Does anyone have any other suggestions for this or need any additional information?

Thanks,
-Mark
________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
mto...@go2uti.com | O / C +1 503 953-1389

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Tovey, Mark
Sent: Thursday, July 18, 2013 11:06 AM
To: Pavel Březina; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?

host1-> nisdomainname
my_domain.com
host1-> rpm -q sudo
sudo-1.7.2p1-6.el5_5

Thanks,
-Mark

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Pavel Brezina
Sent: Thursday, July 18, 2013 2:03 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?

On 07/17/2013 06:39 PM, Tovey, Mark wrote:
>
> Okay, I get it (pardon my obtuseness).
>
> host1-> getent netgroup hgroup1
> hgroup1 (host1.my_domain.com, -, my_domain.com)
>
> So netgroups are working. The host group is defined in IPA and getent
> is able to access that information.
> Thanks,
> -Mark

Hi,
can you also paste the output of the following commands please?

$ nisdomainname
$ rpm -q sudo

Thanks,
Pavel.
>
> -----Original Message-----
> From: Jakub Hrozek [mailto:jhro...@redhat.com]
> Sent: Wednesday, July 17, 2013 8:58 AM
> To: Tovey, Mark
> Cc: d...@redhat.com; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>
> On Wed, Jul 17, 2013 at 03:01:58PM +0000, Tovey, Mark wrote:
>>
>> We have sssd-1.5.1-58.el5 and ipa-client-2.1.3-5.el5_9.2 installed.
>
> OK, these are recent enough to support netgroups and the compat tree should
> be configured automatically.
>
>> Those came out of the 'latest' repository. We do not have any netgroups
>> defined (there is no /etc/netgroup file), so getent does not return anything.
>
> Every hostgroup is automatically translated into a netgroup on the server
> side. You said you have some host groups present, so does "getent netgroup
> <name-of-hostgroup>" return any netgroup data?
>
>> Thanks,
>> -Mark
>>
>> -----Original Message-----
>> From: Jakub Hrozek [mailto:jhro...@redhat.com]
>> Sent: Wednesday, July 17, 2013 1:32 AM
>> To: Tovey, Mark
>> Cc: d...@redhat.com; freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>
>> On Tue, Jul 16, 2013 at 09:13:00PM +0000, Tovey, Mark wrote:
>>>
>>> We are using sssd. The sssd.conf file is mostly unchanged from how it
>>> was installed by the ipa-client-install script:
>>
>> Hi Mark,
>>
>> you said your client is OEL *5.5*? The SSSD first appeared in RHEL (and by
>> extension OEL) in 5.6.
>> Are you running the version from EPEL? I'm not sure
>> if netgroups were even supported in that old version..
>>
>> What is the output of "rpm -q sssd" and "rpm -q ipa-client"?
>>
>> Does getent netgroup <netgroup-name> work?
>>
>>>
>>> [sssd]
>>> config_file_version = 2
>>> services = nss, pam
>>>
>>> domains = my_domain.com
>>> [nss]
>>>
>>> [pam]
>>>
>>> [domain/my_domain.com]
>>> cache_credentials = True
>>> krb5_store_password_if_offline = True
>>> ipa_domain = my_domain.com
>>> id_provider = ipa
>>> auth_provider = ipa
>>> access_provider = ipa
>>> chpass_provider = ipa
>>> ipa_server = _srv_, ipa_server.my_domain.com
>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>> debug_level = 6
>>>
>>> And the nsswitch.conf file:
>>>
>>> passwd: files sss
>>> shadow: files sss
>>> group: files sss
>>>
>>> hosts: files dns
>>>
>>> bootparams: nisplus [NOTFOUND=return] files
>>>
>>> ethers: files
>>> netmasks: files
>>> networks: files
>>> protocols: files
>>> rpc: files
>>> services: files
>>>
>>> netgroup: files sss
>>>
>>> publickey: nisplus
>>>
>>> automount: files ldap
>>> aliases: files
>>>
>>> sudoers: files ldap
>>>
>>> Thanks,
>>> -Mark
>>>
>>> -----Original Message-----
>>> From: freeipa-users-boun...@redhat.com
>>> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
>>> Sent: Tuesday, July 16, 2013 12:51 PM
>>> To: freeipa-users@redhat.com
>>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>>
>>> On 07/16/2013 02:11 PM, Tovey, Mark wrote:
>>>> My environment consists of OEL 5.5 clients with ipa-client-2.1.3 and
>>>> the server is OEL 6.4 with ipa-server-3.0.0. We chose these because we
>>>> were able to find RPM packages for them.
>>>> We would prefer to go with the
>>>> latest versions, but we did not want to spend the time building
>>>> installation packages just yet. Again, we are just evaluating at this
>>>> point. So far, so good, except for this one point.
>>>>
>>>> The domain name, host name, and nsswitch.conf files are all properly
>>>> configured. But I do not have any netgroups defined (the getent command
>>>> doesn't return anything and there is no /etc/netgroup file). After you
>>>> asked about that, I started looking into the documentation on netgroups.
>>>> The IPA documentation for sudo states that "Identity Management creates
>>>> two groups, a visible host group and a shadow netgroup. sudo itself only
>>>> supports NIS-style netgroups for group formats." But when I look in the
>>>> Netgroups area, I do not see any netgroups defined. I used Apache
>>>> Directory Studio to look around the Directory Server, and I can see
>>>> "cn=hgroup1,cn=ng,cn=alt,dc=my_domain,dc=com", along with
>>>> "cn=hgroup1,cn=hostgroups,cn=accounts,dc=my_domain,dc=com". This seems to
>>>> reflect what was stated in the documentation.
>>>>
>>>> But I am still stumped. I cannot get sudo to work with host groups;
>>>> I have to directly add each server to the sudo rule.
>>>>
>>>> Thanks,
>>>> -Mark
>>>
>>> So it seems that the first thing you need to do is to make sure your
>>> netgroups work.
>>> If domain and host are properly set then it might be the wrong base in your
>>> LDAP search for the netgroups.
>>> Are you using SSSD for netgroups or something else?
>>> Can you please share your sssd.conf and the area where it configures netgroups?
>>> Also, is sss in the nsswitch.conf for the netgroups map?
>>>
>>>>
>>>> -----Original Message-----
>>>> From: Martin Kosek [mailto:mko...@redhat.com]
>>>> Sent: Tuesday, July 16, 2013 12:34 AM
>>>> To: Tovey, Mark
>>>> Cc: Steven Jones; James Hogarth; Freeipa-users@redhat.com; Pavel Brezina
>>>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>
>>>> Just checking, did you try the troubleshooting hints from JR I found at the
>>>> top of the thread? I did not find any information about that.
>>>>
>>>> ~~~~
>>>> Can you confirm the output of the following commands:
>>>> 1. $ domainname
>>>>    * does it match your domain?
>>>> 2. $ hostname
>>>>    * does it match your fqdn?
>>>> 3. $ getent netgroup esolutions-sandbox-hosts
>>>>    * does this list your host?
>>>> 4. Does /etc/nsswitch.conf contain the line: "netgroup: files sss"?
>>>>
>>>> Another important Sudo Troubleshooting step is to edit:
>>>> /etc/sudo-ldap.conf (or /etc/ldap.conf, depending on what version of
>>>> RHEL/Sudo you're running):
>>>>
>>>> At the top, add the line: sudoers_debug 2
>>>>
>>>> Then try another sudo command. sudo -l for example.
>>>> ~~~~
>>>>
>>>> For example, it would help to know that the netgroup list (step 3) works or
>>>> that domainname is set correctly (step 1).
>>>>
>>>> Martin
>>>>
>>>> On 07/16/2013 06:09 AM, Tovey, Mark wrote:
>>>>>
>>>>> Okay, I stopped sssd on the client and deleted the cache
>>>>> files, removed the sudo rule, started sssd and verified that the
>>>>> rule was gone, stopped sssd and deleted the files again, added the
>>>>> rule back in, restarted sssd, and still it does not work.
>>>>>
>>>>> One note, when I enter the hosts into the sudo rule in place of
>>>>> the host group, the effect is immediate; I do not need to restart
>>>>> sssd. And the opposite is true too: if I put the host group back,
>>>>> the rule immediately stops working. I don't think the issue is
>>>>> cache related; it seems to be something else. The serv_account that we
>>>>> are accessing with the sudo rule is external. I wouldn't expect that to
>>>>> matter, but perhaps it does?
>>>>>
>>>>> I like your idea for the labels; they make sense. Right now
>>>>> we are just evaluating this to see if we want to go this route.
>>>>> So far we like it, but this could be a problem because we have
>>>>> several hundred hosts that we need to manage. Having to enter each one
>>>>> individually will be problematic.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> -Mark
>>>>>
>>>>> *From:* Steven Jones [mailto:steven.jo...@vuw.ac.nz]
>>>>> *Sent:* Monday, July 15, 2013 4:44 PM
>>>>> *To:* Tovey, Mark; James Hogarth
>>>>> *Cc:* Freeipa-users@redhat.com
>>>>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>> option b) delete the rule totally and redo it from scratch.
>>>>>
>>>>> I label rules like this,
>>>>>
>>>>> hb-xxxx for a hbac rule
>>>>> su-xxxx for a sudo rule
>>>>> sc-xxxx for a sudo command group
>>>>> ug-xxxx for a user group
>>>>> hg-xxxx for a host group
>>>>> etc
>>>>>
>>>>> It makes the logic easier when you go into the command line, which I
>>>>> find easier to trace with than the gui at times.
>>>>>
>>>>> regards
>>>>>
>>>>> Steven Jones
>>>>>
>>>>> Technical Specialist - Linux RHCE
>>>>>
>>>>> Victoria University, Wellington, NZ
>>>>>
>>>>> 0064 4 463 6272
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>>
>>>>> *From:* Tovey, Mark [mto...@go2uti.com]
>>>>> *Sent:* Tuesday, 16 July 2013 11:34 a.m.
>>>>> *To:* Steven Jones; James Hogarth
>>>>> *Cc:* Freeipa-users@redhat.com
>>>>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>> That didn't work either. I set up the host group in my sudo
>>>>> rule, stopped sssd, renamed /var/lib/sss/db and created a new db
>>>>> directory, then restarted sssd. New files were created in the db
>>>>> directory, but it still refuses to work unless the hosts are directly
>>>>> specified in the sudo rule.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> -Mark
>>>>>
>>>>> *From:* Steven Jones [mailto:steven.jo...@vuw.ac.nz]
>>>>> *Sent:* Monday, July 15, 2013 4:15 PM
>>>>> *To:* Tovey, Mark; James Hogarth
>>>>> *Cc:* Freeipa-users@redhat.com
>>>>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>> Hi,
>>>>>
>>>>> This is a known issue I've suffered a long time with. What would
>>>>> be interesting is adding another host to the host group could well
>>>>> work fine, that will really make you bang your head against the wall..
>>>>>
>>>>> 2 possibilities, stop the sssd daemon on the problem host, delete
>>>>> its cache and start it, that might fix it.
>>>>>
>>>>> Otherwise best to,
>>>>>
>>>>> All RH support could come up with is delete the HBAC rule, sudo
>>>>> rule, user group and host group and re-do it, then it will probably work
>>>>> fine.
>>>>>
>>>>> regards
>>>>>
>>>>> Steven Jones
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>>
>>>>> *From:* freeipa-users-boun...@redhat.com
>>>>> [freeipa-users-boun...@redhat.com] on behalf of Tovey, Mark
>>>>> [mto...@go2uti.com]
>>>>> *Sent:* Tuesday, 16 July 2013 10:54 a.m.
>>>>> *To:* James Hogarth
>>>>> *Cc:* Freeipa-users@redhat.com
>>>>> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>> I checked that and it is set correctly:
>>>>>
>>>>> [user1@host1 ~]$ nisdomainname
>>>>> my_domain.com
>>>>>
>>>>> If I try to run a command with the hosts specified indirectly
>>>>> through a host group, it fails:
>>>>>
>>>>> [user1@host1 ~]$ sudo -i -u serv_account
>>>>> LDAP Config Summary
>>>>> ===================
>>>>> uri ldap://ipa_server.my_domain.com
>>>>> ldap_version 3
>>>>> sudoers_base ou=SUDOers,dc=my_domain,dc=com
>>>>> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
>>>>> bindpw **********
>>>>> bind_timelimit 5000
>>>>> timelimit 15
>>>>> ssl start_tls
>>>>> tls_checkpeer (yes)
>>>>> tls_cacertfile /etc/ipa/ca.crt
>>>>> ===================
>>>>> sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
>>>>> sudo: ldap_set_option: debug -> 0
>>>>> sudo: ldap_set_option: ldap_version -> 3
>>>>> sudo: ldap_set_option: tls_checkpeer -> 1
>>>>> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
>>>>> sudo: ldap_set_option: timelimit -> 15
>>>>> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
>>>>> sudo: ldap_start_tls_s() ok
>>>>> sudo: ldap_sasl_bind_s() ok
>>>>> sudo: no default options found!
>>>>> sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
>>>>> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
>>>>> sudo: ldap sudoHost '+hgroup1' ... not
>>>>> sudo: ldap search 'sudoUser=+*'
>>>>> sudo: user_matches=1
>>>>> sudo: host_matches=0
>>>>> sudo: sudo_ldap_lookup(0)=0x40
>>>>> [sudo] password for user1:
>>>>> Sorry, try again.
>>>>> [sudo] password for user1:
>>>>> sudo: 1 incorrect password attempt
>>>>>
>>>>> But if I remove the host group from the sudo rule and
>>>>> directly add the hosts that were in the host group, it works fine:
>>>>>
>>>>> <snip>
>>>>> sudo: ldap_start_tls_s() ok
>>>>> sudo: ldap_sasl_bind_s() ok
>>>>> sudo: no default options found!
>>>>> sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
>>>>> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
>>>>> sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
>>>>> sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
>>>>> sudo: ldap sudoCommand 'ALL' ... MATCH!
>>>>> sudo: Command allowed
>>>>> sudo: user_matches=1
>>>>> sudo: host_matches=1
>>>>> sudo: sudo_ldap_lookup(0)=0x02
>>>>> [sudo] password for user1:
>>>>> [serv_account@host1 ~]$
>>>>>
>>>>> So something isn't lining up correctly with host groups in
>>>>> sudo rules somewhere. I just haven't been able to track it down.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> -Mark
>>>>>
>>>>> *From:* James Hogarth [mailto:james.hoga...@gmail.com]
>>>>> *Sent:* Monday, July 15, 2013 1:11 PM
>>>>> *To:* Tovey, Mark
>>>>> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>>>
>>>>>> Did anyone find a solution for this? I am having the same
>>>>>> experience.
>>>>>>
>>>>> Wow that was a mess...
>>>>>
>>>>> To use hostgroups for sudo ensure nisdomainname is set on the
>>>>> hosts to the IPA domain.
>>>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager for IdM portfolio Red Hat Inc.
>>>
>>> -------------------------------
>>> Looking to carve out IT costs?
>>> www.redhat.com/carveoutcosts/
>>>

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
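As an added illustration (not code from the thread, from FreeIPA or from sudo), the Python below models the host side of sudo's `+netgroup` sudoHost match against a `getent netgroup` triple and parses `sudoers_debug 2` lines of the kind quoted above, so the two checks the thread keeps asking for (does the netgroup list the host, and what did sudo decide) can be cross-checked from captured output. The netgroup line and debug lines are constructed to mirror the thread; the `"(none)"` default-domain detail is my note on Linux behaviour, not something the thread states.

```python
import re

# Constructed samples modelled on what the thread shows (not captured from the poster's hosts).
GETENT_NETGROUP = "hgroup1 (host1.my_domain.com, -, my_domain.com)"
SUDO_DEBUG = """\
sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
sudo: ldap sudoHost '+hgroup1' ... not
sudo: user_matches=1
sudo: host_matches=0
"""

TRIPLE_RE = re.compile(r"\(([^,]*),([^,]*),([^)]*)\)")


def parse_netgroup(line):
    """Split one 'getent netgroup' line into (name, [(host, user, domain), ...])."""
    name, _, rest = line.partition(" ")
    triples = [tuple(f.strip() for f in m.groups()) for m in TRIPLE_RE.finditer(rest)]
    return name, triples


def host_in_netgroup(triples, fqdn, nisdomain):
    """innetgr(3)-style host check as sudo's '+netgroup' sudoHost match performs it.

    An empty triple field is a wildcard. sudo passes the client's NIS domain when one
    is set; on Linux an unset domain reads back as the literal "(none)", which is then
    compared against the triple and never equals the IPA domain (hence the advice in
    the thread to set nisdomainname). nisdomain=None models innetgr's NULL domain.
    """
    for host, _user, domain in triples:  # the user field is not consulted for host matching
        host_ok = host == "" or host.lower() == fqdn.lower()
        domain_ok = nisdomain is None or domain == "" or domain.lower() == nisdomain.lower()
        if host_ok and domain_ok:
            return True
    return False


def sudo_host_verdict(debug_output):
    """Extract per-sudoHost decisions and the final host_matches flag from sudoers_debug 2 output."""
    hosts = re.findall(r"sudoHost '([^']*)' \.\.\. (MATCH!|not)", debug_output)
    flag = re.search(r"host_matches=(\d)", debug_output)
    return {h: v == "MATCH!" for h, v in hosts}, bool(flag and flag.group(1) == "1")


def diagnose(getent_line, fqdn, nisdomain, debug_output):
    """Cross-check the netgroup side (what getent returns) against what sudo decided."""
    name, triples = parse_netgroup(getent_line)
    findings = []
    if not host_in_netgroup(triples, fqdn, nisdomain):
        findings.append("%s does not match netgroup %s for NIS domain %r" % (fqdn, name, nisdomain))
    decisions, matched = sudo_host_verdict(debug_output)
    for entry, ok in decisions.items():
        if entry.startswith("+") and not ok:
            findings.append("sudo rejected netgroup entry %s (host_matches=%d)" % (entry, matched))
    return findings


if __name__ == "__main__":
    for dom in ("my_domain.com", "(none)"):
        print(dom, diagnose(GETENT_NETGROUP, "host1.my_domain.com", dom, SUDO_DEBUG))
```

With the domain set correctly the netgroup side passes and only sudo's own rejection remains, which is the situation the thread ends in; with the domain unset both checks fail, which is the case James Hogarth's advice addresses.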