Re: [Freeipa-users] Setting up sudo

2014-02-17 Thread Andrew Holway
It actually took me a long time to find this information. It is poorly
documented but this mailing list post works. :)

https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html



On 13 February 2014 23:17, Todd Maugh  wrote:
> the documentation is kinda vague on some parts
>
> from the documentation:
>
> Because the sudo information is not available anonymously over LDAP by
> default, Identity Management defines a default sudo user,
> uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX, which can be set in the LDAP/sudo
> configuration file, /etc/sudo-ldap.conf.
>
> so is this user supposed to already be predefined, or do I need to create the
> user and then modify them?
>
> thanks
>
> -Todd
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users



Re: [Freeipa-users] Setting up sudo

2014-02-17 Thread Jakub Hrozek
On Thu, Feb 13, 2014 at 06:30:37PM -0500, Dmitri Pal wrote:
> On 02/13/2014 06:23 PM, Todd Maugh wrote:
> >and if I am configuring the sudo-ldap.conf
> >
> >
> >what should it look like? Does anyone have an example?
> >
> 
> You have two options. Sudo can be integrated with SSSD or not.
> If you want SUDO to be integrated then this should help: 
> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf

Also man sssd-sudo should have some examples.



Re: [Freeipa-users] Setting up sudo

2014-02-13 Thread Dmitri Pal

On 02/13/2014 06:23 PM, Todd Maugh wrote:

and if I am configuring the sudo-ldap.conf


what should it look like? Does anyone have an example?



You have two options. Sudo can be integrated with SSSD or not.
If you want SUDO to be integrated then this should help: 
http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf


If you want to use SUDO independently from sssd and connect directly to 
IPA from SUDO you need to configure sudo-ldap.conf and use some user to 
bind to IPA. This user should be configured in the file.
See more details in the IPA docs: 
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#config-sudo-clients






*From:* freeipa-users-boun...@redhat.com 
[freeipa-users-boun...@redhat.com] on behalf of Todd Maugh 
[tma...@boingo.com]

*Sent:* Thursday, February 13, 2014 3:17 PM
*To:* freeipa-users@redhat.com
*Subject:* [Freeipa-users] Setting up sudo

the documentation is kinda vague on some parts

from the documentation:

Because the |sudo| information is not available anonymously over LDAP 
by default, Identity Management defines a default |sudo| user, 
|uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX|, which can be set in the 
LDAP/|sudo| configuration file, |/etc/sudo-ldap.conf|.


so is this user supposed to already be predefined, or do I need to 
create the user and then modify them?


thanks

-Todd





--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




Re: [Freeipa-users] Setting up sudo

2014-02-13 Thread Todd Maugh
and if I am configuring the sudo-ldap.conf


what should it look like? Does anyone have an example?



From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Todd Maugh [tma...@boingo.com]
Sent: Thursday, February 13, 2014 3:17 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Setting up sudo

the documentation is kinda vague on some parts

from the documentation:

Because the sudo information is not available anonymously over LDAP by default, 
Identity Management defines a default sudo user, 
uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX, which can be set in the LDAP/sudo 
configuration file, /etc/sudo-ldap.conf.

so is this user supposed to already be predefined, or do I need to create the 
user and then modify them?

thanks

-Todd

[Freeipa-users] Setting up sudo

2014-02-13 Thread Todd Maugh
the documentation is kinda vague on some parts

from the documentation:

Because the sudo information is not available anonymously over LDAP by default, 
Identity Management defines a default sudo user, 
uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX, which can be set in the LDAP/sudo 
configuration file, /etc/sudo-ldap.conf.

so is this user supposed to already be predefined, or do I need to create the 
user and then modify them?

thanks

-Todd

Re: [Freeipa-users] Setting up sudo in FreeIPA v2.2

2012-10-17 Thread Toasted Penguin
On Tue, Oct 16, 2012 at 10:50 PM, JR Aquino  wrote:

> On the host in question Run the command: domainname
>
> That wants to match whatever your domain is. If it doesn't it will fail
> even if you have all the server rules configured correctly. This is a sudo
> + netgroups/hostgroups 'feature'
>
> ~
> Jr Aquino | Sr. Information Security Specialist
> GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
> T:  +1 805.690.3478
> C: +1 805.717.0365
> jr.aqu...@citrixonline.com
> http://www.citrixonline.com
>
> On Oct 16, 2012, at 2:26 PM, "Toasted Penguin" <
> toastedpenguini...@gmail.com> wrote:
>
> > I have the server setup to manage sudo and I configured a target client
> to use the IPA server for sudo.  When a user tries to use sudo (in this
> case "sudo su -") it fails and they get the error "user is not allowed to
> run sudo on client-host.  This incident will be reported." I verified via
> the log files that the client is making requests to the IPA server when the
> user is attempting to use sudo and it fails.  I temporarily disabled using
> the IPA server for sudo and I get the standard "User not in the sudoers
> file"
> >
> > It's starting to look like the server rules may be the issue but I believe
> I have the sudo rule setup correctly.  I created a sudo command "/bin/su",
> created a sudo rule "Sudo to root" , added the group the user in question
> is a part of to the WHO-->User Groups; Added the Host Group the target
> client host is part of to Access This Host-->Host Groups and added the sudo
> command to the sudo rule via Allow-->Sudo Allow Commands.  When I delete
> the sudo rule I get the same result as I did when I temporarily disabled the
> client host using the IPA server for sudo verification.
> >
> > Any ideas why or where to look to figure out this issue?
> >
> > Thanks,
> > David
>
Executing domainname results in the correct domain for the FreeIPA service.

Re: [Freeipa-users] Setting up sudo in FreeIPA v2.2

2012-10-16 Thread JR Aquino
On the host in question Run the command: domainname

That wants to match whatever your domain is. If it doesn't it will fail even if 
you have all the server rules configured correctly. This is a sudo + 
netgroups/hostgroups 'feature'

~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
C: +1 805.717.0365
jr.aqu...@citrixonline.com
http://www.citrixonline.com

On Oct 16, 2012, at 2:26 PM, "Toasted Penguin"  
wrote:

> I have the server setup to manage sudo and I configured a target client to 
> use the IPA server for sudo.  When a user tries to use sudo (in this case 
> "sudo su -") it fails and they get the error "user is not allowed to run sudo 
> on client-host.  This incident will be reported." I verified via the log 
> files that the client is making requests to the IPA server when the user is 
> attempting to use sudo and it fails.  I temporarily disabled using the IPA 
> server for sudo and I get the standard "User not in the sudoers file" 
>  
> It's starting to look like the server rules may be the issue but I believe I 
> have the sudo rule setup correctly.  I created a sudo command "/bin/su", 
> created a sudo rule "Sudo to root" , added the group the user in question is 
> a part of to the WHO-->User Groups; Added the Host Group the target client 
> host is part of to Access This Host-->Host Groups and added the sudo command 
> to the sudo rule via Allow-->Sudo Allow Commands.  When I delete the sudo 
> rule I get the same result as I did when I temporarily disabled the client 
> host using the IPA server for sudo verification.
>  
> Any ideas why or where to look to figure out this issue?
>  
> Thanks,
> David 



Re: [Freeipa-users] Setting up sudo in FreeIPA v2.2

2012-10-16 Thread Dmitri Pal
On 10/16/2012 06:04 PM, Rob Crittenden wrote:
> Toasted Penguin wrote:
>> I have the server setup to manage sudo and I configured a target client
>> to use the IPA server for sudo.  When a user tries to use sudo (in this
>> case "sudo su -") it fails and they get the error "user is not allowed
>> to run sudo on client-host.  This incident will be reported." I verified
>> via the log files that the client is making requests to the IPA server
>> when the user is attempting to use sudo and it fails.  I temporarily
>> disabled using the IPA server for sudo and I get the standard "User not
>> in the sudoers file"
>> It's starting to look like the server rules may be the issue but I believe
>> I have the sudo rule setup correctly.  I created a sudo command
>> "/bin/su", created a sudo rule "Sudo to root" , added the group the user
>> in question is a part of to the WHO-->User Groups; Added the Host Group
>> the target client host is part of to Access This Host-->Host Groups
>> and added the sudo command to the sudo rule via Allow-->Sudo Allow
>> Commands.  When I delete the sudo rule I get the same result as I did
>> when I temporarily disabled the client host using the IPA server for
>> sudo verification.
>> Any ideas why or where to look to figure out this issue?
>> Thanks,
>> David
>
> I took a look at the docs and they state to edit /etc/nslcd.conf. You
> want /etc/ldap.conf for the configuration. Can you give that a try?
>
> Adding sudoers_debug 2 should provide copious information on stdout.
>

Also following another thread might help
https://www.redhat.com/archives/freeipa-users/2012-October/msg00097.html

> rob
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] Setting up sudo in FreeIPA v2.2

2012-10-16 Thread Rob Crittenden

Toasted Penguin wrote:

I have the server setup to manage sudo and I configured a target client
to use the IPA server for sudo.  When a user tries to use sudo (in this
case "sudo su -") it fails and they get the error "user is not allowed
to run sudo on client-host.  This incident will be reported." I verified
via the log files that the client is making requests to the IPA server
when the user is attempting to use sudo and it fails.  I temporarily
disabled using the IPA server for sudo and I get the standard "User not
in the sudoers file"
It's starting to look like the server rules may be the issue but I believe
I have the sudo rule setup correctly.  I created a sudo command
"/bin/su", created a sudo rule "Sudo to root" , added the group the user
in question is a part of to the WHO-->User Groups; Added the Host Group
the target client host is part of to Access This Host-->Host Groups
and added the sudo command to the sudo rule via Allow-->Sudo Allow
Commands.  When I delete the sudo rule I get the same result as I did
when I temporarily disabled the client host using the IPA server for
sudo verification.
Any ideas why or where to look to figure out this issue?
Thanks,
David


I took a look at the docs and they state to edit /etc/nslcd.conf. You 
want /etc/ldap.conf for the configuration. Can you give that a try?


Adding sudoers_debug 2 should provide copious information on stdout.

rob



Re: [Freeipa-users] Setting up sudo in FreeIPA v2.2

2012-10-16 Thread Steven Jones
Can you turn on debugging?

"sudoers_debug 2"

to /etc/sudo-ldap.conf (assumes RHEL6.3)

Also you could try adding the host directly to the sudo rule and not via a host 
group as that seems buggy


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Toasted Penguin [toastedpenguini...@gmail.com]
Sent: Wednesday, 17 October 2012 10:24 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Setting up sudo in FreeIPA v2.2

I have the server setup to manage sudo and I configured a target client to use 
the IPA server for sudo.  When a user tries to use sudo (in this case "sudo su 
-") it fails and they get the error "user is not allowed to run sudo on 
client-host.  This incident will be reported." I verified via the log files 
that the client is making requests to the IPA server when the user is attempting 
to use sudo and it fails.  I temporarily disabled using the IPA server for sudo 
and I get the standard "User not in the sudoers file"

It's starting to look like the server rules may be the issue but I believe I have 
the sudo rule setup correctly.  I created a sudo command "/bin/su", created a 
sudo rule "Sudo to root" , added the group the user in question is a part of to 
the WHO-->User Groups; Added the Host Group the target client host is part of 
to Access This Host-->Host Groups and added the sudo command to the sudo rule 
via Allow-->Sudo Allow Commands.  When I delete the sudo rule I get the same 
result as I did when I temporarily disabled the client host using the IPA 
server for sudo verification.

Any ideas why or where to look to figure out this issue?

Thanks,
David

[Freeipa-users] Setting up sudo in FreeIPA v2.2

2012-10-16 Thread Toasted Penguin
I have the server setup to manage sudo and I configured a target client to
use the IPA server for sudo.  When a user tries to use sudo (in this case
"sudo su -") it fails and they get the error "user is not allowed to run
sudo on client-host.  This incident will be reported." I verified via the
log files that the client is making requests to the IPA server when the
user is attempting to use sudo and it fails.  I temporarily disabled using
the IPA server for sudo and I get the standard "User not in the sudoers
file"

It's starting to look like the server rules may be the issue but I believe I
have the sudo rule setup correctly.  I created a sudo command "/bin/su",
created a sudo rule "Sudo to root" , added the group the user in question
is a part of to the WHO-->User Groups; Added the Host Group the target
client host is part of to Access This Host-->Host Groups and added the sudo
command to the sudo rule via Allow-->Sudo Allow Commands.  When I delete
the sudo rule I get the same result as I did when I temporarily disabled the
client host using the IPA server for sudo verification.

Any ideas why or where to look to figure out this issue?

Thanks,
David

Re: [Freeipa-users] Setting up sudo clients

2012-06-06 Thread Dmitri Pal
On 06/06/2012 01:59 PM, Joe Linoff wrote:
>
> Hi Folks:
>
>  
>
> I am trying to configure sudo clients using FreeIPA 2.1.3 on CentOS
> 6.2 but I am running into a problem that I do not know how to
> debug. I used the instructions provided here:
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html.
>
>
>  
>
> The server installation went fine and I even did a sudo client
> installation on the server which worked well. Unfortunately, when I
> did the same client setup on another host in the network I got the
> message:  not in sudoers files when I tried to execute a command.
>
>  
>
> Here is the output from /var/log/secure on the client. I didn't see
> anything strange on the server. The user name is bigbob.
>
>  
>
> Jun  6 10:38:35 docs unix_chkpwd[8737]: password check failed for user
> (bigbob)
>
> Jun  6 10:38:35 docs sudo: pam_unix(sudo:auth): authentication
> failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob
> rhost=  user=bigbob
>
> Jun  6 10:38:36 docs sudo: pam_sss(sudo:auth): authentication success;
> logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
>
> Jun  6 10:38:36 docs sudo:   bigbob : user NOT in sudoers ; TTY=pts/2
> ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/ls
>
> Jun  6 10:44:09 docs unix_chkpwd[8767]: password check failed for user
> (bigbob)
>
> Jun  6 10:44:09 docs sudo: pam_unix(sudo:auth): authentication
> failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob
> rhost=  user=bigbob
>
> Jun  6 10:44:10 docs sudo: pam_sss(sudo:auth): authentication success;
> logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
>
> Jun  6 10:44:10 docs sudo:   bigbob : user NOT in sudoers ; TTY=pts/2
> ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/pwd
>
>  
>

Looks like the sudo utility is not going over LDAP and tries to find the
user in the local file.
Can you bind to the LDAP server? Is the firewall port open?


> The command "/bin/pwd" is in the sudo commands and in the sudo command
> group.
>
>  
>
> Any help would be greatly appreciated.
>
>  
>
> Here are the setup steps that I performed on the client. The domain is
> foo.example.com.
>
>  
>
> # CITATION:
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html
>
>
>  
>
> # 
> # Update /etc/nsswitch.conf
> # 
> cat >/etc/nsswitch.conf <<EOF
> 
> # 
> # FreeIPA sudo support
> # 
> sudoers:  files ldap
> sudoers_debug: 1
> EOF
> 
> # 
> # Insert this just after the ipa_server line and restart sssd:
> # ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com
> # 
> cat /etc/sssd/sssd.conf | \
> awk '{print $0;if($1=="ipa_server"){printf("ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com\n");}}' >/tmp/x
> cp /tmp/x /etc/sssd/sssd.conf
> rm -f /tmp/x
> service sssd restart
> 
> # 
> # Create the /etc/nslcd.conf file
> # 
> ls /etc/nslcd.conf
> cat >/etc/nslcd.conf <<EOF
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=example,dc=com
> bindpw pwd/sudo
> 
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
> 
> bind_timelimit 5
> timelimit 15
> 
> uri ldap://cuthbert.foo.example.com
> sudoers_base ou=SUDOers,dc=foo,dc=example,dc=com
> EOF
> 
> # 
> # Set the NIS domain name (even though NIS is not used)
> # 
> nisdomainname foo.example.com
>
>  
>
> Thank you,
>
>  
>
> Joe
>
>  
>
>  
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



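Added example, not code from this thread, from FreeIPA or from sudo: a bash audit that pulls together the client-side checks the replies above scatter across several messages. It reads which backend /etc/nsswitch.conf hands "sudoers:" lookups to (Dmitri's two options: SSSD integration or a direct LDAP bind), then checks the matching config. For a direct-bind sudo-ldap.conf or nslcd.conf it checks that the bind runs over TLS with peer verification against /etc/ipa/ca.crt and that the file carrying bindpw is not world-readable; for SSSD it checks that the sudo responder and a sudo_provider are configured; and, per JR Aquino's reply on the 2.2 thread, it checks that `domainname` equals the IPA domain. The sample configs, the example.test domain, the file names under the temporary directory and the "mode 0600" policy for a file holding a bind password are this example's assumptions, not facts from the page; stat -c is GNU coreutils.

```shell
#!/bin/bash
# Added example (not from the thread, FreeIPA or sudo): audit the client-side
# sudo wiring discussed above. Assumptions: paths and both domain names are
# passed in so the checks can run on copies; "mode 0600" for a file holding
# bindpw is this example's policy; stat -c is GNU coreutils.

# Backend that serves "sudoers:" in an nsswitch.conf: sss, ldap, files or none.
sudo_backend() {
    local line
    line=$(grep -E '^[[:space:]]*sudoers:' "$1" | tail -n 1)
    case "$line" in
        *sss*)   echo sss ;;
        *ldap*)  echo ldap ;;
        *files*) echo files ;;
        *)       echo none ;;
    esac
}

# Direct-LDAP client (sudo-ldap.conf / nslcd.conf): one OK:/FAIL: line per finding.
check_ldap_conf() {
    local f=$1 mode
    grep -Eq '^[[:space:]]*uri[[:space:]]+ldaps?://' "$f" \
        && echo "OK: uri set" || echo "FAIL: no uri line"
    if grep -Eq '^[[:space:]]*uri[[:space:]]+ldaps://' "$f" \
       || grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls' "$f"; then
        echo "OK: bind is wrapped in TLS"
    else
        echo "FAIL: ldap:// without 'ssl start_tls': bindpw and sudo rules cross the wire in clear"
    fi
    grep -Eq '^[[:space:]]*tls_checkpeer[[:space:]]+yes' "$f" \
        && echo "OK: tls_checkpeer yes" || echo "FAIL: tls_checkpeer is not yes: server certificate never verified"
    grep -Eq '^[[:space:]]*tls_cacertfile[[:space:]]+' "$f" \
        && echo "OK: tls_cacertfile set" || echo "FAIL: no tls_cacertfile (IPA clients carry /etc/ipa/ca.crt)"
    grep -Eq '^[[:space:]]*sudoers_base[[:space:]]+' "$f" \
        && echo "OK: sudoers_base set" || echo "FAIL: no sudoers_base"
    if grep -Eq '^[[:space:]]*bindpw[[:space:]]+' "$f"; then
        mode=$(stat -c '%a' "$f")
        [ "$mode" = "600" ] && echo "OK: bindpw present, file mode 0600" \
            || echo "FAIL: bindpw present but file mode is $mode (want 0600, owner root)"
    else
        echo "FAIL: no bindpw, and ou=SUDOers is not readable anonymously"
    fi
}
# SSSD-integrated client: "sudo" in [sssd] services, sudo_provider in the domain.
check_sssd_conf() {
    local f=$1
    grep -Eq '^[[:space:]]*services[[:space:]]*=.*(=|[ ,])sudo([ ,]|$)' "$f" \
        && echo "OK: sudo responder enabled" || echo "FAIL: 'sudo' missing from services= in [sssd]"
    grep -Eq '^[[:space:]]*sudo_provider[[:space:]]*=[[:space:]]*(ipa|ldap)' "$f" \
        && echo "OK: sudo_provider set" || echo "FAIL: no sudo_provider in the domain section"
}
# sudo matches netgroups/hostgroups via the NIS domain name, so `domainname`
# on the client must equal the IPA domain (compared case-insensitively).
check_nis_domain() {
    local a e
    a=$(echo "$1" | tr 'A-Z' 'a-z'); e=$(echo "$2" | tr 'A-Z' 'a-z')
    [ "$a" = "$e" ] && echo "OK: NIS domain '$1' matches the IPA domain" \
        || echo "FAIL: NIS domain is '$1', IPA domain is '$2' (fix: nisdomainname $2)"
}
# Args: nsswitch.conf, backend config, output of `domainname`, IPA domain.
# Always returns 0; pipe the output through count_fails for a number.
audit_sudo_client() {
    local backend
    backend=$(sudo_backend "$1")
    case "$backend" in
        ldap) echo "OK: sudoers served by ldap"; check_ldap_conf "$2" ;;
        sss)  echo "OK: sudoers served by sss";  check_sssd_conf "$2" ;;
        *)    echo "FAIL: nsswitch sudoers backend is '$backend': sudo never asks IPA ('user NOT in sudoers')" ;;
    esac
    check_nis_domain "$3" "$4"
}
count_fails() { grep -c '^FAIL:' || true; }

# Constructed sample configs (invented for this example); prints their directory.
make_fixtures() {
    local d
    d=$(mktemp -d)
    printf 'passwd: files sss\nsudoers: files ldap\n' > "$d/nsswitch-ldap.conf"
    printf 'passwd: files sss\nsudoers: files sss\n' > "$d/nsswitch-sss.conf"
    # Weak: clear-text ldap://, no TLS, bind password readable by every local user.
    printf 'uri ldap://ipa.example.test\nbinddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=test\n' > "$d/weak-sudo-ldap.conf"
    printf 'bindpw secret\nsudoers_base ou=SUDOers,dc=example,dc=test\n' >> "$d/weak-sudo-ldap.conf"
    chmod 644 "$d/weak-sudo-ldap.conf"
    # Hardened: STARTTLS, peer verification against the IPA CA, mode 0600.
    printf 'ssl start_tls\ntls_cacertfile /etc/ipa/ca.crt\ntls_checkpeer yes\n' > "$d/good-sudo-ldap.conf"
    cat "$d/weak-sudo-ldap.conf" >> "$d/good-sudo-ldap.conf"
    chmod 600 "$d/good-sudo-ldap.conf"
    printf '[sssd]\nservices = nss, pam, sudo\ndomains = example.test\n\n' > "$d/sssd.conf"
    printf '[domain/example.test]\nid_provider = ipa\nsudo_provider = ipa\n' >> "$d/sssd.conf"
    echo "$d"
}

demo_dir=$(make_fixtures)
for cfg in weak good; do
    echo "== direct LDAP, $cfg config =="
    audit_sudo_client "$demo_dir/nsswitch-ldap.conf" "$demo_dir/$cfg-sudo-ldap.conf" example.test example.test
done
echo "== SSSD-integrated, domainname unset =="
audit_sudo_client "$demo_dir/nsswitch-sss.conf" "$demo_dir/sssd.conf" "(none)" example.test
rm -rf "$demo_dir"
```

On a real client run it as root against the live files, e.g. audit_sudo_client /etc/nsswitch.conf /etc/sudo-ldap.conf "$(domainname)" foo.example.com, and read every FAIL line as either a reason sudo answers "user NOT in sudoers" (wrong nsswitch backend, no sudoers_base, NIS domain mismatch) or a leak of the bind credential: a world-readable bindpw lets any local user query ou=SUDOers as that account, and a clear-text ldap:// bind without start_tls exposes the same password on the wire.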

[Freeipa-users] Setting up sudo clients

2012-06-06 Thread Joe Linoff
Hi Folks:

 

I am trying to configure sudo clients using FreeIPA 2.1.3 on CentOS 6.2
but I am running into a problem that I do not know how to debug. I
used the instructions provided here:
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example
-configuring-sudo.html. 

 

The server installation went fine and I even did a sudo client
installation on the server which worked well. Unfortunately, when I did
the same client setup on another host in the network I got the message:
 not in sudoers files when I tried to execute a command.

 

Here is the output from /var/log/secure on the client. I didn't see
anything strange on the server. The user name is bigbob.

 

Jun  6 10:38:35 docs unix_chkpwd[8737]: password check failed for user
(bigbob)

Jun  6 10:38:35 docs sudo: pam_unix(sudo:auth): authentication failure;
logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost=
user=bigbob

Jun  6 10:38:36 docs sudo: pam_sss(sudo:auth): authentication success;
logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost=
user=bigbob

Jun  6 10:38:36 docs sudo:   bigbob : user NOT in sudoers ; TTY=pts/2 ;
PWD=/home/bigbob ; USER=root ; COMMAND=/bin/ls

Jun  6 10:44:09 docs unix_chkpwd[8767]: password check failed for user
(bigbob)

Jun  6 10:44:09 docs sudo: pam_unix(sudo:auth): authentication failure;
logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost=
user=bigbob

Jun  6 10:44:10 docs sudo: pam_sss(sudo:auth): authentication success;
logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost=
user=bigbob

Jun  6 10:44:10 docs sudo:   bigbob : user NOT in sudoers ; TTY=pts/2 ;
PWD=/home/bigbob ; USER=root ; COMMAND=/bin/pwd

 

The command "/bin/pwd" is in the sudo commands and in the sudo command
group.

 

Any help would be greatly appreciated.

 

Here are the setup steps that I performed on the client. The domain is
foo.example.com.

 

# CITATION:
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example
-configuring-sudo.html 

 

# 

# Update /etc/nsswitch.conf

# 

cat >/etc/nsswitch.conf /etc/nslcd.conf