If you go to the CLI on the FreeIPA server and type: ipa sudorule <enter>

It will give you some useful info.  I believe you asked about the sudo user 
(which your log shows as currently unset, and configured as anonymous)

Here is a snipit:

-=-=-=-=-=-
...
FreeIPA provides a designated binddn to use with Sudo located at:
uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com

To enable the binddn run the following command to set the password:
LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h 
ipa.example.com<http://ipa.example.com> -ZZ -D "cn=Directory Manager" 
uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com

For more information, see the FreeIPA Documentation to Sudo.
-=-=-=-=-=-

The resulting user needs to be configured in your sudo-ldap.conf with:
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw <password>



"Keeping your head in the cloud"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino | Sr. Information Security Specialist

GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 
93117<x-apple-data-detectors://0/0>
T:  +1 805.690.3478<tel:+1%C2%A0805.690.3478>
C: +1 805.717.0365<tel:+1%20805.717.0365>
jr.aqu...@citrix.com<mailto:jr.aqu...@citrixonline.com>
http://www.citrixonline.com<http://www.citrixonline.com/>

On Nov 8, 2012, at 9:11 AM, William Muriithi 
<william.murii...@gmail.com<mailto:william.murii...@gmail.com>> wrote:

Steven,

Thanks for the pointers. I remember finding a post on this, but having
problem finding it now

I assume rhel6.3 by the el6 in the rpm....

1) Make sure the host and IPA server are fully patched/updated.
I am current already

2) Edit nsswitch.conf to have "sudoers: files ldap" as the last line, may or 
may not be there.

Done

3) add lines to /etc/sudo-ldap.conf, takes a recent upgrade/patch of 6.3 for 
that file to "appear"  Im not at work so I odnt have a pastable set
Yes, the file was there already.  Wonder if you can paste it now.
Mine was like this

uri ldap://ipa1-yyz-int.example.loc

sudoers_base ou=SUDOers,dc=example,dc=loc

ssl              start_tls
tls_checkpeer    (yes)
tls_cacertfile   /etc/ipa/ca.crt


4) Add "nisdomainname example.com<http://example.com>" to /etc/rc.d/rc.local.
Done
5) Add or enable the sudo "connection" user in IPA with a password.
?  Lost me here, mind explaining a bit please if you have a chance?
6) reboot the host

If it doesnt work set the debug level in sudo-ldap.conf to 2 and re-try to see 
the output..restart sssd.

sh-4.1$ sudo less /var/log/secure
LDAP Config Summary
===================
uri              ldap://ipa1-yyz-int.example.loc
ldap_version     3
sudoers_base     ou=SUDOers,dc=example,dc=loc
binddn           (anonymous)
bindpw           (anonymous)
ssl              start_tls
tls_checkpeer    (no)
tls_cacertfile   /etc/ipa/ca.crt
===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_initialize(ld, ldap://ipa1-yyz-int.example.loc)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=example,dc=loc
sudo: ldap search
'(|(sudoUser=williamm)(sudoUser=%williamm)(sudoUser=%operations)(sudoUser=ALL))'
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=0
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x60
[sudo] password for williamm:
williamm is not in the sudoers file.  This incident will be reported.


Thank you again for your help

Regards,

William
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272



________________________________________
From: freeipa-users-boun...@redhat.com<mailto:freeipa-users-boun...@redhat.com> 
[freeipa-users-boun...@redhat.com<mailto:freeipa-users-boun...@redhat.com>] on 
behalf of William Muriithi 
[william.murii...@gmail.com<mailto:william.murii...@gmail.com>]
Sent: Thursday, 8 November 2012 10:28 a.m.
To: freeipa-users@redhat.com<mailto:freeipa-users@redhat.com>
Subject: [Freeipa-users] Managing Sudo through FreeIPA

Hello

I have been trying to setup user access through sudo file managed by
FreeIPA and it don't seem to be working.  I am not sure how to go
about fixing it, but I guess the best place to start is ask what I
should expect the IPA installation script should set up and what
should be done manually

[root@demo2 wmuriithi]# rpm -qa | grep sssd
sssd-client-1.8.0-32.el6.x86_64
sssd-1.8.0-32.el6.x86_64
[root@demo2 wmuriithi]#



[root@demo2 wmuriithi]# rpm -qa | grep sudo
sudo-1.7.4p5-13.el6_3.x86_64

The only errors related to sudo that I can find is on apache error logs

[Wed Nov 07 13:16:18 2012] [error] ipa: INFO: 
ad...@example.loc<mailto:ad...@example.loc>:
sudorule_add_user(u'read_only_viewiers', all=False, raw=False,
version=u'2.34', group=(u'operations',)): SUCCESS
[Wed Nov 07 13:54:44 2012] [error] ipa: ERROR: release_ipa_ccache:
ccache_name (FILE:/var/run/ipa_memcached/krbcc_3988) != KRB5CCNAME
environment variable (FILE:/tmp/krb5cc_apache_NB7pph)
[Wed Nov 07 13:54:44 2012] [error] ipa: INFO: 
ad...@example.loc<mailto:ad...@example.loc>:
sudorule_find(None, sizelimit=0, pkey_only=True): SUCCESS
[Wed Nov 07 13:54:44 2012] [error] ipa: INFO: 
ad...@example.loc<mailto:ad...@example.loc>:
batch: sudorule_show(u'Full_Access', all=True): SUCCESS
[Wed Nov 07 13:54:44 2012] [error] ipa: INFO: 
ad...@example.loc<mailto:ad...@example.loc>:
batch: sudorule_show(u'read_only_viewiers', all=True): SUCCESS
[Wed Nov 07 13:54:44 2012] [error] ipa: INFO: 
ad...@example.loc<mailto:ad...@example.loc>:
batch: sudorule_show(u'developers', all=True): SUCCESS
[Wed Nov 07 13:54:44 2012] [error] ipa: INFO: 
ad...@example.loc<mailto:ad...@example.loc>:
batch: sudorule_show(u'operation', all=True): SUCCESS
[Wed Nov 07 13:54:44 2012] [error] ipa: INFO: 
ad...@example.loc<mailto:ad...@example.loc>:
batch(({u'params': [[u'Full_Access'], {u'all': True}], u'method':
u'sudorule_show'}, {u'params': [[u'read_only_viewiers'], {u'all':
True}], u'method': u'sudorule_show'}, {u'params': [[u'developers'],
{u'all': True}], u'method': u'sudorule_show'}, {u'params':
[[u'operation'], {u'all': True}], u'method': u'sudorule_show'})):
SUCCESS
[Wed Nov 07 13:54:50 2012] [error] ipa: INFO: 
ad...@example.loc<mailto:ad...@example.loc>:
sudorule_show(u'read_only_viewiers', rights=True, all=True): SUCCESS


