Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-30 Thread Jeff Goddard
Cory,

Thanks for the update and link. And a big thanks to everyone else for their
time looking at this. I also was able to install the referenced .deb and
now sudo works as expected.

Jeff

On Tue, Aug 30, 2016 at 12:46 PM, Cory Francis Myers <
c...@trinitymobilenetworks.com> wrote:

> Pavel Březina | Tue, 30 Aug 2016 02:59:55 -0700:
> > unfortunately sudo 1.8.16 introduced a bug in the sssd plugin. 1.8.16
> > contains a new option called netgroup_tuple, which tells whether the
> > full netgroup tuple is checked or only the host/user part in the host/user
> > check. However, the patch didn't make the sssd plugin obey this
> > option and it always checks both hostname and username.
> >
> > It is fixed in 1.8.17 by this patch:
> > https://www.sudo.ws/repos/sudo/rev/2eab4070dcf7
> >
> > Please report a bug against Ubuntu sudo to backport this patch or rebase
> > sudo.
>
> Already open on Launchpad, it looks like:
>
> https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1607666
>
>
> sudo 1.8.17 installed from "sudo_1.8.17-2_amd64.deb"[1] is working for
> us now.  Thank you for the suggestion.
>
> Jeff, I hope you have the same good luck.
>
>
> --- cfm.
>
>
> [1] https://www.sudo.ws/download.html
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-30 Thread Cory Francis Myers
Pavel Březina | Tue, 30 Aug 2016 02:59:55 -0700:
> unfortunately sudo 1.8.16 introduced a bug in the sssd plugin. 1.8.16
> contains a new option called netgroup_tuple, which tells whether the
> full netgroup tuple is checked or only the host/user part in the host/user
> check. However, the patch didn't make the sssd plugin obey this
> option and it always checks both hostname and username.
> 
> It is fixed in 1.8.17 by this patch:
> https://www.sudo.ws/repos/sudo/rev/2eab4070dcf7
> 
> Please report a bug against Ubuntu sudo to backport this patch or rebase
> sudo.

Already open on Launchpad, it looks like:

https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1607666


sudo 1.8.17 installed from "sudo_1.8.17-2_amd64.deb"[1] is working for
us now.  Thank you for the suggestion.

Jeff, I hope you have the same good luck.


--- cfm.


[1] https://www.sudo.ws/download.html



Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-30 Thread Pavel Březina

On 08/26/2016 02:15 PM, Jeff Goddard wrote:

Pavel,

I appreciate that you're busy and thank you for taking time to look at
this. Here is the output:

[root@id-management-1 ~]# ipa sudorule-show
Rule name: all
   Rule name: All
   Description: Full sudo access for Developer group in office environment
   Enabled: TRUE
   Command category: all
   RunAs User category: all
   RunAs Group category: all
   User Groups: developers
   Host Groups: office
[root@id-management-1 ~]#


Hi,
unfortunately sudo 1.8.16 introduced a bug in the sssd plugin. 1.8.16 
contains a new option called netgroup_tuple, which tells whether the full 
netgroup tuple is checked or only the host/user part in the host/user check. 
However, the patch didn't make the sssd plugin obey this option and 
it always checks both hostname and username.


It is fixed in 1.8.17 by this patch:
https://www.sudo.ws/repos/sudo/rev/2eab4070dcf7

Please report a bug against Ubuntu sudo to backport this patch or rebase 
sudo.




Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-26 Thread Jeff Goddard
Pavel,

I appreciate that you're busy and thank you for taking time to look at
this. Here is the output:

[root@id-management-1 ~]# ipa sudorule-show
Rule name: all
  Rule name: All
  Description: Full sudo access for Developer group in office environment
  Enabled: TRUE
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: developers
  Host Groups: office
[root@id-management-1 ~]#



On Fri, Aug 26, 2016 at 5:34 AM, Pavel Březina  wrote:

> On 08/25/2016 08:01 PM, Jeff Goddard wrote:
>
>> I'm still hoping someone can offer additional help. I see in the apt
>> term.log these errors when downloading the freeipa-client package. Could
>> this be the problem?
>>
>
> Hi,
> I'm sorry, I somehow overlooked this thread. Can you provide output of ipa
> sudorule-show please?
>
> Thank you.
>
>
>


Jeff

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-26 Thread Pavel Březina

On 08/25/2016 08:01 PM, Jeff Goddard wrote:

I'm still hoping someone can offer additional help. I see in the apt
term.log these errors when downloading the freeipa-client package. Could
this be the problem?


Hi,
I'm sorry, I somehow overlooked this thread. Can you provide output of 
ipa sudorule-show please?


Thank you.




[Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-26 Thread Cory Francis Myers
We are seeing the same problem (correct group membership; matching HBAC
rules retrieved by sssd and rejected by sudo) on a new Ubuntu 16.04
client joining a realm of existing (and working) Ubuntu 15.10 hosts,
despite identical "/etc/sssd/sssd.conf" files.

Master:

root@hades:~# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=15.10
DISTRIB_CODENAME=wily
DISTRIB_DESCRIPTION="Ubuntu 15.10"
root@hades:~# ipa --version
VERSION: 4.1.4, API_VERSION: 2.114


Existing (working) client:

root@orange1:~# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=15.10
DISTRIB_CODENAME=wily
DISTRIB_DESCRIPTION="Ubuntu 15.10"
root@orange1:~# ipa-client-install --version
4.1.4
root@orange1:~# sssd --version
1.12.5


New (broken) client:

root@orange4:~# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"
root@orange4:~# ipa-client-install --version
4.3.1
root@orange4:~# sssd --version
1.13.4


I too would be grateful for any advice.  The relevant parts of our logs
corroborate what John has reported in this thread, but I can provide
excerpts if that would be helpful.


--- Cory.


-- 
Cory Myers
Systems Engineer
Trinity Mobile Networks



Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-25 Thread Jeff Goddard
I'm still hoping someone can offer additional help. I see in the apt
term.log these errors when downloading the freeipa-client package. Could
this be the problem?

Creating SSSD system user & group...
adduser: Warning: The home directory `/var/lib/sss' does not belong to the
user you are currently creating.
Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing
complain mode
Warning failed to create cache: usr.sbin.sssd
Job for sssd.service failed because the control process exited with error
code. See "systemctl status sssd.service" and "journalctl -xe" for details.
sssd.service couldn't start.
Setting up sssd-ad-common (1.13.4-1ubuntu1) ...
Setting up sssd-krb5-common (1.13.4-1ubuntu1) ...
Setting up sssd-ad (1.13.4-1ubuntu1) ...
Setting up sssd-ipa (1.13.4-1ubuntu1) ...
Setting up sssd-krb5 (1.13.4-1ubuntu1) ...
Setting up sssd-ldap (1.13.4-1ubuntu1) ...
Setting up sssd-proxy (1.13.4-1ubuntu1) ...
Setting up sssd (1.13.4-1ubuntu1) ...
Setting up freeipa-client (4.3.1-0ubuntu1) ...
Processing triggers for libc-bin (2.23-0ubuntu3) ...
Processing triggers for systemd (229-4ubuntu7) ...
Processing triggers for ureadahead (0.100.0-19) ...
Processing triggers for dbus (1.10.6-1ubuntu3) ...
Log ended: 2016-08-25  13:49:53


On Sun, Aug 14, 2016 at 2:16 PM, Jakub Hrozek  wrote:

> Hi Pavel, can you help us with this thread?
>
> > On 12 Aug 2016, at 21:57, Jeff Goddard  wrote:
> >
> >
> >
> > On Fri, Aug 12, 2016 at 3:53 PM, Justin Stephenson 
> wrote:
> > In the CentOS/RHEL 7 version of sssd, a NIS netgroup is created
> automatically in the IPA compat tree under 'cn=ng,cn=compat,$suffix'
> because sudo has no understanding of hostgroups.
> >
> > You should be able to query this on a client with
> >   # getent netgroup office
> >
> > This should return nisNetgroupTriple for each host in the hostgroup
> >  (ipa-client-1.example.com,-,example.com) (ipa-client-2.example.com,-,example.com)
> >
> > I would check this in your environment between working and non-working
> systems.
> > I believe in later versions of sssd they added IPA sudo schema support
> to eliminate the need for the compat tree so this could be related to the
> issue if newer ubuntu clients are not working but CentOS is working.
> >
> > What version of sssd are you running?
> > Kind regards,
> >
> > Justin Stephenson
> > On 08/12/2016 02:35 PM, Jeff Goddard wrote:
> >> I made the edit as suggested - removing nis and just leaving sss -
> restarted sssd and then re-tried. I also tried with files sss. Still
> getting the same result.
> >>
> >> Thanks,
> >>
> >> Jeff
> > The query returns the expected results:
> >
> >  getent netgroup office
> > office (docker-dev-01.internal.emerlyn.com,-,internal.emerlyn.com) (docker-dev-02.internal.emerlyn.com,-,internal.emerlyn.com) (docker-dev-03.internal.emerlyn.com,-,internal.emerlyn.com) [more hosts]
> >
> > sssd version is 1.13.4
> >
> > Jeff
> >
> >
> >
>
>


Jeff

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-14 Thread Jeff Goddard
Just some additional information: this is a default install; however, as a
modification after running the ipa-client-install executable I followed
these instructions so that users get an automatically-created home
directory:

https://debian-administration.org/article/403/Giving_users_a_home_directory_automatically

I greatly appreciate your time and efforts on this problem.

Jeff

On Sun, Aug 14, 2016 at 2:16 PM, Jakub Hrozek  wrote:

> Hi Pavel, can you help us with this thread?
>
> > On 12 Aug 2016, at 21:57, Jeff Goddard  wrote:
> >
> >
> >
> > On Fri, Aug 12, 2016 at 3:53 PM, Justin Stephenson 
> wrote:
> > In the CentOS/RHEL 7 version of sssd, a NIS netgroup is created
> automatically in the IPA compat tree under 'cn=ng,cn=compat,$suffix'
> because sudo has no understanding of hostgroups.
> >
> > You should be able to query this on a client with
> >   # getent netgroup office
> >
> > This should return nisNetgroupTriple for each host in the hostgroup
> >  (ipa-client-1.example.com,-,example.com) (ipa-client-2.example.com,-,example.com)
> >
> > I would check this in your environment between working and non-working
> systems.
> > I believe in later versions of sssd they added IPA sudo schema support
> to eliminate the need for the compat tree so this could be related to the
> issue if newer ubuntu clients are not working but CentOS is working.
> >
> > What version of sssd are you running?
> > Kind regards,
> >
> > Justin Stephenson
> > On 08/12/2016 02:35 PM, Jeff Goddard wrote:
> >> I made the edit as suggested - removing nis and just leaving sss -
> restarted sssd and then re-tried. I also tried with files sss. Still
> getting the same result.
> >>
> >> Thanks,
> >>
> >> Jeff
> > The query returns the expected results:
> >
> >  getent netgroup office
> > office (docker-dev-01.internal.emerlyn.com,-,internal.emerlyn.com) (docker-dev-02.internal.emerlyn.com,-,internal.emerlyn.com) (docker-dev-03.internal.emerlyn.com,-,internal.emerlyn.com) [more hosts]
> >
> > sssd version is 1.13.4
> >
> > Jeff
> >
> >
> >
>
>
Jeff

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-14 Thread Jakub Hrozek
Hi Pavel, can you help us with this thread?

> On 12 Aug 2016, at 21:57, Jeff Goddard  wrote:
> 
> 
> 
> On Fri, Aug 12, 2016 at 3:53 PM, Justin Stephenson  
> wrote:
> In the CentOS/RHEL 7 version of sssd, a NIS netgroup is created automatically 
> in the IPA compat tree under 'cn=ng,cn=compat,$suffix' because sudo has no 
> understanding of hostgroups.
> 
> You should be able to query this on a client with 
>   # getent netgroup office
> 
> This should return nisNetgroupTriple for each host in the hostgroup
>  (ipa-client-1.example.com,-,example.com) 
> (ipa-client-2.example.com,-,example.com)
> 
> I would check this in your environment between working and non-working 
> systems.
> I believe in later versions of sssd they added IPA sudo schema support to 
> eliminate the need for the compat tree so this could be related to the issue 
> if newer ubuntu clients are not working but CentOS is working.
> 
> What version of sssd are you running?
> Kind regards,
> 
> Justin Stephenson
> On 08/12/2016 02:35 PM, Jeff Goddard wrote:
>> I made the edit as suggested - removing nis and just leaving sss - restarted 
>> sssd and then re-tried. I also tried with files sss. Still getting the same 
>> result.
>> 
>> Thanks,
>> 
>> Jeff
> The query returns the expected results:
> 
>  getent netgroup office
> office
> (docker-dev-01.internal.emerlyn.com,-,internal.emerlyn.com) 
> (docker-dev-02.internal.emerlyn.com,-,internal.emerlyn.com) 
> (docker-dev-03.internal.emerlyn.com,-,internal.emerlyn.com) [more hosts]
> 
> sssd version is 1.13.4
> 
> Jeff
> 
> 
> 




Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-12 Thread Jeff Goddard
On Fri, Aug 12, 2016 at 3:53 PM, Justin Stephenson 
wrote:

> In the CentOS/RHEL 7 version of sssd, a NIS netgroup is created
> automatically in the IPA compat tree under 'cn=ng,cn=compat,$suffix'
> because sudo has no understanding of hostgroups.
>
> You should be able to query this on a client with
>
>   # getent netgroup office
>
> This should return nisNetgroupTriple for each host in the hostgroup
>
>  (ipa-client-1.example.com,-,example.com) (ipa-client-2.example.com,-,example.com)
>
> I would check this in your environment between working and non-working
> systems.
>
> I believe in later versions of sssd they added IPA sudo schema support to
> eliminate the need for the compat tree so this could be related to the
> issue if newer ubuntu clients are not working but CentOS is working.
>
> What version of sssd are you running?
>
> Kind regards,
>
> Justin Stephenson
> On 08/12/2016 02:35 PM, Jeff Goddard wrote:
>
> I made the edit as suggested - removing nis and just leaving sss -
> restarted sssd and then re-tried. I also tried with files sss. Still
> getting the same result.
>
> Thanks,
>
> Jeff
>
> The query returns the expected results:

 getent netgroup office
office (docker-dev-01.internal.emerlyn.com,-,internal.emerlyn.com) (docker-dev-02.internal.emerlyn.com,-,internal.emerlyn.com) (docker-dev-03.internal.emerlyn.com,-,internal.emerlyn.com) [more hosts]

sssd version is 1.13.4

Jeff

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-12 Thread Justin Stephenson
In the CentOS/RHEL 7 version of sssd, a NIS netgroup is created 
automatically in the IPA compat tree under 'cn=ng,cn=compat,$suffix' 
because sudo has no understanding of hostgroups.


You should be able to query this on a client with

  # getent netgroup office

This should return nisNetgroupTriple for each host in the hostgroup

 (ipa-client-1.example.com,-,example.com) 
(ipa-client-2.example.com,-,example.com)


I would check this in your environment between working and non-working 
systems.


I believe in later versions of sssd they added IPA sudo schema support 
to eliminate the need for the compat tree so this could be related to 
the issue if newer ubuntu clients are not working but CentOS is working.


What version of sssd are you running?

Kind regards,

Justin Stephenson

On 08/12/2016 02:35 PM, Jeff Goddard wrote:
I made the edit as suggested - removing nis and just leaving sss - 
restarted sssd and then re-tried. I also tried with files sss. Still 
getting the same result.


Thanks,

Jeff

On Fri, Aug 12, 2016 at 2:27 PM, Justin Stephenson <jstep...@redhat.com> wrote:


This looks suspicious

Aug 12 08:45:00 sudo[31732] val[0]=+office
Aug 12 08:45:00 sudo[31732] -> addr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:195
Aug 12 08:45:00 sudo[31732] -> addr_matches_if @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:56
Aug 12 08:45:00 sudo[31732] <- addr_matches_if @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:66 := false
Aug 12 08:45:00 sudo[31732] IP address +office matches local host: false @ addr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:206
Aug 12 08:45:00 sudo[31732] <- addr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:207 := false
Aug 12 08:45:00 sudo[31732] -> netgr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1015
Aug 12 08:45:00 sudo[31732] -> sudo_getdomainname @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:953
Aug 12 08:45:00 sudo[31732] <- sudo_getdomainname @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:992 := (null)
Aug 12 08:45:00 sudo[31732] netgroup office matches (docker-dev-01.internal.emerlyn.com|docker-dev-01.internal.emerlyn.com, jgoddard, ): false @ netgr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1041
Aug 12 08:45:00 sudo[31732] <- netgr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1044 := false
Aug 12 08:45:00 sudo[31732] -> hostname_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:819
Aug 12 08:45:00 sudo[31732] host docker-dev-01.internal.emerlyn.com matches sudoers pattern +office: false @ hostname_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:829
Aug 12 08:45:00 sudo[31732] <- hostname_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:830 := false
Aug 12 08:45:00 sudo[31732] sssd/ldap sudoHost '+office' ... not
Aug 12 08:45:00 sudo[31732] <- sudo_sss_check_host @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/sssd.c:687 := false

It doesn't seem to find this host as part of the hostgroup, I
suspect the problem is because of this entry in nsswitch:

 netgroup:   nis sss

Could you try just 'sss' or 'files sss' ?

A successful hostgroup match should look something like this instead:

Aug 12 14:20:32 sudo[25075] val[0]=+nonproduction
Aug 12 14:20:32 sudo[25075] -> addr_matches @ ./match_addr.c:190
Aug 12 14:20:32 sudo[25075] -> addr_matches_if @ ./match_addr.c:62
Aug 12 14:20:32 sudo[25075] <- addr_matches_if @ ./match_addr.c:100 := false
Aug 12 14:20:32 sudo[25075] <- addr_matches @ ./match_addr.c:200 := false
Aug 12 14:20:32 sudo[25075] -> sudo_sss_ipa_hostname_matches @ ./sssd.c:558
Aug 12 14:20:32 sudo[25075] -> hostname_matches @ ./match.c:740
Aug 12 14:20:32 sudo[25075] <- hostname_matches @ ./match.c:751 := false
Aug 12 14:20:32 sudo[25075] -> netgr_matches @ ./match.c:856
Aug 12 14:20:32 sudo[25075] (rhel7-ipa-client.example.com, *, example.com) found in netgroup nonproduction

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-12 Thread Jeff Goddard
I made the edit as suggested - removing nis and just leaving sss -
restarted sssd and then re-tried. I also tried with files sss. Still
getting the same result.

Thanks,

Jeff

On Fri, Aug 12, 2016 at 2:27 PM, Justin Stephenson 
wrote:

> This looks suspicious
>
> Aug 12 08:45:00 sudo[31732] val[0]=+office
> Aug 12 08:45:00 sudo[31732] -> addr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:195
> Aug 12 08:45:00 sudo[31732] -> addr_matches_if @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:56
> Aug 12 08:45:00 sudo[31732] <- addr_matches_if @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:66 := false
> Aug 12 08:45:00 sudo[31732] IP address +office matches local host: false @ addr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:206
> Aug 12 08:45:00 sudo[31732] <- addr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:207 := false
> Aug 12 08:45:00 sudo[31732] -> netgr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1015
> Aug 12 08:45:00 sudo[31732] -> sudo_getdomainname @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:953
> Aug 12 08:45:00 sudo[31732] <- sudo_getdomainname @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:992 := (null)
> Aug 12 08:45:00 sudo[31732] netgroup office matches (docker-dev-01.internal.emerlyn.com|docker-dev-01.internal.emerlyn.com, jgoddard, ): false @ netgr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1041
> Aug 12 08:45:00 sudo[31732] <- netgr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1044 := false
> Aug 12 08:45:00 sudo[31732] -> hostname_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:819
> Aug 12 08:45:00 sudo[31732] host docker-dev-01.internal.emerlyn.com matches sudoers pattern +office: false @ hostname_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:829
> Aug 12 08:45:00 sudo[31732] <- hostname_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:830 := false
> Aug 12 08:45:00 sudo[31732] sssd/ldap sudoHost '+office' ... not
> Aug 12 08:45:00 sudo[31732] <- sudo_sss_check_host @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/sssd.c:687 := false
>
> It doesn't seem to find this host as part of the hostgroup, I suspect the
> problem is because of this entry in nsswitch:
>
>  netgroup:   nis sss
>
> Could you try just 'sss' or 'files sss' ?
>
> A successful hostgroup match should look something like this instead:
>
> Aug 12 14:20:32 sudo[25075] val[0]=+nonproduction
> Aug 12 14:20:32 sudo[25075] -> addr_matches @ ./match_addr.c:190
> Aug 12 14:20:32 sudo[25075] -> addr_matches_if @ ./match_addr.c:62
> Aug 12 14:20:32 sudo[25075] <- addr_matches_if @ ./match_addr.c:100 := false
> Aug 12 14:20:32 sudo[25075] <- addr_matches @ ./match_addr.c:200 := false
> Aug 12 14:20:32 sudo[25075] -> sudo_sss_ipa_hostname_matches @ ./sssd.c:558
> Aug 12 14:20:32 sudo[25075] -> hostname_matches @ ./match.c:740
> Aug 12 14:20:32 sudo[25075] <- hostname_matches @ ./match.c:751 := false
> Aug 12 14:20:32 sudo[25075] -> netgr_matches @ ./match.c:856
> Aug 12 14:20:32 sudo[25075] (rhel7-ipa-client.example.com, *, example.com) found in netgroup nonproduction
> Aug 12 14:20:32 sudo[25075] <- netgr_matches @ ./match.c:909 := true
> Aug 12 14:20:32 sudo[25075] IPA hostname (rhel7-ipa-client.example.com) matches +nonproduction => true
> Aug 12 14:20:32 sudo[25075] <- sudo_sss_ipa_hostname_matches @ ./sssd.c:569 := true
> Aug 12 14:20:32 sudo[25075] sssd/ldap sudoHost '+nonproduction' ... MATCH!
> Aug 12 14:20:32 sudo[25075] <- sudo_sss_check_host @ ./sssd.c:614 := true
>
> Kind regards,
> Justin Stephenson
>
>
>
>
>
>
>

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-12 Thread Justin Stephenson

This looks suspicious

   Aug 12 08:45:00 sudo[31732] val[0]=+office
   Aug 12 08:45:00 sudo[31732] -> addr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:195
   Aug 12 08:45:00 sudo[31732] -> addr_matches_if @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:56
   Aug 12 08:45:00 sudo[31732] <- addr_matches_if @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:66 := false
   Aug 12 08:45:00 sudo[31732] IP address +office matches local host: false @ addr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:206
   Aug 12 08:45:00 sudo[31732] <- addr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:207 := false
   Aug 12 08:45:00 sudo[31732] -> netgr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1015
   Aug 12 08:45:00 sudo[31732] -> sudo_getdomainname @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:953
   Aug 12 08:45:00 sudo[31732] <- sudo_getdomainname @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:992 := (null)
   Aug 12 08:45:00 sudo[31732] netgroup office matches (docker-dev-01.internal.emerlyn.com|docker-dev-01.internal.emerlyn.com, jgoddard, ): false @ netgr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1041
   Aug 12 08:45:00 sudo[31732] <- netgr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1044 := false
   Aug 12 08:45:00 sudo[31732] -> hostname_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:819
   Aug 12 08:45:00 sudo[31732] host docker-dev-01.internal.emerlyn.com matches sudoers pattern +office: false @ hostname_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:829
   Aug 12 08:45:00 sudo[31732] <- hostname_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:830 := false
   Aug 12 08:45:00 sudo[31732] sssd/ldap sudoHost '+office' ... not
   Aug 12 08:45:00 sudo[31732] <- sudo_sss_check_host @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/sssd.c:687 := false

It doesn't seem to find this host as part of the hostgroup, I suspect 
the problem is because of this entry in nsswitch:


 netgroup:   nis sss

Could you try just 'sss' or 'files sss' ?

A successful hostgroup match should look something like this instead:

   Aug 12 14:20:32 sudo[25075] val[0]=+nonproduction
   Aug 12 14:20:32 sudo[25075] -> addr_matches @ ./match_addr.c:190
   Aug 12 14:20:32 sudo[25075] -> addr_matches_if @ ./match_addr.c:62
   Aug 12 14:20:32 sudo[25075] <- addr_matches_if @ ./match_addr.c:100 := false
   Aug 12 14:20:32 sudo[25075] <- addr_matches @ ./match_addr.c:200 := false
   Aug 12 14:20:32 sudo[25075] -> sudo_sss_ipa_hostname_matches @ ./sssd.c:558
   Aug 12 14:20:32 sudo[25075] -> hostname_matches @ ./match.c:740
   Aug 12 14:20:32 sudo[25075] <- hostname_matches @ ./match.c:751 := false
   Aug 12 14:20:32 sudo[25075] -> netgr_matches @ ./match.c:856
   Aug 12 14:20:32 sudo[25075] (rhel7-ipa-client.example.com, *, example.com) found in netgroup nonproduction
   Aug 12 14:20:32 sudo[25075] <- netgr_matches @ ./match.c:909 := true
   Aug 12 14:20:32 sudo[25075] IPA hostname (rhel7-ipa-client.example.com) matches +nonproduction => true
   Aug 12 14:20:32 sudo[25075] <- sudo_sss_ipa_hostname_matches @ ./sssd.c:569 := true
   Aug 12 14:20:32 sudo[25075] sssd/ldap sudoHost '+nonproduction' ... MATCH!
   Aug 12 14:20:32 sudo[25075] <- sudo_sss_check_host @ ./sssd.c:614 := true

Kind regards,
Justin Stephenson

On 08/12/2016 10:00 AM, Jeff Goddard wrote:
The rule is defined that all members of the developer group have sudo 
access to all commands available on the machines in the office group.


Jeff

On Fri, Aug 12, 2016 at 9:58 AM, Jakub Hrozek wrote:


On Fri, Aug 12, 2016 at 08:53:53AM -0400, Jeff Goddard wrote:
> Jakub,
>
> Here is the log file output:

How is the sudorule defined?

> Aug 12 08:45:00 sudo[31732] user_in_group: user jgoddard NOT in group admin
> Aug 12 08:45:00 sudo[31732] <- user_in_group @
> /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/pwutil.c:855 := false
> Aug 12 08:45:00 sudo[31732] user jgoddard matches group admin: false @
> usergr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:940
> Aug 12 08:45:00 sudo[31732] <- usergr_matches @

Here it looks like sudo tried to match user's groups against the groups
allowed to run sudo and admin didn't match.




--
Jeff Goddard
Director of Information Technology
Eme
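Pavel's diagnosis earlier in this thread (the 1.8.16 sssd plugin ignoring netgroup_tuple) and the failing versus successful netgr_matches traces in Justin's message above can both be reproduced with this small model of sudo's '+netgroup' host check. It is an added example, not code from sudo, sssd or FreeIPA; the function names are hypothetical, the triple-field semantics follow the NIS netgroup convention (empty field = wildcard, "-" = no valid value), and the sample getent output is constructed after the one posted in the thread.

```python
"""Model of how sudo's sssd plugin decides whether a sudoHost value such as
'+office' matches the local host, driven by the triples `getent netgroup`
prints.  Triple fields follow the NIS netgroup convention: an empty field
is a wildcard, "-" means "no valid value" and never matches, anything else
must match exactly.  Query fields set to None are simply not checked.
"""
import re

# One "(host,user,domain)" triple as printed by getent.
TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_getent_netgroup(output):
    """Parse `getent netgroup <name>` output into {name: [(host, user, domain), ...]}."""
    groups = {}
    for line in output.splitlines():
        # Name, then whitespace-separated triples (the name may be glued to
        # the first triple, as it was in the output pasted in this thread).
        m = re.match(r"\s*([^\s(]+)\s*(.*)$", line)
        if not m:
            continue
        name, rest = m.group(1), m.group(2)
        triples = [tuple(f.strip() for f in t) for t in TRIPLE_RE.findall(rest)]
        groups.setdefault(name, []).extend(triples)
    return groups


def field_matches(pattern, value):
    """Match one triple field against one query value (None = not checked)."""
    if value is None or pattern == "":
        return True          # unchecked query field, or wildcard triple field
    if pattern == "-":
        return False         # "-" never matches a concrete value
    return pattern.lower() == value.lower()


def in_netgroup(triples, host=None, user=None, domain=None):
    """Emulate innetgr(3): true if some triple matches every checked field."""
    return any(
        field_matches(h, host) and field_matches(u, user) and field_matches(d, domain)
        for h, u, d in triples
    )


def sudo_host_check(triples, host, user, domain=None,
                    netgroup_tuple=False, sudo_1_8_16_bug=False):
    """The sudoHost '+netgroup' check performed for the local host.

    With netgroup_tuple off (the default) only the host part should be
    compared, so the user is not handed to innetgr.  The 1.8.16 sssd plugin
    ignored the option and always passed the user too; an IPA compat triple
    of the form (host,-,domain) then fails because "-" never matches a user.
    """
    check_user = user if (netgroup_tuple or sudo_1_8_16_bug) else None
    return in_netgroup(triples, host=host, user=check_user, domain=domain)


def diagnose(getent_output, netgroup, host, user, domain=None):
    """Return the host-check outcome under each of the three behaviours."""
    triples = parse_getent_netgroup(getent_output).get(netgroup, [])
    return {
        "triples": len(triples),
        "host_only": sudo_host_check(triples, host, user, domain),
        "full_tuple": sudo_host_check(triples, host, user, domain, netgroup_tuple=True),
        "sudo_1_8_16": sudo_host_check(triples, host, user, domain, sudo_1_8_16_bug=True),
    }


# Constructed sample in the shape of the `getent netgroup office` output
# posted in the thread; the host names are the ones Jeff listed.
SAMPLE_GETENT = (
    "office  (docker-dev-01.internal.emerlyn.com,-,internal.emerlyn.com) "
    "(docker-dev-02.internal.emerlyn.com,-,internal.emerlyn.com) "
    "(docker-dev-03.internal.emerlyn.com,-,internal.emerlyn.com)\n"
)

if __name__ == "__main__":
    # sudo_getdomainname() returned (null) in Jeff's trace, so domain=None.
    result = diagnose(SAMPLE_GETENT, "office",
                      "docker-dev-01.internal.emerlyn.com", "jgoddard")
    for key, value in result.items():
        print(f"{key}: {value}")
```

For docker-dev-01.internal.emerlyn.com and jgoddard this reports host_only True but sudo_1_8_16 False, the same verdict the "(host|host, jgoddard, ): false" line in the failing trace shows, while the successful trace's "(host, *, domain)" form is the host-only query.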

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-12 Thread Jeff Goddard
The rule is defined that all members of the developer group have sudo
access to all commands available on the machines in the office group.

Jeff

On Fri, Aug 12, 2016 at 9:58 AM, Jakub Hrozek  wrote:

> On Fri, Aug 12, 2016 at 08:53:53AM -0400, Jeff Goddard wrote:
> > Jakub,
> >
> > Here is the log file output:
>
> How is the sudorule defined?
>
> > Aug 12 08:45:00 sudo[31732] user_in_group: user jgoddard NOT in group admin
> > Aug 12 08:45:00 sudo[31732] <- user_in_group @
> > /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/pwutil.c:855 := false
> > Aug 12 08:45:00 sudo[31732] user jgoddard matches group admin: false @
> > usergr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:940
> > Aug 12 08:45:00 sudo[31732] <- usergr_matches @
>
> Here it looks like sudo tried to match user's groups against the groups
> allowed to run sudo and admin didn't match.
>



-- 
Jeff Goddard
Director of Information Technology
Emerlyn Technology

Email: jgodd...@emerlyn.com
Telephone: (603) 447-8571
Toll free: (888) 363-7596 ext. 108
Fax: (603) 356-3346

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-12 Thread Jakub Hrozek
On Fri, Aug 12, 2016 at 08:53:53AM -0400, Jeff Goddard wrote:
> Jakub,
> 
> Here is the log file output:

How is the sudorule defined?

> Aug 12 08:45:00 sudo[31732] user_in_group: user jgoddard NOT in group admin
> Aug 12 08:45:00 sudo[31732] <- user_in_group @
> /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/pwutil.c:855 := false
> Aug 12 08:45:00 sudo[31732] user jgoddard matches group admin: false @
> usergr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:940
> Aug 12 08:45:00 sudo[31732] <- usergr_matches @

Here it looks like sudo tried to match the user's groups against the groups
allowed to run sudo and admin didn't match.
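The two sudo debug line shapes quoted above (the `user_in_group:` result and the `user X matches group Y: true/false` line from `usergr_matches()`) are easy to pull apart mechanically. The following is an added example, not code from the thread or from sudo: it reads lines from the log that `Debug sudoers.so /var/log/sudo_debug all@debug` produces and separates "the rule for this group never reached sudo" from "sudo saw the rule but does not consider the user a member". The sample lines are constructed from the shapes quoted in the thread; the `developers` lines are invented to show a successful match.

```python
import re
from typing import Dict, List, Tuple

# Two line shapes the sudoers plugin writes at debug level, as quoted above:
#   user_in_group: user jgoddard NOT in group admin
#   user jgoddard matches group admin: false @ usergr_matches() ...
USER_IN_GROUP_RE = re.compile(
    r"user_in_group: user (?P<user>\S+)\s+(?P<neg>NOT\s+)?in group (?P<group>\S+)"
)
MATCHES_GROUP_RE = re.compile(
    r"user (?P<user>\S+) matches group (?P<group>\S+): (?P<result>true|false)"
)


def parse_group_checks(lines: List[str]) -> Dict[Tuple[str, str], bool]:
    """Map (user, group) -> whether sudo decided the user is in that group."""
    results: Dict[Tuple[str, str], bool] = {}
    for line in lines:
        m = MATCHES_GROUP_RE.search(line)
        if m:
            results[(m["user"], m["group"])] = m["result"] == "true"
            continue
        m = USER_IN_GROUP_RE.search(line)
        if m:
            results[(m["user"], m["group"])] = m["neg"] is None
    return results


def failed_groups(lines: List[str], user: str) -> List[str]:
    """Groups sudo tested for `user` and rejected."""
    checks = parse_group_checks(lines)
    return sorted(g for (u, g), ok in checks.items() if u == user and not ok)


def matched_groups(lines: List[str], user: str) -> List[str]:
    """Groups sudo tested for `user` and accepted."""
    checks = parse_group_checks(lines)
    return sorted(g for (u, g), ok in checks.items() if u == user and ok)


def diagnose(lines: List[str], user: str, expected_group: str) -> str:
    """Tell the failure modes apart for the group an IPA rule grants:
    'not-evaluated' usually means no rule naming that group reached sudo
    at all (look at the sssd side), 'not-member' means the rule arrived
    but the client's view of the user's groups disagrees with the server,
    and 'member' means the group check passed."""
    checks = parse_group_checks(lines)
    key = (user, expected_group)
    if key not in checks:
        return "not-evaluated"
    return "member" if checks[key] else "not-member"


# Constructed sample: the "admin" lines are the ones quoted in the thread,
# the "developers" lines are invented to show a successful match.
SAMPLE_LOG = """\
Aug 12 08:45:00 sudo[31732] user_in_group: user jgoddard NOT in group admin
Aug 12 08:45:00 sudo[31732] <- user_in_group @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/pwutil.c:855 := false
Aug 12 08:45:00 sudo[31732] user jgoddard matches group admin: false @ usergr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:940
Aug 12 08:45:00 sudo[31732] user_in_group: user jgoddard  in group developers
Aug 12 08:45:00 sudo[31732] user jgoddard matches group developers: true @ usergr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:940
""".splitlines()

if __name__ == "__main__":
    for group in ("admin", "developers", "wheel"):
        print(group, diagnose(SAMPLE_LOG, "jgoddard", group))
```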



Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-12 Thread Jakub Hrozek
On Fri, Aug 12, 2016 at 08:31:52AM -0400, Jeff Goddard wrote:
> Jakub,
> 
> I apologize for my ignorance, can you give me the syntax for that? In the
> file I created I only added the statement "debug_level=9". Adding a
> "log_file=/var/log/sudo.log" statement does not produce a file. Googling
> for syntax returns a bunch of results for the sudoers file. Also of note,
> digging around and looking at the auth.log file I see entries such as this:

As described here:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

 a) How do I get sudo logs?
 Open /etc/sudo.conf and put down the following lines:
 Debug sudo /var/log/sudo_debug all@debug
 Debug sudoers.so /var/log/sudo_debug all@debug

Run sudo

File /var/log/sudo_debug contains sudo logs 



Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-12 Thread Jeff Goddard
Jakub,

I apologize for my ignorance, can you give me the syntax for that? In the
file I created I only added the statement "debug_level=9". Adding a
"log_file=/var/log/sudo.log" statement does not produce a file. Googling
for syntax returns a bunch of results for the sudoers file. Also of note,
digging around and looking at the auth.log file I see entries such as this:

Aug 12 08:16:27 docker-dev-01 login[29210]: pam_sss(login:auth): authentication success; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=jgoddard
Aug 12 08:16:29 docker-dev-01 login[29210]: pam_unix(login:session): session opened for user jgoddard by LOGIN(uid=0)
Aug 12 08:16:29 docker-dev-01 systemd: pam_unix(systemd-user:session): session opened for user jgoddard by (uid=0)
Aug 12 08:16:29 docker-dev-01 systemd-logind[3252]: New session 77 of user jgoddard.
Aug 12 08:16:37 docker-dev-01 sudo: pam_unix(sudo:auth): authentication failure; logname=jgoddard uid=32001 euid=0 tty=/dev/tty1 ruser=jgoddard rhost=  user=jgoddard
Aug 12 08:16:37 docker-dev-01 sudo: pam_sss(sudo:auth): authentication success; logname=jgoddard uid=32001 euid=0 tty=/dev/tty1 ruser=jgoddard rhost= user=jgoddard
Aug 12 08:16:38 docker-dev-01 sudo: jgoddard : command not allowed ; TTY=tty1 ; PWD=/home/jgoddard ; USER=root ; COMMAND=list



On Fri, Aug 12, 2016 at 3:52 AM, Jakub Hrozek  wrote:

> On Thu, Aug 11, 2016 at 05:02:49PM -0400, Jeff Goddard wrote:
> > Manually creating the file and then restarting the service and performing
>
> So according to this:
>
> > (Thu Aug 11 16:58:29 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400):
> > Returning info for user [jgodd...@internal.emerlyn.com]
> > (Thu Aug 11 16:58:29 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
> > Retrieving rules for [jgoddard] from [internal.emerlyn.com]
> > (Thu Aug 11 16:58:29 2016) [sssd[sudo]] [ldb] (0x4000): Added timed event
> > "ltdb_callback": 0x6dbce0
>
> at least one rule was passed on to sudo to process. Can you look into
> the sudo log (not sssd_sudo, but really the log from the sudo
> executable, the one you asked sudo to create in /etc/sudo.conf) and see
> why sudo didn't allow you to execute anything?
>



Thanks,

Jeff

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-12 Thread Jakub Hrozek
On Thu, Aug 11, 2016 at 05:02:49PM -0400, Jeff Goddard wrote:
> Manually creating the file and then restarting the service and performing

So according to this:

> (Thu Aug 11 16:58:29 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400):
> Returning info for user [jgodd...@internal.emerlyn.com]
> (Thu Aug 11 16:58:29 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
> Retrieving rules for [jgoddard] from [internal.emerlyn.com]
> (Thu Aug 11 16:58:29 2016) [sssd[sudo]] [ldb] (0x4000): Added timed event
> "ltdb_callback": 0x6dbce0

at least one rule was passed on to sudo to process. Can you look into
the sudo log (not sssd_sudo, but really the log from the sudo
executable, the one you asked sudo to create in /etc/sudo.conf) and see
why sudo didn't allow you to execute anything?



Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-11 Thread Justin Stephenson

Hello,

Could you increase the debug level to 9, restart sssd + clear the cache
and reproduce the problem then provide the sssd_.log as well as
the sssd_sudo.log ?


Also you may want to rule out HBAC issues with the below command:

 # ipa hbactest --user 'jgoddard' --host $(hostname) --service sudo

Kind regards,

Justin Stephenson

On 08/11/2016 02:24 PM, Jeff Goddard wrote:

Here are the relevant configuration files:

*nsswitch.conf:*

passwd: compat sss
group:  compat sss
shadow: compat sss
gshadow:files

hosts:  files dns
networks:   files

protocols:  db files
services:   db files sss
ethers: db files
rpc:db files

netgroup:   nis sss
sudoers: sss files

*sssd.conf:*

[domain/internal.emerlyn.com]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = internal.emerlyn.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = docker-dev-01.internal.emerlyn.com
chpass_provider = ipa
ipa_server = _srv_, id-management-1.internal.emerlyn.com
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider=ipa
ldap_uri=ldap://id-management-1.internal.emerlyn.com
ldap_sudo_search_base=ou=sudoers,dc=internal,dc=emerlyn,dc=com
debug_level=7

[sssd]
services = nss, pam, sudo, ssh
debug_level=7
domains = internal.emerlyn.com

[nss]
homedir_substring = /home

[pam]

[sudo]
debug_level=7
[autofs]

[ssh]
debug_level=7
[pac]

[ifp]

*Log output - /var/log/sssd/sssd_sudo.log:*

(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [accept_fd_handler] (0x0400):
Client connected!
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_cmd_get_version] 
(0x0200): Received client version [1].
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_cmd_get_version] 
(0x0200): Offered version [1].
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_parse_name_for_domains] 
(0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_parse_name_for_domains] 
(0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] 
(0x0200): Requesting default options for [jgoddard] from []
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [jgodd...@internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [jgodd...@internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving default options for [jgoddard] from [internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] 
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with 
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jgoddard)(sudoUser=#32001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*))(&(dataExpireTimestamp<=1470932503)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] 
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with 
[(&(objectClass=sudoRule)(|(name=defaults)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]]
[sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for
[@internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] 
(0x0200): Requesting rules for [jgoddard] from []
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [jgodd...@internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [jgodd...@internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving rules for [jgoddard] from [internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] 
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with 
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jgoddard)(sudoUser=#32001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*))(&(dataExpireTimestamp<=1470932503)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] 
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with 
[(&(objectClass=sudoRul

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-11 Thread Jeff Goddard
Here are the relevant configuration files:

*nsswitch.conf:*

passwd: compat sss
group:  compat sss
shadow: compat sss
gshadow:files

hosts:  files dns
networks:   files

protocols:  db files
services:   db files sss
ethers: db files
rpc:db files

netgroup:   nis sss
sudoers: sss files

*sssd.conf:*

[domain/internal.emerlyn.com]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = internal.emerlyn.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = docker-dev-01.internal.emerlyn.com
chpass_provider = ipa
ipa_server = _srv_, id-management-1.internal.emerlyn.com
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider=ipa
ldap_uri=ldap://id-management-1.internal.emerlyn.com
ldap_sudo_search_base=ou=sudoers,dc=internal,dc=emerlyn,dc=com
debug_level=7

[sssd]
services = nss, pam, sudo, ssh
debug_level=7
domains = internal.emerlyn.com

[nss]
homedir_substring = /home

[pam]

[sudo]
debug_level=7
[autofs]

[ssh]
debug_level=7
[pac]

[ifp]



*Log output - /var/log/sssd/sssd_sudo.log:*

(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [accept_fd_handler] (0x0400):
Client connected!
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Received client version [1].
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Offered version [1].
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting default options for [jgoddard] from []
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [jgodd...@internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [jgodd...@internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving default options for [jgoddard] from [internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jgoddard)(sudoUser=#32001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*))(&(dataExpireTimestamp<=1470932503)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 0 rules for [@internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting rules for [jgoddard] from []
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [jgodd...@internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [jgodd...@internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving rules for [jgoddard] from [internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jgoddard)(sudoUser=#32001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*))(&(dataExpireTimestamp<=1470932503)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=jgoddard)(sudoUser=#32001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting
rules with higher-wins logic
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 1 rules for [jgodd...@internal.emerlyn.com]
(Thu Aug 11 12:21:47 2016) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [accept_fd_handler] (0x0400):
Client connected!
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Received client version [1].
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Offered version [1].
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'jgoddard' matche

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-11 Thread Rob Crittenden

Jeff Goddard wrote:

I've looked through these but not found anything helpful. It appears as
though my previous statement about the 1 group being found was
misleading as the sssd.$mydomain.com.log file reports that no sudo rules
are found. Does this mean that the LDAP tree being searched is different
on ubuntu vs centos?


I find that extremely unlikely.

You may want to outline more what you've already checked.

For example, is sss in sudoers in /etc/nsswitch.conf?

You can check the 389-ds access log to see what, if any queries are 
being made. I'd clean the sssd cache in advance.


rob



Jeff

On Wed, Aug 10, 2016 at 2:13 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

Jeff Goddard wrote:

Sean,

Thanks for the reply. I don't think that's my problem but I'm
posting a
redacted copy of the sssd.conf file for review below.


I'd start here:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO


rob









Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-11 Thread Jeff Goddard
I've looked through these but not found anything helpful. It appears as
though my previous statement about the 1 group being found was misleading
as the sssd.$mydomain.com.log file reports that no sudo rules are found.
Does this mean that the LDAP tree being searched is different on ubuntu vs
centos?

Jeff

On Wed, Aug 10, 2016 at 2:13 PM, Rob Crittenden  wrote:

> Jeff Goddard wrote:
>
>> Sean,
>>
>> Thanks for the reply. I don't think that's my problem but I'm posting a
>> redacted copy of the sssd.conf file for review below.
>>
>
> I'd start here: https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>
> rob
>

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-10 Thread Rob Crittenden

Jeff Goddard wrote:

Sean,

Thanks for the reply. I don't think that's my problem but I'm posting a
redacted copy of the sssd.conf file for review below.


I'd start here: https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

rob



Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-10 Thread Jeff Goddard
Sean,

Thanks for the reply. I don't think that's my problem but I'm posting a
redacted copy of the sssd.conf file for review below.


[domain/domain.com]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = domain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = docker-dev-01.domain.com
chpass_provider = ipa
ipa_server = _srv_, server.domain.com
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level=7
[sssd]
services = nss, sudo, pam, ssh
debug_level=7
domains = domain.com
[nss]
homedir_substring = /home

[pam]

[sudo]
debug_level=7
[autofs]

[ssh]

[pac]

[ifp]

Jeff

On Wed, Aug 10, 2016 at 2:04 PM, Sean Hogan  wrote:

> Not sure it is the same as 14.X but I had to add the sudo in the list of
> services to sssd.conf as it was not put in by default. I am by no means an
> expert on it but my own personal experience with 14.x
>
>
>
> Sean Hogan
>
>
>
>
>
>
> From: Jeff Goddard 
> To: freeipa-users@redhat.com
> Date: 08/10/2016 10:52 AM
> Subject: [Freeipa-users] sudo rules question on ubuntu 16.0.1
> Sent by: freeipa-users-boun...@redhat.com
> --
>
>
>
> I've got a freeipa domain and many centos 7.2 clients. I also have a sudo
> rule that allows members of the developer group sudo rights on virtual
> servers in the "development" group. This works great on the centos servers.
> However, I recently set up 3 ubuntu boxes, and added them to the IPA domain
> and then to the "development" group. My sudo rules fail. I've enabled
> debugging and I see in the /var/log/sssd/sssd_sudo.log that the client
> connects to the server, identifies group memberships, and finally prints
> "returning 1 rules for [u...@domain.com]". We only
> have the single rule so I can't figure out why it's not working. Can
> someone point me in the correct direction?
>
> Thanks,
>
> Jeff
>
>
>

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-10 Thread Sean Hogan

   Not sure it is the same as 14.X but I had to add the sudo in the list of
services to sssd.conf as it was not put in by default.  I am by no means an
expert on it but my own personal experience with 14.x



Sean Hogan







From:   Jeff Goddard 
To: freeipa-users@redhat.com
Date:   08/10/2016 10:52 AM
Subject:[Freeipa-users] sudo rules question on ubuntu 16.0.1
Sent by:freeipa-users-boun...@redhat.com



I've got a freeipa domain and many centos 7.2 clients. I also have a sudo
rule that allows members of the developer group sudo rights on virtual
servers in the "development" group. This works great on the centos servers.
However, I recently set up 3 ubuntu boxes, and added them to the IPA domain
and then to the "development" group. My sudo rules fail. I've enabled
debugging and I see in the /var/log/sssd/sssd_sudo.log that the client
connects to the server, identifies group memberships, and finally prints
"returning 1 rules for [u...@domain.com]". We only have the single rule so I
can't figure out why it's not working. Can someone point me in the correct
direction?

Thanks,

Jeff

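Sean's point about adding `sudo` to the `services` list in sssd.conf and Rob's question (earlier in the thread) about `sss` being listed for `sudoers` in /etc/nsswitch.conf are the two pieces of client wiring the SSSD sudo responder needs. The following added example, which is not code from the thread or from SSSD, reads both files as text and reports what is missing; the passing configuration is Jeff's posted one (trimmed to the lines the checks read) and the failing one is constructed. It also applies the sssd.conf(5) rule that `sudo_provider` defaults to the value of `id_provider` when unset.

```python
import configparser
from typing import List

# Jeff's posted configuration (from the thread), trimmed to the lines the
# checks below look at.
NSSWITCH_OK = """\
passwd: compat sss
group:  compat sss
netgroup:   nis sss
sudoers: sss files
"""

SSSD_OK = """\
[domain/internal.emerlyn.com]
id_provider = ipa
sudo_provider=ipa
ipa_domain = internal.emerlyn.com

[sssd]
services = nss, pam, sudo, ssh
domains = internal.emerlyn.com

[sudo]
debug_level=7
"""

# Constructed counter-example: a client that was never told about sudo
# (no sudo responder started, no sss source for the sudoers database).
NSSWITCH_BAD = """\
passwd: compat sss
group:  compat sss
sudoers: files
"""

SSSD_BAD = """\
[domain/internal.emerlyn.com]
id_provider = ipa

[sssd]
services = nss, pam
domains = internal.emerlyn.com
"""


def nsswitch_sources(text: str, database: str) -> List[str]:
    """Sources listed for one nsswitch database, e.g. ['sss', 'files']."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        name, _, rest = line.partition(":")
        if name.strip() == database:
            return rest.split()
    return []


def _csv(value: str) -> List[str]:
    return [v.strip() for v in value.split(",") if v.strip()]


def check_sudo_integration(nsswitch_text: str, sssd_text: str) -> List[str]:
    """Return the problems found; an empty list means the wiring looks right."""
    problems: List[str] = []
    if "sss" not in nsswitch_sources(nsswitch_text, "sudoers"):
        problems.append("nsswitch.conf: 'sudoers:' does not list sss")

    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_text)
    if "sudo" not in _csv(cfg.get("sssd", "services", fallback="")):
        problems.append("sssd.conf: [sssd] services does not include sudo")

    for domain in _csv(cfg.get("sssd", "domains", fallback="")):
        section = f"domain/{domain}"
        if not cfg.has_section(section):
            problems.append(f"sssd.conf: missing [{section}] section")
            continue
        # sudo_provider falls back to id_provider when unset (sssd.conf(5)).
        provider = cfg.get(section, "sudo_provider",
                           fallback=cfg.get(section, "id_provider", fallback="none"))
        if provider not in ("ipa", "ldap", "ad"):
            problems.append(f"sssd.conf: [{section}] sudo_provider is '{provider}'")
    return problems
```

Point it at the real files by reading /etc/nsswitch.conf and /etc/sssd/sssd.conf into the two strings; the sssd.conf(5) default for `sudo_provider` is what lets Jeff's earlier redacted config, which had no explicit `sudo_provider`, still pass.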

[Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-10 Thread Jeff Goddard
I've got a freeipa domain and many centos 7.2 clients. I also have a sudo
rule that allows members of the developer group sudo rights on virtual
servers in the "development" group. This works great on the centos servers.
However, I recently set up 3 ubuntu boxes, and added them to the IPA domain
and then to the "development" group. My sudo rules fail. I've enabled
debugging and I see in the /var/log/sssd/sssd_sudo.log that the client
connects to the server, identifies group memberships, and finally prints
"returning 1 rules for [u...@domain.com]". We only have the single rule so I
can't figure out why it's not working. Can someone point me in the correct
direction?

Thanks,

Jeff