On 10/17/2012 12:33 PM, Macklin, Jason wrote:
> ldapsearch -Y GSSAPI -H ldap://dbduvdu145.dbr.roche.com 
> "ou=SUDOers,dc=dbr,dc=roche,dc=com"

You are missing -b

ldapsearch -Y GSSAPI -H ldap://dbduvdu145.dbr.roche.com -b "ou=SUDOers,dc=dbr,dc=roche,dc=com"

Currently the command treats it as a filter and thus returns no results.

I am asking you to run this command to see what LDAP data the server
presents to the client.
Running this would not cure the problem but rather might give more hints
of what the actual problem is.
> SASL/GSSAPI authentication started
> SASL username: ad...@dbr.roche.com
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <> (default) with scope subtree
> # filter: ou=SUDOers,dc=dbr,dc=roche,dc=com
> # requesting: ALL
> #
>
> # search result
> search: 4
> result: 32 No such object
>
> # numResponses: 1
>
> Different response, but still no success with the non-working account.
>
> Cheers,
> Jason
>
> -----Original Message-----
> From: Dmitri Pal [mailto:d...@redhat.com] 
> Sent: Wednesday, October 17, 2012 11:56 AM
> To: Macklin, Jason {DASB~Branford}
> Cc: jr.aqu...@citrix.com; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Sudo works for full access, but not on a per 
> command or host level.
>
> On 10/17/2012 09:26 AM, Macklin, Jason wrote:
>> Okay,
>>
>>   Rule name: test4
>>   Enabled: TRUE
>>   Command category: all
>>   Users: asteinfeld
>>   Hosts: dbduwdu062.dbr.roche.com
>>   Host Groups: tempsudo
>>
>> Client dbduwdu062 is matched in the rule by both the hosts and groups entry.
>>
>> /etc/nsswitch.conf has:
>>
>>      Netgroups: files sss
>>
>> Getent netgroup tempsudo returns:
>>
>>      [jmacklin@dbduwdu062 Desktop]$ getent netgroup tempsudo
>>      tempsudo              (dbduwdu063.dbr.roche.com, -, dbr.roche.com) 
>> (dbduwdu062.dbr.roche.com, -, dbr.roche.com)
>>
>> To the previous ldapsearch request:
>>
>>      [jmacklin@dbduwdu062 Desktop]$ ldapsearch -Y GSSAPI -H 
>> ldap://dbduvdu145.dbr.roche.com "ou=SUDOers,dc=dbr,dc=roche,dc=com"
>>      SASL/GSSAPI authentication started
>>      ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
>>      additional info: Entry permanently locked.
> It seems that you tried the wrong password and the account is now temporarily 
> locked thus the server is unwilling to perform authentication for this 
> account.
>
>> I am still scratching my head on this one...
>>
>> Cheers,
>> Jason
>>
>> If you look closely, the reason that your admin works is because it appears 
>> to be matching a sudo rule that has the "ALL" hosts value set.
>>
>> When you run the non-working user, it is attempting to match the 
>> hostname/hostgroup to the rule and fails to do so.
>>
>> Try this. Type: getent netgroup hostgroupname <- your host's hostgroup goes 
>> there.
>>
>> ^ that command should return all of the hosts in your hostgroup. If it does 
>> not, then check /etc/nsswitch.conf and make sure that netgroup is set to use 
>> sss.
>>
>> You will also need to make sure that the output of: domainname or 
>> nisdomainname matches your expected domain.
>>
>> Let me know how things look after trying that.
>>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
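The two checks this thread turns on (a DN passed without -b lands in the filter position and is searched against the empty default base, and sudo host matching only works if the client host shows up in the netgroup that getent prints for the expected NIS domain) can be automated. The script below is an added example, not code from the list or from FreeIPA; the sample ldapsearch and getent outputs are constructed from what the thread shows, and the host and domain names are the ones quoted above.

```python
"""Diagnose the two failure modes discussed in the thread (added example).

1. ldapsearch run without -b: the LDIF header reads 'base <> (default)' and
   the 'filter:' line carries a DN, so the server answers 32 No such object.
2. sudo host matching through a netgroup: the client host must appear as a
   (host, user, domain) triple in 'getent netgroup <group>' and the domain
   field must match 'domainname' / 'nisdomainname' on the client.
"""
import re

# A filter that parses as "attr=value,attr=value,..." is almost certainly a DN.
DN_RE = re.compile(r"^(\w+=[^,]+)(,\w+=[^,]+)*$")
TRIPLE_RE = re.compile(r"\(([^,()]*),\s*([^,()]*),\s*([^)]*)\)")


def ldapsearch_argv(uri, base, search_filter="(objectClass=*)"):
    """Build the corrected command line: the DN goes after -b, not in filter position."""
    return ["ldapsearch", "-Y", "GSSAPI", "-H", uri, "-b", base, search_filter]


def parse_ldif_header(text):
    """Pull base, filter and result code out of ldapsearch's comment header."""
    info = {"base": None, "filter": None, "result": None}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"# base <(.*)>.* with scope (\w+)", line)
        if m:
            info["base"] = m.group(1)
        m = re.match(r"# filter: (.*)", line)
        if m:
            info["filter"] = m.group(1)
        m = re.match(r"result: (\d+) (.*)", line)
        if m:
            info["result"] = int(m.group(1))
    return info


def diagnose_ldapsearch(text):
    """Explain a failed ldapsearch run from its LDIF output."""
    info = parse_ldif_header(text)
    if info["base"] == "" and info["filter"] and DN_RE.match(info["filter"]):
        return "missing -b: filter '%s' is a DN; pass it with -b" % info["filter"]
    if info["result"] == 32:
        return "no such object: the base DN does not exist on this server"
    if info["result"] == 0:
        return "ok"
    return "result code %s" % info["result"]


def netgroup_triples(getent_output):
    """Parse 'getent netgroup' output into (host, user, domain) triples."""
    return [(h.strip(), u.strip(), d.strip()) for h, u, d in TRIPLE_RE.findall(getent_output)]


def host_in_netgroup(getent_output, host, nisdomain):
    """True if the host matches a triple whose domain field is empty or equals nisdomain."""
    for h, _user, d in netgroup_triples(getent_output):
        if h == "-":          # '-' in a field matches nothing
            continue
        host_ok = h == "" or h.lower() == host.lower()
        domain_ok = d == "" or d.lower() == nisdomain.lower()
        if host_ok and domain_ok:
            return True
    return False


# Constructed sample: the output Jason posted after running without -b.
SAMPLE_MISSING_B = """\
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: ou=SUDOers,dc=dbr,dc=roche,dc=com
# requesting: ALL
#

# search result
search: 4
result: 32 No such object

# numResponses: 1
"""

# Constructed sample: the header a run with -b would print on success.
SAMPLE_WITH_B = """\
# base <ou=SUDOers,dc=dbr,dc=roche,dc=com> with scope subtree
# filter: (objectclass=*)
result: 0 Success
"""

# Constructed sample: the getent netgroup line quoted in the thread.
SAMPLE_NETGROUP = (
    "tempsudo              (dbduwdu063.dbr.roche.com, -, dbr.roche.com) "
    "(dbduwdu062.dbr.roche.com, -, dbr.roche.com)\n"
)

if __name__ == "__main__":
    print(diagnose_ldapsearch(SAMPLE_MISSING_B))
    print(diagnose_ldapsearch(SAMPLE_WITH_B))
    print(" ".join(ldapsearch_argv("ldap://dbduvdu145.dbr.roche.com",
                                   "ou=SUDOers,dc=dbr,dc=roche,dc=com")))
    print(host_in_netgroup(SAMPLE_NETGROUP, "dbduwdu062.dbr.roche.com", "dbr.roche.com"))
    print(host_in_netgroup(SAMPLE_NETGROUP, "dbduwdu062.dbr.roche.com", "(none)"))
```

The last two calls show why the thread asks for the output of domainname: the same host is a member when the client's NIS domain is dbr.roche.com and is not a member when it is unset, which is exactly the case where sudo's host match silently fails.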



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users