host1-> nisdomainname
my_domain.com

host1-> rpm -q sudo
sudo-1.7.2p1-6.el5_5

    Thanks,
    -Mark


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
mto...@go2uti.com | O / C +1 503 953-1389

-----Original Message-----
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Pavel Brezina
Sent: Thursday, July 18, 2013 2:03 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?

On 07/17/2013 06:39 PM, Tovey, Mark wrote:
>
>      Okay, I get it (pardon my obtuseness).
>
>      host1-> getent netgroup hgroup1
>      hgroup1                   (host1.my_domain.com, -, my_domain.com)
>
>      So netgroups are working.  The host group is defined in IPA and getent 
> is able to access that information.
>      Thanks,
>      -Mark

Hi,
can you also paste the output of the following commands please?

$ nisdomainname
$ rpm -q sudo

Thanks,
Pavel.

>
>
>
>
> -----Original Message-----
> From: Jakub Hrozek [mailto:jhro...@redhat.com]
> Sent: Wednesday, July 17, 2013 8:58 AM
> To: Tovey, Mark
> Cc: d...@redhat.com; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>
> On Wed, Jul 17, 2013 at 03:01:58PM +0000, Tovey, Mark wrote:
>>
>>      We have sssd-1.5.1-58.el5 and ipa-client-2.1.3-5.el5_9.2 installed.
>
> OK, these are recent enough to support netgroups and the compat tree should 
> be configured automatically.
>
>> Those came out of the 'latest' repository.  We do not have any netgroups 
>> defined (there is no /etc/netgroup file), so getent does not return anything.
>
> Every hostgroup is automatically translated into a netgroup on the server 
> side. You said you have some host groups present, so does "getent netgroup 
> <name-of-hostgroup>" return any netgroup data?
>
>>      Thanks,
>>      -Mark
>>
>
>>
>>
>>
>> -----Original Message-----
>> From: Jakub Hrozek [mailto:jhro...@redhat.com]
>> Sent: Wednesday, July 17, 2013 1:32 AM
>> To: Tovey, Mark
>> Cc: d...@redhat.com; freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>
>> On Tue, Jul 16, 2013 at 09:13:00PM +0000, Tovey, Mark wrote:
>>>
>>>
>>>      We are using sssd. The sssd.conf file is mostly unchanged from how it 
>>> was installed by the ipa-client-install script:
>>
>> Hi Mark,
>>
>> you said your client is OEL *5.5*? The SSSD first appeared in RHEL (and by 
>> extension OEL) in 5.6. Are you running the version from EPEL? I'm not sure 
>> if netgroups were even supported in that old version.
>>
>> What is the output of "rpm -q sssd" and "rpm -q ipa-client" ?
>>
>> Does getent netgroup <netgroup-name> work?
>>
>>>
>>> [sssd]
>>> config_file_version = 2
>>> services = nss, pam
>>>
>>> domains = my_domain.com
>>> [nss]
>>>
>>> [pam]
>>>
>>> [domain/my_domain.com]
>>> cache_credentials = True
>>> krb5_store_password_if_offline = True
>>> ipa_domain = my_domain.com
>>> id_provider = ipa
>>> auth_provider = ipa
>>> access_provider = ipa
>>> chpass_provider = ipa
>>> ipa_server = _srv_, ipa_server.my_domain.com
>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>> debug_level = 6
>>>
>>>
>>>      And the nsswitch.conf file:
>>>
>>> passwd:     files sss
>>> shadow:     files sss
>>> group:      files sss
>>>
>>> hosts:      files dns
>>>
>>> bootparams: nisplus [NOTFOUND=return] files
>>>
>>> ethers:     files
>>> netmasks:   files
>>> networks:   files
>>> protocols:  files
>>> rpc:        files
>>> services:   files
>>>
>>> netgroup:   files sss
>>>
>>> publickey:  nisplus
>>>
>>> automount:  files ldap
>>> aliases:    files
>>>
>>> sudoers:    files ldap
>>>
>>>      Thanks,
>>>      -Mark
>>>
>>>
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: freeipa-users-boun...@redhat.com 
>>> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
>>> Sent: Tuesday, July 16, 2013 12:51 PM
>>> To: freeipa-users@redhat.com
>>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>>
>>> On 07/16/2013 02:11 PM, Tovey, Mark wrote:
>>>>      My environment consists of OEL 5.5 clients with ipa-client-2.1.3 and 
>>>> the server is OEL 6.4 with ipa-server-3.0.0.  We chose these because we 
>>>> were able to find RPM packages for them.  We would prefer to go with the 
>>>> latest versions, but we did not want to spend the time building 
>>>> installation packages just yet.  Again, we are just evaluating at this 
>>>> point.  So far, so good, except for this one point.
>>>>      The domain name, host name, and nsswitch.conf files are all properly 
>>>> configured.  But I do not have any netgroups defined (the getent command 
>>>> doesn't return anything and there is no /etc/netgroup file).  After you 
>>>> asked about that, I started looking into the documentation on netgroups.  
>>>> The IPA documentation for sudo states that "Identity Management creates 
>>>> two groups, a visible host group and a shadow netgroup. sudo itself only 
>>>> supports NIS-style netgroups for group formats."  But when I look in the 
>>>> Netgroups area, I do not see any netgroups defined.  I used Apache 
>>>> Directory Studio to look around the Directory Server, and I can see 
>>>> "cn=hgroup1,cn=ng,cn=alt,dc=my_domain,dc=com", along with 
>>>> "cn=hgroup1,cn=hostgroups,cn=accounts,dc=my_domain,dc=com".  This seems to 
>>>> reflect what was stated in the documentation.
>>>>      But I am still stumped.  I cannot get sudo to work with host groups; 
>>>> I have to directly add each server to the sudo rule.
>>>>      Thanks,
>>>>      -Mark
>>>
>>> So it seems that the first thing you need to do is to make sure your 
>>> netgroups work.
>>> If domain and host are properly set then it might be the wrong base in your 
>>> LDAP search for the netgroups.
>>> Are you using SSSD for netgroups or something else?
>>> Can you please share your sssd.conf and the area where it configures netgroups?
>>> Also, is sss in nsswitch.conf for the netgroup map?
>>>
>>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Martin Kosek [mailto:mko...@redhat.com]
>>>> Sent: Tuesday, July 16, 2013 12:34 AM
>>>> To: Tovey, Mark
>>>> Cc: Steven Jones; James Hogarth; Freeipa-users@redhat.com; Pavel 
>>>> Brezina
>>>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>
>>>> Just checking, did you try the troubleshooting hints from JR I found at the 
>>>> top of the thread? I did not find any information about that.
>>>>
>>>> ~~~~
>>>> Can you confirm the output of the following commands:
>>>> 1. $ domainname
>>>> * does it match your domain?
>>>> 2. $ hostname
>>>> * does it match your fqdn?
>>>> 3. $ getent netgroup esolutions-sandbox-hosts
>>>> * does this list your host?
>>>> 4. Does /etc/nsswitch.conf contain the line: "netgroup:   files sss"?
>>>>
>>>>
>>>> Another important Sudo Troubleshooting step is to edit: 
>>>> /etc/sudo-ldap.conf (or /etc/ldap.conf, depending on what version of 
>>>> RHEL/Sudo you're running):
>>>>
>>>> At the top, add the line: sudoers_debug 2
>>>>
>>>> Then try another sudo command. sudo -l for example.
>>>> ~~~~
>>>>
>>>> For example, it would help to know whether the netgroup list (step 3) works or 
>>>> domainname is set correctly (step 1).
>>>>
>>>> Martin
>>>>
>>>>
>>>> On 07/16/2013 06:09 AM, Tovey, Mark wrote:
>>>>>
>>>>>
>>>>>      Okay, I stopped sssd on the client and deleted the cache 
>>>>> files, removed the sudo rule, started sssd and verified that the 
>>>>> rule was gone, stopped sssd and deleted the files again, added the 
>>>>> rule back in, restarted sssd, and still it does not work.
>>>>> One note, when I enter the hosts into the sudo rule in place of 
>>>>> the host group, the effect is immediate; I do not need to restart 
>>>>> sssd.  And the opposite is true too: if I put the host group back, 
>>>>> the rule immediately stops working.  I don't think the issue is 
>>>>> cache related; it seems to be something else.  The serv_account that we 
>>>>> are accessing with the sudo rule is external.  I wouldn't expect that to 
>>>>> matter, but perhaps it does?
>>>>>
>>>>>
>>>>>
>>>>>      I like your idea for the labels; they make sense.  Right now 
>>>>> we are just evaluating this to see if we want to go this route.
>>>>> So far we like it, but this could be a problem because we have 
>>>>> several hundred hosts that we need to manage.  Having to enter each one 
>>>>> individually will be problematic.
>>>>>
>>>>>      Thanks,
>>>>>
>>>>>      -Mark
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> From: Steven Jones [mailto:steven.jo...@vuw.ac.nz]
>>>>> Sent: Monday, July 15, 2013 4:44 PM
>>>>> To: Tovey, Mark; James Hogarth
>>>>> Cc: Freeipa-users@redhat.com
>>>>> Subject: RE: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>>
>>>>>
>>>>> option b) delete the rule totally and redo it from scratch.
>>>>>
>>>>> I label rules like this,
>>>>>
>>>>> hb-xxxx for a hbac rule
>>>>> su-xxxx for a sudo rule
>>>>> sc-xxxx for a sudo command group
>>>>> ug-xxxx for a user group
>>>>> hg-xxxx for a host group
>>>>> etc
>>>>>
>>>>> It makes the logic easier when you go into the command line, which I 
>>>>> find easier to trace with than the gui at times.
>>>>>
>>>>>
>>>>>
>>>>> regards
>>>>>
>>>>> Steven Jones
>>>>>
>>>>> Technical Specialist - Linux RHCE
>>>>>
>>>>> Victoria University, Wellington, NZ
>>>>>
>>>>> 0064 4 463 6272
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>>
>>>>> From: Tovey, Mark [mto...@go2uti.com]
>>>>> Sent: Tuesday, 16 July 2013 11:34 a.m.
>>>>> To: Steven Jones; James Hogarth
>>>>> Cc: Freeipa-users@redhat.com
>>>>> Subject: RE: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>>
>>>>>
>>>>>      That didn't work either.  I set up the host group in my sudo 
>>>>> rule, stopped sssd, renamed /var/lib/sss/db and created a new db 
>>>>> directory, then restarted sssd.  New files were created in the db 
>>>>> directory, but it still refuses to work unless the hosts are directly 
>>>>> specified in the sudo rule.
>>>>>
>>>>>      Thanks,
>>>>>
>>>>>      -Mark
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> From: Steven Jones [mailto:steven.jo...@vuw.ac.nz]
>>>>> Sent: Monday, July 15, 2013 4:15 PM
>>>>> To: Tovey, Mark; James Hogarth
>>>>> Cc: Freeipa-users@redhat.com
>>>>> Subject: RE: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>>
>>>>>
>>>>> Hi,
>>>>>
>>>>> This is a known issue I've suffered a long time with.  What would 
>>>>> be interesting is that adding another host to the host group could well 
>>>>> work fine; that will really make you bang your head against the wall.
>>>>>
>>>>> 2 possibilities: stop the sssd daemon on the problem host, delete 
>>>>> its cache and start it; that might fix it.
>>>>>
>>>>> Otherwise, all RH support could come up with is to delete the HBAC rule, sudo 
>>>>> rule, user group and host group and re-do it; then it will probably work 
>>>>> fine.
>>>>>
>>>>>
>>>>>
>>>>> regards
>>>>>
>>>>> Steven Jones
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>>
>>>>> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Tovey, Mark [mto...@go2uti.com]
>>>>> Sent: Tuesday, 16 July 2013 10:54 a.m.
>>>>> To: James Hogarth
>>>>> Cc: Freeipa-users@redhat.com
>>>>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>      I checked that and it is set correctly:
>>>>>
>>>>> [user1@host1 ~]$ nisdomainname
>>>>> my_domain.com
>>>>>
>>>>>
>>>>>
>>>>>      If I try to run a command with the hosts specified indirectly 
>>>>> through a host group, it fails:
>>>>>
>>>>> [user1@host1 ~]$ sudo -i -u serv_account
>>>>> LDAP Config Summary
>>>>> ===================
>>>>> uri              ldap://ipa_server.my_domain.com
>>>>> ldap_version     3
>>>>> sudoers_base     ou=SUDOers,dc=my_domain,dc=com
>>>>> binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
>>>>> bindpw           **********
>>>>> bind_timelimit   5000
>>>>> timelimit        15
>>>>> ssl              start_tls
>>>>> tls_checkpeer    (yes)
>>>>> tls_cacertfile   /etc/ipa/ca.crt
>>>>> ===================
>>>>> sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
>>>>> sudo: ldap_set_option: debug -> 0
>>>>> sudo: ldap_set_option: ldap_version -> 3
>>>>> sudo: ldap_set_option: tls_checkpeer -> 1
>>>>> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
>>>>> sudo: ldap_set_option: timelimit -> 15
>>>>> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
>>>>>
>>>>> sudo: ldap_start_tls_s() ok
>>>>> sudo: ldap_sasl_bind_s() ok
>>>>> sudo: no default options found!
>>>>> sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
>>>>> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
>>>>> sudo: ldap sudoHost '+hgroup1' ... not
>>>>> sudo: ldap search 'sudoUser=+*'
>>>>> sudo: user_matches=1
>>>>> sudo: host_matches=0
>>>>> sudo: sudo_ldap_lookup(0)=0x40
>>>>> [sudo] password for user1:
>>>>> Sorry, try again.
>>>>> [sudo] password for user1:
>>>>> sudo: 1 incorrect password attempt
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>      But if I remove the host group from the sudo rule and 
>>>>> directly add the hosts that were in the host group, it works fine:
>>>>>
>>>>> <snip>
>>>>>
>>>>> sudo: ldap_start_tls_s() ok
>>>>> sudo: ldap_sasl_bind_s() ok
>>>>> sudo: no default options found!
>>>>> sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
>>>>> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
>>>>> sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
>>>>> sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
>>>>> sudo: ldap sudoCommand 'ALL' ... MATCH!
>>>>> sudo: Command allowed
>>>>> sudo: user_matches=1
>>>>> sudo: host_matches=1
>>>>> sudo: sudo_ldap_lookup(0)=0x02
>>>>> [sudo] password for user1:
>>>>> [serv_account@host1 ~]$
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>      So something isn't lining up correctly with host groups in 
>>>>> sudo rules somewhere.  I just haven't been able to track it down.
>>>>>
>>>>>      Thanks,
>>>>>
>>>>>      -Mark
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> From: James Hogarth [mailto:james.hoga...@gmail.com]
>>>>> Sent: Monday, July 15, 2013 1:11 PM
>>>>> To: Tovey, Mark
>>>>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>      Did anyone find a solution for this?  I am having the same 
>>>>>> experience.
>>>>>>
>>>>>>
>>>>>>
>>>>> Wow that was a mess...
>>>>>
>>>>> To use hostgroups for sudo ensure nisdomainname is set on the 
>>>>> hosts to the IPA domain.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager for IdM portfolio Red Hat Inc.
>>>
>>>
>>> -------------------------------
>>> Looking to carve out IT costs?
>>> www.redhat.com/carveoutcosts/
>>>
>>>
>>>
>
>

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
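As an added example (my own code, not from this thread nor from FreeIPA, SSSD or sudo), here is a POSIX shell script that turns the troubleshooting checklist quoted in the thread into functions that can be run against captured output: the NIS domain equals the IPA domain, the hostname is an FQDN in it, the `getent netgroup` line carries a triple for this host whose domain field agrees with nisdomainname, and the nsswitch netgroup map lists sss. The function names, the `check_client` driver and the sample strings are assumptions; the domain-field rule is what the closing advice about setting nisdomainname comes down to.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/SSSD/sudo. It turns
# the troubleshooting checklist quoted above into functions; names are mine.

# Steps 1+2: the NIS domain must equal the IPA domain and the hostname must be
# an FQDN inside it. On Linux an unset NIS domain reads back as "(none)",
# which can never equal the domain field of an IPA-generated netgroup triple.
domain_and_host_ok() {
  nisdom=$1; host=$2; ipadom=$3
  [ "$nisdom" = "$ipadom" ] || return 1
  case $host in
    *."$ipadom") return 0 ;;
    *) return 1 ;;
  esac
}

# Step 3: does a `getent netgroup <hostgroup>` line carry a triple whose host
# field is $2 and whose domain field is "-", empty, or equal to $3 (the NIS
# domain)? That is what sudo's "+hgroup1" host match comes down to; a domain
# mismatch gives the "sudoHost '+hgroup1' ... not" line seen in the thread.
netgroup_lists_host() {
  rest=$1; host=$2; nisdom=$3
  while :; do
    case $rest in
      *\(*\)*) ;;   # at least one "(host, user, domain)" triple left
      *) return 1 ;;
    esac
    triple=${rest#*\(}; triple=${triple%%\)*}; rest=${rest#*\)}
    t_host=$(printf '%s\n' "$triple" | cut -d, -f1 | tr -d ' ')
    t_dom=$(printf '%s\n' "$triple" | cut -d, -f3 | tr -d ' ')
    if [ "$t_host" = "$host" ]; then
      case $t_dom in ""|-|"$nisdom") return 0 ;; esac
    fi
  done
}

# Step 4: does the netgroup map in an nsswitch.conf body consult sss?
nsswitch_netgroup_uses_sss() {
  printf '%s\n' "$1" |
    grep -Eq '^[[:space:]]*netgroup:.*[[:space:]]sss([[:space:]]|$)'
}

# Live driver for an IPA client: check_client <ipa-domain> <hostgroup>
check_client() {
  ipadom=$1; hg=$2
  nisdom=$(nisdomainname 2>/dev/null)
  host=$(hostname -f 2>/dev/null || hostname)
  domain_and_host_ok "$nisdom" "$host" "$ipadom" ||
    { echo "FAIL: nisdomainname='$nisdom' hostname='$host' (want $ipadom)"; return 1; }
  netgroup_lists_host "$(getent netgroup "$hg")" "$host" "$nisdom" ||
    { echo "FAIL: netgroup $hg has no triple for $host in domain $nisdom"; return 1; }
  nsswitch_netgroup_uses_sss "$(cat /etc/nsswitch.conf)" ||
    { echo "FAIL: /etc/nsswitch.conf netgroup map does not list sss"; return 1; }
  echo "OK: sudoHost +$hg can match $host on this client"
}
```

Run `check_client my_domain.com hgroup1` on the client; the first failing step is the one to fix before looking at the sudo rule itself.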