Re: [Freeipa-users] Managing Sudo through FreeIPA
Hi,

> caching capabilities were not optimal in the tech preview, but it was fully functional (or at least should be, I don't think anyone really tried it in production), unless sssd is configured with multiple domains.

I looked at the 6.3 technical notes for sudo, sssd and ipa but couldn't see any reference to sudo support in IPA/SSSD natively (as opposed to LDAP integration) ... the Identity Management guide still refers to the old nslcd.conf file and not sudo-ldap.conf, never mind native integration... Do you have any details on how to go about testing this?

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Managing Sudo through FreeIPA
On Tue, Dec 11, 2012 at 11:25:57AM -0500, Dmitri Pal wrote:
> The native integration in SSSD was a tech preview in 6.3 and was pretty much broken.

It wasn't a TP in 6.3 because the sudo 1.8 package wasn't in 6.3 at all. It was rewritten after F-17, because its cache update mechanism was extremely inefficient, but I wouldn't call it broken. The code worked, just slow.

If you are interested in SSSD+SUDO integration please see SSSD 1.9. It seems that the feature is not yet documented in the formal doc set. You can try the sssd man pages:

http://jhrozek.fedorapeople.org/sssd/1.9.3/man/sssd-sudo.5.html

There are still a couple of known bugs (see https://fedorahosted.org/sssd/report/3 and search for sudo, for instance), but in general the feature is working now.
Re: [Freeipa-users] Managing Sudo through FreeIPA
Dmitri,

> The SUDO integration is evolving so it is important to know what OS and version you are on. I would assume you are on RHEL6.3 or equivalent.

That's correct. I am on RHEL6.3 equivalent.

> There are two main ways to integrate SUDO with IPA. One with SSSD integration and another without. The one with the SSSD integration was a tech preview in 6.3 and did not work well so we will set it aside for now (but we fixed it and it is coming in 6.4 as a supported feature).

Neat, looking forward to 6.4.

> So the only reasonable option ATM is to set up sudo without SSSD integration. So this solution implies that SUDO will use LDAP to get data from the LDAP server and the LDAP server happens to be IPA in this case. You need to configure SUDO with LDAP as one would do following the instructions provided by the SUDO package. Please search archives of the last month. There have been a couple of threads that you can find helpful in your quest.

Thank you for the pointer... Looking at the archive now.

> Keep in mind that the location and name of the file used by sudo to configure the LDAP connection has changed. The exact names of the files and recommendations you will find in the mentioned threads. Once you have configured SUDO and if you still have problems please let us know and we will help to troubleshoot the issue.

Thank you again,
William

> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Managing Sudo through FreeIPA
Steven,

Thanks for the pointers. I remember finding a post on this, but having problems finding it now.

> I assume rhel6.3 by the el6 in the rpm
>
> 1) Make sure the host and IPA server are fully patched/updated.

I am current already.

> 2) Edit nsswitch.conf to have "sudoers: files ldap" as the last line, may or may not be there.

Done.

> 3) Add lines to /etc/sudo-ldap.conf, takes a recent upgrade/patch of 6.3 for that file to appear. I'm not at work so I don't have a pastable set.

Yes, the file was there already. Wonder if you can paste it now. Mine was like this:

    uri ldap://ipa1-yyz-int.example.loc
    sudoers_base ou=SUDOers,dc=example,dc=loc
    ssl start_tls
    tls_checkpeer(yes)
    tls_cacertfile /etc/ipa/ca.crt

> 4) Add "nisdomainname example.com" to /etc/rc.d/rc.local.

Done.

> 5) Add or enable the sudo connection user in IPA with a password.

? Lost me here, mind explaining a bit please if you have a chance?

> 6) Reboot the host.
>
> If it doesn't work set the debug level in sudo-ldap.conf to 2 and re-try to see the output.. restart sssd.

    sh-4.1$ sudo less /var/log/secure
    LDAP Config Summary
    ===
    uri              ldap://ipa1-yyz-int.example.loc
    ldap_version     3
    sudoers_base     ou=SUDOers,dc=example,dc=loc
    binddn           (anonymous)
    bindpw           (anonymous)
    ssl              start_tls
    tls_checkpeer    (no)
    tls_cacertfile   /etc/ipa/ca.crt
    ===
    sudo: ldap_set_option: debug - 0
    sudo: ldap_set_option: tls_checkpeer - 0
    sudo: ldap_set_option: tls_cacertfile - /etc/ipa/ca.crt
    sudo: ldap_set_option: tls_cacert - /etc/ipa/ca.crt
    sudo: ldap_initialize(ld, ldap://ipa1-yyz-int.example.loc)
    sudo: ldap_set_option: ldap_version - 3
    sudo: ldap_start_tls_s() ok
    sudo: ldap_sasl_bind_s() ok
    sudo: no default options found in ou=SUDOers,dc=example,dc=loc
    sudo: ldap search '(|(sudoUser=williamm)(sudoUser=%williamm)(sudoUser=%operations)(sudoUser=ALL))'
    sudo: ldap search 'sudoUser=+*'
    sudo: user_matches=0
    sudo: host_matches=0
    sudo: sudo_ldap_lookup(0)=0x60
    [sudo] password for williamm:
    williamm is not in the sudoers file.  This incident will be reported.

Thank you again for your help.

Regards,
William

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of William Muriithi [william.murii...@gmail.com]
> Sent: Thursday, 8 November 2012 10:28 a.m.
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] Managing Sudo through FreeIPA
>
> Hello
>
> I have been trying to set up user access through a sudo file managed by FreeIPA and it doesn't seem to be working.
> [...]
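The trace above is what sudo prints with "debug 2" in sudo-ldap.conf. As an added example that is not part of the thread, the POSIX sh script below reads such a trace and reports the conditions it shows that matter to a defender: an anonymous bind (which cannot read IPA's sudo rules), tls_checkpeer off (the server certificate is not verified), missing STARTTLS, and no matching sudoRole. The sample trace is constructed from the one posted; the function names and message wording are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: triage a sudo LDAP debug trace
# (sudo-ldap.conf "debug 2") and report the conditions visible in it.
# Input is the trace file: the "LDAP Config Summary" block plus the
# "sudo: ..." lines exactly as sudo prints them.

# Print one FINDING:/ok: line per check, then a "findings: N" summary.
# Always exits 0 so it can be used inside command substitution.
diagnose_sudo_ldap_log() {
    log="$1"
    findings=0

    # An anonymous bind cannot read IPA's sudo rules; IPA ships a dedicated
    # system account (uid=sudo,cn=sysaccounts,cn=etc,<base dn>) for sudo.
    if grep -q 'binddn *(anonymous)' "$log"; then
        echo "FINDING: anonymous bind; set binddn/bindpw to the IPA sudo system account"
        findings=$((findings + 1))
    fi

    # With tls_checkpeer off sudo accepts any certificate from the server,
    # so a host impersonating the IPA server could feed it its own rules.
    if grep -q 'tls_checkpeer *(no)' "$log"; then
        echo "FINDING: tls_checkpeer is off; write 'tls_checkpeer yes' in sudo-ldap.conf"
        findings=$((findings + 1))
    fi

    if grep -q 'ldap_start_tls_s() ok' "$log"; then
        echo "ok: STARTTLS negotiated"
    else
        echo "FINDING: no STARTTLS; the bind password and the rules travel in clear"
        findings=$((findings + 1))
    fi

    # user_matches=0 and host_matches=0 together mean no sudoRole applied.
    # After an anonymous bind that is usually a read-permission problem, not
    # a rule problem.
    if grep -q 'user_matches=0' "$log" && grep -q 'host_matches=0' "$log"; then
        echo "FINDING: no sudoRole matched user or host (check bind account, then rule membership)"
        findings=$((findings + 1))
    fi

    echo "findings: $findings"
    return 0
}

# Print only the number of findings for a trace file.
count_findings() {
    diagnose_sudo_ldap_log "$1" | sed -n 's/^findings: //p'
}

# Constructed sample, condensed from the trace posted in the thread.
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
LDAP Config Summary
===
uri              ldap://ipa1-yyz-int.example.loc
ldap_version     3
sudoers_base     ou=SUDOers,dc=example,dc=loc
binddn           (anonymous)
bindpw           (anonymous)
ssl              start_tls
tls_checkpeer    (no)
tls_cacertfile   /etc/ipa/ca.crt
===
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=example,dc=loc
sudo: ldap search '(|(sudoUser=williamm)(sudoUser=%williamm)(sudoUser=%operations)(sudoUser=ALL))'
sudo: user_matches=0
sudo: host_matches=0
EOF
    echo "$f"
}

# Demo on the constructed sample; point diagnose_sudo_ldap_log at a saved
# trace (sudo ... 2>trace.txt) to triage a real host.
sample=$(write_sample_log)
diagnose_sudo_ldap_log "$sample"
rm -f "$sample"
```

On the posted trace this reports three findings: the anonymous bind, tls_checkpeer off, and the zero-match result, which is exactly the order in which the thread went on to fix things (bind account first, then rule membership).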
Re: [Freeipa-users] Managing Sudo through FreeIPA
If you go to the CLI on the FreeIPA server and type:

    ipa sudorule <enter>

It will give you some useful info. I believe you asked about the sudo user (which your log shows as currently unset, and configured as anonymous). Here is a snippet:

-=-=-=-=-=-
...
FreeIPA provides a designated binddn to use with Sudo located at:

    uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com

To enable the binddn run the following command to set the password:

    LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com

For more information, see the FreeIPA Documentation to Sudo.
-=-=-=-=-=-

The resulting user needs to be configured in your sudo-ldap.conf with:

    binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
    bindpw password

Keeping your head in the cloud
~ Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478 C: +1 805.717.0365
jr.aqu...@citrix.com
http://www.citrixonline.com

On Nov 8, 2012, at 9:11 AM, William Muriithi <william.murii...@gmail.com> wrote:

> Steven,
>
> Thanks for the pointers. I remember finding a post on this, but having problems finding it now.
> [...]
>> 5) Add or enable the sudo connection user in IPA with a password.
>
> ? Lost me here, mind explaining a bit please if you have a chance?
> [...]
Re: [Freeipa-users] Managing Sudo through FreeIPA
FYI

Got it working, credit to JR for pointing out that I need to assign a password to the sudo account on LDAP and use it for binding.

Thanks a lot,
William

On 8 November 2012 12:11, William Muriithi <william.murii...@gmail.com> wrote:
> Steven,
>
> Thanks for the pointers. I remember finding a post on this, but having problems finding it now.
> [...]
Re: [Freeipa-users] Managing Sudo through FreeIPA
On 11/08/2012 01:15 PM, William Muriithi wrote:
> FYI
>
> Got it working, credit to JR for pointing out that I need to assign a password to the sudo account on LDAP and use it for binding.

Great to hear!

> Thanks a lot,
> William
>
> On 8 November 2012 12:11, William Muriithi <william.murii...@gmail.com> wrote:
>> Steven,
>>
>> Thanks for the pointers. I remember finding a post on this, but having problems finding it now.
>> [...]
Re: [Freeipa-users] Managing Sudo through FreeIPA
On 11/07/2012 04:28 PM, William Muriithi wrote:
> Hello
>
> I have been trying to set up user access through a sudo file managed by FreeIPA and it doesn't seem to be working. I am not sure how to go about fixing it, but I guess the best place to start is to ask what I should expect the IPA installation script to set up and what should be done manually.
>
>     [root@demo2 wmuriithi]# rpm -qa | grep sssd
>     sssd-client-1.8.0-32.el6.x86_64
>     sssd-1.8.0-32.el6.x86_64
>     [root@demo2 wmuriithi]#
>     [root@demo2 wmuriithi]# rpm -qa | grep sudo
>     sudo-1.7.4p5-13.el6_3.x86_64
>
> The only errors related to sudo that I can find are in the apache error logs:
>
>     [Wed Nov 07 13:16:18 2012] [error] ipa: INFO: ad...@example.loc: sudorule_add_user(u'read_only_viewiers', all=False, raw=False, version=u'2.34', group=(u'operations',)): SUCCESS
>     [Wed Nov 07 13:54:44 2012] [error] ipa: ERROR: release_ipa_ccache: ccache_name (FILE:/var/run/ipa_memcached/krbcc_3988) != KRB5CCNAME environment variable (FILE:/tmp/krb5cc_apache_NB7pph)
>     [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc: sudorule_find(None, sizelimit=0, pkey_only=True): SUCCESS
>     [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc: batch: sudorule_show(u'Full_Access', all=True): SUCCESS
>     [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc: batch: sudorule_show(u'read_only_viewiers', all=True): SUCCESS
>     [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc: batch: sudorule_show(u'developers', all=True): SUCCESS
>     [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc: batch: sudorule_show(u'operation', all=True): SUCCESS
>     [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc: batch(({u'params': [[u'Full_Access'], {u'all': True}], u'method': u'sudorule_show'}, {u'params': [[u'read_only_viewiers'], {u'all': True}], u'method': u'sudorule_show'}, {u'params': [[u'developers'], {u'all': True}], u'method': u'sudorule_show'}, {u'params': [[u'operation'], {u'all': True}], u'method': u'sudorule_show'})): SUCCESS
>     [Wed Nov 07 13:54:50 2012] [error] ipa: INFO: ad...@example.loc: sudorule_show(u'read_only_viewiers', rights=True, all=True): SUCCESS
>
> I created the user as below and associated it with a group, which I then allowed to use less for reading files. As you can see below, it does not seem to work.
>
>     Nov 7 16:05:42 demo2 sudo: pam_sss(sudo:auth): authentication success; logname=williamm uid=0 euid=0 tty=/dev/pts/2 ruser=williamm rhost= user=williamm
>     Nov 7 16:05:43 demo2 sudo: williamm : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/wmuriithi ; USER=root ; COMMAND=/usr/bin/less /var/log/secure
>
> - My question is, does the client install script take care of sudo configuration or is that done manually? I don't see any sudo related flag on the client installation script.
> - I have tried configuring sssd for sudo use and it didn't go well. Last time I messed around with LDAP managed sudo, I had to install an LDAP capable sudo package. The ipa-client install did not install this package. Does IPA sudo management work differently?
> - Where would I check for logs? I checked sssd logs and they are empty.
> - I am missing the basedn configuration in the sssd configuration. From this bug, it should have been set up by the installer; oddly though it was not set up and the bug is closed. I attempted to fix it by adding the line below but it made sudo completely unusable. It could not find any valid users apparently.
>   https://fedorahosted.org/freeipa/ticket/932
>
>     ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=loc
>
> Any pointers on why we are going? Thank you a lot in advance.
>
> William
>
>     [root@ipa1-yyz-int wmuriithi]# ipa sudocmd-add --desc='For reading log files' '/usr/bin/less'
>     --
>     Added Sudo Command /usr/bin/less
>     --
>       Sudo Command: /usr/bin/less
>       Description: For reading log files
>     [root@ipa1-yyz-int wmuriithi]# ipa sudocmdgroup-add --desc='Read Only Commands' readonly
>     ---
>     Added Sudo Command Group readonly
>     ---
>       Sudo Command Group: readonly
>       Description: Read Only Commands
>     [root@ipa1-yyz-int wmuriithi]# ipa sudocmdgroup-add-member --sudocmds='/usr/bin/less' readonly
>       Sudo Command Group: readonly
>       Description: Read Only Commands
>       Member Sudo commands: /usr/bin/less
>     -
>     Number of members added 1
>     -
>     [root@ipa1-yyz-int wmuriithi]# ipa sudorule-add testing_viewiers
>     ---
>     Added Sudo Rule testing_viewiers
>     ---
Re: [Freeipa-users] Managing Sudo through FreeIPA
Hi,

I assume rhel6.3 by the el6 in the rpm.

1) Make sure the host and IPA server are fully patched/updated.
2) Edit nsswitch.conf to have "sudoers: files ldap" as the last line, may or may not be there.
3) Add lines to /etc/sudo-ldap.conf, takes a recent upgrade/patch of 6.3 for that file to appear. I'm not at work so I don't have a pastable set.
4) Add "nisdomainname example.com" to /etc/rc.d/rc.local.
5) Add or enable the sudo connection user in IPA with a password.
6) Reboot the host.

If it doesn't work set the debug level in sudo-ldap.conf to 2 and re-try to see the output.. restart sssd.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of William Muriithi [william.murii...@gmail.com]
Sent: Thursday, 8 November 2012 10:28 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Managing Sudo through FreeIPA

> Hello
>
> I have been trying to set up user access through a sudo file managed by FreeIPA and it doesn't seem to be working.
> [...]
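The six steps above, as an added example that is neither Steven's nor the FreeIPA project's code: a POSIX sh lint for the two client files the steps edit, /etc/sudo-ldap.conf (steps 3 and 5) and /etc/nsswitch.conf (step 2). It checks for the settings the thread converged on: ssl start_tls, tls_checkpeer, tls_cacertfile, a non-anonymous binddn with a bindpw, and ldap on the sudoers: line. The function names, the sample files and the placeholder password are assumptions; the URI and DN values come from the thread. It goes slightly beyond the thread by also rejecting a world-readable file that holds bindpw.

```shell
#!/bin/sh
# Added example, not code from the thread: lint sudo-ldap.conf and nsswitch.conf
# for the settings the thread converged on. Paths are function arguments so the
# checks can run on copies; the samples at the bottom are constructed.

# Value of key $2 in file $1 (first match, trailing whitespace stripped).
# A key with no separating space, e.g. "tls_checkpeer(yes)", yields nothing,
# which is also why sudo reported tls_checkpeer (no) in the trace above.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\)$/\1/p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Print one FINDING: line per problem and a "findings: N" summary; always exits 0.
check_sudo_ldap_conf() {
    conf="$1"; findings=0
    uri=$(conf_value "$conf" uri)
    case "$uri" in
        ldap://*|ldaps://*) ;;
        *) echo "FINDING: uri missing or not ldap://, ldaps://"; findings=$((findings + 1)) ;;
    esac
    [ -n "$(conf_value "$conf" sudoers_base)" ] ||
        { echo "FINDING: sudoers_base missing (IPA: ou=SUDOers,<base dn>)"; findings=$((findings + 1)); }
    # Transport: STARTTLS on ldap://, or ldaps://. Otherwise bindpw and the
    # rule data cross the network in clear.
    case "$uri" in ldaps://*) ;; *)
        [ "$(conf_value "$conf" ssl)" = start_tls ] ||
            { echo "FINDING: ssl start_tls not set"; findings=$((findings + 1)); } ;;
    esac
    # Certificate verification; sudoers.ldap(5) syntax is "tls_checkpeer yes".
    case "$(conf_value "$conf" tls_checkpeer)" in
        yes|on|true) ;;
        *) echo "FINDING: tls_checkpeer not enabled (write 'tls_checkpeer yes', no parentheses)"
           findings=$((findings + 1)) ;;
    esac
    [ -n "$(conf_value "$conf" tls_cacertfile)" ] ||
        { echo "FINDING: tls_cacertfile missing (IPA CA: /etc/ipa/ca.crt)"; findings=$((findings + 1)); }
    # Bind identity: anonymous binds cannot read IPA's sudo rules, hence the
    # user_matches=0 above; IPA provides uid=sudo,cn=sysaccounts,cn=etc,<base dn>.
    [ -n "$(conf_value "$conf" binddn)" ] ||
        { echo "FINDING: binddn missing; sudo binds anonymously"; findings=$((findings + 1)); }
    if [ -z "$(conf_value "$conf" bindpw)" ]; then
        echo "FINDING: bindpw missing (set one with ldappasswd on the sudo account)"
        findings=$((findings + 1))
    elif [ "$(ls -l "$conf" | cut -c8)" = r ]; then
        # bindpw is a credential: the file holding it must not be world-readable.
        echo "FINDING: $conf is world-readable but contains bindpw"
        findings=$((findings + 1))
    fi
    echo "findings: $findings"
    return 0
}

# Only the number of findings for a sudo-ldap.conf.
count_conf_findings() { check_sudo_ldap_conf "$1" | sed -n 's/^findings: //p'; }

# Succeed iff the sudoers: line of nsswitch.conf lists ldap as a source.
check_nsswitch() {
    grep '^[[:space:]]*sudoers:' "$1" | head -n 1 | sed 's/^[^:]*://' \
        | tr ' \t' '\n\n' | grep -qx ldap
}

# Constructed samples: the posted config (anonymous bind, parenthesised
# tls_checkpeer) and its corrected form. The password is a placeholder.
write_broken_conf() {
    f=$(mktemp); printf '%s\n' 'uri ldap://ipa1-yyz-int.example.loc' \
        'sudoers_base ou=SUDOers,dc=example,dc=loc' 'ssl start_tls' \
        'tls_checkpeer(yes)' 'tls_cacertfile /etc/ipa/ca.crt' > "$f"; echo "$f"
}
write_fixed_conf() {
    f=$(mktemp); printf '%s\n' 'uri ldap://ipa1-yyz-int.example.loc' \
        'sudoers_base ou=SUDOers,dc=example,dc=loc' 'ssl start_tls' \
        'tls_checkpeer yes' 'tls_cacertfile /etc/ipa/ca.crt' \
        'binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=loc' \
        'bindpw PLACEHOLDER_SUDO_BIND_PASSWORD' > "$f"; echo "$f"
}
write_sample_nsswitch() {
    f=$(mktemp); printf '%s\n' 'passwd: files sss' 'sudoers: files ldap' > "$f"; echo "$f"
}

# Demo on the samples; point the functions at /etc/sudo-ldap.conf and
# /etc/nsswitch.conf to lint a real host.
for conf in "$(write_broken_conf)" "$(write_fixed_conf)"; do
    echo "== $conf"; check_sudo_ldap_conf "$conf"; rm -f "$conf"
done
nss=$(write_sample_nsswitch)
check_nsswitch "$nss" && echo "nsswitch: sudoers line lists ldap"; rm -f "$nss"
```

The broken sample produces three findings (unparsable tls_checkpeer, no binddn, no bindpw), which match the anonymous bind and tls_checkpeer (no) that sudo printed in the trace; the corrected sample produces none. The world-readable check matters once bindpw is in the file: the bind account's password is a credential that lets its holder read every sudo rule in the directory.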