On 11/07/2012 04:28 PM, William Muriithi wrote:
> Hello
>
> I have been trying to set up user access through a sudo file managed by
> FreeIPA and it doesn't seem to be working.  I am not sure how to go
> about fixing it, but I guess the best place to start is to ask what I
> should expect the IPA installation script to set up and what
> should be done manually.
>
> [root@demo2 wmuriithi]# rpm -qa | grep sssd
> sssd-client-1.8.0-32.el6.x86_64
> sssd-1.8.0-32.el6.x86_64
> [root@demo2 wmuriithi]#
>
>
>
> [root@demo2 wmuriithi]# rpm -qa | grep sudo
> sudo-1.7.4p5-13.el6_3.x86_64
>
> The only errors related to sudo that I can find is on apache error logs
>
> [Wed Nov 07 13:16:18 2012] [error] ipa: INFO: ad...@example.loc:
> sudorule_add_user(u'read_only_viewiers', all=False, raw=False,
> version=u'2.34', group=(u'operations',)): SUCCESS
> [Wed Nov 07 13:54:44 2012] [error] ipa: ERROR: release_ipa_ccache:
> ccache_name (FILE:/var/run/ipa_memcached/krbcc_3988) != KRB5CCNAME
> environment variable (FILE:/tmp/krb5cc_apache_NB7pph)
> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc:
> sudorule_find(None, sizelimit=0, pkey_only=True): SUCCESS
> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc:
> batch: sudorule_show(u'Full_Access', all=True): SUCCESS
> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc:
> batch: sudorule_show(u'read_only_viewiers', all=True): SUCCESS
> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc:
> batch: sudorule_show(u'developers', all=True): SUCCESS
> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc:
> batch: sudorule_show(u'operation', all=True): SUCCESS
> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc:
> batch(({u'params': [[u'Full_Access'], {u'all': True}], u'method':
> u'sudorule_show'}, {u'params': [[u'read_only_viewiers'], {u'all':
> True}], u'method': u'sudorule_show'}, {u'params': [[u'developers'],
> {u'all': True}], u'method': u'sudorule_show'}, {u'params':
> [[u'operation'], {u'all': True}], u'method': u'sudorule_show'})):
> SUCCESS
> [Wed Nov 07 13:54:50 2012] [error] ipa: INFO: ad...@example.loc:
> sudorule_show(u'read_only_viewiers', rights=True, all=True): SUCCESS
>
>
> I created the user as below and associated it with a group, which I
> then allowed to use less for reading files.  As you can see below, it
> does not seem to work.
>
> Nov  7 16:05:42 demo2 sudo: pam_sss(sudo:auth): authentication
> success; logname=williamm uid=0 euid=0 tty=/dev/pts/2 ruser=williamm
> rhost= user=williamm
> Nov  7 16:05:43 demo2 sudo: williamm : user NOT in sudoers ; TTY=pts/2
> ; PWD=/home/wmuriithi ; USER=root ; COMMAND=/usr/bin/less
> /var/log/secure
>
>
> - My question is, does the client install script take care of sudo
> configuration or is that done manually?  I don't see any sudo related
> flag on the client installation script.
>
> - I have tried configuring sssd for sudo use and it didn't go well.
> Last time I messed around with LDAP-managed sudo, I had to install an
> LDAP-capable sudo package.  The ipa-client install did not install
> this package. Does IPA sudo management work differently?
>
> - Where would I check for logs?  I checked sssd logs and they are empty.
>
> - I am missing the basedn configuration in the sssd configuration.  From
> this bug, it should have been set up by the installer; oddly though it was
> not set up and the bug is closed. I attempted to fix it by adding the
> line below, but it makes sudo completely unusable.  It could not find
> any valid users, apparently.
>
> https://fedorahosted.org/freeipa/ticket/932
>
> ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=loc
>
> Nov  7 16:05:42 demo2 sudo: pam_sss(sudo:auth): authentication
> success; logname=williamm uid=0 euid=0 tty=/dev/pts/2 ruser=williamm
> rhost= user=williamm
> Nov  7 16:05:43 demo2 sudo: williamm : user NOT in sudoers ; TTY=pts/2
> ; PWD=/home/wmuriithi ; USER=root ; COMMAND=/usr/bin/less
> /var/log/secure
>
>
> Any pointers on why we are going?
>
> Thank you a lot in advance.
>
> William
>
> ----------------------------
> [root@ipa1-yyz-int wmuriithi]# ipa sudocmd-add --desc='For reading log
> files' '/usr/bin/less'
> ----------------------------------
> Added Sudo Command "/usr/bin/less"
> ----------------------------------
>   Sudo Command: /usr/bin/less
>   Description: For reading log files
> [root@ipa1-yyz-int wmuriithi]# ipa sudocmdgroup-add --desc='Read Only
> Commands' readonly
> -----------------------------------
> Added Sudo Command Group "readonly"
> -----------------------------------
>   Sudo Command Group: readonly
>   Description: Read Only Commands
> [root@ipa1-yyz-int wmuriithi]# ipa sudocmdgroup-add-member
> --sudocmds='/usr/bin/less' readonly
>   Sudo Command Group: readonly
>   Description: Read Only Commands
>   Member Sudo commands: /usr/bin/less
> -------------------------
> Number of members added 1
> -------------------------
> [root@ipa1-yyz-int wmuriithi]# ipa sudorule-add testing_viewiers
> -----------------------------------
> Added Sudo Rule "testing_viewiers"
> -----------------------------------
>   Rule name: testing_viewiers
>   Enabled: TRUE
> [root@ipa1-yyz-int wmuriithi]# ipa sudorule-add-allow-command
> --sudocmdgroups=readonly  testing_viewiers
>   Rule name: testing_viewiers
>   Enabled: TRUE
>   Sudo Allow Command Groups: readonly
> -------------------------
> Number of members added 1
> -------------------------
> [root@ipa1-yyz-int wmuriithi]# ipa hostgroup-add  demo
> Description: Demonstration systems
>>>> Description: Leading and trailing spaces are not allowed
> Description: Demonstration system
> ----------------------
> Added hostgroup "demo"
> ----------------------
>   Host-group: demo
>   Description: Demonstration system
> [root@ipa1-yyz-int wmuriithi]#  ipa hostgroup-add-member
> --hosts=demo2.yyz.int.testing.com demo
>   Host-group: demo
>   Description: Demonstration system
>   Member hosts: demo2.yyz.int.testing.com
> -------------------------
> Number of members added 1
> -------------------------
> [root@ipa1-yyz-int wmuriithi]# ipa sudorule-add-host --hostgroups=demo
>  testing_viewiers
>   Rule name: testing_viewiers
>   Enabled: TRUE
>   Host Groups: demo
>   Sudo Allow Command Groups: readonly
> -------------------------
> Number of members added 1
> -------------------------
> [root@ipa1-yyz-int wmuriithi]# ipa sudorule-add-user
> --groups=operations testing_viewiers
>   Rule name: testing_viewiers
>   Enabled: TRUE
>   User Groups: operations
>   Host Groups: demo
>   Sudo Allow Command Groups: readonly
> -------------------------
> Number of members added 1
> -------------------------
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

The SUDO integration is evolving so it is important to know what OS and
version you are on.
I would assume you are on RHEL6.3 or equivalent.
There are two main ways to integrate SUDO with IPA. One with SSSD
integration and another without. The one with the SSSD integration was a
tech preview in 6.3 and did not work well so we will set it aside for
now (but we fixed it and it is coming in 6.4 as a supported feature).

So the only reasonable option ATM is to setup sudo without SSSD integration.

So this solution implies that SUDO will use LDAP to get data from the
LDAP server and LDAP server happens to be IPA in this case.
You need to configure SUDO with LDAP as one would do following the
instructions provided by SUDO package.
Please search the archives of the last month. There have been a couple of
threads that you can find helpful in your quest.

Keep in mind that the location and name of the file used by sudo to
configure the LDAP connection has changed. The exact names of the files and
recommendations you will find in the mentioned threads.

Once you configured SUDO and if you still have problems please let us
know and we will help to troubleshoot the issue.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
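As an added illustration of the "sudo via LDAP, no SSSD" setup the reply recommends, the script below is example code written for this page, not something from the thread or from the FreeIPA or sudo projects. It checks the three things that have to line up on the client: nsswitch.conf must route `sudoers` lookups to `ldap`, sudo's LDAP configuration file must carry at least a `URI` and a `SUDOERS_BASE`, and the IPA server must actually serve sudo rules under that base. The file paths (`/etc/sudo-ldap.conf` as the renamed sudo LDAP file on RHEL 6, `/etc/nsswitch.conf`) and the compat sudoers base `ou=SUDOers,dc=example,dc=loc` are assumptions; override them through the environment variables at the top.

```shell
#!/bin/sh
# Example (not from the thread): sanity-check a sudo-via-LDAP client against
# an IPA server. Paths are assumptions for a RHEL 6 style client.
NSSWITCH="${NSSWITCH:-/etc/nsswitch.conf}"
SUDO_LDAP_CONF="${SUDO_LDAP_CONF:-/etc/sudo-ldap.conf}"

# Return 0 when the sudoers line of nsswitch.conf (file given as $1) lists
# the ldap source, e.g. "sudoers: files ldap"; "files" alone is not enough.
nsswitch_has_ldap_sudoers() {
    grep -E '^[[:space:]]*sudoers:' "$1" 2>/dev/null | grep -qw ldap
}

# Print the value of keyword $2 (URI, SUDOERS_BASE, BINDDN, ...) from the
# sudo LDAP configuration file $1. Keywords are matched case-insensitively,
# the way sudo itself reads them; comments and unknown lines are ignored.
sudo_ldap_get() {
    awk -v key="$2" 'toupper($1) == key { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Return 0 when every keyword sudo needs to reach the server is present in
# $1; the missing keywords are reported on stderr.
sudo_ldap_conf_complete() {
    missing=""
    for key in URI SUDOERS_BASE; do
        [ -n "$(sudo_ldap_get "$1" "$key")" ] || missing="$missing $key"
    done
    if [ -n "$missing" ]; then
        echo "missing in $1:$missing" >&2
        return 1
    fi
    return 0
}

# Ask the server directly (needs openldap-clients) which sudoRole entries it
# exposes under SUDOERS_BASE. An empty result with no error usually means the
# rules exist but the compat tree is not readable without a bind, so a
# BINDDN/BINDPW pair would be needed in the sudo LDAP file as well.
list_ipa_sudo_rules() {
    uri=$(sudo_ldap_get "$SUDO_LDAP_CONF" URI)
    base=$(sudo_ldap_get "$SUDO_LDAP_CONF" SUDOERS_BASE)
    ldapsearch -x -LLL -H "$uri" -b "$base" '(objectClass=sudoRole)' \
        cn sudoUser sudoHost sudoCommand
}

# Run the local checks, then query the server, only when invoked as "check".
if [ "${1:-}" = "check" ]; then
    nsswitch_has_ldap_sudoers "$NSSWITCH" ||
        echo "$NSSWITCH: sudoers line does not use ldap" >&2
    sudo_ldap_conf_complete "$SUDO_LDAP_CONF" && list_ipa_sudo_rules
fi
```

Run it as `sh check-sudo-ldap.sh check` on the client. If `list_ipa_sudo_rules` prints the rule (`cn: testing_viewiers` with its sudoUser, sudoHost and sudoCommand values) but `sudo -l` still reports nothing, the problem is on the sudo side (wrong file name for the sudo version, or nsswitch); if ldapsearch returns nothing, the problem is on the server side (rule disabled, host not in the host group, or the tree not readable by the bind in use).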

