To close the loop:

I did the following to clear the credential problem. I suspect that I
hadn't properly run kinit before doing these steps the first time:

-sh-4.2$ kinit
Password for br...@wedgeofli.me:
-sh-4.2$ sudo su -
sudo: ldap_sasl_bind_s(): Invalid credentials
[sudo] password for bretw:
bretw is not in the sudoers file.  This incident will be reported.
-sh-4.2$ ldapsearch -x ou=SUDOers,dc=wedgeofli,dc=me
# extended LDIF
#
# LDAPv3
# base <dc=wedgeofli,dc=me> (default) with scope subtree
# filter: ou=SUDOers,dc=wedgeofli,dc=me
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
-sh-4.2$ ldapsearch ou=SUDOers,dc=wedgeofli,dc=me
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
-sh-4.2$ ldapsearch -x ou=SUDOers,dc=wedgeofli,dc=me
# extended LDIF
#
# LDAPv3
# base <dc=wedgeofli,dc=me> (default) with scope subtree
# filter: ou=SUDOers,dc=wedgeofli,dc=me
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
-sh-4.2$ ldapsearch -D uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me -w
password ou=SUDOers,dc=wedgeofli,dc=me
ldap_bind: Invalid credentials (49)

-sh-4.2$ ldappasswd -Y GSSAPI -S -h
fs1.wedgeofli.meuid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
New password:
Re-enter new password:
SASL/GSSAPI authentication started
SASL username: br...@wedgeofli.me
SASL SSF: 56
SASL data security layer installed.
-sh-4.2$ ldapsearch -D uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me -w
password ou=SUDOers,dc=wedgeofli,dc=me
# extended LDIF
#
# LDAPv3
# base <dc=wedgeofli,dc=me> (default) with scope subtree
# filter: ou=SUDOers,dc=wedgeofli,dc=me
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
-sh-4.2$ sudo su -
[sudo] password for bretw:
[root@fs1 ~]#

On Thu, Nov 1, 2012 at 7:58 AM, Bret Wortman
<bret.wort...@damascusgrp.com>wrote:

