Okay, I get it (pardon my obtuseness).
host1-> getent netgroup hgroup1
hgroup1 (host1.my_domain.com, -, my_domain.com)
So netgroups are working. The host group is defined in IPA and getent is
able to access that information.
Thanks,
-Mark
________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
[email protected] | O / C +1 503 953-1389
-----Original Message-----
From: Jakub Hrozek [mailto:[email protected]]
Sent: Wednesday, July 17, 2013 8:58 AM
To: Tovey, Mark
Cc: [email protected]; [email protected]
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
On Wed, Jul 17, 2013 at 03:01:58PM +0000, Tovey, Mark wrote:
>
> We have sssd-1.5.1-58.el5 and ipa-client-2.1.3-5.el5_9.2 installed.
OK, these are recent enough to support netgroups and the compat tree should be
configured automatically.
>Those came out of the 'latest' repository. We do not have any netgroups
>defined (there is no /etc/netgroup file), so getent does not return anything.
Every hostgroup is automatically translated into a netgroup on the server side.
You said you have some host groups present, so does "getent netgroup
<name-of-hostgroup>" return any netgroup data?
> Thanks,
> -Mark
>
>
>
>
> -----Original Message-----
> From: Jakub Hrozek [mailto:[email protected]]
> Sent: Wednesday, July 17, 2013 1:32 AM
> To: Tovey, Mark
> Cc: [email protected]; [email protected]
> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>
> On Tue, Jul 16, 2013 at 09:13:00PM +0000, Tovey, Mark wrote:
> >
> >
> > We are using sssd. The sssd.conf file is mostly unchanged from how it
> > was installed by the ipa-client-install script:
>
> Hi Mark,
>
> you said your client is OEL *5.5* ? The SSSD first appeared in RHEL (and by
> extension OEL) in 5.6. Are you running the version from EPEL? I'm not sure if
> netgroups were even supported in that old version..
>
> What is the output of "rpm -q sssd" and "rpm -q ipa-client" ?
>
> Does getent netgroup <netgroup-name> work?
>
> >
> > [sssd]
> > config_file_version = 2
> > services = nss, pam
> >
> > domains = my_domain.com
> > [nss]
> >
> > [pam]
> >
> > [domain/my_domain.com]
> > cache_credentials = True
> > krb5_store_password_if_offline = True
> > ipa_domain = my_domain.com
> > id_provider = ipa
> > auth_provider = ipa
> > access_provider = ipa
> > chpass_provider = ipa
> > ipa_server = _srv_, ipa_server.my_domain.com
> > ldap_tls_cacert = /etc/ipa/ca.crt
> > debug_level = 6
> >
> >
> > And the nsswitch.conf file:
> >
> > passwd: files sss
> > shadow: files sss
> > group: files sss
> >
> > hosts: files dns
> >
> > bootparams: nisplus [NOTFOUND=return] files
> >
> > ethers: files
> > netmasks: files
> > networks: files
> > protocols: files
> > rpc: files
> > services: files
> >
> > netgroup: files sss
> >
> > publickey: nisplus
> >
> > automount: files ldap
> > aliases: files
> >
> > sudoers: files ldap
> >
> > Thanks,
> > -Mark
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: [email protected]
> > [mailto:[email protected]] On Behalf Of Dmitri Pal
> > Sent: Tuesday, July 16, 2013 12:51 PM
> > To: [email protected]
> > Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
> >
> > On 07/16/2013 02:11 PM, Tovey, Mark wrote:
> > > My environment consists of OEL 5.5 clients with ipa-client-2.1.3 and
> > > the server is OEL 6.4 with ipa-server-3.0.0. We chose these because we
> > > were able to find RPM packages for them. We would prefer to go with the
> > > latest versions, but we did not want to spend the time building
> > > installation packages just yet. Again, we are just evaluating at this
> > > point. So far, so good, except for this one point.
> > > > The domain name, host name, and nsswitch.conf files are all properly
> > > configured. But I do not have any netgroups defined (the getent command
> > > doesn't return anything and there is no /etc/netgroup file). After you
> > > asked about that, I started looking into the documentation on netgroups.
> > > The IPA documentation for sudo states that "Identity Management creates
> > > two groups, a visible host group and a shadow netgroup. sudo itself only
> > > supports NIS-style netgroups for group formats." But when I look in the
> > > Netgroups area, I do not see any netgroups defined. I used Apache
> > > Directory Studio to look around the Directory Server, and I can see
> > > "cn=hgroup1,cn=ng,cn=alt,dc=my_domain,dc=com", along with
> > > "cn=hgroup1,cn=hostgroups,cn=accounts,dc=my_domain,dc=com". This seems
> > > to reflect what was stated in the documentation.
> > > But I am still stumped. I cannot get sudo to work with host groups;
> > > I have to directly add each server to the sudo rule.
> > > Thanks,
> > > -Mark
> >
> > So it seems that the first thing you need to do is to make sure your
> > netgroups work.
> > If domain and host are properly set then it might be the wrong base in your
> > LDAP search for the netgroups.
> > Are you using SSSD for netgroups or something else?
> > Can you please share your sssd.conf and area where it configures netgroups?
> > Also is sss in the nsswitch.conf for netgroups map?
> >
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Martin Kosek [mailto:[email protected]]
> > > Sent: Tuesday, July 16, 2013 12:34 AM
> > > To: Tovey, Mark
> > > Cc: Steven Jones; James Hogarth; [email protected]; Pavel
> > > Brezina
> > > Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
> > >
> > > Just checking, did you try troubleshooting hints from JR I found at the
> > > top of the thread? I did not find any information about that.
> > >
> > > ~~~~
> > > Can you confirm that the output of the following commands:
> > > 1. $ domainname
> > > * does it match your domain?
> > > 2. $ hostname
> > > * does it match your fqdn?
> > > 3. $ getent netgroup esolutions-sandbox-hosts
> > > * does this list your host?
> > > 4. Does /etc/nsswitch.conf contain the line: "netgroup: files sss"?
> > >
> > >
> > > Another important Sudo Troubleshooting step is to edit:
> > > /etc/sudo-ldap.conf (or /etc/ldap.conf, depending on what version of
> > > RHEL/Sudo you're running):
> > >
> > > At the top, add the line: sudoers_debug 2
> > >
> > > Then try another sudo command. sudo -l for example.
> > > ~~~~
> > >
> > > For example, it would help to know that netgroup list (step 3) works or
> > > domainname is set correctly (step 1).
> > >
> > > Martin
> > >
> > >
> > > On 07/16/2013 06:09 AM, Tovey, Mark wrote:
> > >>
> > >>
> > >> Okay, I stopped sssd on the client and deleted the cache
> > >> files, removed the sudo rule, started sssd and verified that the
> > >> rule was gone, stopped sssd and deleted the files again, added
> > >> the rule back in, restarted sssd, and still it does not work.
> > >> One note, when I enter the hosts into the sudo rule in place of
> > >> the host group, the effect is immediate; I do not need to restart
> > >> sssd. And the opposite is true too: if I put the host group
> > >> back, the rule immediately stops working. I don't think the
> > >> issue is cache related; it seems to be something else. The serv_account
> > >> that we are accessing with the sudo rule is external. I wouldn't expect
> > >> that to matter, but perhaps it does?
> > >>
> > >>
> > >>
> > >> I like your idea for the labels; they make sense. Right now
> > >> we are just evaluating this to see if we want to go this route.
> > >> So far we like it, but this could be a problem because we have
> > >> several hundred hosts that we need to manage. Having to enter each one
> > >> individually will be problematic.
> > >>
> > >> Thanks,
> > >>
> > >> -Mark
> > >>
> > >>
> > >>
> > >>
> > >>
> > >>
> > >> From: Steven Jones [mailto:[email protected]]
> > >> Sent: Monday, July 15, 2013 4:44 PM
> > >> To: Tovey, Mark; James Hogarth
> > >> Cc: [email protected]
> > >> Subject: RE: [Freeipa-users] sudo rules user and host group bugs?
> > >>
> > >>
> > >>
> > >> option b) delete the rule totally and redo it from scratch.
> > >>
> > >> I label rules like this,
> > >>
> > >> hb-xxxx for a hbac rule
> > >>
> > >> su-xxxx for a sudo rule
> > >>
> > >> sc-xxxx for a sudo command group
> > >>
> > >> ug-xxxx for a user group
> > >>
> > >> hg-xxxx for a host groups
> > >>
> > >> etc
> > >>
> > >> etc
> > >>
> > >> It makes the logic easier when you go into command line which I
> > >> find easier to trace with than the gui at times.
> > >>
> > >>
> > >>
> > >> regards
> > >>
> > >> Steven Jones
> > >>
> > >> Technical Specialist - Linux RHCE
> > >>
> > >> Victoria University, Wellington, NZ
> > >>
> > >> 0064 4 463 6272
> > >>
> > >> ----------------------------------------------------------------------
> > >>
> > >> From: Tovey, Mark [[email protected]]
> > >> Sent: Tuesday, 16 July 2013 11:34 a.m.
> > >> To: Steven Jones; James Hogarth
> > >> Cc: [email protected]
> > >> Subject: RE: [Freeipa-users] sudo rules user and host group bugs?
> > >>
> > >>
> > >>
> > >> That didn't work either. I set up the host group in my sudo
> > >> rule, stopped sssd, renamed /var/lib/sss/db and created a new db
> > >> directory, then restarted sssd. New files were created in the db
> > >> directory, but it still refuses to work unless the hosts are directly
> > >> specified in the sudo rule.
> > >>
> > >> Thanks,
> > >>
> > >> -Mark
> > >>
> > >>
> > >>
> > >>
> > >>
> > >>
> > >> From: Steven Jones [mailto:[email protected]]
> > >> Sent: Monday, July 15, 2013 4:15 PM
> > >> To: Tovey, Mark; James Hogarth
> > >> Cc: [email protected]
> > >> Subject: RE: [Freeipa-users] sudo rules user and host group bugs?
> > >>
> > >>
> > >>
> > >> Hi,
> > >>
> > >> This is a known issue I've suffered a long time with. What would
> > >> be interesting is adding another host to the host group could
> > >> well work fine, that will really make you bang your head against the
> > >> wall..
> > >>
> > >> 2 possibilities, stop the sssd daemon on the problem host, delete
> > >> its cache and start it, that might fix it.
> > >>
> > >> Otherwise best to,
> > >>
> > >> All RH support could come up with is delete the HBAC rule, sudo
> > >> rule, user group and host group and re-do it, then it will probably work
> > >> fine.
> > >>
> > >>
> > >>
> > >> regards
> > >>
> > >> Steven Jones
> > >>
> > >>
> > >> ----------------------------------------------------------------------
> > >>
> > >> From: [email protected] [[email protected]] on behalf of Tovey, Mark [[email protected]]
> > >> Sent: Tuesday, 16 July 2013 10:54 a.m.
> > >> To: James Hogarth
> > >> Cc: [email protected]
> > >> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
> > >>
> > >>
> > >>
> > >>
> > >>
> > >> I checked that and it is set correctly:
> > >>
> > >> [user1@host1 ~]$ nisdomainname
> > >> my_domain.com
> > >>
> > >> If I try to run a command with the hosts specified indirectly
> > >> through a host group, it fails:
> > >>
> > >> [user1@host1 ~]$ sudo -i -u serv_account
> > >> LDAP Config Summary
> > >> ===================
> > >> uri ldap://ipa_server.my_domain.com
> > >> ldap_version 3
> > >> sudoers_base ou=SUDOers,dc=my_domain,dc=com
> > >> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
> > >> bindpw **********
> > >> bind_timelimit 5000
> > >> timelimit 15
> > >> ssl start_tls
> > >> tls_checkpeer (yes)
> > >> tls_cacertfile /etc/ipa/ca.crt
> > >> ===================
> > >> sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
> > >> sudo: ldap_set_option: debug -> 0
> > >> sudo: ldap_set_option: ldap_version -> 3
> > >> sudo: ldap_set_option: tls_checkpeer -> 1
> > >> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
> > >> sudo: ldap_set_option: timelimit -> 15
> > >> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
> > >> sudo: ldap_start_tls_s() ok
> > >> sudo: ldap_sasl_bind_s() ok
> > >> sudo: no default options found!
> > >> sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
> > >> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
> > >> sudo: ldap sudoHost '+hgroup1' ... not
> > >> sudo: ldap search 'sudoUser=+*'
> > >> sudo: user_matches=1
> > >> sudo: host_matches=0
> > >> sudo: sudo_ldap_lookup(0)=0x40
> > >> [sudo] password for user1:
> > >> Sorry, try again.
> > >> [sudo] password for user1:
> > >> sudo: 1 incorrect password attempt
> > >>
> > >> But if I remove the host group from the sudo rule and
> > >> directly add the hosts that were in the host group, it works fine:
> > >>
> > >> <snip>
> > >> sudo: ldap_start_tls_s() ok
> > >> sudo: ldap_sasl_bind_s() ok
> > >> sudo: no default options found!
> > >> sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
> > >> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
> > >> sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
> > >> sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
> > >> sudo: ldap sudoCommand 'ALL' ... MATCH!
> > >> sudo: Command allowed
> > >> sudo: user_matches=1
> > >> sudo: host_matches=1
> > >> sudo: sudo_ldap_lookup(0)=0x02
> > >> [sudo] password for user1:
> > >> [serv_account@host1 ~]$
> > >>
> > >>
> > >> So something isn't lining up correctly with host groups in
> > >> sudo rules somewhere. I just haven't been able to track it down.
> > >>
> > >> Thanks,
> > >>
> > >> -Mark
> > >>
> > >>
> > >>
> > >>
> > >>
> > >>
> > >>
> > >>
> > >> From: James Hogarth [mailto:[email protected]]
> > >> Sent: Monday, July 15, 2013 1:11 PM
> > >> To: Tovey, Mark
> > >> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
> > >>
> > >>
> > >>
> > >>
> > >>>
> > >>>
> > >>> Did anyone find a solution for this? I am having the same
> > >>> experience.
> > >>>
> > >>>
> > >>>
> > >> Wow that was a mess...
> > >>
> > >> To use hostgroups for sudo ensure nisdomainname is set on the
> > >> hosts to the IPA domain.
> > >>
> > >>
> > >>
> > >>
> > >
> >
> >
> > --
> > Thank you,
> > Dmitri Pal
> >
> > Sr. Engineering Manager for IdM portfolio Red Hat Inc.
> >
> >
> >
> >
> >
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
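The four checks the thread walks through (domainname, hostname, nsswitch.conf, getent netgroup), written as an added example that is not part of any message in the thread; hgroup1, host1.my_domain.com and my_domain.com are the thread's own redacted placeholders, and the netgroup membership test is a plain comparison of the (host, user, domain) triples rather than a call to the C library's innetgr():

```shell
# Added example, not code from the thread: the four troubleshooting checks
# quoted above as functions over text, so they can be fed real command output
# or the constructed samples at the bottom. hgroup1, host1.my_domain.com and
# my_domain.com are the thread's redacted placeholders.

# check_nisdomain NISDOMAIN IPADOMAIN: 'domainname' must be set and equal the
# IPA domain, which the compat tree writes into each triple's domain field,
# e.g. "(host1.my_domain.com, -, my_domain.com)".
check_nisdomain() { [ -n "$1" ] && [ "$1" = "$2" ]; }
# check_fqdn HOSTNAME: 'hostname' must be fully qualified, because the
# generated triples carry FQDNs, not short names.
check_fqdn() { case $1 in *.*) return 0 ;; *) return 1 ;; esac; }
# check_nsswitch TEXT: the netgroup map in nsswitch.conf must consult sss.
check_nsswitch() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*netgroup:.*[[:space:]]sss([[:space:]]|$)'
}
# netgroup_has_host LINE FQDN NISDOMAIN: split one 'getent netgroup' line into
# (host,user,domain) triples and succeed if one names FQDN with domain equal
# to NISDOMAIN. An empty domain field is a wildcard; '-' matches nothing.
# This is the membership test behind sudo's "ldap sudoHost '+hgroup1'" line.
netgroup_has_host() {
    triples=$(printf '%s' "${1#* }" | tr -d ' ' | sed 's/)(/) (/g')
    for t in $triples; do
        t=${t#\(}; t=${t%\)}
        h=${t%%,*}; rest=${t#*,}; d=${rest#*,}
        [ "$h" = "$2" ] || continue
        case $d in ''|"$3") return 0 ;; esac
    done
    return 1
}
# diagnose NISDOMAIN IPADOMAIN HOSTNAME NSSWITCH_TEXT GETENT_LINE: run all four
# checks, print one line each and return the number of failures.
diagnose() {
    fails=0
    check_nisdomain "$1" "$2" && echo "ok   domainname '$1' equals IPA domain" \
        || { echo "FAIL domainname is '$1', expected '$2'"; fails=$((fails + 1)); }
    check_fqdn "$3" && echo "ok   hostname '$3' is fully qualified" \
        || { echo "FAIL hostname '$3' is not an FQDN"; fails=$((fails + 1)); }
    check_nsswitch "$4" && echo "ok   nsswitch.conf netgroup map uses sss" \
        || { echo "FAIL nsswitch.conf netgroup line lacks sss"; fails=$((fails + 1)); }
    netgroup_has_host "$5" "$3" "$1" && echo "ok   netgroup lists $3 in domain '$1'" \
        || { echo "FAIL netgroup does not list $3 in domain '$1'"; fails=$((fails + 1)); }
    return $fails
}
# Constructed samples: the client as shown in the thread, then the same client
# with domainname unset, the misconfiguration James Hogarth's reply points at.
NSS_OK='netgroup: files sss'
NG_LINE='hgroup1 (host1.my_domain.com, -, my_domain.com)'
diagnose my_domain.com my_domain.com host1.my_domain.com "$NSS_OK" "$NG_LINE"
if ! diagnose '' my_domain.com host1.my_domain.com "$NSS_OK" "$NG_LINE"; then
    echo "a check failed; sudoHost '+hgroup1' is unlikely to match on this client"
fi
```

On a live client the same functions take `$(domainname)`, `$(hostname)`, `$(cat /etc/nsswitch.conf)` and `$(getent netgroup hgroup1)` as arguments.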