Re: [Freeipa-devel] ipa-client-sudo
On Fri, 18 Feb 2011 23:09:21 -0500
Adam Young ayo...@redhat.com wrote:

> Here's a rough hack. It follows the steps in the test script. I tested
> it out and it works.

Truly a hack :)

Just one thing, do not change rc.local, it's wrong, if you really need
to set the NIS domain (what for ?) then you set it like this:

NISDOMAIN=example.com

in /etc/sysconfig/network

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] ipa-client-sudo
On 2/19/11 7:33 AM, Simo Sorce sso...@redhat.com wrote:

> On Fri, 18 Feb 2011 23:09:21 -0500
> Adam Young ayo...@redhat.com wrote:
>
>> Here's a rough hack. It follows the steps in the test script. I tested
>> it out and it works.
>
> Truly a hack :)

More specifically: The script looks like it will functionally address
RHEL6 + Fedora 14/15. You'll want to be mindful of systems that need to
use nss_ldap.conf due to incompatibility with SSSD. (I believe in RHEL5
ipa-client-install actually configures nss_ldap and not SSSD)

The script as it is will stomp on the contents of the nss_ldap.conf file.

> Just one thing, do not change rc.local, it's wrong, if you really need
> to set the NIS domain (what for ?)

The domain must be set because the netgroup (and compat pieces of
FreeIPA) populate the nisDomain attribute in the nisNetgroupTriple. Thus
when sudo does a netgroup lookup to verify that the current host is part
of a netgroup, it will fail the match because the nisdomain of the client
must match that of this nisNetgroupTriple.

> then you set it like this:
>
> NISDOMAIN=example.com
>
> in /etc/sysconfig/network

There is actually a bug filed against fedora about /etc/sysconfig/network
being broken.
https://bugzilla.redhat.com/show_bug.cgi?id=665465
(I will be opening another against RHEL through support this morning as
the fedora ticket has languished.)

It only works if the system is utilizing the NIS Client as a whole
(ypbind, portmap, yp.conf) ... Which is completely unnecessary.
nss_ldap/sssd provide lookups into ldap for the nisNetgroupTriple
required to enumerate net groups in Linux.

> Simo.
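An added check for the nisdomain mismatch described in the message above; it is not part of this thread or of FreeIPA's own code. It pulls the domain field out of each nisNetgroupTriple in the compat tree and compares it with the value the client would report from nisdomainname, which is the comparison sudo's netgroup lookup makes. The LDIF in the block is constructed sample data: the netgroup name, hostnames and base DN are made up, and the anonymous StartTLS bind in live_check is an assumption about the server's ACLs.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): verify that the NIS
# domain this client reports is one that the nisNetgroupTriple values in the
# FreeIPA compat tree can actually match. sudo's netgroup lookup compares the
# client's nisdomain against the third field of each triple.

# Constructed sample LDIF standing in for the output of
#   ldapsearch -LLL -b "cn=ng,cn=compat,$BASEDN" nisNetgroupTriple
# The netgroup name, hostnames and base DN are made up.
SAMPLE_LDIF='dn: cn=sudo-hosts,cn=ng,cn=compat,dc=example,dc=com
objectClass: nisNetgroup
cn: sudo-hosts
nisNetgroupTriple: (web1.example.com,-,example.com)
nisNetgroupTriple: (web2.example.com,-,example.com)
nisNetgroupTriple: (db1.example.com,-,)'

# Print the domain field of every nisNetgroupTriple line on stdin.
# Triple layout is (host,user,domain); an empty domain field is a wildcard.
triple_domains() {
    sed -n 's/^nisNetgroupTriple: *(\([^,]*\),\([^,]*\),\([^)]*\))$/\3/p'
}

# mismatches <client_domain>: LDIF on stdin; prints how many triples carry a
# non-empty domain that differs from the client's, i.e. can never match.
mismatches() {
    triple_domains | awk -v client="$1" \
        '$0 != "" && $0 != client { n++ } END { print n + 0 }'
}

# check_nisdomain <client_domain>: LDIF on stdin; reports and returns 0 only
# when every triple either matches the client domain or is a wildcard.
check_nisdomain() {
    client="$1"
    n=$(mismatches "$client")
    # nisdomainname prints "(none)" when no domain has been set at all
    if [ -z "$client" ] || [ "$client" = "(none)" ]; then
        echo "client NIS domain is not set; triples with a domain field will never match"
    fi
    if [ "$n" -eq 0 ]; then
        echo "ok: all triple domains match client nisdomain '$client' (or are wildcards)"
    else
        echo "FAIL: $n triple(s) cannot match client nisdomain '$client'"
        echo "      set NISDOMAIN=<domain> in /etc/sysconfig/network (or authconfig --nisdomain=<domain>)"
    fi
    [ "$n" -eq 0 ]
}

# Live use against a real server (not exercised here). The base DN is the
# argument; anonymous simple bind over StartTLS is an assumption about the
# server's ACLs.
live_check() {
    ldapsearch -LLL -x -ZZ -b "cn=ng,cn=compat,$1" '(objectClass=nisNetgroup)' nisNetgroupTriple \
        | check_nisdomain "$(nisdomainname)"
}

# Stand-alone demonstration on the sample data: the first run passes, the
# second shows what an unset client domain looks like.
printf '%s\n' "$SAMPLE_LDIF" | check_nisdomain example.com
printf '%s\n' "$SAMPLE_LDIF" | check_nisdomain '(none)' || true
```

On a client that was joined without a NIS domain, nisdomainname prints "(none)" and every triple that carries a domain field counts as a mismatch, which is exactly the failure mode the message above describes; the empty-domain triple is the one case that still matches.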
Re: [Freeipa-devel] ipa-client-sudo
On 02/19/2011 12:00 PM, JR Aquino wrote:
> On 2/19/11 7:33 AM, Simo Sorce sso...@redhat.com wrote:
>
>> On Fri, 18 Feb 2011 23:09:21 -0500
>> Adam Young ayo...@redhat.com wrote:
>>
>>> Here's a rough hack. It follows the steps in the test script. I tested
>>> it out and it works.
>>
>> Truly a hack :)
>
> More specifically: The script looks like it will functionally address
> RHEL6 + Fedora 14/15. You'll want to be mindful of systems that need to
> use nss_ldap.conf due to incompatibility with SSSD. (I believe in RHEL5
> ipa-client-install actually configures nss_ldap and not SSSD)
>
> The script as it is will stomp on the contents of the nss_ldap.conf file.
>
>> Just one thing, do not change rc.local, it's wrong, if you really need
>> to set the NIS domain (what for ?)
>
> The domain must be set because the netgroup (and compat pieces of
> FreeIPA) populate the nisDomain attribute in the nisNetgroupTriple. Thus
> when sudo does a netgroup lookup to verify that the current host is part
> of a netgroup, it will fail the match because the nisdomain of the client
> must match that of this nisNetgroupTriple.
>
>> then you set it like this:
>>
>> NISDOMAIN=example.com
>>
>> in /etc/sysconfig/network

Yeah, that is better. I think also that authconfig supports it, via:

--nisdomain=domain  default NIS domain

But this was a direct translation of the SUDO test script.

> There is actually a bug filed against fedora about /etc/sysconfig/network
> being broken.
> https://bugzilla.redhat.com/show_bug.cgi?id=665465
> (I will be opening another against RHEL through support this morning as
> the fedora ticket has languished.)
>
> It only works if the system is utilizing the NIS Client as a whole
> (ypbind, portmap, yp.conf) ... Which is completely unnecessary.
> nss_ldap/sssd provide lookups into ldap for the nisNetgroupTriple
> required to enumerate net groups in Linux.
>
>> Simo.
Re: [Freeipa-devel] ipa-client-sudo
On 02/19/2011 10:33 AM, Simo Sorce wrote:
> On Fri, 18 Feb 2011 23:09:21 -0500
> Adam Young ayo...@redhat.com wrote:
>
>> Here's a rough hack. It follows the steps in the test script. I tested
>> it out and it works.
>
> Truly a hack :)

Yeah, I really just wanted something to make sure that SUDO was working
for me, that was reproducible. Long term, SSSD should be the solution,
and in the medium term (2.1) it should go into ipa-client-install.

That said, I think it shows pretty clearly where the config values come
from and where they need to go. But yeah, it's a hack.

> Just one thing, do not change rc.local, it's wrong, if you really need
> to set the NIS domain (what for ?) then you set it like this:
>
> NISDOMAIN=example.com
>
> in /etc/sysconfig/network
>
> Simo.
[Freeipa-devel] ipa-client-sudo
Here's a rough hack. It follows the steps in the test script. I tested
it out and it works.

#!/bin/sh
# Pull the IPA basedn, server and domain out of the client config.
BASEDN=`awk '/basedn/ {print $3}' /etc/ipa/default.conf`
IPASERVER=`awk '/server/ {print $3}' /etc/ipa/default.conf`
DOMAIN=`awk '/domain/ {print $3}' /etc/ipa/default.conf`

CONFDIR=`mktemp -d`
BACKUPDIR=/tmp/etcbackup

# Work on copies of the files to be edited...
mkdir -p $CONFDIR/etc/sssd
mkdir -p $CONFDIR/etc/rc.d/
cp /etc/sssd/sssd.conf $CONFDIR/etc/sssd
cp /etc/nsswitch.conf $CONFDIR/etc
cp /etc/rc.d/rc.local $CONFDIR/etc/rc.d/rc.local

# ...and keep a backup of the originals.
mkdir -p $BACKUPDIR/etc/sssd
mkdir -p $BACKUPDIR/etc/rc.d/
cp /etc/sssd/sssd.conf $BACKUPDIR/etc/sssd
cp /etc/nsswitch.conf $BACKUPDIR/etc
cp /etc/rc.d/rc.local $BACKUPDIR/etc/rc.d/rc.local

BINDUID=$1
BINDPASS=$2

usage(){
    echo "usage: $0 uid password"
}

if [ -z "$BINDUID" ] || [ -z "$BINDPASS" ]
then
    usage
    exit 1
fi

# this will go into /etc/nsswitch.conf
echo "sudoers: ldap" >> $CONFDIR/etc/nsswitch.conf

# this will go into sssd.conf: add the compat netgroup search base
# right after the ipa_server line
awk -v basedn="$BASEDN" '{ print $0 } /^ipa_server/ { print "ldap_netgroup_search_base = cn=ng,cn=compat," basedn }' $CONFDIR/etc/sssd/sssd.conf > $CONFDIR/etc/sssd/sssd.conf.new
mv $CONFDIR/etc/sssd/sssd.conf.new $CONFDIR/etc/sssd/sssd.conf

# this will go in /etc/nss_ldap.conf (the bind password is written in clear text)
cat > $CONFDIR/etc/nss_ldap.conf <<END_TEXT
sudoers_base ou=SUDOers,$BASEDN
binddn uid=$BINDUID,cn=users,cn=accounts,$BASEDN
bindpw $BINDPASS
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
uri ldap://$IPASERVER
END_TEXT
ln -s $CONFDIR/etc/nss_ldap.conf $CONFDIR/etc/ldap.conf

# set the NIS domain at boot so netgroup triples match this host
echo "nisdomainname $DOMAIN" >> $CONFDIR/etc/rc.d/rc.local

# install the edited copies
cp $CONFDIR/etc/sssd/sssd.conf /etc/sssd
cp $CONFDIR/etc/nsswitch.conf /etc
cp $CONFDIR/etc/rc.d/rc.local /etc/rc.d/rc.local
cp $CONFDIR/etc/nss_ldap.conf /etc
cp $CONFDIR/etc/ldap.conf /etc
rm -rf $CONFDIR

echo "execute these commands:"
echo "nisdomainname $DOMAIN"
echo "service sssd restart"