Do:

 ipa hbactest --user=thing-sudo --host=vuwunicocatd001.ods.vuw.ac.nz
--service=sudo

with the hbac rule on and off.


On Tue, Aug 14, 2012 at 4:47 PM, Steven Jones <steven.jo...@vuw.ac.nz> wrote:
> Hi,
>
> No it fails even if I specify the host, but it works if I re-enable the 
> allowall HBAC rule.
>
> So for some reason HBAC is impacting sudo.
>
> =====
> [thing-sudo@vuwunicocatd001 ~]$ hostname
> vuwunicocatd001.ods.vuw.ac.nz
> [thing-sudo@vuwunicocatd001 ~]$ domainname
> ods.vuw.ac.nz
> [thing-sudo@vuwunicocatd001 ~]$
> [root@vuwunicocatd001 jonesst1]# more /etc/hosts
> # not remove the following line, or various programs
> # that require network functionality will fail.
> 127.0.0.1               localhost.localdomain localhost
> 10.70.1.14              vuwunicocatd001.ods.vuw.ac.nz 
> vuwunicocatd001.vuw.ac.nz visualresourcest.vuw.ac.nz vuwunicocatd001
> [root@vuwunicocatd001 jonesst1]# more /etc/sysconfig/network
> NETWORKING=yes
> HOSTNAME=vuwunicocatd001.ods.vuw.ac.nz
> GATEWAY=10.70.1.1
> NTPSERVERARGS=iburst
> [root@vuwunicocatd001 jonesst1]#
> =====
>
> All looks correct....
>
> =======
>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: KodaK [sako...@gmail.com]
> Sent: Wednesday, 15 August 2012 9:41 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Unable to get sudo commend to work...
>
> OK, so it works if you allow all hosts, but fails if you specify a
> host.  This leads me to believe that the host may not "know" who it
> is.
>
> Run the gamut on local hostname configuration:
>
> Check /etc/hosts, is the host listed with the FQDN first?
> Check "hostname" -- it should report the FQDN.
> Check "domainname" -- it should report the domain.
>
> I have a very similar rule, btw:
>
> [jebalicki@slpidml01 ~]$ ipa sudorule-show tds-web-restart
> ipa: INFO: trying https://slpidml01.unix.magellanhealth.com/ipa/xml
> ipa: INFO: Forwarding 'sudorule_show' to server
> u'http://slpidml01.unix.magellanhealth.com/ipa/xml'
>   Rule name: tds-web-restart
>   Enabled: TRUE
>   User Groups: admins, tds-webserver-users, unixadmins
>   Host Groups: tdswebhosts
>   Sudo Allow Commands: /etc/rc.d/init.d/httpd
> [jebalicki@slpidml01 ~]$
>
>
> On Tue, Aug 14, 2012 at 4:13 PM, Steven Jones <steven.jo...@vuw.ac.nz> wrote:
>> Hi,
>>
>> I am trying to get a sudo-group command to work such that a group of users 
>> can reload apache's config....I know the password is fine as I can ssh into 
>> the server....
>>
>> [thing-sudo@vuwunicocatd001 ~]$ sudo /sbin/service httpd reload
>> LDAP Config Summary
>> ===================
>> uri              ldap://vuwunicoipam001.ods.vuw.ac.nz 
>> ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz
>> ldap_version     3
>> sudoers_base     ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
>> binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=ods,dc=vuw,dc=ac,dc=nz
>> bindpw           xxxxxxxxxxxx
>> bind_timelimit   5000000
>> ssl              start_tls
>> tls_checkpeer    (no)
>> tls_cacertfile   /etc/ipa/ca.crt
>> ===================
>> sudo: ldap_set_option: debug -> 0
>> sudo: ldap_set_option: tls_checkpeer -> 0
>> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
>> sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
>> sudo: ldap_initialize(ld, ldap://vuwunicoipam001.ods.vuw.ac.nz 
>> ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz)
>> sudo: ldap_set_option: ldap_version -> 3
>> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5000)
>> sudo: ldap_start_tls_s() ok
>> sudo: ldap_sasl_bind_s() ok
>> sudo: no default options found in ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
>> sudo: ldap search 
>> '(|(sudoUser=thing-sudo)(sudoUser=%thing-sudo)(sudoUser=%ipausers)(sudoUser=%collectriveaccess-student)(sudoUser=%login04-mysql)(sudoUser=%360-ftp)(sudoUser=%become-mysql-users)(sudoUser=ALL))'
>> sudo: 
>> found:cn=sudo-commands-catd-students,ou=sudoers,dc=ods,dc=vuw,dc=ac,dc=nz
>> sudo: ldap sudoHost 'vuwunicocatd001.ods.vuw.ac.nz' ... MATCH!
>> sudo: ldap sudoCommand '/sbin/service httpd reload' ... MATCH!
>> sudo: ldap sudoCommand '/etc/init.d/httpd reload' ... MATCH!
>> sudo: Command allowed
>> sudo: user_matches=1
>> sudo: host_matches=1
>> sudo: sudo_ldap_lookup(0)=0x02
>> [sudo] password for thing-sudo:
>> Sorry, try again.
