Re: [Freeipa-users] ns-slapd hang/segfault
On Wed, Dec 21, 2011 at 16:43, Simo Sorce wrote:
> On Wed, 2011-12-21 at 15:33 -0500, Dan Scott wrote:
>> On Wed, Dec 21, 2011 at 14:10, Dan Scott wrote:
>> > On Mon, Dec 19, 2011 at 15:26, Dan Scott wrote:
>> >> On Mon, Dec 19, 2011 at 14:14, Simo Sorce wrote:
>> >>> On Mon, 2011-12-19 at 11:01 -0500, Dan Scott wrote:
>> On Thu, Dec 15, 2011 at 11:51, Rich Megginson wrote:
>> > On 12/15/2011 09:48 AM, Dan Scott wrote:
>> >>
>> >> Hi,
>> >>
>> >> On Thu, Dec 15, 2011 at 10:58, Rich Megginson wrote:
>> >>>
>> >>> On 12/15/2011 08:41 AM, Dan Scott wrote:
>>
>> Hi,
>>
>> On my Fedora 15 FreeIPA server, I'm having some problems with stability. The server appears to 'hang' and stops responding to LDAP lookups. When I restart the dirsrv service, I get:
>>
>> Dec 15 09:40:02 ohm kernel: [254566.011404] ns-slapd[28910]: segfault at 17d ip 7f00dbc0208c sp 7fff929b7848 error 4 in libc-2.14.so[7f00dbb87000+18f000]
>>
>> and the /var/log/dirsrv/slapd-EXAMPLE-COM/errors contains
>>
>> [15/Dec/2011:09:47:35 -0500] set_krb5_creds - Could not get initial credentials for principal [ldap/example@example.com] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>> [15/Dec/2011:09:47:35 -0500] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
>>
>> This is happening very frequently; I'm having to restart the dirsrv process once an hour, otherwise people start complaining.
>>
>> I experienced similar problems with FreeIPA 1, when I was using Fedora 14 and earlier, and had to regularly (also once per hour) restart the dirsrv process. Could this be related?
>>
>> I also noticed this:
>> https://bugzilla.redhat.com/show_bug.cgi?id=730387
>>
>> There are updates in 'updates-testing' which I believe fix the above issue, but I'm reluctant to install from a testing repo on my production server. Can anyone report any feedback on this?
>> >>>
>> >>> The above bug does not cause a segfault.
>> >>> What version of 389-ds-base are you using?
>> >>
>> >> [root@ohm ~]# rpm -qa|grep 389
>> >> 389-ds-base-libs-1.2.10-0.4.a4.fc15.x86_64
>> >> 389-ds-base-1.2.10-0.4.a4.fc15.x86_64
>> >> [root@ohm ~]#
>> >
>> > a4 is alpha software. Not sure how that got released to stable.
>> >
>> >>> Please enable the collection of core dumps so we can debug the crash - see
>> >>> http://directory.fedoraproject.org/wiki/FAQ#Debugging_Crashes
>> >>
>> >> OK. I think there is a small typo in the instructions:
>> >>
>> >> 'debuginfo-install 389-ds-base-debuginfo' should be 'debuginfo-install 389-ds-base'
>> >
>> > Thanks. Fixed.
>> >
>> >> I managed to get the core dump (attached - so I only sent this message to you, not the list as well), but it doesn't contain much information.
>> >
>> > This is https://bugzilla.redhat.com/show_bug.cgi?id=755725
>> >
>> > Will be fixed in 1.2.10.a6
>> >
>> > But this still doesn't explain your Kerberos errors.
>>
>> An additional problem is also occurring. I've been finding that the:
>>
>> /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
>>
>> file is empty and prevents dirsrv from starting. I can restore it from dse.ldif.bak or dse.ldif.startOK, but this may be related to the LDAP problems that I'm having?
>> >>>
>> >>> This is an upgrade time problem; it should be fixed in the latest packages.
>> >>> Did you recently upgrade freeipa packages? If so, from what version to what version?
>> >>
>> >> The 0 length file doesn't appear related to upgrades. Possibly it only happens on the first service restart after an upgrade?
>> >>
>> >> It's happened at least 4 times since the last freeipa package upgrade on 4th November, so it seems to be happening too regularly to be the result of an upgrade.