I created the user as below and associated it with a group, which I
then allowed to use less for reading file.  As you can see below, it
seem to does not work.

Nov  7 16:05:42 demo2 sudo: pam_sss(sudo:auth): authentication
success; logname=williamm uid=0 euid=0 tty=/dev/pts/2 ruser=williamm
rhost= user=williamm
Nov  7 16:05:43 demo2 sudo: williamm : user NOT in sudoers ; TTY=pts/2
; PWD=/home/wmuriithi ; USER=root ; COMMAND=/usr/bin/less
/var/log/secure


- My question is, does the client install script take care of sudo
configuration or is that done manually?  I don't see any sudo related
flag on the client installation script.

- I have tried configuring sssd for sudo use and it didn't go well.
Last time I messed around with LDAP managed sudo, I have to install a
LDAP capable sudo package.  The ipa-client install did not install
this package. Does IPA sudo management work differently?

- Where would I check for logs?  I checked sssd logs and they are empty.

- I am missing the basedn configuration on  sssd configuration.  From
this bug, it should have been setup by installer, oddly though it was
not setup and the bug is closed. I attempted to fix it by adding the
line below but it make sudo completely unusable.  It could not find
any valid users apparently

https://fedorahosted.org/freeipa/ticket/932

ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=loc

Nov  7 16:05:42 demo2 sudo: pam_sss(sudo:auth): authentication
success; logname=williamm uid=0 euid=0 tty=/dev/pts/2 ruser=williamm
rhost= user=williamm
Nov  7 16:05:43 demo2 sudo: williamm : user NOT in sudoers ; TTY=pts/2
; PWD=/home/wmuriithi ; USER=root ; COMMAND=/usr/bin/less
/var/log/secure


Any pointers on why we are going?

Thank you a lot in advance.

William

----------------------------
[root@ipa1-yyz-int wmuriithi]# ipa sudocmd-add --desc='For reading log
files' '/usr/bin/less'
----------------------------------
Added Sudo Command "/usr/bin/less"
----------------------------------
 Sudo Command: /usr/bin/less
 Description: For reading log files
[root@ipa1-yyz-int wmuriithi]# ipa sudocmdgroup-add --desc='Read Only
Commands' readonly
-----------------------------------
Added Sudo Command Group "readonly"
-----------------------------------
 Sudo Command Group: readonly
 Description: Read Only Commands
[root@ipa1-yyz-int wmuriithi]# ipa sudocmdgroup-add-member
--sudocmds='/usr/bin/less' readonly
 Sudo Command Group: readonly
 Description: Read Only Commands
 Member Sudo commands: /usr/bin/less
-------------------------
Number of members added 1
-------------------------
[root@ipa1-yyz-int wmuriithi]# ipa sudorule-add testing_viewiers
-----------------------------------
Added Sudo Rule "testing_viewiers"
-----------------------------------
 Rule name: testing_viewiers
 Enabled: TRUE
[root@ipa1-yyz-int wmuriithi]# ipa sudorule-add-allow-command
--sudocmdgroups=readonly  testing_viewiers
 Rule name: testing_viewiers
 Enabled: TRUE
 Sudo Allow Command Groups: readonly
-------------------------
Number of members added 1
-------------------------
[root@ipa1-yyz-int wmuriithi]# ipa hostgroup-add  demo
Description: Demonstration systems
Description: Leading and trailing spaces are not allowed
Description: Demonstration system
----------------------
Added hostgroup "demo"
----------------------
 Host-group: demo
 Description: Demonstration system
[root@ipa1-yyz-int wmuriithi]#  ipa hostgroup-add-member
--hosts=demo2.yyz.int.testing.com demo
 Host-group: demo
 Description: Demonstration system
 Member hosts: demo2.yyz.int.testing.com
-------------------------
Number of members added 1
-------------------------
[root@ipa1-yyz-int wmuriithi]# ipa sudorule-add-host --hostgroups=demo
testing_viewiers
 Rule name: testing_viewiers
 Enabled: TRUE
 Host Groups: demo
 Sudo Allow Command Groups: readonly
-------------------------
Number of members added 1
-------------------------
[root@ipa1-yyz-int wmuriithi]# ipa sudorule-add-user
--groups=operations testing_viewiers
 Rule name: testing_viewiers
 Enabled: TRUE
 User Groups: operations
 Host Groups: demo
 Sudo Allow Command Groups: readonly
-------------------------
Number of members added 1
-------------------------

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



------------------------------

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

End of Freeipa-users Digest, Vol 52, Issue 18
*********************************************

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to