>> [sudo] password for thing-sudo:
>> Sorry, try again.
>> [sudo] password for thing-sudo:
>> Sorry, try again.
>> sudo: 3 incorrect password attempts
>> [thing-sudo@vuwunicocatd001 ~]$ sudo /sbin/service httpd reload
>> LDAP Config Summary
>> ===================
>> uri              ldap://vuwunicoipam001.ods.vuw.ac.nz 
>> ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz
>> ldap_version     3
>> sudoers_base     ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
>> binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=ods,dc=vuw,dc=ac,dc=nz
>> bindpw           xxxxxxxxxxxxx
>> bind_timelimit   5000000
>> ssl              start_tls
>> tls_checkpeer    (no)
>> tls_cacertfile   /etc/ipa/ca.crt
>> ===================
>> sudo: ldap_set_option: debug -> 0
>> sudo: ldap_set_option: tls_checkpeer -> 0
>> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
>> sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
>> sudo: ldap_initialize(ld, ldap://vuwunicoipam001.ods.vuw.ac.nz 
>> ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz)
>> sudo: ldap_set_option: ldap_version -> 3
>> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5000)
>> sudo: ldap_start_tls_s() ok
>> sudo: ldap_sasl_bind_s() ok
>> sudo: no default options found in ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
>> sudo: ldap search 
>> '(|(sudoUser=thing-sudo)(sudoUser=%thing-sudo)(sudoUser=%ipausers)(sudoUser=%collectriveaccess-student)(sudoUser=%login04-mysql)(sudoUser=%360-ftp)(sudoUser=%become-mysql-users)(sudoUser=ALL))'
>> sudo: 
>> found:cn=sudo-commands-catd-students,ou=sudoers,dc=ods,dc=vuw,dc=ac,dc=nz
>> sudo: ldap sudoHost 'vuwunicocatd001.ods.vuw.ac.nz' ... MATCH!
>> sudo: ldap sudoCommand '/sbin/service httpd reload' ... MATCH!
>> sudo: ldap sudoCommand '/etc/init.d/httpd reload' ... MATCH!
>> sudo: Command allowed
>> sudo: user_matches=1
>> sudo: host_matches=1
>> sudo: sudo_ldap_lookup(0)=0x02
>> [sudo] password for thing-sudo:
>> Sorry, try again.
>> [sudo] password for thing-sudo:
>>
>> Sorry, try again.
>> [sudo] password for thing-sudo:
>>
>> Sorry, try again.
>> sudo: 3 incorrect password attempts
>> [thing-sudo@vuwunicocatd001 ~]$
>> [thing-sudo@vuwunicocatd001 ~]$
>>
>> ============
>>
>> The secure log says system error, unable to read password,
>>
>> ===============
>> Aug 15 08:49:09 vuwunicocatd001 sudo: pam_unix(sudo:auth): authentication 
>> failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo 
>> rhost=  user=thing-sudo
>> Aug 15 08:49:10 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication 
>> success; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo 
>> rhost= user=thing-sudo
>> Aug 15 08:49:10 vuwunicocatd001 sudo: pam_sss(sudo:account): Access denied 
>> for user thing-sudo: 6 (Permission denied)
>> Aug 15 08:49:43 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: 
>> [Cannot read password]
>> Aug 15 08:49:43 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication 
>> failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo 
>> rhost= user=thing-sudo
>> Aug 15 08:49:43 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user 
>> thing-sudo: 4 (System error)
>> Aug 15 08:49:45 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: 
>> [Cannot read password]
>> Aug 15 08:49:45 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication 
>> failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo 
>> rhost= user=thing-sudo
>> Aug 15 08:49:45 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user 
>> thing-sudo: 4 (System error)
>> Aug 15 08:49:47 vuwunicocatd001 sudo: thing-sudo : 3 incorrect password 
>> attempts ; TTY=pts/2 ; PWD=/home/thing-sudo ; USER=root ; 
>> COMMAND=/sbin/service httpd reload
>> Aug 15 08:55:35 vuwunicocatd001 sudo: PAM unable to 
>> dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: 
>> cannot open shared object file: No such file or directory
>> Aug 15 08:55:35 vuwunicocatd001 sudo: PAM adding faulty module: 
>> /lib64/security/pam_fprintd.so
>> Aug 15 08:55:44 vuwunicocatd001 sudo: pam_unix(sudo:auth): authentication 
>> failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo 
>> rhost=  user=thing-sudo
>> Aug 15 08:55:44 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication 
>> success; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo 
>> rhost= user=thing-sudo
>> Aug 15 08:55:44 vuwunicocatd001 sudo: pam_sss(sudo:account): Access denied 
>> for user thing-sudo: 6 (Permission denied)
>> Aug 15 08:55:46 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: 
>> [Cannot read password]
>> Aug 15 08:55:46 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication 
>> failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo 
>> rhost= user=thing-sudo
>> Aug 15 08:55:46 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user 
>> thing-sudo: 4 (System error)
>> Aug 15 08:55:52 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: 
>> [Cannot read password]
>> Aug 15 08:55:52 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication 
>> failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo 
>> rhost= user=thing-sudo
>> Aug 15 08:55:52 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user 
>> thing-sudo: 4 (System error)
>> Aug 15 08:55:54 vuwunicocatd001 sudo: thing-sudo : 3 incorrect password 
>> attempts ; TTY=pts/2 ; PWD=/home/thing-sudo ; USER=root ; 
>> COMMAND=/sbin/service httpd reload
>> Aug 15 08:55:57 vuwunicocatd001 sudo: PAM unable to 
>> dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: 
>> cannot open shared object file: No such file or directory
>> Aug 15 08:55:57 vuwunicocatd001 sudo: PAM adding faulty module: 
>> /lib64/security/pam_fprintd.so
>> Aug 15 08:56:04 vuwunicocatd001 sudo: pam_unix(sudo:auth): authentication 
>> failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo 
>> rhost=  user=thing-sudo
>> Aug 15 08:56:05 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication 
>> success; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo 
>> rhost= user=thing-sudo
>> Aug 15 08:56:05 vuwunicocatd001 sudo: pam_sss(sudo:account): Access denied 
>> for user thing-sudo: 6 (Permission denied)
>> Aug 15 08:56:06 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: 
>> [Cannot read password]
>> Aug 15 08:56:06 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication 
>> failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo 
>> rhost= user=thing-sudo
>> Aug 15 08:56:06 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user 
>> thing-sudo: 4 (System error)
>> Aug 15 08:56:08 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: 
>> [Cannot read password]
>> Aug 15 08:56:08 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication 
>> failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo 
>> rhost= user=thing-sudo
>> Aug 15 08:56:08 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user 
>> thing-sudo: 4 (System error)
>> Aug 15 08:56:09 vuwunicocatd001 sudo: thing-sudo : 3 incorrect password 
>> attempts ; TTY=pts/2 ; PWD=/home/thing-sudo ; USER=root ; 
>> COMMAND=/sbin/service httpd reload
>> [root@vuwunicocatd001 jonesst1]#
>> ================
>>
>> Looks like Bug 814414
>>
>> :(
>>
>> "Rob told me elsewhere that when he re-enabled the allow_all rule it started 
>> behaving properly, which seems highly suspect."
>>
>> So lets do that, and yes,
>>
>> =========
>> [thing-sudo@vuwunicocatd001 ~]$
>> [thing-sudo@vuwunicocatd001 ~]$ sudo /sbin/service httpd reload
>> LDAP Config Summary
>> ===================
>> uri              ldap://vuwunicoipam001.ods.vuw.ac.nz 
>> ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz
>> ldap_version     3
>> sudoers_base     ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
>> binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=ods,dc=vuw,dc=ac,dc=nz
>> bindpw           xxxxxxxxxxx
>> bind_timelimit   5000000
>> ssl              start_tls
>> tls_checkpeer    (no)
>> tls_cacertfile   /etc/ipa/ca.crt
>> ===================
>> sudo: ldap_set_option: debug -> 0
>> sudo: ldap_set_option: tls_checkpeer -> 0
>> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
>> sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
>> sudo: ldap_initialize(ld, ldap://vuwunicoipam001.ods.vuw.ac.nz 
>> ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz)
>> sudo: ldap_set_option: ldap_version -> 3
>> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5000)
>> sudo: ldap_start_tls_s() ok
>> sudo: ldap_sasl_bind_s() ok
>> sudo: no default options found in ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
>> sudo: ldap search 
>> '(|(sudoUser=thing-sudo)(sudoUser=%thing-sudo)(sudoUser=%ipausers)(sudoUser=%collectriveaccess-student)(sudoUser=%login04-mysql)(sudoUser=%360-ftp)(sudoUser=%become-mysql-users)(sudoUser=ALL))'
>> sudo: 
>> found:cn=sudo-commands-catd-students,ou=sudoers,dc=ods,dc=vuw,dc=ac,dc=nz
>> sudo: ldap sudoHost 'vuwunicocatd001.ods.vuw.ac.nz' ... MATCH!
>> sudo: ldap sudoCommand '/sbin/service httpd reload' ... MATCH!
>> sudo: ldap sudoCommand '/etc/init.d/httpd reload' ... MATCH!
>> sudo: Command allowed
>> sudo: user_matches=1
>> sudo: host_matches=1
>> sudo: sudo_ldap_lookup(0)=0x02
>> [sudo] password for thing-sudo:
>> Reloading httpd:
>> [thing-sudo@vuwunicocatd001 ~]$
>> ===================
>>
>> and as we can see that indeed "fixes it".
>>
>> D:
>>
>> If you let me know exactly which logs you want to see I will send them to 
>> you.
>>
>> I have "sudoers_debug   3"  at present, anything else needs to be set higher 
>> to help?
>>
>> What I can see is I made an oops is specifying the wrong host group but that 
>> contains the host anyway....but also Ive then bypassed hostgroups and set a 
>> specific host....this still fails as above.
>>
>> I am also getting other intermitant failures when I do a sudo su - but its 
>> not consistant.
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
> --
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6
>
>



-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to