>> >>
>> >> [root@curie ~]# grep freeipa /var/log/yum.log
>> >> Sep 06 16:56:51 Installed: freeipa-python-2.0.1-2.fc15.x86_64
>> >> Sep 06 17:00:13 Installed: freeipa-client-2.0.1-2.fc15.x86_64
>> >> Sep 06 17:00:1
Re: [Freeipa-users] ns-slapd hang/segfault
On Wed, 2011-12-21 at 15:33 -0500, Dan Scott wrote:
> On Wed, Dec 21, 2011 at 14:10, Dan Scott wrote:
> > On Mon, Dec 19, 2011 at 15:26, Dan Scott wrote:
> >> On Mon, Dec 19, 2011 at 14:14, Simo Sorce wrote:
> >>> On Mon, 2011-12-19 at 11:01 -0500, Dan Scott wrote:
> On Thu, Dec 15, 2011 at 11:51, Rich Megginson wrote:
> > On 12/15/2011 09:48 AM, Dan Scott wrote:
> >>
> >> Hi,
> >>
> >> On Thu, Dec 15, 2011 at 10:58, Rich Megginson wrote:
> >>>
> >>> On 12/15/2011 08:41 AM, Dan Scott wrote:
>
> Hi,
>
> On my Fedora 15 FreeIPA server, I'm having some problems with stability. The server appears to 'hang' and stops responding to LDAP lookups. When I restart the dirsrv service, I get:
>
> Dec 15 09:40:02 ohm kernel: [254566.011404] ns-slapd[28910]: segfault at 17d ip 7f00dbc0208c sp 7fff929b7848 error 4 in libc-2.14.so[7f00dbb87000+18f000]
>
> and the /var/log/dirsrv/slapd-EXAMPLE-COM/errors contains
>
> [15/Dec/2011:09:47:35 -0500] set_krb5_creds - Could not get initial credentials for principal [ldap/example@example.com] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> [15/Dec/2011:09:47:35 -0500] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
>
> This is happening very frequently; I'm having to restart the dirsrv process once an hour, otherwise people start complaining.
>
> I experienced similar problems with FreeIPA 1, when I was using Fedora 14 and earlier, and had to regularly (also once per hour) restart the dirsrv process. Could this be related?
>
> I also noticed this:
> https://bugzilla.redhat.com/show_bug.cgi?id=730387
>
> There are updates in 'updates-testing' which I believe fix the above issue, but I'm reluctant to install from a testing repo on my production server. Can anyone report any feedback on this?
> >>>
> >>> The above bug does not cause a segfault.
> >>> What version of 389-ds-base are you using?
> >>
> >> [root@ohm ~]# rpm -qa|grep 389
> >> 389-ds-base-libs-1.2.10-0.4.a4.fc15.x86_64
> >> 389-ds-base-1.2.10-0.4.a4.fc15.x86_64
> >> [root@ohm ~]#
> >
> > a4 is alpha software. Not sure how that got released to stable.
> >
> >>> Please enable the collection of core dumps so we can debug the crash - see
> >>> http://directory.fedoraproject.org/wiki/FAQ#Debugging_Crashes
> >>
> >> OK. I think there is a small typo in the instructions:
> >>
> >> 'debuginfo-install 389-ds-base-debuginfo' should be 'debuginfo-install 389-ds-base'
> >
> > Thanks. Fixed.
> >
> >> I managed to get the core dump (attached - so I only sent this message to you, not the list as well), but it doesn't contain much information.
> >
> > This is https://bugzilla.redhat.com/show_bug.cgi?id=755725
> >
> > Will be fixed in 1.2.10.a6
> >
> > But this still doesn't explain your Kerberos errors.
>
> An additional problem is also occurring. I've been finding that the:
>
> /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
>
> file is empty and prevents dirsrv from starting. I can restore it from dse.ldif.bak or dse.ldif.startOK, but this may be related to the LDAP problems that I'm having?
> >>>
> >>> This is an upgrade time problem; it should be fixed in the latest packages.
> >>> Did you recently upgrade freeipa packages? If so, from what version to what version?
> >>
> >> The 0 length file doesn't appear related to upgrades. Possibly it only happens on the first service restart after an upgrade?
> >>
> >> It's happened at least 4 times since the last freeipa package upgrade on 4th November, so it seems to be happening too regularly to be the result of an upgrade.
