[Freeipa-users] Setting up sudo clients

2012-06-06 Thread Joe Linoff
Hi Folks:

I am trying to configure sudo clients using FreeIPA 2.1.3 on CentOS 6.2
but I am running into a problem that I do not know how to debug. I
used the instructions provided here:
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html

The server installation went fine and I even did a sudo client
installation on the server which worked well. Unfortunately, when I did
the same client setup on another host in the network I got the message
"user not in sudoers files" when I tried to execute a command.

Here is the output from /var/log/secure on the client. I didn't see
anything strange on the server. The user name is bigbob.

Jun  6 10:38:35 docs unix_chkpwd[8737]: password check failed for user (bigbob)
Jun  6 10:38:35 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun  6 10:38:36 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun  6 10:38:36 docs sudo:   bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/ls
Jun  6 10:44:09 docs unix_chkpwd[8767]: password check failed for user (bigbob)
Jun  6 10:44:09 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun  6 10:44:10 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun  6 10:44:10 docs sudo:   bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/pwd

The command /bin/pwd is in the sudo commands and in the sudo command
group.

Any help would be greatly appreciated.

Here are the setup steps that I performed on the client. The domain is
foo.example.com.

# CITATION:
# http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html

#
# Update /etc/nsswitch.conf
#
# Append to the existing file; do not overwrite it.
cat >> /etc/nsswitch.conf << EOF

#
# FreeIPA sudo support
#
sudoers:  files ldap
sudoers_debug: 1
EOF

#
# Insert this just after the ipa_server line and restart sssd:
# ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com
#
# The awk match assumes the line is written "ipa_server = ..." with
# spaces around the "=", so that $1 is exactly "ipa_server".
cat /etc/sssd/sssd.conf | \
  awk '{print $0; if ($1 == "ipa_server") {printf("ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com\n");}}' > /tmp/x
cp /tmp/x /etc/sssd/sssd.conf
rm -f /tmp/x
service sssd restart

#
# Create the /etc/nslcd.conf file
#
ls /etc/nslcd.conf
cat > /etc/nslcd.conf << EOF
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=example,dc=com
bindpw pwd/sudo

ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes

bind_timelimit 5
timelimit 15

uri ldap://cuthbert.foo.example.com
sudoers_base ou=SUDOers,dc=foo,dc=example,dc=com
EOF

#
# Set the NIS domain name (even though NIS is not used)
#
nisdomainname foo.example.com

Thank you,

Joe

 

 

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Setting up sudo clients

2012-06-06 Thread Dmitri Pal
On 06/06/2012 01:59 PM, Joe Linoff wrote:

> Hi Folks:
>
> I am trying to configure sudo clients using FreeIPA 2.1.3 on CentOS
> 6.2 but I am running into a problem that I do not know how to
> debug. I used the instructions provided here:
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html
>
> The server installation went fine and I even did a sudo client
> installation on the server which worked well. Unfortunately, when I
> did the same client setup on another host in the network I got the
> message "user not in sudoers files" when I tried to execute a command.
>
> Here is the output from /var/log/secure on the client. I didn't see
> anything strange on the server. The user name is bigbob.
>
> Jun  6 10:38:35 docs unix_chkpwd[8737]: password check failed for user (bigbob)
> Jun  6 10:38:35 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
> Jun  6 10:38:36 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
> Jun  6 10:38:36 docs sudo:   bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/ls
> Jun  6 10:44:09 docs unix_chkpwd[8767]: password check failed for user (bigbob)
> Jun  6 10:44:09 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
> Jun  6 10:44:10 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
> Jun  6 10:44:10 docs sudo:   bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/pwd

Looks like the sudo utility is not going over the ldap and tries to find
the user in the local file.
Can you bind to the ldap server? Is the firewall port open?


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


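As an added triage example (not code from the thread or from FreeIPA), the script below pairs the PAM auth results in the /var/log/secure lines Joe posted with sudo's own decision line, so that a "user NOT in sudoers" that follows a pam_sss success is flagged as a sudoers-source problem rather than a bad password, which is the distinction Dmitri's reply draws. The embedded log is the 10:38 attempt from the thread; the regexes assume the stock CentOS 6 sudo/PAM log format.

```python
import re

# Constructed sample input: the /var/log/secure lines quoted in the thread
# (the 10:38 attempt), re-joined onto single lines as syslog writes them.
SAMPLE_LOG = """\
Jun  6 10:38:35 docs unix_chkpwd[8737]: password check failed for user (bigbob)
Jun  6 10:38:35 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun  6 10:38:36 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun  6 10:38:36 docs sudo:   bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/ls
"""

# PAM result per module, the "NOT in sudoers" denial, and the normal allow line.
PAM_RE = re.compile(r" sudo: (pam_\w+)\(sudo:auth\): authentication (success|failure);.*\buser=(\S+)")
DENY_RE = re.compile(r" sudo:\s+(\S+) : user NOT in sudoers ;.*COMMAND=(\S+)")
ALLOW_RE = re.compile(r" sudo:\s+(\S+) : TTY=\S+ ;.*COMMAND=(\S+)")


def triage(log_text):
    """Pair each sudo decision with the PAM auth results logged just before it.

    Returns a list of (user, command, decision, verdict) tuples.
    """
    pending = {}    # user -> {pam module: result} awaiting a sudo decision
    verdicts = []
    for line in log_text.splitlines():
        m = PAM_RE.search(line)
        if m:
            module, result, user = m.groups()
            pending.setdefault(user, {})[module] = result
            continue
        m, decision = DENY_RE.search(line), "denied"
        if not m:
            m, decision = ALLOW_RE.search(line), "allowed"
        if not m:
            continue    # unix_chkpwd chatter and unrelated lines
        user, cmd = m.groups()
        auth = pending.pop(user, {})
        if decision == "allowed":
            verdict = "ok"
        elif auth.get("pam_sss") == "success":
            # The pam_unix failure just before this is expected for a directory-only
            # user (no /etc/shadow entry) and is not a bad password. Identity was
            # proven against IPA, yet sudo found no rule: the LDAP sudoers source was
            # not consulted or returned nothing, which is the situation in this thread.
            verdict = "directory user authenticated but no sudo rule returned; check sudoers source"
        elif auth.get("pam_unix") == "success":
            verdict = "local user with no matching sudoers entry"
        else:
            verdict = "denied without a successful authentication on record"
        verdicts.append((user, cmd, decision, verdict))
    return verdicts
```

Feed it the whole of /var/log/secure and look for the first verdict: if every denied attempt for IPA users carries the "check sudoers source" verdict, the fault is in the nsswitch/nslcd/LDAP path, not in the user's credentials.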