Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

2015-04-08 Thread Chamambo Martin
]
(0x0200): Searching sysdb with [((objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=admin)(sudoUser=#146820)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*))((dataExpireTimestamp=1428492937)))]
(Wed Apr  8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [((objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=admin)(sudoUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*)))]
(Wed Apr  8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [ad...@ai.co.zw]
(Wed Apr  8 13:35:44 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!

-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Chamambo Martin
Sent: Wednesday, April 08, 2015 10:49 AM
To: 'Jakub Hrozek'
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

I have done below and it's giving me the correct results and at the moment
LET ME enable debugging in sudo itself and see if that will get me somewhere

[root@ironhide ~]# getent netgroup mailservers 
mailservers   (ironhide.ai.co.zw,-,ai.co.zw)
(alvin.ai.co.zw,-,ai.co.zw) (madagascar.ai.co.zw,-,ai.co.zw)
(nemo.ai.co.zw,-,ai.co.zw)
[root@ironhide ~]# 





-Original Message-
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent: Wednesday, April 08, 2015 10:35 AM
To: Chamambo Martin
Cc: freeipa-users@redhat.com; 'Lukas Slebodnik'
Subject: Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

On Wed, Apr 08, 2015 at 10:17:59AM +0200, Chamambo Martin wrote:
 I have this log after doing a debug_level=6 in the sudo section and 
 have attached a txt file for the ldbsearch -H 
 /var/lib/sss/db/cache_ai.co.zw.ldb
 

 (Wed Apr  8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [((objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=admin)(sudoUser=#146820)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*))((dataExpireTimestamp=1428480892)))]
 (Wed Apr  8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [((objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=admin)(sudoUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*)))]

The above are the cache searches sssd ran.

This is how the sudo rule looks in your cache:
# record 29
dn: name=file-commands,cn=sudorules,cn=custom,cn=ai.co.zw,cn=sysdb
cn: file-commands
dataExpireTimestamp: 1428486013
entryUSN: 28714
name: file-commands
objectClass: sudoRule
originalDN: cn=file-commands,ou=sudoers,dc=ai,dc=co,dc=zw
sudoCommand: /usr/bin/vim
sudoCommand: /usr/bin/less
sudoHost: +mailservers
sudoRunAsGroup: ALL
sudoRunAsUser: admin
sudoRunAsUser: chamambom
sudoRunAsUser: kamoyob
sudoRunAsUser: kumalop
sudoRunAsUser: machangeteb
sudoRunAsUser: masaitit
sudoRunAsUser: masvivic
sudoRunAsUser: matangiraa
sudoRunAsUser: nyahumap
sudoRunAsUser: pedzisail
sudoRunAsUser: tayengwaj
sudoUser: ALL
distinguishedName: name=file-commands,cn=sudorules,cn=custom,cn=ai.co.zw,cn=sysdb

 (Wed Apr  8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [ad...@ai.co.zw]

And here we see that the sudo rule was returned from SSSD to sudo. But then
in sudo, it didn't match for some reason. I expect it's because of the
netgroup, can you check if nisdomainname is really set correctly and getent
netgroup mailservers reports the FQDN of your client?

Also, you can enable debugging in sudo itself. See man sudo.conf and search
for the option Debug. That will show you how exactly sudo matches the
rules.


 (Wed Apr  8 10:15:02 2015) [sssd[sudo]] [client_recv] (0x0200): Client 
 disconnected!

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project




Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

2015-04-08 Thread Jakub Hrozek
On Wed, Apr 08, 2015 at 01:39:44PM +0200, Chamambo Martin wrote:
 Sudo seems to be configured correctly but somehow it's not working 
 
 Even if I do a sudo -l under the admin user 
 
 [admin@ironhide tmp]$ sudo -l
 [sudo] password for admin: 
 Matching Defaults entries for admin on this host:
 requiretty, !visiblepw, always_set_home, env_reset, env_keep=COLORS
 DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS, env_keep+=MAIL PS1
 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE, env_keep+=LC_COLLATE
 LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES, env_keep+=LC_MONETARY
 LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE, env_keep+=LC_TIME LC_ALL
 LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY,
 secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
 
 User admin may run the following commands on this host:
 (admin, chamambom, kamoyob, kumalop, machangeteb, masaitit, masvivic,
 matangiraa, nyahumap, pedzisail, tayengwaj : ALL) /usr/bin/vim,
~~~
 /usr/bin/less
  ~
According to this output, admin can run both vim and less... ??



Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

2015-04-08 Thread Lukas Slebodnik
On (08/04/15 09:25), Chamambo Martin wrote:
Good day 

I am running FreeIPA, version: 4.1.0 and everything is working well except
SUDO configuration.

ipa-client-install on CentOS 7.1 should configure sudo by default.

I have 3 questions

   1: I have configured the bare minimum sudo configuration without
hostgroups and netgroups, just sudo commands and sudo command groups that
have been added as sudo rules. This should work, right?
yes.

and sudo rules with netgroups should work on CentOS 7.1 as well
because nisdomainname should be configured.

2: I have centos 6.6 and redhat 6.6 clients using the sssd
service  ,is that enough for sudo to work if the configs are as below


cat /etc/nsswitch.conf

sudoers: files sss

cat /etc/sssd/sssd.conf

[domain/ai.co.zw]

debug_level=6
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ai.co.zw
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ironhide.ai.co.zw
chpass_provider = ipa
ipa_server = _srv_, cyclops.ai.co.zw
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2


domains = ai.co.zw
[nss]
homedir_substring = /home
The default value of this option is /home
You can remove it. Where did you find it?


[pam]

[sudo]

[autofs]

[ssh]


If you do not use netgroups (or hostgroups) in sudo rules
then this configuration should work on rhel 6.6 (sssd = 1.10)
The same steps are described in the manual page sssd-sudo.

LS



Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

2015-04-08 Thread Jakub Hrozek
On Wed, Apr 08, 2015 at 10:00:50AM +0200, Chamambo Martin wrote:
 I have these logs and can't seem to make sense of them

These are not the logs we asked for. What we need is debug_level=6 in
the sudo section, then run sudo, then attach
/var/log/sssd/sssd_sudo.log.

It would also be nice if you could install ldb-tools and run:
ldbsearch -H /var/lib/sss/db/cache_ai.co.zw.ldb
To see if the sudo rules were cached at all by the sudo full refresh
(see man sssd-sudo for description of the different refreshes sssd
does).



Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

2015-04-08 Thread Chamambo Martin
, 2015 10:07 AM
To: Chamambo Martin
Cc: freeipa-users@redhat.com; 'Lukas Slebodnik'
Subject: Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

On Wed, Apr 08, 2015 at 10:00:50AM +0200, Chamambo Martin wrote:
 I have these logs and can't seem to make sense of them

These are not the logs we asked for. What we need is debug_level=6 in the
sudo section, then run sudo, then attach /var/log/sssd/sssd_sudo.log.

It would also be nice if you could install ldb-tools and run:
ldbsearch -H /var/lib/sss/db/cache_ai.co.zw.ldb
To see if the sudo rules were cached at all by the sudo full refresh (see
man sssd-sudo for description of the different refreshes sssd does).
# record 1
dn: name=login,cn=hbac_services,cn=custom,cn=ai.co.zw,cn=sysdb
cn: login
ipauniqueid: 5931df0c-d8c0-11e4-9f0b-525400143fc1
objectclass: ipahbacservice
objectclass: ipaobject
originalDN: cn=login,cn=hbacservices,cn=hbac,dc=ai,dc=co,dc=zw
distinguishedName: name=login,cn=hbac_services,cn=custom,cn=ai.co.zw,cn=sysdb

# record 2
dn: name=proftpd,cn=hbac_services,cn=custom,cn=ai.co.zw,cn=sysdb
cn: proftpd
ipauniqueid: cbc9010c-d8c1-11e4-b74a-525400143fc1
objectclass: ipaobject
objectclass: ipahbacservice
originalDN: cn=proftpd,cn=hbacservices,cn=hbac,dc=ai,dc=co,dc=zw
originalMemberOf: cn=ftp,cn=hbacservicegroups,cn=hbac,dc=ai,dc=co,dc=zw
distinguishedName: name=proftpd,cn=hbac_services,cn=custom,cn=ai.co.zw,cn=sysd
 b

# record 3
dn: name=admins,cn=groups,cn=ai.co.zw,cn=sysdb
createTimestamp: 1428096032
gidNumber: 146820
name: admins
objectClass: group
isPosix: TRUE
originalDN: cn=admins,cn=groups,cn=accounts,dc=ai,dc=co,dc=zw
member: name=admin,cn=users,cn=ai.co.zw,cn=sysdb
memberuid: admin
orig_member: uid=admin,cn=users,cn=accounts,dc=ai,dc=co,dc=zw
originalModifyTimestamp: 20150407175030Z
entryUSN: 28639
lastUpdate: 1428479925
dataExpireTimestamp: 1428485325
distinguishedName: name=admins,cn=groups,cn=ai.co.zw,cn=sysdb

# record 4
dn: name=ironhide.ai.co.zw,cn=hbac_hosts,cn=custom,cn=ai.co.zw,cn=sysdb
fqdn: ironhide.ai.co.zw
name: ironhide.ai.co.zw
originalDN: fqdn=ironhide.ai.co.zw,cn=computers,cn=accounts,dc=ai,dc=co,dc=zw
originalMemberOf: cn=mailservers,cn=hostgroups,cn=accounts,dc=ai,dc=co,dc=zw
originalMemberOf: ipaUniqueID=bacaa788-dac0-11e4-93fe-525400143fc1,cn=sudorule
 s,cn=sudo,dc=ai,dc=co,dc=zw
originalMemberOf: cn=mailservers,cn=ng,cn=alt,dc=ai,dc=co,dc=zw
serverHostname: ironhide
uniqueID: 2b90a78a-da47-11e4-9ae8-525400143fc1
distinguishedName: name=ironhide.ai.co.zw,cn=hbac_hosts,cn=custom,cn=ai.co.zw,
 cn=sysdb

# record 5
dn: name=chamambom,cn=users,cn=ai.co.zw,cn=sysdb
createTimestamp: 1428096343
fullName: Martin Chamambo
gecos: Martin Chamambo
gidNumber: 146821
homeDirectory: /home/chamambom
loginShell: /bin/bash
name: chamambom
objectClass: user
uidNumber: 146821
originalDN: uid=chamambom,cn=users,cn=accounts,dc=ai,dc=co,dc=zw
userPrincipalName: chamam...@ai.co.zw
krbLastPwdChange: 20150401231521Z
krbPasswordExpiration: 20150630231521Z
memberof: name=ipausers,cn=groups,cn=ai.co.zw,cn=sysdb
failedLoginAttempts: 0
ccacheFile: FILE:/tmp/krb5cc_146821_iZyDmv
cachedPassword: $6$pTj0oneavWD1blkW$XokRKnnjbxoecu.OhMwWGTfvUAvATu78arF1GqVclz
 LtCq2Wun0LCu7u2w/oEbIMr8pSO3ZitJV42xCPih0jw.
lastCachedPasswordChange: 1428399866
lastOnlineAuth: 1428399867
lastLogin: 1428399867
initgrExpireTimestamp: 1428405386
originalMemberOf: cn=ipausers,cn=groups,cn=accounts,dc=ai,dc=co,dc=zw
originalModifyTimestamp: 20150407175033Z
entryUSN: 28655
lastUpdate: 1428476544
dataExpireTimestamp: 1428481944
distinguishedName: name=chamambom,cn=users,cn=ai.co.zw,cn=sysdb

# record 6
dn: name=su-l,cn

Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

2015-04-08 Thread Jakub Hrozek
On Wed, Apr 08, 2015 at 09:25:33AM +0200, Chamambo Martin wrote:
 Good day 
 
 I am running FreeIPA, version: 4.1.0 and everything is working well except
 SUDO configuration.
 
 I have 3 questions
 
    1: I have configured the bare minimum sudo configuration without
  hostgroups and netgroups, just sudo commands and sudo command groups that
  have been added as sudo rules. This should work, right?
 2: I have centos 6.6 and redhat 6.6 clients using the sssd
 service  ,is that enough for sudo to work if the configs are as below 

Didn't you start exactly the same thread yesterday? :-)

Can you provide the sudo responder logs as we asked yesterday?

 
 
 cat /etc/nsswitch.conf
 
 sudoers: files sss
 
 cat /etc/sssd/sssd.conf
 
 [domain/ai.co.zw]
 
 debug_level=6
 cache_credentials = True
 krb5_store_password_if_offline = True
 ipa_domain = ai.co.zw
 id_provider = ipa
 auth_provider = ipa
 access_provider = ipa
 ipa_hostname = ironhide.ai.co.zw
 chpass_provider = ipa
 ipa_server = _srv_, cyclops.ai.co.zw
 ldap_tls_cacert = /etc/ipa/ca.crt
 
 [sssd]
 services = nss, sudo, pam, ssh
 config_file_version = 2
 
 
 domains = ai.co.zw
 [nss]
 homedir_substring = /home
 
 [pam]
 
 [sudo]
 
 [autofs]
 
 [ssh]
 
 
 
 
 
 



Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

2015-04-08 Thread Chamambo Martin
)]
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_step]
(0x0400): calling ldap_search_ext with
[(objectClass=ipaHBACService)][cn=hbac,dc=ai,dc=co,dc=zw].
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_done]
(0x0400): Search result: Success(0), no errmsg set
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]]
[ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search
base: [cn=hbac,dc=ai,dc=co,dc=zw][2][(objectClass=ipaHBACServiceGroup)]
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_step]
(0x0400): calling ldap_search_ext with
[(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=ai,dc=co,dc=zw].
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_done]
(0x0400): Search result: Success(0), no errmsg set
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=ai,dc=co,dc=zw][2][((objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=ironhide.ai.co.zw,cn=computers,cn=accounts,dc=ai,dc=co,dc=zw)(memberHost=cn=mailservers,cn=hostgroups,cn=accounts,dc=ai,dc=co,dc=zw)(memberHost=ipaUniqueID=bacaa788-dac0-11e4-93fe-525400143fc1,cn=sudorules,cn=sudo,dc=ai,dc=co,dc=zw)(memberHost=cn=mailservers,cn=ng,cn=alt,dc=ai,dc=co,dc=zw)))]
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [((objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=ironhide.ai.co.zw,cn=computers,cn=accounts,dc=ai,dc=co,dc=zw)(memberHost=cn=mailservers,cn=hostgroups,cn=accounts,dc=ai,dc=co,dc=zw)(memberHost=ipaUniqueID=bacaa788-dac0-11e4-93fe-525400143fc1,cn=sudorules,cn=sudo,dc=ai,dc=co,dc=zw)(memberHost=cn=mailservers,cn=ng,cn=alt,dc=ai,dc=co,dc=zw)))][cn=hbac,dc=ai,dc=co,dc=zw].
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_done]
(0x0400): Search result: Success(0), no errmsg set
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [hbac_get_category]
(0x0200): Category is set to 'all'.
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [hbac_get_category]
(0x0200): Category is set to 'all'.
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [hbac_get_category]
(0x0200): Category is set to 'all'.
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [hbac_shost_attrs_to_rule]
(0x0400): Processing source hosts for rule [allow_all]
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [ipa_hbac_evaluate_rules]
(0x0080): Access granted by HBAC rule [allow_all]
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback]
(0x0100): Backend returned: (0, 0, NULL) [Success]
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [ipa_get_selinux_send]
(0x0400): Retrieving SELinux user mapping
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_step]
(0x0400): calling ldap_search_ext with
[((cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=ai,dc=co,dc=zw].
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_done]
(0x0400): Search result: Success(0), no errmsg set
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [ipa_selinux_get_maps_next] (0x0400): Trying to fetch SELinux maps with following parameters: [2][((objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=ai,dc=co,dc=zw]
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [((objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=ai,dc=co,dc=zw].
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_done]
(0x0400): Search result: Success(0), no errmsg set
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [ipa_selinux_get_maps_done]
(0x0400): No SELinux user maps found!
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback]
(0x0100): Backend returned: (0, 0, Success) [Success]
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback]
(0x0100): Sending result [0][ai.co.zw]
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback]
(0x0100): Sent result [0][ai.co.zw]


-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
Sent: Wednesday, April 08, 2015 9:40 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

On Wed, Apr 08, 2015 at 09:25:33AM +0200, Chamambo Martin wrote:
 Good day
 
 I am running FreeIPA, version: 4.1.0 and everything is working well 
 except SUDO configuration.
 
 I have 3 questions
 
    1: I have configured the bare minimum sudo configuration without 
  hostgroups and netgroups, just sudo commands and sudo command groups 
  that have been added as sudo rules. This should work, right?
 2: I have centos 6.6 and redhat 6.6 clients using the 
 sssd service  ,is that enough for sudo to work if the configs are as 
 below

Didn't you start

Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

2015-04-08 Thread Chamambo Martin
I have done below and it's giving me the correct results and at the moment
LET ME enable debugging in sudo itself and see if that will get me somewhere

[root@ironhide ~]# getent netgroup mailservers 
mailservers   (ironhide.ai.co.zw,-,ai.co.zw)
(alvin.ai.co.zw,-,ai.co.zw) (madagascar.ai.co.zw,-,ai.co.zw)
(nemo.ai.co.zw,-,ai.co.zw)
[root@ironhide ~]# 





-Original Message-
From: Jakub Hrozek [mailto:jhro...@redhat.com] 
Sent: Wednesday, April 08, 2015 10:35 AM
To: Chamambo Martin
Cc: freeipa-users@redhat.com; 'Lukas Slebodnik'
Subject: Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

On Wed, Apr 08, 2015 at 10:17:59AM +0200, Chamambo Martin wrote:
 I have this log after doing a debug_level=6 in the sudo section and 
 have attached a txt file for the ldbsearch -H 
 /var/lib/sss/db/cache_ai.co.zw.ldb
 

 (Wed Apr  8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [((objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=admin)(sudoUser=#146820)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*))((dataExpireTimestamp=1428480892)))]
 (Wed Apr  8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [((objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=admin)(sudoUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*)))]

The above are the cache searches sssd ran.

This is how the sudo rule looks in your cache:
# record 29
dn: name=file-commands,cn=sudorules,cn=custom,cn=ai.co.zw,cn=sysdb
cn: file-commands
dataExpireTimestamp: 1428486013
entryUSN: 28714
name: file-commands
objectClass: sudoRule
originalDN: cn=file-commands,ou=sudoers,dc=ai,dc=co,dc=zw
sudoCommand: /usr/bin/vim
sudoCommand: /usr/bin/less
sudoHost: +mailservers
sudoRunAsGroup: ALL
sudoRunAsUser: admin
sudoRunAsUser: chamambom
sudoRunAsUser: kamoyob
sudoRunAsUser: kumalop
sudoRunAsUser: machangeteb
sudoRunAsUser: masaitit
sudoRunAsUser: masvivic
sudoRunAsUser: matangiraa
sudoRunAsUser: nyahumap
sudoRunAsUser: pedzisail
sudoRunAsUser: tayengwaj
sudoUser: ALL
distinguishedName: name=file-commands,cn=sudorules,cn=custom,cn=ai.co.zw,cn=sysdb

 (Wed Apr  8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [ad...@ai.co.zw]

And here we see that the sudo rule was returned from SSSD to sudo. But then
in sudo, it didn't match for some reason. I expect it's because of the
netgroup, can you check if nisdomainname is really set correctly and getent
netgroup mailservers reports the FQDN of your client?

Also, you can enable debugging in sudo itself. See man sudo.conf and search
for the option Debug. That will show you how exactly sudo matches the
rules.


 (Wed Apr  8 10:15:02 2015) [sssd[sudo]] [client_recv] (0x0200): Client 
 disconnected!

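The netgroup check Jakub asks for above, as an added example that is not part of the thread and not sudo's or SSSD's own code: it parses getent netgroup output like the one posted and applies innetgr-style matching the way sudo does for a sudoHost of +mailservers (the client's FQDN first, then its short name, with the NIS domain name or none at all). It assumes the netgroup(5) conventions that an empty field is a wildcard and a literal "-" matches nothing, so a wrong nisdomainname is what makes the rule silently fail to match.

```python
"""Check a client host against netgroup triples the way sudo/innetgr do.

Assumptions (illustration only, not sudo or SSSD code):
- triples follow netgroup(5): an empty field is a wildcard and a literal
  "-" means "no valid value" and never matches;
- matching mirrors glibc innetgr(): a query field of None is a wildcard,
  host and domain compare case-insensitively, user compares exactly;
- like sudo, the host is tried as the FQDN and then as the short name,
  and the domain is the NIS domain name, or None when it is unset.
"""
import re
from typing import List, Optional, Tuple

Triple = Tuple[Optional[str], Optional[str], Optional[str]]

# One "(host,user,domain)" group; fields may be empty.
TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_getent_netgroup(output: str) -> Tuple[str, List[Triple]]:
    """Parse `getent netgroup NAME` output (possibly line-wrapped).

    Returns the netgroup name and its triples; empty fields become None
    (wildcard), while "-" is kept literally so it can be treated as
    "no valid value" during matching.
    """
    text = " ".join(output.split())          # undo mail/terminal wrapping
    name, _, rest = text.partition(" ")
    triples: List[Triple] = []
    for host, user, domain in TRIPLE_RE.findall(rest):
        triples.append(tuple(f.strip() or None for f in (host, user, domain)))
    return name, triples


def _field_matches(triple_value: Optional[str], query: Optional[str],
                   fold_case: bool) -> bool:
    if triple_value is None or query is None:
        return True                          # wildcard on either side
    if triple_value == "-":
        return False                         # "no valid value"
    if fold_case:
        return triple_value.lower() == query.lower()
    return triple_value == query


def innetgr(triples: List[Triple], host: Optional[str] = None,
            user: Optional[str] = None, domain: Optional[str] = None) -> bool:
    """glibc-style innetgr over already expanded triples."""
    return any(
        _field_matches(th, host, True)
        and _field_matches(tu, user, False)
        and _field_matches(td, domain, True)
        for th, tu, td in triples
    )


def sudo_host_matches(triples: List[Triple], fqdn: str,
                      nis_domain: Optional[str]) -> bool:
    """Mimic sudo's sudoHost netgroup check: FQDN first, then short name.

    sudo passes no domain to innetgr when the NIS domain name is unset
    (empty or "(none)"), which makes every triple domain match.
    """
    domain = nis_domain if nis_domain and nis_domain != "(none)" else None
    short = fqdn.split(".", 1)[0]
    if innetgr(triples, host=fqdn, domain=domain):
        return True
    return short != fqdn and innetgr(triples, host=short, domain=domain)


def diagnose(getent_output: str, fqdn: str, nis_domain: Optional[str]) -> bool:
    """True if a sudoHost +NETGROUP rule would match this client."""
    _, triples = parse_getent_netgroup(getent_output)
    return sudo_host_matches(triples, fqdn, nis_domain)


# The getent output posted in the thread, used here as sample input.
GETENT_OUTPUT = """mailservers   (ironhide.ai.co.zw,-,ai.co.zw)
(alvin.ai.co.zw,-,ai.co.zw) (madagascar.ai.co.zw,-,ai.co.zw)
(nemo.ai.co.zw,-,ai.co.zw)"""

if __name__ == "__main__":
    # Same client, different nisdomainname values: only a wrong, set
    # domain breaks the match, which is the failure mode suspected above.
    for dom in ("ai.co.zw", None, "(none)", "corp.example"):
        print(f"nisdomainname={dom!r}: +mailservers matches ironhide? "
              f"{diagnose(GETENT_OUTPUT, 'ironhide.ai.co.zw', dom)}")
```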


Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

2015-04-08 Thread Martin Chamambo
Good day 

I managed to configure sudo and it's working for all my CentOS 6.6 and RHEL 6.6
clients. Somehow I managed to change the sudo rules, sudo commands and sudo
groups to be less restrictive; that's when I managed to access root-owned files
using sudo.

Thanks for your help.

My advice when configuring sudo: when configuring your sudo rules, start
with a less restrictive access control, e.g. where they say "Access this host"
say "any", where they say "Run Commands" say "any command", and when it's working,
that's when you can then fine tune your access policies.

From: Jakub Hrozek [jhro...@redhat.com]
Sent: Wednesday, April 08, 2015 2:01 PM
To: Martin Chamambo
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

On Wed, Apr 08, 2015 at 01:39:44PM +0200, Chamambo Martin wrote:
 Sudo seems to be configured correctly but somehow it's not working

 Even if I do a sudo -l under the admin user

 [admin@ironhide tmp]$ sudo -l
 [sudo] password for admin:
 Matching Defaults entries for admin on this host:
 requiretty, !visiblepw, always_set_home, env_reset, env_keep=COLORS
 DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS, env_keep+=MAIL PS1
 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE, env_keep+=LC_COLLATE
 LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES, env_keep+=LC_MONETARY
 LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE, env_keep+=LC_TIME LC_ALL
 LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY,
 secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

 User admin may run the following commands on this host:
 (admin, chamambom, kamoyob, kumalop, machangeteb, masaitit, masvivic,
 matangiraa, nyahumap, pedzisail, tayengwaj : ALL) /usr/bin/vim,
~~~
 /usr/bin/less
  ~
According to this output, admin can run both vim and less... ??