> >>
> >> [root@curie ~]# grep freeipa /var/log/yum.log
> >> Sep 06 16:56:51 Installed: freeipa-python-2.0.1-2.fc15.x86_64
> >> Sep 06 17:00:13 Installed: freeipa-client-2.0.1-2.fc15.x86_64
> >> Sep 06 17:00:14 Installed: freeipa-admintools-2.0.1-2.fc15.x86_64
> >> Sep 06 17:01:52 Installed: freeipa-server-selinux-2.0.1-2.fc15.x86_64
> >> Sep 06 17:01:56 Installed: freeipa-server-2.0.1-2.fc15.x86_64
> >> Sep 08 11:23:35 Updated: freeipa-py
Re: [Freeipa-users] ns-slapd hang/segfault
On Mon, Dec 19, 2011 at 15:26, Dan Scott wrote:
> On Mon, Dec 19, 2011 at 14:14, Simo Sorce wrote:
>> On Mon, 2011-12-19 at 11:01 -0500, Dan Scott wrote:
>>> On Thu, Dec 15, 2011 at 11:51, Rich Megginson wrote:
>>> > On 12/15/2011 09:48 AM, Dan Scott wrote:
>>> >>
>>> >> Hi,
>>> >>
>>> >> On Thu, Dec 15, 2011 at 10:58, Rich Megginson wrote:
>>> >>>
>>> >>> On 12/15/2011 08:41 AM, Dan Scott wrote:
>>>
>>> Hi,
>>>
>>> On my Fedora 15 FreeIPA server, I'm having some problems with stability. The server appears to 'hang' and stops responding to LDAP lookups. When I restart the dirsrv service, I get:
>>>
>>> Dec 15 09:40:02 ohm kernel: [254566.011404] ns-slapd[28910]: segfault at 17d ip 7f00dbc0208c sp 7fff929b7848 error 4 in libc-2.14.so[7f00dbb87000+18f000]
>>>
>>> and the /var/log/dirsrv/slapd-EXAMPLE-COM/errors contains
>>>
>>> [15/Dec/2011:09:47:35 -0500] set_krb5_creds - Could not get initial credentials for principal [ldap/example@example.com] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>> [15/Dec/2011:09:47:35 -0500] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
>>>
>>> This is happening very frequently; I'm having to restart the dirsrv process once an hour, otherwise people start complaining.
>>>
>>> I experienced similar problems with FreeIPA 1, when I was using Fedora 14 and earlier, and had to regularly (also once per hour) restart the dirsrv process. Could this be related?
>>>
>>> I also noticed this:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=730387
>>>
>>> There are updates in 'updates-testing' which I believe fix the above issue, but I'm reluctant to install from a testing repo on my production server. Can anyone report any feedback on this?
>>> >>>
>>> >>> The above bug does not cause a segfault.
>>> >>> What version of 389-ds-base are you using?
>>> >>
>>> >> [root@ohm ~]# rpm -qa|grep 389
>>> >> 389-ds-base-libs-1.2.10-0.4.a4.fc15.x86_64
>>> >> 389-ds-base-1.2.10-0.4.a4.fc15.x86_64
>>> >> [root@ohm ~]#
>>> >
>>> > a4 is alpha software. Not sure how that got released to stable.
>>> >
>>> >>> Please enable the collection of core dumps so we can debug the crash - see
>>> >>> http://directory.fedoraproject.org/wiki/FAQ#Debugging_Crashes
>>> >>
>>> >> OK. I think there is a small typo in the instructions:
>>> >>
>>> >> 'debuginfo-install 389-ds-base-debuginfo' should be 'debuginfo-install 389-ds-base'
>>> >
>>> > Thanks. Fixed.
>>> >
>>> >> I managed to get the core dump (attached - so I only sent this message to you, not the list as well), but it doesn't contain much information.
>>> >
>>> > This is https://bugzilla.redhat.com/show_bug.cgi?id=755725
>>> >
>>> > Will be fixed in 1.2.10.a6
>>> >
>>> > But this still doesn't explain your Kerberos errors.
>>>
>>> An additional problem is also occurring. I've been finding that the:
>>>
>>> /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
>>>
>>> file is empty and prevents dirsrv from starting. I can restore it from dse.ldif.bak or dse.ldif.startOK, but this may be related to the LDAP problems that I'm having?
>>
>> This is an upgrade time problem; it should be fixed in the latest packages.
>> Did you recently upgrade freeipa packages? If so, from what version to what version?
>
> The 0 length file doesn't appear related to upgrades. Possibly it only happens on the first service restart after an upgrade?
>
> It's happened at least 4 times since the last freeipa package upgrade on 4th November, so it seems to be happening too regularly to be the result of an upgrade.
