I know I'm missing something simple, but I can't get this IPA client to accept any sudo rules. The user (test...@domain.com, apparently from a trusted domain) is a member of ad_klasadm, which the `operations` rule lists under User Groups, yet `sudo -l` reports that the user is not allowed to run sudo on this host.

-sh-4.1$ sudo -l
[sudo] password for test...@domain.com:
User test...@domain.com is not allowed to run sudo on cypress.
-sh-4.1$ id
uid=11659(test...@domain.com) gid=11659(test...@domain.com)
groups=11659(testadm@domain.
com),160400007(ad_klasadm)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-sh-4.1$ kinit admin
Password for ad...@hosted.domain.com:
-sh-4.1$ ipa sudorule-show operations
  Rule name: operations
  Description: KLAS / System Admins
  Enabled: TRUE
  Command category: all
  Users: localadm
  User Groups: ad_operations, ad_operations_external, ad_klasadm,
               ad_klasadm_external

/var/log/sssd/sssd_sudo.log
(Tue Apr  8 15:08:46 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting rules for [testadm] from [DOMAIN.COM]
(Tue Apr  8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requestinginfo about [test...@domain.com]
(Tue Apr  8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [test...@domain.com]
(Tue Apr  8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving rules for [test...@domain.com] from [DOMAIN.COM]
(Tue Apr  8 15:08:46 2014) [sssd[sudo]] [sysdb_search_group_by_gid]
(0x0400): No such entry
(Tue Apr  8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
test...@domain.com
)(sudoUser=#11659)(sudoUser=%ad_klasadm)(sudoUser=+*))(&(dataExpireTimestamp<=1396984126)))]
(Tue Apr  8 15:08:46 2014) [sssd[sudo]] [sysdb_search_group_by_gid]
(0x0400): No such entry
(Tue Apr  8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=test...@domain.com
)(sudoUser=#11659)(sudoUser=%ad_klasadm)(sudoUser=+*)))]
(Tue Apr  8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 1 rules for [test...@domain.com]
(Tue Apr  8 15:08:46 2014) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!


[root@cypress etc]# cat nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files sss
shadow:     files sss
group:      files sss
# sudo consults SSSD's sudo responder after /etc/sudoers; this only works with
# a sudo build that has SSSD support and with "sudo" enabled in sssd.conf.
sudoers:    files sss

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files
aliases:    files nisplus

[root@cypress etc]# cd sssd
[root@cypress sssd]# ls
sssd.conf  sssd.conf.deleted  sssd.conf.sv
[root@cypress sssd]# cat sssd.conf
# Single IPA domain: identity, authentication, access control and password
# changes all go through the IPA provider (sudo is overridden further down).
[domain/hosted.domain.com]

# Offline login: SSSD stores a hash of the last successful password locally so
# users can still authenticate while the IPA server is unreachable.
cache_credentials = True
# NOTE(review): with this set, SSSD holds the user's Kerberos password in
# memory while the KDC is unreachable so it can obtain a TGT later; confirm
# that is acceptable for this host.
krb5_store_password_if_offline = True
ipa_domain = hosted.domain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = cypress.hosted.domain.com
chpass_provider = ipa
ipa_dyndns_update = True
# DNS SRV discovery first, the named server as fallback.
ipa_server = _srv_, ipa.hosted.domain.com
# CA used to validate the server certificate; only exercised on TLS
# connections, not on the plain ldap:// URI used for sudo below.
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level=6

#
# sudo integration
#
# sudo rules are fetched with the generic LDAP sudo provider from the IPA
# compat tree (ou=sudoers), not through the IPA provider used for identity.
# NOTE(review): newer SSSD releases offer "sudo_provider = ipa", which reads
# the native IPA sudo rules directly; check the SSSD version on this client.
sudo_provider = ldap
# Plain ldap:// URI, i.e. no TLS. The bind below is GSSAPI, so confidentiality
# and integrity of the sudo-rule query depend on the negotiated SASL security
# layer (see ldap_sasl_minssf in sssd-ldap(5)); ldaps:// or start_tls would
# make the protection explicit instead of negotiated.
ldap_uri = ldap://ipa.hosted.domain.com
ldap_sudo_search_base = ou=sudoers,dc=hosted,dc=domain,dc=com
# Bind with this host's own keytab principal rather than a bind DN/password,
# so no credential has to be stored in this file.
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/cypress.hosted.domain.com
ldap_sasl_realm = HOSTED.DOMAIN.COM
krb5_server = ipa.hosted.domain.com


[sssd]
# The sudo responder must be listed here for "sudoers: sss" in nsswitch.conf
# to have anything to talk to. autofs has a section below but is not enabled.
services = nss, pam, ssh, pac, sudo
config_file_version = 2
domains = hosted.domain.com
# Level 6 is verbose; lower it once the problem is diagnosed, since these logs
# record user, group and rule names (see the sysdb filter in sssd_sudo.log).
debug_level=6

[nss]


[pam]


[sudo]
debug_level=6

[autofs]

[ssh]


[pac]
[root@cypress sssd]#