On 11/08/2012 01:13 AM, Dmitri Pal wrote:
On 11/07/2012 04:28 PM, William Muriithi wrote:
Hello

I have been trying to set up user access through a sudo file managed by
FreeIPA and it doesn't seem to be working.  I am not sure how to go
about fixing it, but I guess the best place to start is to ask what I
should expect the IPA installation script to set up and what
should be done manually.

[root@demo2 wmuriithi]# rpm -qa | grep sssd
sssd-client-1.8.0-32.el6.x86_64
sssd-1.8.0-32.el6.x86_64
[root@demo2 wmuriithi]#
[root@demo2 wmuriithi]# rpm -qa | grep sudo
sudo-1.7.4p5-13.el6_3.x86_64

The only errors related to sudo that I can find is on apache error logs

[Wed Nov 07 13:16:18 2012] [error] ipa: INFO: ad...@example.loc:
sudorule_add_user(u'read_only_viewiers', all=False, raw=False,
version=u'2.34', group=(u'operations',)): SUCCESS
[Wed Nov 07 13:54:44 2012] [error] ipa: ERROR: release_ipa_ccache:
ccache_name (FILE:/var/run/ipa_memcached/krbcc_3988) != KRB5CCNAME
environment variable (FILE:/tmp/krb5cc_apache_NB7pph)
[Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc:
sudorule_find(None, sizelimit=0, pkey_only=True): SUCCESS
[Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc:
batch: sudorule_show(u'Full_Access', all=True): SUCCESS
[Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc:
batch: sudorule_show(u'read_only_viewiers', all=True): SUCCESS
[Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc:
batch: sudorule_show(u'developers', all=True): SUCCESS
[Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc:
batch: sudorule_show(u'operation', all=True): SUCCESS
[Wed Nov 07 13:54:44 2012] [error] ipa: INFO: ad...@example.loc:
batch(({u'params': [[u'Full_Access'], {u'all': True}], u'method':
u'sudorule_show'}, {u'params': [[u'read_only_viewiers'], {u'all':
True}], u'method': u'sudorule_show'}, {u'params': [[u'developers'],
{u'all': True}], u'method': u'sudorule_show'}, {u'params':
[[u'operation'], {u'all': True}], u'method': u'sudorule_show'})):
SUCCESS
[Wed Nov 07 13:54:50 2012] [error] ipa: INFO: ad...@example.loc:
sudorule_show(u'read_only_viewiers', rights=True, all=True): SUCCESS


I created the user as below and associated it with a group, which I
then allowed to use less for reading files.  As you can see below, it
does not seem to work.

Nov  7 16:05:42 demo2 sudo: pam_sss(sudo:auth): authentication
success; logname=williamm uid=0 euid=0 tty=/dev/pts/2 ruser=williamm
rhost= user=williamm
Nov  7 16:05:43 demo2 sudo: williamm : user NOT in sudoers ; TTY=pts/2
; PWD=/home/wmuriithi ; USER=root ; COMMAND=/usr/bin/less
/var/log/secure


- My question is, does the client install script take care of sudo
configuration or is that done manually?  I don't see any sudo related
flag on the client installation script.

- I have tried configuring sssd for sudo use and it didn't go well.
Last time I messed around with LDAP-managed sudo, I had to install an
LDAP-capable sudo package.  The ipa-client install did not install
this package. Does IPA sudo management work differently?

- Where would I check for logs?  I checked sssd logs and they are empty.

- I am missing the basedn configuration in the sssd configuration.  From
this bug, it should have been set up by the installer; oddly though it was
not set up and the bug is closed. I attempted to fix it by adding the
line below but it made sudo completely unusable.  It could not find
any valid users apparently.

https://fedorahosted.org/freeipa/ticket/932

ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=loc

Nov  7 16:05:42 demo2 sudo: pam_sss(sudo:auth): authentication
success; logname=williamm uid=0 euid=0 tty=/dev/pts/2 ruser=williamm
rhost= user=williamm
Nov  7 16:05:43 demo2 sudo: williamm : user NOT in sudoers ; TTY=pts/2
; PWD=/home/wmuriithi ; USER=root ; COMMAND=/usr/bin/less
/var/log/secure


Any pointers on why we are going?

Thank you a lot in advance.

William

----------------------------
[root@ipa1-yyz-int wmuriithi]# ipa sudocmd-add --desc='For reading log
files' '/usr/bin/less'
----------------------------------
Added Sudo Command "/usr/bin/less"
----------------------------------
   Sudo Command: /usr/bin/less
   Description: For reading log files
[root@ipa1-yyz-int wmuriithi]# ipa sudocmdgroup-add --desc='Read Only
Commands' readonly
-----------------------------------
Added Sudo Command Group "readonly"
-----------------------------------
   Sudo Command Group: readonly
   Description: Read Only Commands
[root@ipa1-yyz-int wmuriithi]# ipa sudocmdgroup-add-member
--sudocmds='/usr/bin/less' readonly
   Sudo Command Group: readonly
   Description: Read Only Commands
   Member Sudo commands: /usr/bin/less
-------------------------
Number of members added 1
-------------------------
[root@ipa1-yyz-int wmuriithi]# ipa sudorule-add testing_viewiers
-----------------------------------
Added Sudo Rule "testing_viewiers"
-----------------------------------
   Rule name: testing_viewiers
   Enabled: TRUE
[root@ipa1-yyz-int wmuriithi]# ipa sudorule-add-allow-command
--sudocmdgroups=readonly  testing_viewiers
   Rule name: testing_viewiers
   Enabled: TRUE
   Sudo Allow Command Groups: readonly
-------------------------
Number of members added 1
-------------------------
[root@ipa1-yyz-int wmuriithi]# ipa hostgroup-add  demo
Description: Demonstration systems
Description: Leading and trailing spaces are not allowed
Description: Demonstration system
----------------------
Added hostgroup "demo"
----------------------
   Host-group: demo
   Description: Demonstration system
[root@ipa1-yyz-int wmuriithi]#  ipa hostgroup-add-member
--hosts=demo2.yyz.int.testing.com demo
   Host-group: demo
   Description: Demonstration system
   Member hosts: demo2.yyz.int.testing.com
-------------------------
Number of members added 1
-------------------------
[root@ipa1-yyz-int wmuriithi]# ipa sudorule-add-host --hostgroups=demo
  testing_viewiers
   Rule name: testing_viewiers
   Enabled: TRUE
   Host Groups: demo
   Sudo Allow Command Groups: readonly
-------------------------
Number of members added 1
-------------------------
[root@ipa1-yyz-int wmuriithi]# ipa sudorule-add-user
--groups=operations testing_viewiers
   Rule name: testing_viewiers
   Enabled: TRUE
   User Groups: operations
   Host Groups: demo
   Sudo Allow Command Groups: readonly
-------------------------
Number of members added 1
-------------------------

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
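The two syslog records William quotes are the ones a defender would grep for: pam_sss reports that authentication succeeded, then sudo reports the user is NOT in sudoers, so it is the rule lookup, not the password check, that failed. As an added example (not from anyone in the thread), here is a small Python parser that rejoins the mail-wrapped lines and extracts the denial fields, using the quoted records as constructed input.

```python
import re

# Constructed sample: the two sudo syslog records quoted in the thread,
# wrapped onto several lines by the mail client. Continuation lines do
# not start with a syslog timestamp, which is how we rejoin them.
SAMPLE = """\
Nov  7 16:05:42 demo2 sudo: pam_sss(sudo:auth): authentication
success; logname=williamm uid=0 euid=0 tty=/dev/pts/2 ruser=williamm
rhost= user=williamm
Nov  7 16:05:43 demo2 sudo: williamm : user NOT in sudoers ; TTY=pts/2
; PWD=/home/wmuriithi ; USER=root ; COMMAND=/usr/bin/less
/var/log/secure
"""

# "Mon DD HH:MM:SS " with the day padded by a second space when < 10.
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} ")

# The denial record sudo writes when no rule matched (files, LDAP or SSSD).
DENIAL = re.compile(
    r"sudo: (?P<user>\S+) : user NOT in sudoers ; TTY=(?P<tty>\S+) ; "
    r"PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def unwrap(text):
    """Rejoin syslog records that were wrapped onto several lines."""
    records = []
    for line in text.splitlines():
        if TIMESTAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def sudo_denials(text):
    """Return one dict (user, tty, pwd, target, cmd) per denial record."""
    found = []
    for rec in unwrap(text):
        m = DENIAL.search(rec)
        if m:
            found.append(m.groupdict())
    return found


if __name__ == "__main__":
    for d in sudo_denials(SAMPLE):
        print(f"{d['user']} denied {d['cmd']!r} as {d['target']} on {d['tty']}")
```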

The SUDO integration is evolving, so it is important to know what OS and
version you are on.
I would assume you are on RHEL6.3 or equivalent.
There are two main ways to integrate SUDO with IPA. One with SSSD
integration and another without. The one with the SSSD integration was a
tech preview in 6.3 and did not work well

Hi, caching capabilities were not optimal in the tech preview, but it was fully functional (or at least should be, I don't think anyone really tried it in production), unless sssd is configured with multiple domains.

 so we will set it aside for
now (but we fixed it and it is coming in 6.4 as a supported feature).

So the only reasonable option ATM is to set up sudo without SSSD integration.

So this solution implies that SUDO will use LDAP to get data from the
LDAP server and LDAP server happens to be IPA in this case.
You need to configure SUDO with LDAP as one would do following the
instructions provided by SUDO package.
Please search the archives of the last month. There have been a couple of threads
that you can find helpful in your quest.

Keep in mind that the location and name of the file used by sudo to
configure the LDAP connection have changed. The exact names of the files and
recommendations you will find in the mentioned threads.

Once you have configured SUDO, if you still have problems please let us
know and we will help to troubleshoot the issue.
