Re: [Freeipa-users] Freeipa and sudo

2016-07-06 Thread Danila Ladner
Yeah, please enable logging in [sudo] section of sssd.

On Wed, Jul 6, 2016 at 11:03 AM, Jakub Hrozek  wrote:

> On Wed, Jul 06, 2016 at 03:22:34PM +0200, Tomas Simecek wrote:
> > Hi Danila and other freeipa gurus,
> > sorry for my late answer, there is a bank holiday in CZ and I am off work
> > these two days.
> > Yes, /etc/nsswitch.conf is fine, see:
> >
> > [root@spcss-2t-www ~]# cat /etc/nsswitch.conf |grep sudo
> > sudoers: files sss
> >
> > I think it is set up as part of freeipa-client package.
> > I went through this guide:
> > https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>
> We also need to see sssd_sudo.log and the log from the sudo itself
> (configured in /etc/sudo.conf)
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

Re: [Freeipa-users] Freeipa and sudo

2016-07-06 Thread Jakub Hrozek
On Wed, Jul 06, 2016 at 03:22:34PM +0200, Tomas Simecek wrote:
> Hi Danila and other freeipa gurus,
> sorry for my late answer, there is a bank holiday in CZ and I am off work
> these two days.
> Yes, /etc/nsswitch.conf is fine, see:
> 
> [root@spcss-2t-www ~]# cat /etc/nsswitch.conf |grep sudo
> sudoers: files sss
> 
> I think it is set up as part of freeipa-client package.
> I went through this guide:
> https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

We also need to see sssd_sudo.log and the log from the sudo itself
(configured in /etc/sudo.conf)



Re: [Freeipa-users] Freeipa and sudo

2016-07-06 Thread Tomas Simecek
Hi Danila and other freeipa gurus,
sorry for my late answer, there is a bank holiday in CZ and I am off work
these two days.
Yes, /etc/nsswitch.conf is fine, see:

[root@spcss-2t-www ~]# cat /etc/nsswitch.conf |grep sudo
sudoers: files sss

I think it is set up as part of freeipa-client package.
I went through this guide:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

so I guess things are set right.
When I try to sudo as domain user, sssd_linuxdomain.cz.log says the following:
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sbus_message_handler] (0x2000): Received SBUS method
org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sbus_message_handler] (0x2000): Received SBUS method
org.freedesktop.sssd.dataprovider.sudoHandler on path
/org/freedesktop/sssd/dataprovider
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_sudo_handler]
(0x0400): Entering be_sudo_handler()
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_handler]
(0x0400): Issuing a refresh of specific sudo rules
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with
base [ou=sudoers,dc=linuxdomain,dc=cz]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server]
(0x2000): Searching 10.1.123.103
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(&(objectClass=sudoRole)(|(cn=Pokusne)))(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=
spcss-2t-www.linuxdomain.cz
)(sudoHost=spcss-2t-www)(sudoHost=10.1.62.88)(sudoHost=
10.1.62.0/24)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\2A*)(sudoHost=*[*]*][ou=sudoers,dc=linuxdomain,dc=cz
].
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoCommand]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoHost]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoUser]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOption]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAs]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsUser]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsGroup]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotBefore]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotAfter]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOrder]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 6
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
(0x2000): New operation 6 timeout 6
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7f23893178c0], connected[1], ops[0x7f23893168e0],
ldap[0x7f2389333ff0]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
(0x1000): OriginalDN: [cn=Pokusne,ou=sudoers,dc=linuxdomain,dc=cz].
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectClass]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [sudoCommand]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [sudoHost]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [sudoUser]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [entryUSN]
(Wed Ju
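
The backend log excerpt above is the most useful part of the thread: the ldap_search_ext filter shows exactly which sudoHost values the client asks the IPA server for, so a rule whose sudoHost matches none of them is dropped server-side and never reaches sudo. The following Python parser is an added example, not code from the thread or from SSSD; the sample log is constructed from the excerpt (the filter written out on one line, the entry list shortened), and `rule_would_be_fetched` mirrors the filter's host terms so you can check a rule's sudoHost values against what the client sent.

```python
import re

# Constructed sample, modelled on the sssd_linuxdomain.cz.log excerpt above:
# the search filter is written out on one line and the attribute/entry lines
# are shortened. Not a real capture.
SAMPLE_LOG = r"""
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_handler] (0x0400): Issuing a refresh of specific sudo rules
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with base [ou=sudoers,dc=linuxdomain,dc=cz]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(&(objectClass=sudoRole)(|(cn=Pokusne)))(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=spcss-2t-www.linuxdomain.cz)(sudoHost=spcss-2t-www)(sudoHost=10.1.62.88)(sudoHost=10.1.62.0/24)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\2A*)(sudoHost=*[*]*))))][ou=sudoers,dc=linuxdomain,dc=cz].
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=Pokusne,ou=sudoers,dc=linuxdomain,dc=cz].
"""

# One backend debug line: (timestamp) [sssd[be[domain]]] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9A-Fa-f]+)\): (?P<msg>.*)$"
)
BASE_RE = re.compile(r"Searching for sudo rules with base \[(?P<base>[^\]]+)\]")
FILTER_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>.*)\]\[(?P<base>[^\]]+)\]\.?$")
HOST_RE = re.compile(r"\(sudoHost=([^)]*)\)")
DN_RE = re.compile(r"OriginalDN: \[(?P<dn>[^\]]+)\]")

# Characters that make a sudoHost value a pattern sudo itself has to evaluate;
# the server-side filter asks for all such values and lets the client decide.
WILDCARD_CHARS = set("*?[\\")


def parse_line(line):
    """Split one sssd backend debug line into its fields, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def literal_hosts(values):
    """Keep only the exact names/addresses the client sent for itself."""
    return [v for v in values
            if v != "ALL" and not v.startswith("+") and not (WILDCARD_CHARS & set(v))]


def summarize_sudo_refresh(log_text):
    """Pull search base, filter, the client's own host terms and the DNs returned."""
    summary = {"base": None, "filter": None, "client_hosts": [], "rules_found": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        m = BASE_RE.search(msg)
        if m:
            summary["base"] = m.group("base")
        m = FILTER_RE.search(msg)
        if m:
            summary["filter"] = m.group("filter")
            summary["client_hosts"] = literal_hosts(HOST_RE.findall(m.group("filter")))
        m = DN_RE.search(msg)
        if m:
            summary["rules_found"].append(m.group("dn"))
    return summary


def rule_would_be_fetched(client_hosts, rule_sudohost_values):
    """Mirror the filter's host terms: a rule with no sudoHost, with ALL, with
    one of the client's own names/addresses, with a netgroup (+name) or with a
    wildcard pattern is returned by the server; anything else never reaches
    sudo on this host, however the user/command parts of the rule look."""
    if not rule_sudohost_values:
        return True
    return any(h == "ALL" or h in client_hosts or h.startswith("+")
               or bool(WILDCARD_CHARS & set(h))
               for h in rule_sudohost_values)


if __name__ == "__main__":
    s = summarize_sudo_refresh(SAMPLE_LOG)
    print("search base :", s["base"])
    print("client hosts:", s["client_hosts"])
    print("rules found :", s["rules_found"])
```

When a rule is returned (an OriginalDN line appears) but sudo still refuses, the host part is fine and the remaining suspects are the user/command match and the [sudo] responder, which is why the replies ask for sssd_sudo.log and sudo's own log as well.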

Re: [Freeipa-users] Freeipa and sudo

2016-07-05 Thread Jakub Hrozek
On Tue, Jul 05, 2016 at 09:58:29AM -0400, Danila Ladner wrote:
> What about /etc/nsswitch.conf?
> Does it have "sudo: files sss"?

In general this upstream guide:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
can help you pinpoint where the issue is.



Re: [Freeipa-users] Freeipa and sudo

2016-07-05 Thread Danila Ladner
What about /etc/nsswitch.conf?
Does it have "sudo: files sss"?

On Mon, Jul 4, 2016 at 3:50 AM, Tomas Simecek 
wrote:

> Dear freeipa users/admins,
> I'm trying to implement freeipa in our company, so that our Unix admins
> can authenticate on Linux servers using their Windows AD account.
> Following this guide
> https://www.freeipa.org/page/Active_Directory_trust_setup it seems to
> work well, they can login without problems.
> What I cannot make working is sudo from their AD accounts on Linux.
>
> No matter what I try, it is still:
>
> sudo systemctl restart httpd
> [sudo] password for simecek.to...@sd-stc.cz:
> Sorry, try again.
>
> Here's our setup:
> Freeipa server: CentOS Linux release 7.2.1511 (Core),
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
> Freeipa client: the same
>
> AD domain name: sd-stc.cz
> IPA domain: linuxdomain.cz
>
> When digging in logs and googling, I realized that the problem on client
> side could be:
>
> [root@spcss-2t-www ~]# kinit -k
> kinit: Cannot determine realm for host (principal host/spcss-2t-www@)
>
> But this seems to work:
> [root@spcss-2t-www ~]# kinit simecek.to...@sd-stc.cz
> Password for simecek.to...@sd-stc.cz:
> [root@spcss-2t-www ~]# klist
> Default principal: simecek.to...@sd-stc.cz
>
> Valid starting   Expires  Service principal
> 07/04/2016 09:36:26  07/04/2016 19:36:26  krbtgt/sd-stc...@sd-stc.cz
> renew until 07/05/2016 09:36:23
>
> My /etc/sssd/sssd.conf:
> [domain/linuxdomain.cz]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = linuxdomain.cz
> krb5_realm = LINUXDOMAIN.CZ
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = spcss-2t-www.linuxdomain.cz
> chpass_provider = ipa
> ipa_server = svlxxipap.linuxdomain.cz
> ldap_tls_cacert = /etc/ipa/ca.crt
> override_shell = /bin/bash
> sudo_provider = ldap
> ldap_uri = ldap://svlxxipap.linuxdomain.cz
> ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/spcss-2t-www.linuxdomain...@linuxdomain.cz
> ldap_sasl_realm = LINUXDOMAIN.CZ
> krb5_server = svlxxipap.linuxdomain.cz
>
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
>
> domains = linuxdomain.cz
> [nss]
> homedir_substring = /home
> 
>
> My /etc/krb5.conf:
> #File modified by ipa-client-install
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [libdefaults]
>   default_realm = LINUXDOMAIN.CZ
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = yes
>   udp_preference_limit = 0
>   default_ccache_name = KEYRING:persistent:%{uid}
>
>
> [realms]
>   LINUXDOMAIN.CZ = {
> pkinit_anchors = FILE:/etc/ipa/ca.crt
>   }
>
>
> [domain_realm]
>   .linuxdomain.cz = LINUXDOMAIN.CZ
>   linuxdomain.cz = LINUXDOMAIN.CZ
>
> Would you please suggest which way to investigate?
>
> Thanks
>
> Tomas Simecek
>

Re: [Freeipa-users] FreeIPA and sudo Defaults

2015-08-05 Thread Pavel Březina

On 08/04/2015 11:57 AM, Innes, Duncan wrote:

Hi folks,
Struggling with creating a sudo rule in IPA that will allow my
foreman-proxy to run specific commands.  When I put the following into
/etc/sudoers.d/foreman:
[root@puppet01 ~]# cat /etc/sudoers.d/foreman
foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
Defaults:foreman-proxy !requiretty
innesd ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
Defaults:innesd !requiretty
[root@puppet01 ~]#

[innesd@puppet01 ~]$ sudo -l
Matching Defaults entries for innesd on this host:
!requiretty
User innesd may run the following commands on this host:
 (root) NOPASSWD: /usr/bin/puppet cert *, (root) /usr/bin/puppet kick *
 (root) /bin/su
[innesd@puppet01 ~]$
Both my user and the foreman-proxy can run the relevant commands both on
the command line and remotely.
IT Security are not happy with local sudo rules being configured around
the network, so I'm trying to create the same configuration via IPA.
When I try to get the same rule into IPA, my user can run the command in
a tty, but the foreman-proxy user is refused.  This looks to be down to
the lack of !requiretty coming through for the users:
[root@ipa01 ~]# ipa sudorule-show foreman-proxy
   Rule name: foreman-proxy
Enabled: TRUE
   User category: all
   Hosts: puppet02.example.com, puppet01.example.com,
puppet03.example.com, puppet04.example.com
   Sudo Allow Commands: /usr/bin/puppet cert *, /usr/bin/puppet kick *
   Sudo Option: !authenticate, !requiretty
[root@ipa01 ~]#
and once I've removed the #includedir option from my local sudoers file,
I get the following as my user:
[innesd@puppet01 ~]$ sudo -l
User innesd may run the following commands on this host:
 (root) /bin/su
 (root) NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
[innesd@puppet01 ~]$
where the noticeable difference is that the !requiretty isn't listed
under any "Matching Defaults entries" for my user.  With the rule set up
like this, I can run the command in a tty, but the foreman-proxy user is
denied when the command is run without a tty.
How do I go about setting the Defaults for the foreman-proxy user?  Once
my testing is done, I'd like to move the rule to run only against the
foreman-proxy external user rather than all users.


Can you also provide sudo logs please?


And a small follow-up question: how long should I expect it to take for
a change to the sudo rule on my IPA server to become available on the
client?  I keep doing sss_cache -E to clear the cache, but it still
seems to take its own sweet time to be changed on the client.  It's not
a huge wait - just a bit of a pain when I'm testing these changes.


Please, set entry_cache_sudo_timeout = 0 in your domain for testing 
purpose. You can also look at ldap_sudo_full_refresh_interval and 
ldap_sudo_smart_refresh_interval that says how often sssd searches for 
new/modified rules.



Thanks in advance,
Duncan Innes




Re: [Freeipa-users] FreeIPA and sudo Defaults

2015-08-04 Thread Jakub Hrozek
On Tue, Aug 04, 2015 at 10:57:34AM +0100, Innes, Duncan wrote:
> Hi folks,
>  
> Struggling with creating a sudo rule in IPA that will allow my
> foreman-proxy to run specific commands.  When I put the following into
> /etc/sudoers.d/foreman:
>  
> [root@puppet01 ~]# cat /etc/sudoers.d/foreman
> foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet
> kick *
> Defaults:foreman-proxy !requiretty
> innesd ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
> Defaults:innesd !requiretty
> [root@puppet01 ~]#
> 
> [innesd@puppet01 ~]$ sudo -l
> Matching Defaults entries for innesd on this host:
> !requiretty
>  
> User innesd may run the following commands on this host:
> (root) NOPASSWD: /usr/bin/puppet cert *, (root) /usr/bin/puppet kick
> *
> (root) /bin/su
> [innesd@puppet01 ~]$
> 
> Both my user and the foreman-proxy can run the relevant commands both on
> the command line and remotely.
>  
> IT Security are not happy with local sudo rules being configured around
> the network, so I'm trying to create the same configuration via IPA.
>  
> When I try to get the same rule into IPA, my user can run the command in
> a tty, but the foreman-proxy user is refused.  This looks to be down to
> the lack of !requiretty coming through for the users:
>  
> [root@ipa01 ~]# ipa sudorule-show foreman-proxy
>   Rule name: foreman-proxy
>   Enabled: TRUE
>   User category: all
>   Hosts: puppet02.example.com, puppet01.example.com,
>  puppet03.example.com, puppet04.example.com
>   Sudo Allow Commands: /usr/bin/puppet cert *, /usr/bin/puppet kick *
>   Sudo Option: !authenticate, !requiretty
> [root@ipa01 ~]#

I'm adding Pavel Brezina who might have some hints.



Re: [Freeipa-users] FreeIPA and sudo Defaults

2015-08-04 Thread Innes, Duncan
More information:
 
[root@puppet01 ~]# cat /etc/sssd/sssd.conf
[domain/example.com]
 
cache_credentials = True
krb5_realm = EXAMPLE.COM
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = puppet01.example.com
chpass_provider = ipa
ipa_server = ipa01.example.com, ipa02.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_network_timeout = 2
ldap_opt_timeout = 2
ldap_search_timeout = 2
ldap_user_extra_attrs = email:mail, firstname:givenname, lastname:sn, ou
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
 
domains = example.com
[nss]
filter_users =
root,apache,postgres,oracle,tomcat,puppet,foreman,foreman-proxy
filter_groups = root,apache,postgres,oracle,tomcat,puppet,foreman-proxy
homedir_substring = /home
 
[pam]
 
[sudo]
 
[autofs]
 
[ssh]

We don't use _srv_ as we have no control over the DNS servers.
 
[root@puppet01 ~]# cat /etc/nsswitch.conf | grep -v \#
 

passwd: files sss
shadow: files sss
group:  files sss
 
hosts:  files dns
 

bootparams: nisplus [NOTFOUND=return] files
 
ethers: files
netmasks:   files
networks:   files
protocols:  files
rpc:files
services:   files sss
 
netgroup:   files sss
 
publickey:  nisplus
 
automount:  files
aliases:files nisplus
sudoers:files sss
 
[root@puppet01 ~]#

The client runs sudo successfully for other rules that are in place.


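Duncan's sssd.conf and nsswitch.conf above, Pavel Březina's cache-timeout advice earlier in this thread, and the services/nsswitch checklist the 2013 thread further down ends on add up to a small audit a client admin can automate. The following Python is an added example, not code from the thread or from SSSD. Both configs are constructed: the good one is modelled on Duncan's file plus debug_level under [sudo] (so sssd_sudo.log is actually written) and the test-time cache values Pavel suggests; the default timings are the documented sssd.conf(5)/sssd-sudo(5) values for SSSD 1.x and should be checked against the man page installed with your version.

```python
import configparser
import re

# Constructed sample, modelled on the sssd.conf Duncan posted above, with the
# two additions the thread converges on: debug_level under [sudo] (so
# sssd_sudo.log is written) and Pavel's test-time cache settings.
SSSD_CONF_OK = """\
[domain/example.com]
cache_credentials = True
krb5_realm = EXAMPLE.COM
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = puppet01.example.com
ipa_server = ipa01.example.com, ipa02.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
entry_cache_sudo_timeout = 0
ldap_sudo_smart_refresh_interval = 60

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = example.com

[sudo]
debug_level = 6
"""

# Constructed counter-example: sudo not started as a responder, no [sudo]
# section and the rule cache left at its defaults.
SSSD_CONF_BAD = """\
[domain/example.com]
id_provider = ipa
ipa_domain = example.com

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = example.com
"""

NSSWITCH_OK = "passwd:  files sss\nsudoers: files sss\n"
NSSWITCH_BAD = "passwd:  files sss\nsudoers: files\n"

# Documented defaults for SSSD 1.x (sssd.conf(5), sssd-sudo(5)); verify them
# against the man pages shipped with your version before relying on them.
DEFAULT_ENTRY_CACHE_TIMEOUT = 5400
DEFAULT_SUDO_FULL_REFRESH = 21600
DEFAULT_SUDO_SMART_REFRESH = 900


def _load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def _csv(cp, section, option):
    """Split a comma-separated sssd.conf value such as services or domains."""
    return [v.strip() for v in cp.get(section, option, fallback="").split(",") if v.strip()]


def check_sudo_integration(sssd_conf_text, nsswitch_text):
    """Return a list of findings; an empty list means the client is wired up."""
    cp = _load(sssd_conf_text)
    findings = []
    if "sudo" not in _csv(cp, "sssd", "services"):
        findings.append("sssd.conf: 'sudo' is missing from services in [sssd]")
    if not cp.has_section("sudo"):
        findings.append("sssd.conf: no [sudo] section; add one with debug_level to get sssd_sudo.log")
    elif not cp.has_option("sudo", "debug_level"):
        findings.append("sssd.conf: [sudo] has no debug_level, so sssd_sudo.log will stay empty")
    for domain in _csv(cp, "sssd", "domains"):
        if not cp.has_section("domain/" + domain):
            findings.append(f"sssd.conf: domains lists {domain} but [domain/{domain}] is missing")
    m = re.search(r"^\s*sudoers\s*:\s*(.*)$", nsswitch_text, re.MULTILINE)
    if m is None or "sss" not in m.group(1).split():
        findings.append("nsswitch.conf: the sudoers line does not include sss")
    return findings


def effective_sudo_timings(sssd_conf_text, domain):
    """Seconds after which a rule change on the server can show up on this client."""
    cp = _load(sssd_conf_text)
    sec = "domain/" + domain
    entry = cp.getint(sec, "entry_cache_timeout", fallback=DEFAULT_ENTRY_CACHE_TIMEOUT)
    return {
        # entry_cache_sudo_timeout falls back to the generic entry_cache_timeout
        "entry_cache_sudo_timeout": cp.getint(sec, "entry_cache_sudo_timeout", fallback=entry),
        "ldap_sudo_full_refresh_interval": cp.getint(sec, "ldap_sudo_full_refresh_interval",
                                                     fallback=DEFAULT_SUDO_FULL_REFRESH),
        "ldap_sudo_smart_refresh_interval": cp.getint(sec, "ldap_sudo_smart_refresh_interval",
                                                      fallback=DEFAULT_SUDO_SMART_REFRESH),
    }


if __name__ == "__main__":
    for label, conf, nss in (("ok", SSSD_CONF_OK, NSSWITCH_OK), ("bad", SSSD_CONF_BAD, NSSWITCH_BAD)):
        print(label, check_sudo_integration(conf, nss) or "no findings")
        print(label, effective_sudo_timings(conf, "example.com"))
```

The timing dictionary explains the "sweet time" Duncan sees: sss_cache -E invalidates cached entries, but a rule that is not yet in the cache only arrives with the next smart or full refresh, so for testing the smart interval is what to lower, and the values should be put back before the host goes to production.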
Re: [Freeipa-users] FreeIPA and sudo Defaults

2015-08-04 Thread Innes, Duncan
Information:
 
IPA server and client both running on RHEL 6.7 fully patched.
IPA server version: ipa-server-3.0.0-47.el6.x86_64
sssd client version: sssd-1.12.4-47.el6.x86_64
 
IPA server hosts dozens of sudo rules that work as expected.  This is
the first rule, however, that needs the !requiretty in the Defaults for
the user.
 
Thanks

D
 



From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Innes, Duncan
Sent: 04 August 2015 10:58
To: freeipa-users@redhat.com
Subject: [Freeipa-users] FreeIPA and sudo Defaults


Hi folks,
 
Struggling with creating a sudo rule in IPA that will allow my
foreman-proxy to run specific commands.  When I put the following into
/etc/sudoers.d/foreman:
 
[root@puppet01 ~]# cat /etc/sudoers.d/foreman
foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet
kick *
Defaults:foreman-proxy !requiretty
innesd ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
Defaults:innesd !requiretty
[root@puppet01 ~]#

[innesd@puppet01 ~]$ sudo -l
Matching Defaults entries for innesd on this host:
!requiretty
 
User innesd may run the following commands on this host:
(root) NOPASSWD: /usr/bin/puppet cert *, (root) /usr/bin/puppet kick
*
(root) /bin/su
[innesd@puppet01 ~]$

Both my user and the foreman-proxy can run the relevant commands both on
the command line and remotely.
 
IT Security are not happy with local sudo rules being configured around
the network, so I'm trying to create the same configuration via IPA.
 
When I try to get the same rule into IPA, my user can run the command in
a tty, but the foreman-proxy user is refused.  This looks to be down to
the lack of !requiretty coming through for the users:
 
[root@ipa01 ~]# ipa sudorule-show foreman-proxy
  Rule name: foreman-proxy
  Enabled: TRUE
  User category: all
  Hosts: puppet02.example.com, puppet01.example.com,
 puppet03.example.com, puppet04.example.com
  Sudo Allow Commands: /usr/bin/puppet cert *, /usr/bin/puppet kick *
  Sudo Option: !authenticate, !requiretty
[root@ipa01 ~]#

and once I've removed the #includedir option from my local sudoers file,
I get the following as my user:
 
[innesd@puppet01 ~]$ sudo -l
User innesd may run the following commands on this host:
(root) /bin/su
(root) NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
[innesd@puppet01 ~]$

where the noticeable difference is that the !requiretty isn't listed
under any "Matching Defaults entries" for my user.  With the rule set up
like this, I can run the command in a tty, but the foreman-proxy user is
denied when the command is run without a tty.
 
How do I go about setting the Defaults for the foreman-proxy user?  Once
my testing is done, I'd like to move the rule to run only against the
foreman-proxy external user rather than all users.
 
And a small follow-up question: how long should I expect it to take for
a change to the sudo rule on my IPA server to become available on the
client?  I keep doing sss_cache -E to clear the cache, but it still
seems to take its own sweet time to be changed on the client.  It's not
a huge wait - just a bit of a pain when I'm testing these changes.
 
Thanks in advance,
 
Duncan Innes

This message has been checked for viruses and spam by the Virgin Money
email scanning system powered by Messagelabs.

This e-mail is intended to be confidential to the recipient. If you
receive a copy in error, please inform the sender and then delete this
message.

Virgin Money plc - Registered in England and Wales (Company no.
6952311). Registered office - Jubilee House, Gosforth, Newcastle upon
Tyne NE3 4PL. Virgin Money plc is authorised by the Prudential
Regulation Authority and regulated by the Financial Conduct Authority
and the Prudential Regulation Authority.

The following companies also trade as Virgin Money. They are both
authorised and regulated by the Financial Conduct Authority, are
registered in England and Wales and have their registered office at
Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL: Virgin Money
Personal Financial Service Limited (Company no. 3072766) and Virgin
Money Unit Trust Managers Limited (Company no. 3000482).

For further details of Virgin Money group companies please visit our
website at virginmoney.com

This message has been checked for viruses and spam by the Virgin Money
email scanning system powered by Messagelabs.


This message has been checked for viruses and spam by the Virgin Money email 
scanning system powered by Messagelabs.

This e-mail is intended to be confidential to the recipient. If you receive a 
copy in error, please inform the sender and then delete this message.

Virgin Money plc - Registered in England and Wales (Company no. 6952311). 
Registered office - Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL. 
Virgin Money plc is authorised by the Prudential Regulation Authority and 
regulated by the Financial Conduct Authority and the Prudential

Re: [Freeipa-users] freeipa and sudo

2013-09-11 Thread Dean Hunter
On Wed, 2013-09-11 at 11:21 +0200, Pavel Březina wrote:

> On 09/09/2013 07:32 PM, Dean Hunter wrote:
> >
> > On Mon, 2013-09-09 at 11:23 +0200, Pavel Březina wrote:
> >> On 09/08/2013 01:35 AM, Dmitri Pal wrote:
> >>> On 09/07/2013 02:11 PM, Christian Horn wrote:
>  On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote:
> > Are [1] and [2] still the current and best sources of
> > information for configuring sudo for use with the current
> > release of FreeIPA on Fedora 19?
> >
> > 1.
> > http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html
> >>
> >
> >>> 2.
> > http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
> >>
> >
> >> There is also the Identity_Management_Guide as part of the RHEL
>  product documentation:
>  https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html
> >>
> 
> > This and the pdf above are the latest word in this area.
> >>
> >> Hi, those documents describe configuration for SSSD 1.9. Although
> >> it is still valid, we have simplified configuration for IPA
> >> provider in 1.10.
> >>
> >> The most up to date document for your version of SSSD is always
> >> man sssd-sudo.
> >>
> >
> > Thank you.  Please verify that I have correctly understood your note.
> >  Your slides from 12-20-2012 applied to SSSD 1.9 and included a
> > reference to the manual pages, which I now understand, as well as
> > this example configuration:
> >
> > sudo_provider = ldap
> > ldap_uri = ldap://ipa.example.com
> > ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
> > ldap_sasl_mech = GSSAPI
> > ldap_sasl_authid = host/hostname.example.com
> > ldap_sasl_realm = EXAMPLE.COM
> > krb5_server = ipa.example.com
> >
> > I have used this configuration with good results.  However, reading
> > "man sssd-sudo" from sssd-1.9.5-2.fc18.x86_64 I find this paragraph:
> >
> > When the SSSD is configured to use the IPA provider, the sudo
> > provider is automatically enabled. The sudo search base is configured
> > to use the compat tree (ou=sudoers,$DC).
> 
> I forgot that the configuration was simplified also in 1.9. You can just
> stick with contents of sssd-sudo. I.e. you only need to put sudo to
> "services" (there's an RFE to do it automatically by ipa-client-install)
> and "sudoers: files sss" to /etc/nsswitch.conf
> 
> > May I suggest that you change "IPA provider" to "IPA as the ID
> > provider"?  There are a number of providers identified in sssd.conf
> > and most of them are configured to use IPA.
> 
> This is a valid point, thanks.
> 
> >
> > Testing shows that the only change now required to sssd.conf is the
> > addition of sudo to the services list in the sssd section [sssd]:
> >
> > services = autofs, nss, pam, ssh, sudo
> >
> > Add to this the one line change in nsswitch.conf
> >
> > sudoers:files sss
> >
> > and I am done.
> 
> Correct.
> 


Nope, there is still one step remaining.  nisdomainname must be
configured:


Re: [Freeipa-users] freeipa and sudo

2013-09-11 Thread Pavel Březina

On 09/11/2013 11:21 AM, Pavel Březina wrote:

On 09/09/2013 07:32 PM, Dean Hunter wrote:


On Mon, 2013-09-09 at 11:23 +0200, Pavel Březina wrote:

On 09/08/2013 01:35 AM, Dmitri Pal wrote:

On 09/07/2013 02:11 PM, Christian Horn wrote:

On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote:

Are [1] and [2] still the current and best sources of
information for configuring sudo for use with the current
release of FreeIPA on Fedora 19?

1.
http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html
2.
http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf

There is also the Identity_Management_Guide as part of the RHEL
product documentation:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html

This and the pdf above are the latest word in this area.


Hi, those documents describe configuration for SSSD 1.9. Although
it is still valid, we have simplified configuration for IPA
provider in 1.10.

The most up to date document for your version of SSSD is always
man sssd-sudo.



Thank you.  Please verify that I have correctly understood your note.
 Your slides from 12-20-2012 applied to SSSD 1.9 and included a
reference to the manual pages, which I now understand, as well as
this example configuration:

sudo_provider = ldap
ldap_uri = ldap://ipa.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/hostname.example.com
ldap_sasl_realm = EXAMPLE.COM
krb5_server = ipa.example.com

I have used this configuration with good results.  However, reading
"man sssd-sudo" from sssd-1.9.5-2.fc18.x86_64 I find this paragraph:

When the SSSD is configured to use the IPA provider, the sudo
provider is automatically enabled. The sudo search base is configured
to use the compat tree (ou=sudoers,$DC).


I forgot that the configuration was simplified also in 1.9. You can just
stick with contents of sssd-sudo. I.e. you only need to put sudo to
"services" (there's an RFE to do it automatically by ipa-client-install)
and "sudoers: files sss" to /etc/nsswitch.conf


May I suggest that you change "IPA provider" to "IPA as the ID
provider"?  There are a number of providers identified in sssd.conf
and most of them are configured to use IPA.


This is a valid point, thanks.

https://fedorahosted.org/sssd/ticket/2085

Testing shows that the only change now required to sssd.conf is the
addition of sudo to the services list in the sssd section [sssd]:

services = autofs, nss, pam, ssh, sudo

Add to this the one line change in nsswitch.conf

sudoers:files sss

and I am done.


Correct.


Re: [Freeipa-users] freeipa and sudo

2013-09-11 Thread Pavel Březina

On 09/09/2013 05:53 PM, Dean Hunter wrote:
> On Mon, 2013-09-09 at 11:35 +0200, Pavel Březina wrote:
>> On 09/09/2013 12:26 AM, Dean Hunter wrote:
>>> On Sun, 2013-09-08 at 23:11 +0200, Jakub Hrozek wrote:
>>>> On Sun, Sep 08, 2013 at 03:42:16PM -0500, Dean Hunter wrote:
>>>>> On Sat, 2013-09-07 at 19:35 -0400, Dmitri Pal wrote:
>>>>>
>>>>>> On 09/07/2013 02:11 PM, Christian Horn wrote:
>>>>>>> On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote:
>>>>>>>> Are [1] and [2] still the current and best sources of information for
>>>>>>>> configuring sudo for use with the current release of FreeIPA on Fedora
>>>>>>>> 19?
>>>>>>>>
>>>>>>>> 1.
>>>>>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html
>>>>>>>> 2.
>>>>>>>> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>>>>>>> There is also the Identity_Management_Guide as part of the RHEL
>>>>>>> product documentation:
>>>>>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html
>>>>>> This and the pdf above are the latest word in this area.
>>>>>>
>>>>>>> Christian
>>>>>
>>>>> Some sudo rules are causing:
>>>>>
>>>>>   [dean@desktop2 ~]$ sudo id
>>>>>   sudo: internal error, tried to erealloc3(0)
>>>>
>>>> This is a known bug:
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1000389
>>>>
>>>> I think the sudo rules are just missing the sudoHost attribute.
>>>>
>>>>> , but others do not.  In the trial and error process of determining
>>>>> which rule specifications are causing the error, I have been restarting
>>>>> the virtual machine I am using as the sudo client between tests.  Is
>>>>> there a better way to clear the SSSD cache between trials to make sure I
>>>>> am testing the most recent rule change?
>>>>
>>>> Unfortunately right now the only way is to rm the sssd cache which would
>>>> also remove any cached credentials. I thought there was an RFE open to
>>>> track the enhancement to make sss_cache invalidate and refresh sudo
>>>> rules, but I can't find it now in the SSSD trac, so I filed another one:
>>>> https://fedorahosted.org/sssd/ticket/2081
>>>>
>>>> Worst case, we mark it as a duplicate.
>>>
>>> I saw bug report 1000389, but I could not understand it or whether it
>>> applied to me.
>>>
>>> I discovered that sudo rules for which I specified a host group caused
>>> the error.  Rules with a host category of "all" instead of the host
>>> group did not cause the error.  Is this what 1000389 says?
>>>
>>>   ipa sudorule-add        server-admins  --desc "Server Administrators"
>>>   ipa sudorule-mod        server-admins  --cmdcat all
>>> # ipa sudorule-add-host   server-admins  --hostgroups servers
>>>   ipa sudorule-mod        server-admins  --hostcat all
>>>   ipa sudorule-add-option server-admins  --sudooption '!authenticate'
>>>   ipa sudorule-add-runasuser  server-admins  --users root
>>>   ipa sudorule-add-runasgroup server-admins  --groups root
>>>   ipa sudorule-add-user   server-admins  --groups server-admins
>>
>> Does the machine where sudo prints this error belong to the hostgroup
>> 'servers'? If the answer is *no* then you are hitting 1000389.
>
> Yes, the virtual machine where the sudo internal error occurs is a
> member of the hostgroup.  So I guess this is a new error and should be
> reported?

FYI Dean reported https://bugzilla.redhat.com/show_bug.cgi?id=1006611

I still think it is the same bug as 1000389, however with slightly
different back trace. I'll follow up in BZ.

>>> This problem exists with the latest updates on both Fedora 18 and Fedora 19.
>>>
>>> I also discovered that libsss_sudo.so is missing from  Fedora 18
>>> installations.
>>
>> It needs to be installed separately by installing libsss_sudo package.
>
> Yes, I did find the package and installed it.

Re: [Freeipa-users] freeipa and sudo

2013-09-11 Thread Pavel Březina

On 09/09/2013 07:32 PM, Dean Hunter wrote:
> On Mon, 2013-09-09 at 11:23 +0200, Pavel Březina wrote:
>> On 09/08/2013 01:35 AM, Dmitri Pal wrote:
>>> On 09/07/2013 02:11 PM, Christian Horn wrote:
>>>> On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote:
>>>>> Are [1] and [2] still the current and best sources of
>>>>> information for configuring sudo for use with the current
>>>>> release of FreeIPA on Fedora 19?
>>>>>
>>>>> 1.
>>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html
>>>>> 2.
>>>>> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>>>> There is also the Identity_Management_Guide as part of the RHEL
>>>> product documentation:
>>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html
>>> This and the pdf above are the latest word in this area.
>>
>> Hi, those documents describe configuration for SSSD 1.9. Although
>> it is still valid, we have simplified configuration for IPA
>> provider in 1.10.
>>
>> The most up to date document for your version of SSSD is always
>> man sssd-sudo.
>
> Thank you.  Please verify that I have correctly understood your note.
> Your slides from 12-20-2012 applied to SSSD 1.9 and included a
> reference to the manual pages, which I now understand, as well as
> this example configuration:
>
> sudo_provider = ldap
> ldap_uri = ldap://ipa.example.com
> ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/hostname.example.com
> ldap_sasl_realm = EXAMPLE.COM
> krb5_server = ipa.example.com
>
> I have used this configuration with good results.  However, reading
> "man sssd-sudo" from sssd-1.9.5-2.fc18.x86_64 I find this paragraph:
>
> When the SSSD is configured to use the IPA provider, the sudo
> provider is automatically enabled. The sudo search base is configured
> to use the compat tree (ou=sudoers,$DC).

I forgot that the configuration was simplified also in 1.9. You can just
stick with contents of sssd-sudo. I.e. you only need to put sudo to
"services" (there's an RFE to do it automatically by ipa-client-install)
and "sudoers: files sss" to /etc/nsswitch.conf

> May I suggest that you change "IPA provider" to "IPA as the ID
> provider"?  There are a number of providers identified in sssd.conf
> and most of them are configured to use IPA.

This is a valid point, thanks.

> Testing shows that the only change now required to sssd.conf is the
> addition of sudo to the services list in the sssd section [sssd]:
>
> services = autofs, nss, pam, ssh, sudo
>
> Add to this the one line change in nsswitch.conf
>
> sudoers:files sss
>
> and I am done.

Correct.

Re: [Freeipa-users] freeipa and sudo

2013-09-09 Thread Dean Hunter
On Mon, 2013-09-09 at 11:35 +0200, Pavel Březina wrote:

> On 09/09/2013 12:26 AM, Dean Hunter wrote:
> > On Sun, 2013-09-08 at 23:11 +0200, Jakub Hrozek wrote:
> >> On Sun, Sep 08, 2013 at 03:42:16PM -0500, Dean Hunter wrote:
> >> > On Sat, 2013-09-07 at 19:35 -0400, Dmitri Pal wrote:
> >> >
> >> > > On 09/07/2013 02:11 PM, Christian Horn wrote:
> >> > > > On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote:
> >> > > >> Are [1] and[2] still the current and best sources of information for
> >> > > >> configuring sudo for use with the current release of FreeIPA on 
> >> > > >> Fedora
> >> > > >> 19?
> >> > > >>
> >> > > >> 1.
> >> > > >>http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html
> >> > > >> 2.
> >> > > >>http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
> >> > > > There is also the Identity_Management_Guide as part of the RHEL
> >> > > > product documentation:
> >> > > >https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html
> >> > > This and the pdf above are the latest word in this area.
> >> > >
> >> > > > Christian
> >> > > >
> >> > >
> >> > >
> >> >
> >> > Some sudo rules are causing:
> >> >
> >> >   [dean@desktop2 ~]$ sudo id
> >> >   sudo: internal error, tried to erealloc3(0)
> >>
> >> This is a known bug:
> >> https://bugzilla.redhat.com/show_bug.cgi?id=1000389
> >>
> >> I think the sudo rules are just missing the sudoHost attribute.
> >>
> >> >
> >> > , but others do not.  In the trial and error process of determining
> >> > which rule specifications are causing the error, I have been restarting
> >> > the virtual machine I am using as the sudo client between tests.  Is
> >> > there a better way to clear the SSSD cache between trials to make sure I
> >> > am testing the most recent rule change?
> >>
> >> Unfortunately right now the only way is to rm the sssd cache which would
> >> also remove any cached credentials. I thought there was an RFE open to
> >> track the enhancement to make sss_cache invalidate and refresh sudo
> >> rules, but I can't find it now in the SSSD trac, so I filed another one:
> >> https://fedorahosted.org/sssd/ticket/2081
> >>
> >> Worst case, we mark it as a duplicate.
> >>
> >
> > I saw bug report 1000389, but I could not understand it or whether it
> > applied to me.
> >
> > I discovered that sudo rules for which I specified a host group caused
> > the error.  Rules with a host category of "all" instead of the host
> > group did not cause the error.  Is this what 1000389 says?
> >
> >   ipa sudorule-add        server-admins  --desc "Server Administrators"
> >   ipa sudorule-mod        server-admins  --cmdcat all
> > # ipa sudorule-add-host   server-admins  --hostgroups servers
> >   ipa sudorule-mod        server-admins  --hostcat all
> >   ipa sudorule-add-option server-admins  --sudooption '!authenticate'
> >   ipa sudorule-add-runasuser  server-admins  --users root
> >   ipa sudorule-add-runasgroup server-admins  --groups root
> >   ipa sudorule-add-user   server-admins  --groups server-admins
> 
> Does the machine where sudo prints this error belong to the hostgroup
> 'servers'? If the answer is *no* then you are hitting 1000389.


Yes, the virtual machine where the sudo internal error occurs is a
member of the hostgroup.  So I guess this is a new error and should be
reported?


> > This problem exists with the latest updates on both Fedora 18 and Fedora 19.
> >
> > I also discovered that libsss_sudo.so is missing from  Fedora 18
> > installations.
> 
> It needs to be installed separately by installing libsss_sudo package.


Yes, I did find the package and installed it.



Re: [Freeipa-users] freeipa and sudo

2013-09-09 Thread Dean Hunter
On Mon, 2013-09-09 at 11:29 +0200, Pavel Březina wrote:

> On 09/08/2013 11:11 PM, Jakub Hrozek wrote:
> > On Sun, Sep 08, 2013 at 03:42:16PM -0500, Dean Hunter wrote:
> >> On Sat, 2013-09-07 at 19:35 -0400, Dmitri Pal wrote:
> >>
> >>> On 09/07/2013 02:11 PM, Christian Horn wrote:
> >>>> On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote:
> >>>>> Are [1] and [2] still the current and best sources of information for
> >>>>> configuring sudo for use with the current release of FreeIPA on Fedora
> >>>>> 19?
> >>>>>
> >>>>> 1.
> >>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html
> >>>>> 2.
> >>>>> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
> >>>> There is also the Identity_Management_Guide as part of the RHEL
> >>>> product documentation:
> >>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html
> >>> This and the pdf above are the latest word in this area.
> >>>
> >>>> Christian
> >>>
> >>>
> >>
> >> Some sudo rules are causing:
> >>
> >>[dean@desktop2 ~]$ sudo id
> >>sudo: internal error, tried to erealloc3(0)
> >
> > This is a known bug:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1000389
> >
> > I think the sudo rules are just missing the sudoHost attribute.
> >
> >>
> >> , but others do not.  In the trial and error process of determining
> >> which rule specifications are causing the error, I have been restarting
> >> the virtual machine I am using as the sudo client between tests.  Is
> >> there a better way to clear the SSSD cache between trials to make sure I
> >> am testing the most recent rule change?
> >
> > Unfortunately right now the only way is to rm the sssd cache which would
> > also remove any cached credentials.
> 
> You don't necessarily have to remove the cache. If you just restart SSSD 
> the rules will be refreshed in approximately 15 seconds.


Ah!  Thank you.  I will try to remember that for the next time I have to
debug rules.


> > I thought there was an RFE open to
> > track the enhancement to make sss_cache invalidate and refresh sudo
> > rules, but I can't find it now in the SSSD trac, so I filed another one:
> > https://fedorahosted.org/sssd/ticket/2081
> >
> > Worst case, we mark it as a duplicate.
> >

Re: [Freeipa-users] freeipa and sudo

2013-09-09 Thread Dean Hunter

On Mon, 2013-09-09 at 11:23 +0200, Pavel Březina wrote: 

> On 09/08/2013 01:35 AM, Dmitri Pal wrote:
> > On 09/07/2013 02:11 PM, Christian Horn wrote:
> >> On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote:
> >>> Are [1] and[2] still the current and best sources of information for
> >>> configuring sudo for use with the current release of FreeIPA on Fedora
> >>> 19?
> >>>
> >>> 1.
> >>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html
> >>> 2.
> >>> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
> >> There is also the Identity_Management_Guide as part of the RHEL
> >> product documentation:
> >> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html
> > This and the pdf above are the latest word in this area.
> 
> Hi,
> those documents describe configuration for SSSD 1.9. Although it is 
> still valid, we have simplified configuration for IPA provider in 1.10.
> 
> The most up to date document for your version of SSSD is always man 
> sssd-sudo.
> 


Thank you.  Please verify that I have correctly understood your note.
Your slides from 12-20-2012 applied to SSSD 1.9 and included a reference
to the manual pages, which I now understand, as well as this example
configuration:

sudo_provider = ldap
ldap_uri = ldap://ipa.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/hostname.example.com
ldap_sasl_realm = EXAMPLE.COM
krb5_server = ipa.example.com

I have used this configuration with good results.  However, reading "man
sssd-sudo" from sssd-1.9.5-2.fc18.x86_64 I find this paragraph:

When the SSSD is configured to use the IPA provider, the sudo
provider is automatically enabled. The sudo search base is configured
to use the compat tree (ou=sudoers,$DC).

May I suggest that you change "IPA provider" to "IPA as the ID
provider"?  There are a number of providers identified in sssd.conf and
most of them are configured to use IPA.

Testing shows that the only change now required to sssd.conf is the
addition of sudo to the services list in the sssd section [sssd]:

services = autofs, nss, pam, ssh, sudo

Add to this the one line change in nsswitch.conf

sudoers:files sss

and I am done.

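As an added example that is not code from the thread or from SSSD/FreeIPA, a small preflight check for the two client-side settings Dean's test converges on: sudo in the services list of [sssd] and the sss source on the sudoers line of /etc/nsswitch.conf. It also flags a domain that sets sudo_provider = none, the value sssd.conf(5) documents as explicitly disabling the sudo provider; all file contents in the block are constructed.

```python
"""Preflight check for the sudo integration settings discussed in the thread.

Added example, not code from the thread or from SSSD/FreeIPA. It checks
that "sudo" is in services= of the [sssd] section of sssd.conf and that
the sudoers: database in /etc/nsswitch.conf includes the "sss" source.
All file contents below are constructed for the example.
"""
import configparser
import re
from typing import List

# Constructed sssd.conf as ipa-client-install of that era left it (no sudo).
SSSD_CONF_BEFORE = """\
[sssd]
services = autofs, nss, pam, ssh
domains = example.com

[domain/example.com]
id_provider = ipa
ipa_server = ipa.example.com
"""

# Constructed sssd.conf after the one-line change Dean describes.
SSSD_CONF_AFTER = SSSD_CONF_BEFORE.replace(
    "services = autofs, nss, pam, ssh", "services = autofs, nss, pam, ssh, sudo")

# Constructed nsswitch.conf before and after the sudoers: change.
NSSWITCH_BEFORE = "passwd:     files sss\ngroup:      files sss\nsudoers:    files\n"
NSSWITCH_AFTER = "passwd:     files sss\ngroup:      files sss\nsudoers:    files sss\n"


def sssd_services(sssd_conf_text: str) -> List[str]:
    """Parse the services= list of the [sssd] section (empty if absent)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(sssd_conf_text)
    raw = parser.get("sssd", "services", fallback="")
    return [item.strip() for item in raw.split(",") if item.strip()]


def disabled_sudo_domains(sssd_conf_text: str) -> List[str]:
    """Domains that set sudo_provider = none, which disables the sudo provider explicitly."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(sssd_conf_text)
    return [
        section for section in parser.sections()
        if section.startswith("domain/")
        and parser.get(section, "sudo_provider", fallback="").strip().lower() == "none"
    ]


def nsswitch_sources(nsswitch_text: str, database: str = "sudoers") -> List[str]:
    """Return the source list of one nsswitch.conf database, e.g. ["files", "sss"]."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments and blanks
        match = re.match(r"^(\S+?)\s*:\s*(.*)$", line)
        if match and match.group(1) == database:
            return match.group(2).split()
    return []


def check_sudo_integration(sssd_conf_text: str, nsswitch_text: str) -> List[str]:
    """Return a list of findings; an empty list means the client is set up."""
    findings = []
    services = sssd_services(sssd_conf_text)
    if "sudo" not in services:
        findings.append("sssd.conf: 'sudo' is not in services= of [sssd] (found: %s)"
                        % (", ".join(services) or "nothing"))
    for domain in disabled_sudo_domains(sssd_conf_text):
        findings.append("sssd.conf: [%s] sets sudo_provider = none" % domain)
    sources = nsswitch_sources(nsswitch_text)
    if "sss" not in sources:
        findings.append("nsswitch.conf: sudoers: line lacks 'sss' (found: %s)"
                        % (" ".join(sources) or "no sudoers line"))
    return findings


if __name__ == "__main__":
    for label, conf, nss in (("before", SSSD_CONF_BEFORE, NSSWITCH_BEFORE),
                             ("after", SSSD_CONF_AFTER, NSSWITCH_AFTER)):
        print(label, check_sudo_integration(conf, nss) or "OK")
```

On a real client, read the two files into the strings instead of the constructed samples; the check is read-only.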

Re: [Freeipa-users] freeipa and sudo

2013-09-09 Thread Jakub Hrozek
On Mon, Sep 09, 2013 at 11:35:52AM +0200, Pavel Březina wrote:
> >This problem exists with the latest updates on both Fedora 18 and Fedora 19.
> >
> >I also discovered that libsss_sudo.so is missing from  Fedora 18
> >installations.
> 
> It needs to be installed separately by installing libsss_sudo package.

btw this is only true on "older" systems, recently we folded back
libsss_sudo and libsss_autofs back to the main packages to avoid this
kind of confusion.


Re: [Freeipa-users] freeipa and sudo

2013-09-09 Thread Pavel Březina

On 09/09/2013 12:26 AM, Dean Hunter wrote:
> On Sun, 2013-09-08 at 23:11 +0200, Jakub Hrozek wrote:
>> On Sun, Sep 08, 2013 at 03:42:16PM -0500, Dean Hunter wrote:
>>> On Sat, 2013-09-07 at 19:35 -0400, Dmitri Pal wrote:
>>>
>>>> On 09/07/2013 02:11 PM, Christian Horn wrote:
>>>>> On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote:
>>>>>> Are [1] and [2] still the current and best sources of information for
>>>>>> configuring sudo for use with the current release of FreeIPA on Fedora
>>>>>> 19?
>>>>>>
>>>>>> 1.
>>>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html
>>>>>> 2.
>>>>>> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>>>>> There is also the Identity_Management_Guide as part of the RHEL
>>>>> product documentation:
>>>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html
>>>> This and the pdf above are the latest word in this area.
>>>>
>>>>> Christian
>>>
>>> Some sudo rules are causing:
>>>
>>>   [dean@desktop2 ~]$ sudo id
>>>   sudo: internal error, tried to erealloc3(0)
>>
>> This is a known bug:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1000389
>>
>> I think the sudo rules are just missing the sudoHost attribute.
>>
>>> , but others do not.  In the trial and error process of determining
>>> which rule specifications are causing the error, I have been restarting
>>> the virtual machine I am using as the sudo client between tests.  Is
>>> there a better way to clear the SSSD cache between trials to make sure I
>>> am testing the most recent rule change?
>>
>> Unfortunately right now the only way is to rm the sssd cache which would
>> also remove any cached credentials. I thought there was an RFE open to
>> track the enhancement to make sss_cache invalidate and refresh sudo
>> rules, but I can't find it now in the SSSD trac, so I filed another one:
>> https://fedorahosted.org/sssd/ticket/2081
>>
>> Worst case, we mark it as a duplicate.
>
> I saw bug report 1000389, but I could not understand it or whether it
> applied to me.
>
> I discovered that sudo rules for which I specified a host group caused
> the error.  Rules with a host category of "all" instead of the host
> group did not cause the error.  Is this what 1000389 says?
>
>   ipa sudorule-add        server-admins  --desc "Server Administrators"
>   ipa sudorule-mod        server-admins  --cmdcat all
> # ipa sudorule-add-host   server-admins  --hostgroups servers
>   ipa sudorule-mod        server-admins  --hostcat all
>   ipa sudorule-add-option server-admins  --sudooption '!authenticate'
>   ipa sudorule-add-runasuser  server-admins  --users root
>   ipa sudorule-add-runasgroup server-admins  --groups root
>   ipa sudorule-add-user   server-admins  --groups server-admins

Does the machine where sudo prints this error belong to the hostgroup
'servers'? If the answer is *no* then you are hitting 1000389.

> This problem exists with the latest updates on both Fedora 18 and Fedora 19.
>
> I also discovered that libsss_sudo.so is missing from  Fedora 18
> installations.

It needs to be installed separately by installing libsss_sudo package.


Re: [Freeipa-users] freeipa and sudo

2013-09-09 Thread Pavel Březina

On 09/08/2013 11:11 PM, Jakub Hrozek wrote:
> On Sun, Sep 08, 2013 at 03:42:16PM -0500, Dean Hunter wrote:
>> On Sat, 2013-09-07 at 19:35 -0400, Dmitri Pal wrote:
>>
>>> On 09/07/2013 02:11 PM, Christian Horn wrote:
>>>> On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote:
>>>>> Are [1] and [2] still the current and best sources of information for
>>>>> configuring sudo for use with the current release of FreeIPA on Fedora
>>>>> 19?
>>>>>
>>>>> 1.
>>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html
>>>>> 2.
>>>>> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>>>> There is also the Identity_Management_Guide as part of the RHEL
>>>> product documentation:
>>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html
>>> This and the pdf above are the latest word in this area.
>>>
>>>> Christian
>>
>> Some sudo rules are causing:
>>
>>   [dean@desktop2 ~]$ sudo id
>>   sudo: internal error, tried to erealloc3(0)
>
> This is a known bug:
> https://bugzilla.redhat.com/show_bug.cgi?id=1000389
>
> I think the sudo rules are just missing the sudoHost attribute.
>
>> , but others do not.  In the trial and error process of determining
>> which rule specifications are causing the error, I have been restarting
>> the virtual machine I am using as the sudo client between tests.  Is
>> there a better way to clear the SSSD cache between trials to make sure I
>> am testing the most recent rule change?
>
> Unfortunately right now the only way is to rm the sssd cache which would
> also remove any cached credentials.

You don't necessarily have to remove the cache. If you just restart SSSD
the rules will be refreshed in approximately 15 seconds.

> I thought there was an RFE open to
> track the enhancement to make sss_cache invalidate and refresh sudo
> rules, but I can't find it now in the SSSD trac, so I filed another one:
> https://fedorahosted.org/sssd/ticket/2081
>
> Worst case, we mark it as a duplicate.


Re: [Freeipa-users] freeipa and sudo

2013-09-09 Thread Pavel Březina

On 09/08/2013 01:35 AM, Dmitri Pal wrote:
> On 09/07/2013 02:11 PM, Christian Horn wrote:
>> On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote:
>>> Are [1] and [2] still the current and best sources of information for
>>> configuring sudo for use with the current release of FreeIPA on Fedora
>>> 19?
>>>
>>> 1.
>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html
>>> 2.
>>> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>> There is also the Identity_Management_Guide as part of the RHEL
>> product documentation:
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html
> This and the pdf above are the latest word in this area.

Hi,
those documents describe configuration for SSSD 1.9. Although it is
still valid, we have simplified configuration for IPA provider in 1.10.

The most up to date document for your version of SSSD is always man
sssd-sudo.


Re: [Freeipa-users] freeipa and sudo

2013-09-08 Thread Dean Hunter
On Sun, 2013-09-08 at 23:11 +0200, Jakub Hrozek wrote:

> On Sun, Sep 08, 2013 at 03:42:16PM -0500, Dean Hunter wrote:
> > On Sat, 2013-09-07 at 19:35 -0400, Dmitri Pal wrote:
> > 
> > > On 09/07/2013 02:11 PM, Christian Horn wrote:
> > > > On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote:
> > > >> Are [1] and[2] still the current and best sources of information for
> > > >> configuring sudo for use with the current release of FreeIPA on Fedora
> > > >> 19?
> > > >>
> > > >> 1.
> > > >> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html
> > > >> 2.
> > > >> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
> > > > There is also the Identity_Management_Guide as part of the RHEL
> > > > product documentation:
> > > > https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html
> > > This and the pdf above are the latest word in this area.
> > > 
> > > > Christian
> > > >
> > > > ___
> > > > Freeipa-users mailing list
> > > > Freeipa-users@redhat.com
> > > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > 
> > > 
> > 
> > Some sudo rules are causing:
> > 
> >   [dean@desktop2 ~]$ sudo id
> >   sudo: internal error, tried to erealloc3(0)
> 
> This is a known bug:
> https://bugzilla.redhat.com/show_bug.cgi?id=1000389
> 
> I think the sudo rules are just missing the sudoHost attribute.
> 
> > 
> > , but others do not.  In the trial and error process of determining
> > which rule specifications are causing the error, I have been restarting
> > the virtual machine I am using as the sudo client between tests.  Is
> > there a better way to clear the SSSD cache between trials to make sure I
> > am testing the most recent rule change?
> 
> Unfortunately right now the only way is to rm the sssd cache which would
> also remove any cached credentials. I thought there was an RFE open to
> track the enhancement to make sss_cache invalidate and refresh sudo
> rules, but I can't find it now in the SSSD trac, so I filed another one:
> https://fedorahosted.org/sssd/ticket/2081
> 
> Worst case, we mark it as a duplicate.
> 


I saw bug report 1000389, but I could not understand it or whether it
applied to me.  

I discovered that sudo rules for which I specified a host group caused
the error.  Rules with a host category of "all" instead of the host
group did not cause the error.  Is this what 1000389 says?

  ipa sudorule-add        server-admins  --desc "Server Administrators"
  ipa sudorule-mod        server-admins  --cmdcat all
# ipa sudorule-add-host   server-admins  --hostgroups servers
  ipa sudorule-mod        server-admins  --hostcat all
  ipa sudorule-add-option server-admins  --sudooption '!authenticate'
  ipa sudorule-add-runasuser  server-admins  --users root
  ipa sudorule-add-runasgroup server-admins  --groups root
  ipa sudorule-add-user   server-admins  --groups server-admins

This problem exists with the latest updates on both Fedora 18 and Fedora
19.

I also discovered that libsss_sudo.so is missing from  Fedora 18
installations.

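Jakub's diagnosis quoted above is that the crashing rules lack a sudoHost attribute. As an added example that is not code from the thread or from SSSD/FreeIPA, the block below scans an LDIF export of the compat tree (ou=sudoers,$DC) for sudoRole entries without sudoHost, so a bad rule can be found on the server rather than by restarting clients; the LDIF is constructed, and the cn=defaults exclusion is an assumption about the sudo LDAP schema.

```python
"""Find sudo rules in an LDIF export that lack a sudoHost attribute.

Added example, not code from the thread or from SSSD/FreeIPA. The LDIF
below is constructed to mimic an export of ou=sudoers,dc=example,dc=com.
"""
import base64
from typing import Dict, List

SAMPLE_LDIF = """\
# constructed export of ou=sudoers,dc=example,dc=com
dn: cn=server-admins,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: server-admins
sudoUser: %server-admins
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: root
sudoRunAsGroup: root
sudoOption: !authenticate

dn: cn=broken-rule,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: broken-rule
sudoUser: %server-admins
sudoCommand: ALL
sudoRunAsUser: root

dn: cn=defaults,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: defaults
sudoOption: env_keep+=LANG
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfolds continuation lines, decodes 'attr:: base64'
    values and returns one dict per entry keyed by lower-cased attribute name."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]            # continuation of the previous line
        else:
            unfolded.append(line)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded:
        if not line.strip():                     # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def rules_missing_sudohost(ldif_text: str) -> List[str]:
    """DNs of sudoRole entries (other than cn=defaults) that carry no sudoHost."""
    missing = []
    for entry in parse_ldif(ldif_text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "sudorole" not in classes:
            continue
        cn = entry.get("cn", [""])[0]
        if cn.lower() == "defaults":             # assumption: the defaults entry never has sudoHost
            continue
        if not entry.get("sudohost"):
            missing.append(entry["dn"][0])
    return missing


if __name__ == "__main__":
    for dn in rules_missing_sudohost(SAMPLE_LDIF):
        print("rule without sudoHost:", dn)
```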

Re: [Freeipa-users] freeipa and sudo

2013-09-08 Thread Jakub Hrozek
On Sun, Sep 08, 2013 at 03:42:16PM -0500, Dean Hunter wrote:
> On Sat, 2013-09-07 at 19:35 -0400, Dmitri Pal wrote:
> 
> > On 09/07/2013 02:11 PM, Christian Horn wrote:
> > > On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote:
> > >> Are [1] and[2] still the current and best sources of information for
> > >> configuring sudo for use with the current release of FreeIPA on Fedora
> > >> 19?
> > >>
> > >> 1.
> > >> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html
> > >> 2.
> > >> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
> > > There is also the Identity_Management_Guide as part of the RHEL
> > > product documentation:
> > > https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html
> > This and the pdf above are the latest word in this area.
> > 
> > > Christian
> > >
> > 
> > 
> 
> Some sudo rules are causing:
> 
>   [dean@desktop2 ~]$ sudo id
>   sudo: internal error, tried to erealloc3(0)

This is a known bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1000389

I think the sudo rules are just missing the sudoHost attribute.

> 
> , but others do not.  In the trial and error process of determining
> which rule specifications are causing the error, I have been restarting
> the virtual machine I am using as the sudo client between tests.  Is
> there a better way to clear the SSSD cache between trials to make sure I
> am testing the most recent rule change?

Unfortunately right now the only way is to rm the sssd cache which would
also remove any cached credentials. I thought there was an RFE open to
track the enhancement to make sss_cache invalidate and refresh sudo
rules, but I can't find it now in the SSSD trac, so I filed another one:
https://fedorahosted.org/sssd/ticket/2081

Worst case, we mark it as a duplicate.



Re: [Freeipa-users] freeipa and sudo

2013-09-08 Thread Dean Hunter
On Sat, 2013-09-07 at 19:35 -0400, Dmitri Pal wrote:

> On 09/07/2013 02:11 PM, Christian Horn wrote:
> > On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote:
> >> Are [1] and[2] still the current and best sources of information for
> >> configuring sudo for use with the current release of FreeIPA on Fedora
> >> 19?
> >>
> >> 1.
> >> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html
> >> 2.
> >> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
> > There is also the Identity_Management_Guide as part of the RHEL
> > product documentation:
> > https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html
> This and the pdf above are the latest word in this area.
> 
> > Christian
> >
> 
> 

Some sudo rules are causing:

  [dean@desktop2 ~]$ sudo id
  sudo: internal error, tried to erealloc3(0)

, but others do not.  In the trial and error process of determining
which rule specifications are causing the error, I have been restarting
the virtual machine I am using as the sudo client between tests.  Is
there a better way to clear the SSSD cache between trials to make sure I
am testing the most recent rule change?


Re: [Freeipa-users] freeipa and sudo

2013-09-07 Thread Dmitri Pal
On 09/07/2013 02:11 PM, Christian Horn wrote:
> On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote:
>> Are [1] and[2] still the current and best sources of information for
>> configuring sudo for use with the current release of FreeIPA on Fedora
>> 19?
>>
>> 1.
>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html
>> 2.
>> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
> There is also the Identity_Management_Guide as part of the RHEL
> product documentation:
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html
This and the pdf above are the latest word in this area.

> Christian
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.







Re: [Freeipa-users] freeipa and sudo

2013-09-07 Thread Christian Horn
On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote:
> Are [1] and[2] still the current and best sources of information for
> configuring sudo for use with the current release of FreeIPA on Fedora
> 19?
> 
> 1.
> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html
> 2.
> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf

There is also the Identity_Management_Guide as part of the RHEL
product documentation:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html

Christian
