Re: [Freeipa-users] Setting up sudo
It actually took me a long time to find this information. It is poorly documented, but this mailing list post works. :)
https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html

On 13 February 2014 23:17, Todd Maugh wrote:
> the documentation is kinda vague on some parts
>
> from the documentation:
>
> Because the sudo information is not available anonymously over LDAP by
> default, Identity Management defines a default sudo user,
> uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX, which can be set in the LDAP/sudo
> configuration file, /etc/sudo-ldap.conf.
>
> so is this user supposed to be already predefined, or do I need to create the
> user and then modify them?
>
> thanks
>
> -Todd

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Setting up sudo
On Thu, Feb 13, 2014 at 06:30:37PM -0500, Dmitri Pal wrote:
> On 02/13/2014 06:23 PM, Todd Maugh wrote:
> > and If I am configuring the sudo-ldap.conf
> >
> > what should it look like? does anyone have an example?
>
> You have two options. Sudo can be integrated with SSSD or not.
> If you want SUDO to be integrated then this should help:
> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf

Also man sssd-sudo should have some examples.
Re: [Freeipa-users] Setting up sudo
On 02/13/2014 06:23 PM, Todd Maugh wrote:
> and If I am configuring the sudo-ldap.conf
>
> what should it look like? does anyone have an example?

You have two options. Sudo can be integrated with SSSD or not.

If you want SUDO to be integrated then this should help:
http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf

If you want to use SUDO independently from sssd and connect directly to IPA from SUDO, you need to configure sudo-ldap.conf and use some user to bind to IPA. This user should be configured in the file. See more details in the IPA docs:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#config-sudo-clients

> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Todd Maugh [tma...@boingo.com]
> Sent: Thursday, February 13, 2014 3:17 PM
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] Setting up sudo
>
> the documentation is kinda vague on some parts
>
> from the documentation:
>
> Because the sudo information is not available anonymously over LDAP by default, Identity Management defines a default sudo user, uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX, which can be set in the LDAP/sudo configuration file, /etc/sudo-ldap.conf.
>
> so is this user supposed to be already predefined, or do I need to create the user and then modify them?
>
> thanks
>
> -Todd

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
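Dmitri's second option is the one that deserves a second look before it goes into production: with sudo talking to IPA directly, the sudo binary itself holds the bind user's password, so the file that carries it has to be readable by root only and the LDAP connection has to be encrypted and verified, or the password and every sudo rule cross the wire in the clear. The script below is an added example (it is not code from this thread or from FreeIPA) that parses a sudoers.ldap(5)-style file and flags exactly those settings. The keyword names are the ones sudoers.ldap(5) documents; the host name, DNs and password in its two sample configs are constructed.

```python
"""Sanity checks for a sudoers.ldap(5)-style /etc/sudo-ldap.conf.

Added example, not code from the thread or from FreeIPA. Keyword names
(uri, binddn, bindpw, sudoers_base, ssl, tls_checkpeer, tls_cacertfile)
are the ones sudoers.ldap(5) documents; the host name, DNs and password in
the sample configs below are constructed.
"""
import os
import stat

REQUIRED = ("uri", "sudoers_base", "binddn", "bindpw")
ENCRYPTED_SSL_VALUES = {"on", "true", "yes", "start_tls"}


def parse_ldap_conf(text):
    """Parse 'keyword value' lines; keywords are case-insensitive, '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def check_sudo_ldap_conf(text, mode=0o600):
    """Return a list of findings for the config text; an empty list means it passes.

    `mode` is the file's permission bits (stat.S_IMODE). It matters because
    the file carries the bind user's password in clear text.
    """
    conf = parse_ldap_conf(text)
    findings = [f"missing '{key}'" for key in REQUIRED if key not in conf]
    uri = conf.get("uri", "").lower()
    encrypted = uri.startswith("ldaps://") or conf.get("ssl", "").lower() in ENCRYPTED_SSL_VALUES
    if not encrypted:
        findings.append("bind password and sudo rules travel in clear text: set 'ssl start_tls' or use an ldaps:// uri")
    if conf.get("tls_checkpeer", "").lower() != "yes":
        findings.append("server certificate is not verified: set 'tls_checkpeer yes'")
    if "tls_cacertfile" not in conf:
        findings.append("no CA to verify against: set 'tls_cacertfile /etc/ipa/ca.crt'")
    if "bindpw" in conf and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} lets non-root users read bindpw: chmod 0600")
    return findings


def check_file(path):
    """Run the checks against a real file, taking the mode from disk."""
    with open(path) as fh:
        text = fh.read()
    return check_sudo_ldap_conf(text, stat.S_IMODE(os.stat(path).st_mode))


# Constructed: the bare skeleton you get from the docs, with nothing about TLS.
WEAK_CONF = """\
uri ldap://ipa.example.com
sudoers_base ou=SUDOers,dc=example,dc=com
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw changeme
"""

# Constructed: the same file with the server verified and the password protected.
GOOD_CONF = """\
uri ldap://ipa.example.com
sudoers_base ou=SUDOers,dc=example,dc=com
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw changeme
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
"""

if __name__ == "__main__":
    for name, text, mode in (("weak", WEAK_CONF, 0o644), ("good", GOOD_CONF, 0o600)):
        print(name, check_sudo_ldap_conf(text, mode) or ["ok"])
```

check_file("/etc/sudo-ldap.conf") runs the same checks on the live file, taking the mode from disk. The weak sample trips four findings (clear-text transport, no peer verification, no CA, world-readable password); the good one passes. Note that a config can be functionally correct, that is, sudo finds its rules, and still fail every one of these checks.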
Re: [Freeipa-users] Setting up sudo
and If I am configuring the sudo-ldap.conf

what should it look like? does anyone have an example?

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Todd Maugh [tma...@boingo.com]
Sent: Thursday, February 13, 2014 3:17 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Setting up sudo

the documentation is kinda vague on some parts

from the documentation:

Because the sudo information is not available anonymously over LDAP by default, Identity Management defines a default sudo user, uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX, which can be set in the LDAP/sudo configuration file, /etc/sudo-ldap.conf.

so is this user supposed to be already predefined, or do I need to create the user and then modify them?

thanks

-Todd
[Freeipa-users] Setting up sudo
the documentation is kinda vague on some parts

from the documentation:

Because the sudo information is not available anonymously over LDAP by default, Identity Management defines a default sudo user, uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX, which can be set in the LDAP/sudo configuration file, /etc/sudo-ldap.conf.

so is this user supposed to be already predefined, or do I need to create the user and then modify them?

thanks

-Todd
Re: [Freeipa-users] Setting up sudo in FreeIPA v2.2
On Tue, Oct 16, 2012 at 10:50 PM, JR Aquino wrote:
> On the host in question run the command: domainname
>
> That wants to match whatever your domain is. If it doesn't, it will fail
> even if you have all the server rules configured correctly. This is a sudo
> + netgroups/hostgroups 'feature'.
>
> ~
> Jr Aquino | Sr. Information Security Specialist
> GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
> T: +1 805.690.3478
> C: +1 805.717.0365
> jr.aqu...@citrixonline.com
> http://www.citrixonline.com
>
> On Oct 16, 2012, at 2:26 PM, "Toasted Penguin" <toastedpenguini...@gmail.com> wrote:
>
> > I have the server set up to manage sudo and I configured a target client
> > to use the IPA server for sudo. When a user tries to use sudo (in this
> > case "sudo su -") it fails and they get the error "user is not allowed to
> > run sudo on client-host. This incident will be reported." I verified via
> > the log files that the client is making requests to the IPA server when the
> > user is attempting to use sudo and it fails. I temporarily disabled using
> > the IPA server for sudo and I get the standard "User not in the sudoers
> > file".
> >
> > It's starting to look like the server rules may be the issue, but I believe
> > I have the sudo rule set up correctly. I created a sudo command "/bin/su",
> > created a sudo rule "Sudo to root", added the group the user in question
> > is a part of to Who --> User Groups; added the Host Group the target
> > client host is part of to Access This Host --> Host Groups; and added the sudo
> > command to the sudo rule via Allow --> Sudo Allow Commands. When I delete
> > the sudo rule I get the same result as I did when I temporarily disabled the
> > client host using the IPA server for sudo verification.
> >
> > Any ideas why or where to look to figure out this issue?
> >
> > Thanks,
> > David

Executing domainname results in the correct domain for the FreeIPA service.
Re: [Freeipa-users] Setting up sudo in FreeIPA v2.2
On the host in question run the command: domainname

That wants to match whatever your domain is. If it doesn't, it will fail even if you have all the server rules configured correctly. This is a sudo + netgroups/hostgroups 'feature'.

~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
C: +1 805.717.0365
jr.aqu...@citrixonline.com
http://www.citrixonline.com

On Oct 16, 2012, at 2:26 PM, "Toasted Penguin" wrote:
> I have the server set up to manage sudo and I configured a target client to
> use the IPA server for sudo. When a user tries to use sudo (in this case
> "sudo su -") it fails and they get the error "user is not allowed to run sudo
> on client-host. This incident will be reported." I verified via the log
> files that the client is making requests to the IPA server when the user is
> attempting to use sudo and it fails. I temporarily disabled using the IPA
> server for sudo and I get the standard "User not in the sudoers file".
>
> It's starting to look like the server rules may be the issue, but I believe I
> have the sudo rule set up correctly. I created a sudo command "/bin/su",
> created a sudo rule "Sudo to root", added the group the user in question is
> a part of to Who --> User Groups; added the Host Group the target client
> host is part of to Access This Host --> Host Groups; and added the sudo command
> to the sudo rule via Allow --> Sudo Allow Commands. When I delete the sudo
> rule I get the same result as I did when I temporarily disabled the client
> host using the IPA server for sudo verification.
>
> Any ideas why or where to look to figure out this issue?
>
> Thanks,
> David
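What JR describes is netgroup matching: IPA's compat tree exposes host groups as netgroups, and when a sudo rule's host entry is a `+hostgroup`, sudo resolves it with innetgr(3), passing the client's NIS domain name, which is the value `domainname` prints. The following is an added example, not code from this thread or from sudo, glibc or FreeIPA, that models that lookup so the failure mode can be seen offline. The netgroup map in it is constructed; the (host,-,domain) triple shape, and the assumption that IPA fills the domain slot with the IPA domain, should be checked against your own tree (for instance with ldapsearch under cn=ng,cn=compat,$SUFFIX).

```python
"""innetgr(3)-style netgroup matching, to show what the `domainname` hint tests.

Added example; not code from the thread, FreeIPA, glibc or sudo. The
netgroup map below is constructed to look like what IPA's compat tree
publishes for a host group: one (host,-,domain) triple per member, with the
IPA domain in the domain slot (an assumption; verify against your tree).
"""
import re

TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_triples(value):
    """'(h1,-,d) (h2,-,d)' -> [(h1, '-', d), (h2, '-', d)]"""
    return [tuple(f.strip() for f in m.groups()) for m in TRIPLE_RE.finditer(value)]


def field_matches(field, wanted):
    """One slot of a triple, with netgroup(5) rules: wanted=None means the
    caller does not care; '' in the triple is a wildcard; '-' in the triple
    matches nothing; anything else must compare equal."""
    if wanted is None:
        return True
    if field == "":
        return True
    if field == "-":
        return False
    return field == wanted


def innetgr(netgroups, name, host=None, user=None, domain=None, _seen=None):
    """True if (host, user, domain) is in netgroup `name`, following nested members."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in netgroups:
        return False
    _seen.add(name)
    entry = netgroups[name]
    for h, u, d in entry.get("triples", ()):
        if field_matches(h, host) and field_matches(u, user) and field_matches(d, domain):
            return True
    return any(innetgr(netgroups, m, host, user, domain, _seen) for m in entry.get("members", ()))


def sudo_host_matches(sudo_host, netgroups, client_fqdn, nis_domain):
    """sudo's test of one sudoHost value: ALL, +netgroup (innetgr with the
    host's NIS domain, i.e. what `domainname` prints), or an exact host name.
    Other forms sudo accepts (IP address, network/netmask) are left out."""
    if sudo_host == "ALL":
        return True
    if sudo_host.startswith("+"):
        return innetgr(netgroups, sudo_host[1:], host=client_fqdn, domain=nis_domain)
    return sudo_host.lower() == client_fqdn.lower()


def current_nis_domain(path="/proc/sys/kernel/domainname"):
    """What `domainname` prints on Linux; '(none)' when it was never set."""
    try:
        with open(path) as fh:
            return fh.read().strip() or "(none)"
    except OSError:
        return "(none)"


# Constructed compat-tree view of the host group 'webservers' and a group nesting it.
NETGROUPS = {
    "webservers": {
        "triples": parse_triples("(web1.example.com,-,example.com) (web2.example.com,-,example.com)"),
        "members": [],
    },
    "all-managed": {"triples": [], "members": ["webservers"]},
}

if __name__ == "__main__":
    for dom in ("example.com", "corp.local"):
        print(f"domainname={dom!r:14} +webservers matches web1.example.com:",
              sudo_host_matches("+webservers", NETGROUPS, "web1.example.com", dom))
```

With the rule's host set to +webservers and the client named web1.example.com, the match succeeds only when the client's NIS domain is the one in the triple; any other value fails even though the rule, the host group and the membership are all correct, which is the symptom David reports. The "-" in the user slot is also why a host-group netgroup never matches a user lookup.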
Re: [Freeipa-users] Setting up sudo in FreeIPA v2.2
On 10/16/2012 06:04 PM, Rob Crittenden wrote:
> Toasted Penguin wrote:
>> I have the server set up to manage sudo and I configured a target client
>> to use the IPA server for sudo. When a user tries to use sudo (in this
>> case "sudo su -") it fails and they get the error "user is not allowed
>> to run sudo on client-host. This incident will be reported." I verified
>> via the log files that the client is making requests to the IPA server
>> when the user is attempting to use sudo and it fails. I temporarily
>> disabled using the IPA server for sudo and I get the standard "User not
>> in the sudoers file".
>>
>> It's starting to look like the server rules may be the issue, but I believe
>> I have the sudo rule set up correctly. I created a sudo command
>> "/bin/su", created a sudo rule "Sudo to root", added the group the user
>> in question is a part of to Who --> User Groups; added the Host Group
>> the target client host is part of to Access This Host --> Host Groups;
>> and added the sudo command to the sudo rule via Allow --> Sudo Allow
>> Commands. When I delete the sudo rule I get the same result as I did
>> when I temporarily disabled the client host using the IPA server for
>> sudo verification.
>>
>> Any ideas why or where to look to figure out this issue?
>>
>> Thanks,
>> David
>
> I took a look at the docs and they state to edit /etc/nslcd.conf. You
> want /etc/ldap.conf for the configuration. Can you give that a try?
>
> Adding sudoers_debug 2 should provide copious information on stdout.

Also following another thread might help:
https://www.redhat.com/archives/freeipa-users/2012-October/msg00097.html

> rob

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Re: [Freeipa-users] Setting up sudo in FreeIPA v2.2
Toasted Penguin wrote:
> I have the server set up to manage sudo and I configured a target client to
> use the IPA server for sudo. When a user tries to use sudo (in this case
> "sudo su -") it fails and they get the error "user is not allowed to run sudo
> on client-host. This incident will be reported." I verified via the log
> files that the client is making requests to the IPA server when the user is
> attempting to use sudo and it fails. I temporarily disabled using the IPA
> server for sudo and I get the standard "User not in the sudoers file".
>
> It's starting to look like the server rules may be the issue, but I believe I
> have the sudo rule set up correctly. I created a sudo command "/bin/su",
> created a sudo rule "Sudo to root", added the group the user in question is
> a part of to Who --> User Groups; added the Host Group the target client
> host is part of to Access This Host --> Host Groups; and added the sudo command
> to the sudo rule via Allow --> Sudo Allow Commands. When I delete the sudo
> rule I get the same result as I did when I temporarily disabled the client
> host using the IPA server for sudo verification.
>
> Any ideas why or where to look to figure out this issue?
>
> Thanks,
> David

I took a look at the docs and they state to edit /etc/nslcd.conf. You want /etc/ldap.conf for the configuration. Can you give that a try?

Adding sudoers_debug 2 should provide copious information on stdout.

rob
Re: [Freeipa-users] Setting up sudo in FreeIPA v2.2
Can you turn on debugging? Add "sudoers_debug 2" to /etc/sudo-ldap.conf (assumes RHEL 6.3).

Also you could try adding the host directly to the sudo rule and not via a host group, as that seems buggy.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Toasted Penguin [toastedpenguini...@gmail.com]
Sent: Wednesday, 17 October 2012 10:24 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Setting up sudo in FreeIPA v2.2

I have the server set up to manage sudo and I configured a target client to use the IPA server for sudo. When a user tries to use sudo (in this case "sudo su -") it fails and they get the error "user is not allowed to run sudo on client-host. This incident will be reported." I verified via the log files that the client is making requests to the IPA server when the user is attempting to use sudo and it fails. I temporarily disabled using the IPA server for sudo and I get the standard "User not in the sudoers file".

It's starting to look like the server rules may be the issue, but I believe I have the sudo rule set up correctly. I created a sudo command "/bin/su", created a sudo rule "Sudo to root", added the group the user in question is a part of to Who --> User Groups; added the Host Group the target client host is part of to Access This Host --> Host Groups; and added the sudo command to the sudo rule via Allow --> Sudo Allow Commands. When I delete the sudo rule I get the same result as I did when I temporarily disabled the client host using the IPA server for sudo verification.

Any ideas why or where to look to figure out this issue?

Thanks,
David
[Freeipa-users] Setting up sudo in FreeIPA v2.2
I have the server set up to manage sudo and I configured a target client to use the IPA server for sudo. When a user tries to use sudo (in this case "sudo su -") it fails and they get the error "user is not allowed to run sudo on client-host. This incident will be reported." I verified via the log files that the client is making requests to the IPA server when the user is attempting to use sudo and it fails. I temporarily disabled using the IPA server for sudo and I get the standard "User not in the sudoers file".

It's starting to look like the server rules may be the issue, but I believe I have the sudo rule set up correctly. I created a sudo command "/bin/su", created a sudo rule "Sudo to root", added the group the user in question is a part of to Who --> User Groups; added the Host Group the target client host is part of to Access This Host --> Host Groups; and added the sudo command to the sudo rule via Allow --> Sudo Allow Commands. When I delete the sudo rule I get the same result as I did when I temporarily disabled the client host using the IPA server for sudo verification.

Any ideas why or where to look to figure out this issue?

Thanks,
David
Re: [Freeipa-users] Setting up sudo clients
On 06/06/2012 01:59 PM, Joe Linoff wrote:
> Hi Folks:
>
> I am trying to configure sudo clients using FreeIPA 2.1.3 on CentOS
> 6.2 but I am running into a problem that I do not know how to
> debug. I used the instructions provided here:
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html
>
> The server installation went fine and I even did a sudo client
> installation on the server which worked well. Unfortunately, when I
> did the same client setup on another host in the network I got the
> message "not in sudoers file" when I tried to execute a command.
>
> Here is the output from /var/log/secure on the client. I didn't see
> anything strange on the server. The user name is bigbob.
>
> Jun 6 10:38:35 docs unix_chkpwd[8737]: password check failed for user (bigbob)
> Jun 6 10:38:35 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
> Jun 6 10:38:36 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
> Jun 6 10:38:36 docs sudo: bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/ls
> Jun 6 10:44:09 docs unix_chkpwd[8767]: password check failed for user (bigbob)
> Jun 6 10:44:09 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
> Jun 6 10:44:10 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
> Jun 6 10:44:10 docs sudo: bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/pwd

Looks like the sudo utility is not going over LDAP and tries to find the user in the local file. Can you bind to the LDAP server? Is the firewall port open?

> The command "/bin/pwd" is in the sudo commands and in the sudo command
> group.
>
> Any help would be greatly appreciated.
>
> Here are the setup steps that I performed on the client. The domain is
> foo.example.com.
>
> # CITATION:
> # http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html
>
> #
> # Update /etc/nsswitch.conf (append; overwriting the file would break
> # every other name-service lookup on the host)
> #
> cat >>/etc/nsswitch.conf <<EOF
>
> #
> # FreeIPA sudo support
> #
> sudoers: files ldap
> sudoers_debug: 1
> EOF
>
> #
> # Insert this just after the ipa_server line and restart sssd:
> #   ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com
> #
> cat /etc/sssd/sssd.conf | \
>   awk '{print $0; if ($1=="ipa_server") {printf("ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com\n");}}' >/tmp/x
> cp /tmp/x /etc/sssd/sssd.conf
> rm -f /tmp/x
> service sssd restart
>
> #
> # Create the /etc/nslcd.conf file
> #
> ls /etc/nslcd.conf
> cat >/etc/nslcd.conf <<EOF
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=example,dc=com
> bindpw pwd/sudo
>
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
>
> bind_timelimit 5
> timelimit 15
>
> uri ldap://cuthbert.foo.example.com
> sudoers_base ou=SUDOers,dc=foo,dc=example,dc=com
> EOF
>
> #
> # Set the NIS domain name (even though NIS is not used)
> #
> nisdomainname foo.example.com
>
> Thank you,
>
> Joe

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
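Dmitri's reading of Joe's log is worth making mechanical, because it is the first split to make on any sudo failure: pam_unix fails, pam_sss then succeeds, and only after that does sudo report "user NOT in sudoers". Authentication worked; it is the sudoers lookup (the nsswitch sudoers line, the LDAP bind, the firewall) that came back empty, so a password or PAM change cannot fix it. Below is an added example, not code from the thread, that parses those /var/log/secure lines and classifies each attempt; its input is Joe's posted lines plus two constructed lines for a command that was allowed, so the other branch is exercised too.

```python
"""Read sudo's /var/log/secure lines and separate 'who are you' (PAM auth)
from 'what may you run' (sudoers lookup) failures.

Added example, not from the thread. SAMPLE_LOG holds the lines Joe posted
plus two constructed lines (marked) for a command that was allowed.
"""
import re

# e.g. "sudo: pam_unix(sudo:auth): authentication failure; logname=... user=bigbob"
PAM_RE = re.compile(
    r"sudo: (?P<module>pam_\w+)\(sudo:auth\): authentication (?P<result>success|failure);"
    r".*?\buser=(?P<user>\S+)"
)
# denied:  "bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=... ; USER=root ; COMMAND=/bin/ls"
# allowed: "bigbob : TTY=pts/2 ; PWD=... ; USER=root ; COMMAND=/bin/pwd"
DECISION_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?:(?P<reason>[^;]*?) ; )?TTY=(?P<tty>\S+) ; "
    r"PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def classify(lines):
    """One record per sudo decision, paired with the PAM outcome that preceded it."""
    events, pending_auth = [], {}
    for line in lines:
        m = PAM_RE.search(line)
        if m:
            user, outcome = m["user"], (m["module"], m["result"])
            # keep the module that finally succeeded: pam_unix failing before
            # pam_sss succeeds is normal for a directory user
            if outcome[1] == "success" or pending_auth.get(user, ("", ""))[1] != "success":
                pending_auth[user] = outcome
            continue
        m = DECISION_RE.search(line)
        if m:
            events.append({
                "user": m["user"],
                "command": m["cmd"],
                "target": m["target"],
                "decision": "denied" if m["reason"] else "allowed",
                "reason": m["reason"] or "",
                "auth": pending_auth.pop(m["user"], None),
            })
    return events


def diagnose(event):
    """Where to look next for one decision record."""
    if event["decision"] == "allowed":
        return "ok"
    auth = event["auth"]
    if auth is None:
        return "no-auth-record"        # no PAM line seen (cached credentials, NOPASSWD, ...)
    if auth[1] != "success":
        return "authn-failed"          # password or PAM stack problem
    if "NOT in sudoers" in event["reason"]:
        return "authz-no-rule"         # authenticated, but no sudoers source produced a rule
    return "authz-denied"              # a rule was found and said no


SAMPLE_LOG = [
    # Joe's lines, as posted
    "Jun 6 10:38:35 docs unix_chkpwd[8737]: password check failed for user (bigbob)",
    "Jun 6 10:38:35 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob",
    "Jun 6 10:38:36 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob",
    "Jun 6 10:38:36 docs sudo: bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/ls",
    "Jun 6 10:44:09 docs unix_chkpwd[8767]: password check failed for user (bigbob)",
    "Jun 6 10:44:09 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob",
    "Jun 6 10:44:10 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob",
    "Jun 6 10:44:10 docs sudo: bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/pwd",
    # constructed: the same command once a rule is found
    "Jun 6 10:50:01 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob",
    "Jun 6 10:50:01 docs sudo: bigbob : TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/pwd",
]

if __name__ == "__main__":
    for ev in classify(SAMPLE_LOG):
        print(f'{ev["user"]} {ev["command"]:10} auth={ev["auth"]} -> {diagnose(ev)}')
```

Joe's two attempts both come out as authz-no-rule with auth=('pam_sss', 'success'), which is the signature to look for: the directory authenticated the user, so the next thing to verify is whether the client can bind to IPA with the sudo system account and read ou=SUDOers at all, not anything on the PAM side. The same parser turns a "3 incorrect password attempts" line into authn-failed, the opposite case.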
[Freeipa-users] Setting up sudo clients
Hi Folks:

I am trying to configure sudo clients using FreeIPA 2.1.3 on CentOS 6.2 but I am running into a problem that I do not know how to debug. I used the instructions provided here:
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html

The server installation went fine and I even did a sudo client installation on the server which worked well. Unfortunately, when I did the same client setup on another host in the network I got the message "not in sudoers file" when I tried to execute a command.

Here is the output from /var/log/secure on the client. I didn't see anything strange on the server. The user name is bigbob.

Jun 6 10:38:35 docs unix_chkpwd[8737]: password check failed for user (bigbob)
Jun 6 10:38:35 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun 6 10:38:36 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun 6 10:38:36 docs sudo: bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/ls
Jun 6 10:44:09 docs unix_chkpwd[8767]: password check failed for user (bigbob)
Jun 6 10:44:09 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun 6 10:44:10 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun 6 10:44:10 docs sudo: bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/pwd

The command "/bin/pwd" is in the sudo commands and in the sudo command group.

Any help would be greatly appreciated.

Here are the setup steps that I performed on the client. The domain is foo.example.com.

# CITATION:
# http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html

#
# Update /etc/nsswitch.conf (append; overwriting the file would break
# every other name-service lookup on the host)
#
cat >>/etc/nsswitch.conf <<EOF

#
# FreeIPA sudo support
#
sudoers: files ldap
sudoers_debug: 1
EOF

#
# Insert this just after the ipa_server line and restart sssd:
#   ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com
#
cat /etc/sssd/sssd.conf | \
  awk '{print $0; if ($1=="ipa_server") {printf("ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com\n");}}' >/tmp/x
cp /tmp/x /etc/sssd/sssd.conf
rm -f /tmp/x
service sssd restart

#
# Create the /etc/nslcd.conf file
#
ls /etc/nslcd.conf
cat >/etc/nslcd.conf <<EOF
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=example,dc=com
bindpw pwd/sudo

ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes

bind_timelimit 5
timelimit 15

uri ldap://cuthbert.foo.example.com
sudoers_base ou=SUDOers,dc=foo,dc=example,dc=com
EOF

#
# Set the NIS domain name (even though NIS is not used)
#
nisdomainname foo.example.com

Thank you,

Joe