
populate the nisDomain attribute in the nisNetgroupTriple.

Thus, when sudo does a netgroup lookup to verify that the current host is
part of a netgroup, it will fail the match because the nisdomain of the
client must match that of this nisNetgroupTriple.

> then you set it like this:
> NISDOMAIN=example.com
> in /etc/sysconfig.network

There is actually a bug filed against Fedora about /etc/sysconfig.network
being broken:
https://bugzilla.redhat.com/show_bug.cgi?id=665465

(I will be opening another against RHEL through support this morning, as
the Fedora ticket has languished.)

It only works if the system is utilizing the NIS client as a whole
(ypbind, portmap, yp.conf), which is completely unnecessary:
nss_ldap/sssd provide lookups into LDAP for the nisNetgroupTriple required
to enumerate netgroups in Linux.


> Simo.


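An added illustration (mine, not code from this thread, FreeIPA or sudo) of the matching rule JR describes above: the domain field of a nisNetgroupTriple has to equal the client's NIS domain, so a host lookup fails when nisdomainname is unset. The netgroup entry and host names are constructed; the field semantics ('' is a wildcard, '-' means no valid value) follow netgroup(5).

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample entry, shaped like what a host netgroup under
# cn=ng,cn=compat,<basedn> carries; '-' in the user field means "no user".
SAMPLE_NETGROUP: Dict[str, List[str]] = {
    "cn": ["webservers"],
    "nisNetgroupTriple": [
        "(www1.example.com,-,example.com)",
        "(www2.example.com,-,example.com)",
    ],
}

_TRIPLE_RE = re.compile(r"^\(([^,()]*),([^,()]*),([^,()]*)\)$")


def parse_triple(value: str) -> Tuple[str, str, str]:
    """Split '(host,user,domain)' into its three fields."""
    m = _TRIPLE_RE.match(value.strip())
    if m is None:
        raise ValueError("malformed nisNetgroupTriple: %r" % value)
    return m.group(1), m.group(2), m.group(3)


def field_matches(field: str, wanted: Optional[str]) -> bool:
    """netgroup(5) field rule: '' is a wildcard, '-' matches nothing,
    anything else must equal the value the caller supplies.
    wanted=None means the caller does not check this field at all."""
    if wanted is None:
        return True
    if field == "-":
        return False
    if field == "":
        return True
    return field == wanted


def host_in_netgroup(netgroup: Dict[str, List[str]], host: str,
                     client_nisdomain: str) -> bool:
    """The check sudo needs: is this host, under this NIS domain, a member?
    client_nisdomain is what `nisdomainname` reports; '' when it is unset."""
    for value in netgroup["nisNetgroupTriple"]:
        triple_host, _user, triple_domain = parse_triple(value)
        if field_matches(triple_host, host) and \
                field_matches(triple_domain, client_nisdomain):
            return True
    return False


if __name__ == "__main__":
    print(host_in_netgroup(SAMPLE_NETGROUP, "www1.example.com", "example.com"))  # True
    print(host_in_netgroup(SAMPLE_NETGROUP, "www1.example.com", ""))  # False: domain unset
```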


Re: [Freeipa-devel] ipa-client-sudo

2011-02-19 Thread Adam Young

On 02/19/2011 12:00 PM, JR Aquino wrote:

> On 2/19/11 7:33 AM, Simo Sorce sso...@redhat.com wrote:
>
> > On Fri, 18 Feb 2011 23:09:21 -0500
> > Adam Young ayo...@redhat.com wrote:
> >
> > > Here's a rough hack.  It follows the steps in the test script. I
> > > tested it out and it works.
> >
> > Truly a hack :)
>
> More specifically:
>
> The script looks like it will functionally address RHEL6 + Fedora 14/15.
> You'll want to be mindful of systems that need to use nss_ldap.conf due to
> incompatibility with SSSD. (I believe in RHEL5 ipa-client-install actually
> configures nss_ldap and not SSSD)
> The script as it is, will stomp on the contents of the nss_ldap.conf file.
>
> > Just one thing, do not change rc.local, it's wrong, if you really need
> > to set the NIS domain (what for ?)
>
> The domain must be set because the netgroup (and compat pieces of FreeIPA)
> populate the nisDomain attribute in the nisNetgroupTriple.
>
> Thus when sudo does a netgroup look up to verify that the current host is
> part of a netgroup, it will fail the match because the nisdomain of the
> client must match that of this nisNetgroupTriple.
>
> > then you set it like this:
> > NISDOMAIN=example.com
> > in /etc/sysconfig.network


Yeah, that is better. I think also that authconfig supports it, via:

  --nisdomain=<domain>  default NIS domain

But this was a direct translation of the SUDO test script.



> There is actually a bug filed against fedora about /etc/sysconfig.network
> being broken.
> https://bugzilla.redhat.com/show_bug.cgi?id=665465
>
> (I will be opening another against RHEL through support this morning as
> the fedora ticket has languished.)
>
> It only works if the system is utilizing the NIS Client as a whole
> (ypbind, portmap, yp.conf) ... Which is completely unnecessary.
> nss_ldap/sssd provide lookups into ldap for the nisNetgroupTriple required
> to enumerate net groups in Linux.



> Simo.




Re: [Freeipa-devel] ipa-client-sudo

2011-02-19 Thread Adam Young

On 02/19/2011 10:33 AM, Simo Sorce wrote:

> On Fri, 18 Feb 2011 23:09:21 -0500
> Adam Young ayo...@redhat.com wrote:
>
> > Here's a rough hack.  It follows the steps in the test script. I
> > tested it out and it works.
>
> Truly a hack :)


Yeah, I really just wanted something to make sure that SUDO was working
for me, that was reproducible. Long term, SSSD should be the solution,
and in the medium term (2.1) it should go into ipa-client-install.

That said, I think it shows pretty clearly where the config values come
from and where they need to go.

But yeah, it's a hack.


> Just one thing, do not change rc.local, it's wrong, if you really need
> to set the NIS domain (what for ?) then you set it like this:
> NISDOMAIN=example.com
> in /etc/sysconfig.network
>
> Simo.





[Freeipa-devel] ipa-client-sudo

2011-02-18 Thread Adam Young
Here's a rough hack.  It follows the steps in the test script. I tested
it out and it works.
#!/bin/bash
# Pull the base DN, server and domain out of the IPA client config.
# The patterns are anchored to the start of the line so that a server
# name that happens to contain "domain" or "server" (e.g. in xmlrpc_uri)
# is not picked up by the wrong pattern.
BASEDN=`awk '/^basedn/ {print $3}' < /etc/ipa/default.conf`
IPASERVER=`awk '/^server/ {print $3}' < /etc/ipa/default.conf`
DOMAIN=`awk '/^domain/ {print $3}' < /etc/ipa/default.conf`

CONFDIR=`mktemp -d`
BACKUPDIR=/tmp/etcbackup

# Work on copies under $CONFDIR ...
mkdir -p $CONFDIR/etc/sssd
mkdir -p $CONFDIR/etc/rc.d/
cp /etc/sssd/sssd.conf $CONFDIR/etc/sssd
cp /etc/nsswitch.conf $CONFDIR/etc
cp /etc/rc.d/rc.local $CONFDIR/etc/rc.d/rc.local

# ... and keep the untouched originals under $BACKUPDIR.
mkdir -p $BACKUPDIR/etc/sssd
mkdir -p $BACKUPDIR/etc/rc.d/
cp /etc/sssd/sssd.conf $BACKUPDIR/etc/sssd
cp /etc/nsswitch.conf $BACKUPDIR/etc
cp /etc/rc.d/rc.local $BACKUPDIR/etc/rc.d/rc.local

BINDUID=$1
BINDPASS=$2

usage(){
    echo "usage: $0 uid password"
}

if [ -z "$BINDUID" ] || [ -z "$BINDPASS" ]
then
    usage
    exit 1
fi

# this will go into /etc/nsswitch.conf
echo "sudoers:    ldap" >> $CONFDIR/etc/nsswitch.conf

# this will go into sssd.conf: add the compat netgroup search base
# right after the ipa_server line
awk -v basedn="$BASEDN" \
    '{print $0} /^ipa_server/ { print "ldap_netgroup_search_base = cn=ng,cn=compat," basedn }' \
    < $CONFDIR/etc/sssd/sssd.conf > $CONFDIR/etc/sssd/sssd.conf.new

mv $CONFDIR/etc/sssd/sssd.conf.new $CONFDIR/etc/sssd/sssd.conf

# this will go in /etc/nss_ldap.conf
# (note: the bind password is written to this file in clear text,
# so mind its permissions)
cat > $CONFDIR/etc/nss_ldap.conf << END_TEXT
sudoers_base ou=SUDOers,$BASEDN
binddn uid=$BINDUID,cn=users,cn=accounts,$BASEDN
bindpw $BINDPASS
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
uri ldap://$IPASERVER
END_TEXT

# /etc/ldap.conf gets the same contents (the cp below follows the symlink)
ln -s $CONFDIR/etc/nss_ldap.conf $CONFDIR/etc/ldap.conf

echo "nisdomainname $DOMAIN" >> $CONFDIR/etc/rc.d/rc.local

cp $CONFDIR/etc/sssd/sssd.conf /etc/sssd
cp $CONFDIR/etc/nsswitch.conf /etc
cp $CONFDIR/etc/rc.d/rc.local /etc/rc.d/rc.local
cp $CONFDIR/etc/nss_ldap.conf /etc
cp $CONFDIR/etc/ldap.conf /etc

rm -rf $CONFDIR

echo "execute these commands:"
echo "nisdomainname $DOMAIN"
echo "service sssd restart"
