Re: [Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0
Thanx for the feedback, let me read a bit and will share how I managed to resolve it

-----Original Message-----
From: Lukas Slebodnik [mailto:lsleb...@redhat.com]
Sent: Tuesday, April 07, 2015 2:16 PM
To: Jakub Hrozek
Cc: Chamambo Martin; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0

On (07/04/15 12:57), Jakub Hrozek wrote:
>On Tue, Apr 07, 2015 at 12:48:37PM +0200, Chamambo Martin wrote:
>> Sorry for the confusion about that one, that client I used to
>> authenticate to a pure 389 directory server and I have since changed
>> it to free ipa and below is the correct configuration.
>>
>> I managed to add the line sudo_provider = ipa and I'm getting the
>> below error on my client
>
>I don't see it added to the config.
>
It's not necessary to add "sudo_provider = ipa" into the domain section, because if sudo_provider is not specified then it is automatically inherited from "id_provider". It is described in documentation [1] (point 4) and also in the manual page sssd-sudo.

IIRC ipa-client-install should configure all necessary things on rhel 7.1

>If it's added, the next steps would be to add debug_level to the sudo
>and domain sections. https://fedorahosted.org/sssd/wiki/Troubleshooting
>has some notes on gathering the debug logs.
>
+1

LS

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/Configuring_Services.html#configuring-sssd-sudo

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0
On (07/04/15 12:57), Jakub Hrozek wrote:
>On Tue, Apr 07, 2015 at 12:48:37PM +0200, Chamambo Martin wrote:
>> Sorry for the confusion about that one, that client I used to authenticate
>> to a pure 389 directory server and I have since changed it to free ipa and
>> below is the correct configuration.
>>
>> I managed to add the line sudo_provider = ipa and I'm getting the below error
>> on my client
>
>I don't see it added to the config.
>
It's not necessary to add "sudo_provider = ipa" into the domain section, because if sudo_provider is not specified then it is automatically inherited from "id_provider". It is described in documentation [1] (point 4) and also in the manual page sssd-sudo.

IIRC ipa-client-install should configure all necessary things on rhel 7.1

>If it's added, the next steps would be to add debug_level to the sudo
>and domain sections. https://fedorahosted.org/sssd/wiki/Troubleshooting
>has some notes on gathering the debug logs.
>
+1

LS

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/Configuring_Services.html#configuring-sssd-sudo
Re: [Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0
On Tue, Apr 07, 2015 at 01:55:43PM +0200, Chamambo Martin wrote:
> Thanx Jakub for pointing me to the right direction. This is what I have now
> and I have increased the debug level during troubleshooting
>
> [domain/ai.co.zw]
>
> debug_level=3
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ai.co.zw
> id_provider = ipa
> sudo_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ironhide.ai.co.zw
> chpass_provider = ipa
> ipa_server = _srv_, cyclops.ai.co.zw
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
>
>
> domains = ai.co.zw
> [nss]
> homedir_substring = /home
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> Error messages from /var/log/sssd/sssd_ai.co.zw when debug level is set at 4

This snippet just shows successful authentication, which I guess is when sudo asked for the password.

Anything interesting in the sudo log? /var/log/sssd/sssd_sudo.log

You might need a higher debug_level, though (6?)
Re: [Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0
(Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): cli_pid: 2377
(Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'cyclops.ai.co.zw' as 'working'
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [set_server_common_status] (0x0100): Marking server 'cyclops.ai.co.zw' as 'working'
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Sending result [0][ai.co.zw]
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Sent result [0][ai.co.zw]
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [child_sig_handler] (0x0100): child [2379] finished successfully.
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): domain: ai.co.zw
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): user: admin
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): service: sudo
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): ruser: admin
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): rhost:
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): authtok type: 0
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): priv: 0
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): cli_pid: 2377
(Tue Apr 7 13:54:01 2015) [sssd[be[ai.co.zw]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_all]
(Tue Apr 7 13:54:01 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
(Tue Apr 7 13:54:01 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
(Tue Apr 7 13:54:01 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Sending result [0][ai.co.zw]
(Tue Apr 7 13:54:01 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Sent result [0][ai.co.zw]
^C

-----Original Message-----
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent: Tuesday, April 07, 2015 12:58 PM
To: Chamambo Martin
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0

On Tue, Apr 07, 2015 at 12:48:37PM +0200, Chamambo Martin wrote:
> Sorry for the confusion about that one, that client I used to
> authenticate to a pure 389 directory server and I have since changed
> it to free ipa and below is the correct configuration.
>
> I managed to add the line sudo_provider = ipa and I'm getting the below
> error on my client

I don't see it added to the config.

If it's added, the next steps would be to add debug_level to the sudo and domain sections. https://fedorahosted.org/sssd/wiki/Troubleshooting has some notes on gathering the debug logs.
Re: [Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0
On Tue, Apr 07, 2015 at 12:48:37PM +0200, Chamambo Martin wrote:
> Sorry for the confusion about that one, that client I used to authenticate
> to a pure 389 directory server and I have since changed it to free ipa and
> below is the correct configuration.
>
> I managed to add the line sudo_provider = ipa and I'm getting the below error
> on my client

I don't see it added to the config.

If it's added, the next steps would be to add debug_level to the sudo and domain sections. https://fedorahosted.org/sssd/wiki/Troubleshooting has some notes on gathering the debug logs.
Re: [Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0
Sorry for the confusion about that one, that client I used to authenticate to a pure 389 directory server and I have since changed it to free ipa and below is the correct configuration.

I managed to add the line sudo_provider = ipa and I'm getting the below error on my client

[admin@ironhide postfix]$ sudo vim access
[sudo] password for admin:
Sorry, user admin is not allowed to execute '/usr/bin/vim access' as root on ironhide.ai.co.zw.
[admin@ironhide postfix]$

[root@ironhide ~]# cat /etc/sssd/sssd.conf
[domain/ai.co.zw]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ai.co.zw
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ironhide.ai.co.zw
chpass_provider = ipa
ipa_server = _srv_, cyclops.ai.co.zw
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = ai.co.zw
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[root@ironhide ~]#
Re: [Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0
On Tue, Apr 07, 2015 at 11:58:35AM +0200, Chamambo Martin wrote:
> I have deployed FreeIPA on RedHat 7 and everything is working perfectly fine
> except when I try to configure SUDO. All my clients are all centos 6 and
> RedHat 6 clients and have the below config. I have followed every how-to
> and I just can't seem to get it. I have configured the sudo commands and
> rules mostly for reading files /usr/bin/vim and /usr/bin/less for reading
> log files
>
> /etc/nssswitch
>
> sudoers: files sss
>
> cat /etc/sssd/sssd.conf
>
> [root@nemo ~]# cat /etc/sssd/sssd.conf
> [domain/default]

it is really strange that you have a domain called default (that's the name authconfig normally uses) set to ldap provider. Where does this come from, did you add it manually? This really sounds wrong and I would suggest to remove this domain, but I'd also like to know why did you add it in the first place?

> autofs_provider = ldap
> cache_credentials = True
> krb5_realm = XX.XX.XX
> krb5_server = XX.XX.XX.XX:88
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_id_use_start_tls = False
> ldap_tls_cacertdir = /etc/openldap/cacerts
> [domain/ai.co.zw]
>
> debug_level = 0x07F0
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ai.co.zw
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = XX.XX.XX.XX
> chpass_provider = ipa
> ipa_server = _srv_, XX.XX.XX.XX
> ldap_tls_cacert = /etc/ipa/ca.crt

What RHEL/CentOS version are you running in particular? Starting with 6.6, it should be enough to do:
sudo_provider = ipa

> [sssd]
> services = nss, sudo, pam, autofs, ssh
> config_file_version = 2
>
> domains = default, XX.XX.XX
> [nss]
>
> homedir_substring = /home
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
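An added example, not code from this thread or from SSSD itself, that checks the three points the thread turns on: the sudo responder being listed in [sssd] services, each listed domain's effective sudo_provider (using the sssd-sudo inheritance from id_provider that Lukas describes), and the sss entry on the nsswitch sudoers line. The sssd.conf and nsswitch.conf texts are constructed, simplified copies of the configs posted here, with the stray ldap "default" domain and a missing "sss" left in so the checker has something to report.

```python
# Added example, not from the thread or SSSD: sanity-check an sssd.conf and
# nsswitch.conf for the sudo-via-IPA misconfigurations discussed in the thread.
import configparser

# Constructed sample based on the page's sssd.conf (stray "default" domain kept).
SSSD_CONF = """\
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = default, ai.co.zw

[domain/default]
id_provider = ldap
auth_provider = ldap

[domain/ai.co.zw]
id_provider = ipa
auth_provider = ipa
ipa_domain = ai.co.zw
ipa_server = _srv_, cyclops.ai.co.zw
"""
# Constructed nsswitch.conf with 'sss' deliberately missing from sudoers.
NSSWITCH = "passwd: files sss\nsudoers: files\n"


def effective_sudo_provider(domain):
    # sssd-sudo(5): an unset sudo_provider inherits the domain's id_provider.
    return domain.get("sudo_provider", domain.get("id_provider", "none"))


def check_sudo_setup(sssd_text, nsswitch_text):
    """Return findings that explain why sudo may not see the IPA sudo rules."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_text)
    findings = []
    services = [s.strip() for s in cfg["sssd"].get("services", "").split(",")]
    if "sudo" not in services:
        findings.append("sudo responder not listed in [sssd] services")
    for name in (d.strip() for d in cfg["sssd"].get("domains", "").split(",")):
        section = "domain/" + name
        if section not in cfg:
            findings.append(f"domain '{name}' listed but [{section}] is missing")
            continue
        prov = effective_sudo_provider(cfg[section])
        if prov != "ipa":
            findings.append(f"domain '{name}' serves sudo rules via '{prov}', not ipa")
    sudoers = [l for l in nsswitch_text.splitlines() if l.startswith("sudoers:")]
    if not sudoers or "sss" not in sudoers[0].split()[1:]:
        findings.append("nsswitch.conf: 'sudoers' line does not include 'sss'")
    return findings
```

Run against the real files on a client, the same function reports an empty list once every listed domain resolves to ipa and nsswitch routes sudoers through sss.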
[Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0
I have deployed FreeIPA on RedHat 7 and everything is working perfectly fine except when I try to configure SUDO. All my clients are all centos 6 and RedHat 6 clients and have the below config. I have followed every how-to and I just can't seem to get it. I have configured the sudo commands and rules mostly for reading files /usr/bin/vim and /usr/bin/less for reading log files

/etc/nssswitch

sudoers: files sss

cat /etc/sssd/sssd.conf

[root@nemo ~]# cat /etc/sssd/sssd.conf
[domain/default]
autofs_provider = ldap
cache_credentials = True
krb5_realm = XX.XX.XX
krb5_server = XX.XX.XX.XX:88
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
[domain/ai.co.zw]

debug_level = 0x07F0
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ai.co.zw
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = XX.XX.XX.XX
chpass_provider = ipa
ipa_server = _srv_, XX.XX.XX.XX
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, autofs, ssh
config_file_version = 2

domains = default, XX.XX.XX
[nss]

homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]