On 09/20/2013 11:09 AM, Rowland Penny wrote:
On 20/09/13 08:36, Pavel Březina wrote:
On 09/19/2013 06:18 PM, Rowland Penny wrote:
Ok, I am back again, trying to get sssd to control sudo, but failing.

I added the sudo active directory schema ldif to samba4 AD

then added this:

dn: OU=SUDOers,DC=example,DC=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

dn: CN=linuxusers,OU=SUDOers,DC=example,DC=com
objectClass: top
objectClass: sudoRole
cn: linuxusers
sudoUser: %linuxusers
sudoHost: ALL
sudoCommand: ALL

On a Linux Mint client:

sudo apt-get install sudo-ldap

Edited /etc/sudo-ldap.conf

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
BASE DC=example,DC=com
URI ldap://server.example.com
ssl=no
LDAP_VERSION 3
SUDOERS_BASE ou=SUDOers,DC=example,DC=com
SUDOERS_SEARCH_FILTER (&(objectClass=sudoRole))
BINDDN CN=Administrator,CN=Users,DC=example,DC=com
BINDPW xxxxxxxxxx

then edited /etc/nsswitch.conf and added

sudoers:       files ldap

restarted sudo

then as a normal user, tried to run a command with sudo, this worked.

I then altered /etc/sssd/sssd.conf and added

services = nss, pam, autofs, sudo

[sudo]

ldap_sudo_search_base = OU=SUDOers,DC=example,DC=com

altered /etc/nsswitch.conf

sudoers:       files sss

restarted sssd
restarted sudo

tried to run the command with sudo again, this time it failed

having been bitten by the way autofs works, I went straight to the way
that sudo & sssd do the ldapsearch:

SUDO
(&(&(objectClass=sudoRole))(|(sudoUser=rowland)(sudoUser=%Domain Users)(sudoUser=%#20513)(sudoUser=%vboxusers)(sudoUser=%linuxusers)(sudoUser=%#127)(sudoUser=%#21110)(sudoUser=ALL)))

SSSD
(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=ThinkPad)(sudoHost=ThinkPad.home.lan)(sudoHost=192.168.0.204)(sudoHost=192.168.0.0/24)(sudoHost=fe80::86a6:c8ff:fe3b:da7b)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))
sudo searches with objectClass=sudoRole & sudoUser attribute
sssd searches with objectClass=sudoRole & sudoHost attribute

Now I understand that the sssd search for the sudoHost attribute is to
ensure that only sudo rules for the host are downloaded, but it doesn't
actually seem to download any rules.

Is there any way I can get the sssd search to include the sudoUser
attribute in the same way that the sudo ldap search does?

Hi,
no, it is not desirable. SSSD periodically downloads all rules that
are applicable to the machine, and then filters them by user when a sudo
request is performed. In other words: filtering by sudoUser is there,
only in another place (the sssd_sudo process).

Then it would seem to be the latter part that is failing

with 'sudoers:        files ldap' in /etc/nsswitch.conf

sudo -l
Matching 'Defaults' entries for rowland on this host:
     env_reset, mail_badpass,
secure_path=/usr/local/samba/bin\:/usr/local/samba/sbin\:/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User rowland may run the following commands on this host:
     (root) NOPASSWD: /usr/lib/linuxmint/mintUpdate/checkAPT.py
     (root) ALL

with 'sudoers:        files sss' in /etc/nsswitch.conf

sudo -l
Matching 'Defaults' entries for rowland on this host:
     env_reset, mail_badpass,
secure_path=/usr/local/samba/bin\:/usr/local/samba/sbin\:/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User rowland may run the following commands on this host:
     (root) NOPASSWD: /usr/lib/linuxmint/mintUpdate/checkAPT.py

SSSD will not provide any rules for local users or local groups. So even if root (local user) is part of the linuxusers group (I assume an LDAP group), then the output is correct.

The rules are provided only for SSSD-managed users and groups.

If you have troubles with LDAP users, I will need those logs.
Can you send us (sanitized or privately if you want) your complete
sssd.conf, sssd_yourdomain.log and sssd_sudo.log please?
No problem, what log level would you like?

0x3ff
Or can anybody tell me where I am going wrong (again).

Rowland
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
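The two-stage model Pavel describes (download every rule that can apply to this host, then match sudoUser locally when sudo asks) is easy to misread from the two LDAP filters quoted in the thread, so here is a small added example that models it. This is illustrative code written for this page, not SSSD's own implementation; the sudoRole entries, the host identity and the user records are constructed, and it deliberately consults only the groups SSSD itself resolved for a user, which is why a rule that names a purely local group never matches through sssd_sudo.

```python
import fnmatch
import ipaddress

# Constructed sudoRole entries, in the shape an LDAP search under ou=SUDOers
# returns (attribute name -> list of values). These are sample data, not the
# thread's real directory contents.
SAMPLE_RULES = [
    {"cn": "linuxusers", "sudoUser": ["%linuxusers"], "sudoHost": ["ALL"],
     "sudoCommand": ["ALL"]},
    {"cn": "domain-gid", "sudoUser": ["%#20513"], "sudoHost": ["ThinkPad"],
     "sudoCommand": ["/usr/bin/apt-get"]},
    {"cn": "rowland-laptop", "sudoUser": ["rowland"],
     "sudoHost": ["ThinkPad.home.lan"], "sudoCommand": ["/usr/bin/systemctl"]},
    {"cn": "netadmins", "sudoUser": ["%netadmins"], "sudoHost": ["192.168.0.0/24"],
     "sudoCommand": ["ALL"]},
    {"cn": "webadmins", "sudoUser": ["%webadmins"], "sudoHost": ["web*"],
     "sudoCommand": ["/usr/sbin/service"]},
    {"cn": "other-site", "sudoUser": ["ALL"], "sudoHost": ["10.0.0.0/8"],
     "sudoCommand": ["ALL"]},
]

# Constructed client identity, using the same values that appear in the
# SSSD filter quoted in the thread.
THIS_HOST = {"hostname": "ThinkPad", "fqdn": "ThinkPad.home.lan",
             "addrs": ["192.168.0.204", "fe80::86a6:c8ff:fe3b:da7b"]}


def host_matches(value, host):
    """True when one sudoHost value applies to this host. The branches mirror
    the alternatives in the SSSD download filter: ALL, short name, FQDN,
    address, network prefix, netgroup, or a wildcard matched locally."""
    if value == "ALL":
        return True
    if value in (host["hostname"], host["fqdn"]) or value in host["addrs"]:
        return True
    if "/" in value:                       # CIDR network, e.g. 192.168.0.0/24
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return False
        return any(ipaddress.ip_address(a) in net for a in host["addrs"])
    if value.startswith("+"):              # netgroup: downloaded by SSSD, but
        return False                       # no NIS lookup is attempted here
    if any(c in value for c in "*?[\\"):   # shell-style pattern
        return any(fnmatch.fnmatchcase(n, value)
                   for n in (host["hostname"], host["fqdn"]))
    return False


def user_matches(value, user):
    """True when one sudoUser value names this user. user["groups"] and
    user["gids"] hold only what SSSD resolved; local /etc/group membership
    is intentionally not available here."""
    if value == "ALL":
        return True
    if value.startswith("%#"):             # group by numeric gid
        return value[2:].isdigit() and int(value[2:]) in user["gids"]
    if value.startswith("%"):              # group by name
        return value[1:] in user["groups"]
    if value.startswith("#"):              # user by numeric uid
        return value[1:].isdigit() and int(value[1:]) == user["uid"]
    if value.startswith("+"):              # netgroup; not resolved here
        return False
    return value == user["name"]


def download_rules(all_rules, host):
    """Stage 1 (SSSD backend): keep only rules that can apply to this host.
    An entry with no sudoHost at all is kept, like the (!(sudoHost=*)) branch."""
    kept = []
    for rule in all_rules:
        hosts = rule.get("sudoHost", [])
        if not hosts or any(host_matches(h, host) for h in hosts):
            kept.append(rule)
    return kept


def rules_for_user(cached_rules, user):
    """Stage 2 (sssd_sudo responder): filter the host-scoped cache by sudoUser
    at the moment sudo issues its request."""
    return [r for r in cached_rules
            if any(user_matches(u, user) for u in r.get("sudoUser", []))]


if __name__ == "__main__":
    cache = download_rules(SAMPLE_RULES, THIS_HOST)
    print("cached for this host:", [r["cn"] for r in cache])
    rowland = {"name": "rowland", "uid": 10001,
               "groups": ["Domain Users", "linuxusers"], "gids": [20513, 21110]}
    print("rules for rowland:", [r["cn"] for r in rules_for_user(cache, rowland)])
```

The interesting case is a user who would match a rule through sudoUser=ALL but whose host is outside that rule's sudoHost: stage 1 never caches the rule, so stage 2 cannot return it, which is the behaviour the sudoHost-only filter in SSSD's search is designed to give.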