> That's got me closer now, as I'm at least getting an error message on
> stdout:
>
> [root@fs1 etc]# more nslcd.conf
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
> bindpw password
>
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
>
> bind_timelimit 5
> timelimit 15
>
> uri ldap://fs1.wedgeofli.me
> sudoers_base ou=SUDOers,dc=wedgeofli,dc=me
> [root@fs1 etc]# sudo su -
> sudo: ldap_sasl_bind_s(): Invalid credentials
> [root@fs1 ~]#
>
> So I'm off to figure out where my credentials are wrong. Thanks again,
> Rob, Stephen & Pavel.
>
>
> Bret
>
> On Wed, Oct 31, 2012 at 2:39 PM, Rob Crittenden <rcrit...@redhat.com>wrote:
>
>> Bret Wortman wrote:
>>
>>> [root@fs1 etc]# more /etc/ldap.conf
>>> sudoers_debug: 1
>>> [root@fs1 etc]# ls -l /etc/ldap.conf
>>> -rw-r--r--. 1 root root 17 Oct 19 14:54 /etc/ldap.conf
>>>
>>> Where should I see the extra output? I've had this set since last Friday
>>> and I'm not seeing any difference.
>>>
>>
>> Move the contents of /etc/nslcd.conf to this file and add ldap to sudoers
>> in /etc/nsswitch.conf.
>>
>> rob
>>
>>
>>> On Wed, Oct 31, 2012 at 2:20 PM, Rob Crittenden <rcrit...@redhat.com
>>> <mailto:rcrit...@redhat.com>> wrote:
>>>
>>>     Bret Wortman wrote:
>>>
>>>         F17.
>>>
>>>
>>>     I think you want /etc/ldap.conf then. The easiest way to be sure the
>>>     right file is being used is to add sudoers_debug 1 to the file. This
>>>     will present a lot of extra output so you'll know the file is being
>>>     read.
>>>
>>>     rob
>>>
>>>
>>>         On Wed, Oct 31, 2012 at 2:04 PM, Rob Crittenden
>>>         <rcrit...@redhat.com <mailto:rcrit...@redhat.com>
>>>         <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>>>
>>> wrote:
>>>
>>>              Bret Wortman wrote:
>>>
>>>                  I had enabled debugging of sudo but am not clear on
>>>         where that
>>>                  debugging
>>>                  is going. It's not stdout, and I'm not seeing anything
>>> in
>>>                  /var/log/messages.
>>>
>>>                  I'll try switching to SSS and see what that gets me.
>>>
>>>
>>>              What distro is this? If it is RHEL 6.3 then put the
>>>         configuration
>>>              into /etc/sudo-ldap.conf instead of /etc/nslcd. The docs are
>>>              incorrect (we are working on getting them fixed).
>>>
>>>              rob
>>>
>>>
>>>
>>>                  On Wed, Oct 31, 2012 at 1:33 PM, Stephen Gallagher
>>>                  <sgall...@redhat.com <mailto:sgall...@redhat.com>
>>>         <mailto:sgall...@redhat.com <mailto:sgall...@redhat.com>>
>>>                  <mailto:sgall...@redhat.com
>>>         <mailto:sgall...@redhat.com> <mailto:sgall...@redhat.com
>>>         <mailto:sgall...@redhat.com>>>**> wrote:
>>>
>>>                       On Wed 31 Oct 2012 11:53:15 AM EDT, Bret Wortman
>>>         wrote:
>>>
>>>                           I'm pretty certain there's a painfully simple
>>>         solution
>>>                  to this that
>>>                           I'm not seeing, but my current configuration
>>> isn't
>>>                  picking up the
>>>                           freeipa sudoer rule that I've set.
>>>
>>>                           /etc/nsswitch.conf specifies:
>>>                             sudoers:    files ldap
>>>
>>>                           /etc/nslcd.conf contains:
>>>
>>>                           binddn
>>>                  uid=sudo,cn=sysaccounts,cn=___**
>>> ___etc,dc=wedgeofli,dc=me
>>>
>>>
>>>
>>>                           bindpw password
>>>
>>>                           ssl start_tls
>>>                           tls_cacertfile /etc/ipa/ca.crt
>>>                           tls_checkpeer yes
>>>
>>>                           bind_timelimit 5
>>>                           timelimit 15
>>>
>>>                           uri ldap://fs1.wedgeofli.me
>>>         <http://fs1.wedgeofli.me> <http://fs1.wedgeofli.me>
>>>                  <http://fs1.wedgeofli.me>
>>>                           <http://fs1.wedgeofli.me>
>>>
>>>                           sudoers_base ou=SUDOers,dc=wedgeofli,dc=me
>>>
>>>
>>>                           The sssd_DOMAIN.log file contains this when I
>>>         try to sudo:
>>>
>>>
>>>                       <snip>
>>>
>>>                       The SSSD logs aren't showing anything wrong
>>>         because they have
>>>                       nothing to do with the execution of the SUDO rules
>>>         in this
>>>                       situation. All the SSSD is doing is verifying the
>>>                  authentication
>>>                       (when sudo prompts you for your password).
>>>
>>>                       The problem with the rule is most likely happening
>>>         inside SUDO
>>>                       itself. When you specify 'sudoers: files, ldap' in
>>>                  nsswitch.conf,
>>>                       it's telling SUDO to use its own internal LDAP
>>>         driver to
>>>                  look up the
>>>                       rules. So you need to check sudo logs to see
>>>         what's happening
>>>                       (probably you will need to enable debug logging in
>>>                  /etc/sudo.conf).
>>>
>>>                       Recent versions of SUDO (1.8.6 and later) have
>>>         support for
>>>                  setting
>>>                       'sudoers: files, sss' in nsswitch.conf which DOES
>>>         use SSSD
>>>                  (1.9.0
>>>                       and later) for lookups (and caching) of sudo rules.
>>>
>>>
>>>
>>>
>>>                  --
>>>                  Bret Wortman
>>>                  The Damascus Group
>>>                  Fairfax, VA
>>>         http://bretwortman.com/
>>>         http://twitter.com/BretWortman
>>>
>>>
>>>
>>>
>>>                  --
>>>                  Bret Wortman
>>>                  The Damascus Group
>>>                  Fairfax, VA
>>>         http://bretwortman.com/
>>>         http://twitter.com/BretWortman
>>>
>>>
>>>
>>>                  ______________________________**_____________________
>>>
>>>                  Freeipa-users mailing list
>>>         Freeipa-users@redhat.com 
>>> <mailto:Freeipa-users@redhat.**com<Freeipa-users@redhat.com>
>>> >
>>>         <mailto:Freeipa-users@redhat._**_com
>>>         <mailto:Freeipa-users@redhat.**com <Freeipa-users@redhat.com>>>
>>>         
>>> https://www.redhat.com/____**mailman/listinfo/freeipa-users<https://www.redhat.com/____mailman/listinfo/freeipa-users>
>>>         
>>> <https://www.redhat.com/__**mailman/listinfo/freeipa-users<https://www.redhat.com/__mailman/listinfo/freeipa-users>
>>> **>
>>>
>>>
>>>         
>>> <https://www.redhat.com/__**mailman/listinfo/freeipa-users<https://www.redhat.com/__mailman/listinfo/freeipa-users>
>>>         
>>> <https://www.redhat.com/**mailman/listinfo/freeipa-users<https://www.redhat.com/mailman/listinfo/freeipa-users>
>>> **>__>
>>>
>>>
>>>
>>>
>>>
>>>
>>>         --
>>>         Bret Wortman
>>>         The Damascus Group
>>>         Fairfax, VA
>>>         http://bretwortman.com/
>>>         http://twitter.com/BretWortman
>>>
>>>
>>>
>>>         ______________________________**___________________
>>>         Freeipa-users mailing list
>>>         Freeipa-users@redhat.com 
>>> <mailto:Freeipa-users@redhat.**com<Freeipa-users@redhat.com>
>>> >
>>>         
>>> https://www.redhat.com/__**mailman/listinfo/freeipa-users<https://www.redhat.com/__mailman/listinfo/freeipa-users>
>>>         
>>> <https://www.redhat.com/**mailman/listinfo/freeipa-users<https://www.redhat.com/mailman/listinfo/freeipa-users>
>>> **>
>>>
>>>
>>>
>>>
>>>
>>> --
>>> Bret Wortman
>>> The Damascus Group
>>> Fairfax, VA
>>> http://bretwortman.com/
>>> http://twitter.com/BretWortman
>>>
>>>
>>>
>>> ______________________________**_________________
>>> Freeipa-users mailing list
>>> Freeipa-users@redhat.com
>>> https://www.redhat.com/**mailman/listinfo/freeipa-users<https://www.redhat.com/mailman/listinfo/freeipa-users>
>>>
>>>
>>
>
>
> --
> Bret Wortman
> The Damascus Group
> Fairfax, VA
> http://bretwortman.com/
> http://twitter.com/BretWortman
>
>


-- 
Bret Wortman
The Damascus Group
Fairfax, VA
http://bretwortman.com/
http://twitter.com/BretWortman
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to