Steven,

Thanks for the pointers. I remember finding a post on this, but having
problem finding it now

> I assume rhel6.3 by the el6 in the rpm....
>
> 1) Make sure the host and IPA server are fully patched/updated.

I am current already

> 2) Edit nsswitch.conf to have "sudoers: files ldap" as the last line, may or
> may not be there.

Done

> 3) add lines to /etc/sudo-ldap.conf, takes a recent upgrade/patch of 6.3 for
> that file to "appear". I'm not at work so I don't have a pastable set

Yes, the file was there already. Wonder if you can paste it now. Mine was like this

uri ldap://ipa1-yyz-int.example.loc
sudoers_base ou=SUDOers,dc=example,dc=loc
ssl start_tls
tls_checkpeer (yes)
tls_cacertfile /etc/ipa/ca.crt

> 4) Add "nisdomainname example.com" to /etc/rc.d/rc.local.

Done

> 5) Add or enable the sudo "connection" user in IPA with a password.

? Lost me here, mind explaining a bit please if you have a chance?

> 6) reboot the host
>
> If it doesn't work set the debug level in sudo-ldap.conf to 2 and re-try to
> see the output..restart sssd.

sh-4.1$ sudo less /var/log/secure
LDAP Config Summary
===================
uri              ldap://ipa1-yyz-int.example.loc
ldap_version     3
sudoers_base     ou=SUDOers,dc=example,dc=loc
binddn           (anonymous)
bindpw           (anonymous)
ssl              start_tls
tls_checkpeer    (no)
tls_cacertfile   /etc/ipa/ca.crt
===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_initialize(ld, ldap://ipa1-yyz-int.example.loc)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=example,dc=loc
sudo: ldap search '(|(sudoUser=williamm)(sudoUser=%williamm)(sudoUser=%operations)(sudoUser=ALL))'
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=0
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x60
[sudo] password for williamm:
williamm is not in the sudoers file. This incident will be reported.

Thank you again for your help

Regards,
William

> regards
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on
> behalf of William Muriithi [william.murii...@gmail.com]
> Sent: Thursday, 8 November 2012 10:28 a.m.
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] Managing Sudo through FreeIPA
>
> Hello
>
> I have been trying to setup user access through sudo file managed by
> FreeIPA and it doesn't seem to be working. I am not sure how to go
> about fixing it, but I guess the best place to start is ask what I
> should expect the IPA installation script should set up and what
> should be done manually
>
> [root@demo2 wmuriithi]# rpm -qa | grep sssd
> sssd-client-1.8.0-32.el6.x86_64
> sssd-1.8.0-32.el6.x86_64
> [root@demo2 wmuriithi]#
>
> [root@demo2 wmuriithi]# rpm -qa | grep sudo
> sudo-1.7.4p5-13.el6_3.x86_64
>
> The only errors related to sudo that I can find are in the apache error logs
>
> [Wed Nov 07 13:16:18 2012] [error] ipa: INFO: ad...@example.loc: sudorule_add_user(u'read_only_viewiers', all=False, raw=False, version=u'2.34', group=(u'operations',)): SUCCESS
> [Wed Nov 07 13:54:44 2012] [error] ipa: ERROR: release_ipa_ccache: ccache_name (FILE:/var/run/ipa_memcached/krbcc_3988) != KRB5CCNAME environment variable (FILE:/tmp/krb5cc_apache_NB7pph)
> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc: sudorule_find(None, sizelimit=0, pkey_only=True): SUCCESS
> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc: batch: sudorule_show(u'Full_Access', all=True): SUCCESS
> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc: batch: sudorule_show(u'read_only_viewiers', all=True): SUCCESS
> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc: batch: sudorule_show(u'developers', all=True): SUCCESS
> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc: batch: sudorule_show(u'operation', all=True): SUCCESS
> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc: batch(({u'params': [[u'Full_Access'], {u'all': True}], u'method': u'sudorule_show'}, {u'params': [[u'read_only_viewiers'], {u'all': True}], u'method': u'sudorule_show'}, {u'params': [[u'developers'], {u'all': True}], u'method': u'sudorule_show'}, {u'params': [[u'operation'], {u'all': True}], u'method': u'sudorule_show'})): SUCCESS
> [Wed Nov 07 13:54:50 2012] [error] ipa: INFO: ad...@example.loc: sudorule_show(u'read_only_viewiers', rights=True, all=True): SUCCESS
>
> I created the user as below and associated it with a group, which I
> then allowed to use less for reading file. As you can see below, it
> seems not to work.
>
> Nov 7 16:05:42 demo2 sudo: pam_sss(sudo:auth): authentication success; logname=williamm uid=0 euid=0 tty=/dev/pts/2 ruser=williamm rhost= user=williamm
> Nov 7 16:05:43 demo2 sudo: williamm : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/wmuriithi ; USER=root ; COMMAND=/usr/bin/less /var/log/secure
>
> - My question is, does the client install script take care of sudo
> configuration or is that done manually? I don't see any sudo related
> flag on the client installation script.
>
> - I have tried configuring sssd for sudo use and it didn't go well.
> Last time I messed around with LDAP managed sudo, I had to install an
> LDAP capable sudo package. The ipa-client install did not install
> this package. Does IPA sudo management work differently?
>
> - Where would I check for logs? I checked sssd logs and they are empty.
>
> - I am missing the basedn configuration on sssd configuration. From
> this bug, it should have been set up by the installer; oddly though it was
> not set up and the bug is closed. I attempted to fix it by adding the
> line below but it makes sudo completely unusable. It could not find
> any valid users apparently
>
> https://fedorahosted.org/freeipa/ticket/932
>
> ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=loc
>
> Nov 7 16:05:42 demo2 sudo: pam_sss(sudo:auth): authentication success; logname=williamm uid=0 euid=0 tty=/dev/pts/2 ruser=williamm rhost= user=williamm
> Nov 7 16:05:43 demo2 sudo: williamm : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/wmuriithi ; USER=root ; COMMAND=/usr/bin/less /var/log/secure
>
> Any pointers on why we are going?
>
> Thank you a lot in advance.
>
> William
>
> ----------------------------
> [root@ipa1-yyz-int wmuriithi]# ipa sudocmd-add --desc='For reading log files' '/usr/bin/less'
> ----------------------------------
> Added Sudo Command "/usr/bin/less"
> ----------------------------------
> Sudo Command: /usr/bin/less
> Description: For reading log files
> [root@ipa1-yyz-int wmuriithi]# ipa sudocmdgroup-add --desc='Read Only Commands' readonly
> -----------------------------------
> Added Sudo Command Group "readonly"
> -----------------------------------
> Sudo Command Group: readonly
> Description: Read Only Commands
> [root@ipa1-yyz-int wmuriithi]# ipa sudocmdgroup-add-member --sudocmds='/usr/bin/less' readonly
> Sudo Command Group: readonly
> Description: Read Only Commands
> Member Sudo commands: /usr/bin/less
> -------------------------
> Number of members added 1
> -------------------------
> [root@ipa1-yyz-int wmuriithi]# ipa sudorule-add testing_viewiers
> -----------------------------------
> Added Sudo Rule "testing_viewiers"
> -----------------------------------
> Rule name: testing_viewiers
> Enabled: TRUE
> [root@ipa1-yyz-int wmuriithi]# ipa sudorule-add-allow-command --sudocmdgroups=readonly testing_viewiers
> Rule name: testing_viewiers
> Enabled: TRUE
> Sudo Allow Command Groups: readonly
> -------------------------
> Number of members added 1
> -------------------------
> [root@ipa1-yyz-int wmuriithi]# ipa hostgroup-add demo
> Description: Demonstration systems
> >>>> Description: Leading and trailing spaces are not allowed
> Description: Demonstration system
> ----------------------
> Added hostgroup "demo"
> ----------------------
> Host-group: demo
> Description: Demonstration system
> [root@ipa1-yyz-int wmuriithi]# ipa hostgroup-add-member --hosts=demo2.yyz.int.testing.com demo
> Host-group: demo
> Description: Demonstration system
> Member hosts: demo2.yyz.int.testing.com
> -------------------------
> Number of members added 1
> -------------------------
> [root@ipa1-yyz-int wmuriithi]# ipa sudorule-add-host --hostgroups=demo testing_viewiers
> Rule name: testing_viewiers
> Enabled: TRUE
> Host Groups: demo
> Sudo Allow Command Groups: readonly
> -------------------------
> Number of members added 1
> -------------------------
> [root@ipa1-yyz-int wmuriithi]# ipa sudorule-add-user --groups=operations testing_viewiers
> Rule name: testing_viewiers
> Enabled: TRUE
> User Groups: operations
> Host Groups: demo
> Sudo Allow Command Groups: readonly
> -------------------------
> Number of members added 1
> -------------------------
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> End of Freeipa-users Digest, Vol 52, Issue 18
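As an added diagnostic example (not code from this thread or from the FreeIPA project), here is a Python parser for the sudo LDAP debug output quoted above. It pulls the key/value config summary and the user_matches/host_matches counters out of the log text and flags the three things that output shows: an anonymous bind, tls_checkpeer turned off, and no matching rule. The embedded sample is a trimmed, constructed copy of the output in the message.

```python
import re

# Constructed sample, trimmed from the sudo LDAP debug output quoted in the thread.
SAMPLE_DEBUG = """\
LDAP Config Summary
===================
uri              ldap://ipa1-yyz-int.example.loc
ldap_version     3
sudoers_base     ou=SUDOers,dc=example,dc=loc
binddn           (anonymous)
bindpw           (anonymous)
ssl              start_tls
tls_checkpeer    (no)
tls_cacertfile   /etc/ipa/ca.crt
===================
sudo: ldap_start_tls_s() ok
sudo: user_matches=0
sudo: host_matches=0
"""

MATCH_RE = re.compile(r"sudo: (user_matches|host_matches)=(\d+)")

def parse_debug(text):
    """Return (summary, counters): the key/value block between the two === rules,
    and the user_matches/host_matches counters sudo prints after its search."""
    summary, counters, in_summary = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("==="):
            in_summary = not in_summary  # the summary sits between two rules
        elif in_summary and line:
            key, _, value = line.partition(" ")
            summary[key] = value.strip()
        else:
            m = MATCH_RE.match(line)
            if m:
                counters[m.group(1)] = int(m.group(2))
    return summary, counters

def findings(text):
    """Flag what the output says about the lookup: the bind identity, whether the
    TLS peer was verified, and whether any rule matched the user or host."""
    summary, counters = parse_debug(text)
    out = []
    if summary.get("binddn") == "(anonymous)":
        out.append("anonymous bind: sudo searched sudoers_base without credentials (step 5 in the thread is about a dedicated connection user)")
    if summary.get("ssl") == "start_tls" and summary.get("tls_checkpeer") == "(no)":
        out.append("tls_checkpeer is off: the server certificate is not checked against tls_cacertfile")
    if counters.get("user_matches") == 0 and counters.get("host_matches") == 0:
        out.append("user_matches=0 and host_matches=0: no rule under %s matched this user or host" % summary.get("sudoers_base", "?"))
    return out
```

Run `findings(open("/var/log/secure").read())` after setting the debug level as suggested in the thread; an empty list means none of the three conditions appeared in the output.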