ldapsearch -Y GSSAPI -H ldap://dbduvdu145.dbr.roche.com 
SASL/GSSAPI authentication started
SASL username: ad...@dbr.roche.com
SASL data security layer installed.
# extended LDIF
# LDAPv3
# base <> (default) with scope subtree
# filter: ou=SUDOers,dc=dbr,dc=roche,dc=com
# requesting: ALL

# search result
search: 4
result: 32 No such object

# numResponses: 1

Different response, but still no success with the non-working account.


-----Original Message-----
From: Dmitri Pal [mailto:d...@redhat.com] 
Sent: Wednesday, October 17, 2012 11:56 AM
To: Macklin, Jason {DASB~Branford}
Cc: jr.aqu...@citrix.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Sudo works for full access, but not on a per 
command or host level.

On 10/17/2012 09:26 AM, Macklin, Jason wrote:
> Okay,
>   Rule name: test4
>   Enabled: TRUE
>   Command category: all
>   Users: asteinfeld
>   Hosts: dbduwdu062.dbr.roche.com
>   Host Groups: tempsudo
> Client dbduwdu062 is matched in the rule by both the hosts and groups entry.
> /etc/nsswitch.conf has:
>       Netgroups: files sss
> Getent netgroup tempsudo returns:
>       [jmacklin@dbduwdu062 Desktop]$ getent netgroup tempsudo
>       tempsudo              (dbduwdu063.dbr.roche.com, -, dbr.roche.com) 
> (dbduwdu062.dbr.roche.com, -, dbr.roche.com)
> To the previous ldapsearch request:
>       [jmacklin@dbduwdu062 Desktop]$ ldapsearch -Y GSSAPI -H 
> ldap://dbduvdu145.dbr.roche.com "ou=SUDOers,dc=dbr,dc=roche,dc=com"
>       SASL/GSSAPI authentication started
>       ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
>       additional info: Entry permanently locked.

It seems that you tried the wrong password and the account is now temporarily 
locked thus the server is unwilling to perform authentication for this account.

> I am still scratching my head on this one...
> Cheers,
> Jason
> If you look closely, the reason that your admin works is because it appears 
> to be matching a sudo rule who has the "ALL" hosts value set.
> When you run the non working user, it is attempting to match the 
> hostname/hostgroup to the rule and fails to do so.
> Try this. Type: getent netgroup hostgroupname <- your host's hostgroup goes 
> there.
> ^ that command should return all of the hosts in your hostgroup. If it does 
> not, then check /etc/nsswitch.conf and make sure that netgroup is set to use 
> sss.
> You will also need to make sure that the output of: domainname or 
> nisdomainname matches your expected domain.
> Let me know how things look after trying that.

Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio Red Hat Inc.

Looking to carve out IT costs?

Freeipa-users mailing list

Reply via email to