>
> [root@curie ~]# grep freeipa /var/log/yum.log
> Sep 06 16:56:51 Installed: freeipa-python-2.0.1-2.fc15.x86_64
> Sep 06 17:00:13 Installed: freeipa-client-2.0.1-2.fc15.x86_64
> Sep 06 17:00:14 Installed: freeipa-admintools-2.0.1-2.fc15.x86_64
> Sep 06 17:01:52 Installed: freeipa-server-selinux-2.0.1-2.fc15.x86_64
> Sep 06 17:01:56 Installed: freeipa-server-2.0.1-2.fc15.x86_64
> Sep 08 11:23:35 Updated: freeipa-python-2.1.0-1.fc15.x86_64
> Sep 08 11:23:41 Updated: freeipa-client-2.1.0-1.fc15.x86_64
> Sep 08 11:23:41 Updated: freeipa-admintools-2.1.0-1.fc15.x86_64
> Sep 08 11:25:00 Updated: freeipa-server-selinux-2.1.0-1.fc15.x86_64
> Sep 08 11:26:06 Updated: freeipa-server-2.1.0-1.fc15.x86_64
> Nov 04 15:46:43 Updated: freeipa-python-2.1.3-2.fc15.x86_64
> Nov 04 15:52:48 Updated: freeipa-client-2.1.3-2.fc15.x86_64
> Nov 04 15:52:48 Updated: freeipa-admintools-2.1.3-2.fc15.x86_64
> Nov 04 15:54:47 U
Re: [Freeipa-users] Sudo configuration question
On 12/21/2011 09:14 AM, Stephen Gallagher wrote:
> On Wed, 2011-12-21 at 09:08 -0900, Erinn Looney-Triggs wrote:
>> On 12/21/2011 04:37 AM, Stephen Gallagher wrote:
>>> On Tue, 2011-12-20 at 12:59 -0900, Erinn Looney-Triggs wrote:
>>>> I have been working through configuring sudo via IPA and ran into the following situation.
>>>>
>>>> There is a directive in the documentation to configure /etc/sssd/sssd.conf on the clients with something like the following:
>>>>
>>>> ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
>>>>
>>>> This is pulled from the docs here for reference:
>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
>>>>
>>>> This is fine and causes no problems; however, when I mistakenly left it out on a few systems, sudo continued to function, so I am wondering what it is that this directive does? Does this get sssd into the loop to cache sudo rules for offline use?
>>>>
>>>> Any ideas?
>>> Sorry for the confusion in the other responses to this thread. The short answer is this: SUDO can use LDAP rules (as you clearly know). It does this with its own internal LDAP lookup (it doesn't currently go through SSSD to accomplish this).
>>>
>>> However, SUDO rules can specify netgroups as part of their restrictions on who can do what (usually these are used to limit functions to certain hosts). In order to do this, SSSD needs to be configured to look up netgroups properly so that SUDO can use the 'getnetgrent()' glibc command to locate the netgroups.
>>>
>>> The doc you are looking at is actually a bit out of date. It's no longer necessary to provide that option, because if it's unspecified, we set it automatically to cn=ng,cn=compat,dc=example,dc=com (using the appropriate base, of course).
>>>
>>> Jan's comments about upstream work were that we recently made changes to avoid needing to use the compat tree for netgroup lookups and can instead use FreeIPA's native, custom schema for netgroups. That's not terribly relevant to you, but it's a useful piece of information.
>>>
>>> So, in short, you don't need to set it, the doc is outdated.
>>>
>>> ___
>>> Freeipa-users mailing list
>>> Freeipa-users@redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> Ok thanks, that makes sense. One final question here: is there a way to verify that sssd is in fact setting this properly? Not that I doubt you of course, it is just a matter of so many versions of sssd in so many places that it would be good to verify that it works automagically on RHEL 5, 6, and whatever else, say Ubuntu etc.
>>
>> -Erinn
>>
> You can set 'debug_level = 6' in [domain/] of sssd.conf and restart. If you look in the sssd_.log, you should see a line setting the ldap_netgroup_search_base option.

Great, thank you so much for your time. I really appreciate it.

-Erinn

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Sudo configuration question
On Wed, 2011-12-21 at 09:08 -0900, Erinn Looney-Triggs wrote:
> On 12/21/2011 04:37 AM, Stephen Gallagher wrote:
> > On Tue, 2011-12-20 at 12:59 -0900, Erinn Looney-Triggs wrote:
> > > I have been working through configuring sudo via IPA and ran into the following situation.
> > >
> > > There is a directive in the documentation to configure /etc/sssd/sssd.conf on the clients with something like the following:
> > >
> > > ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
> > >
> > > This is pulled from the docs here for reference:
> > > http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
> > >
> > > This is fine and causes no problems; however, when I mistakenly left it out on a few systems, sudo continued to function, so I am wondering what it is that this directive does? Does this get sssd into the loop to cache sudo rules for offline use?
> > >
> > > Any ideas?
> > Sorry for the confusion in the other responses to this thread. The short answer is this: SUDO can use LDAP rules (as you clearly know). It does this with its own internal LDAP lookup (it doesn't currently go through SSSD to accomplish this).
> >
> > However, SUDO rules can specify netgroups as part of their restrictions on who can do what (usually these are used to limit functions to certain hosts). In order to do this, SSSD needs to be configured to look up netgroups properly so that SUDO can use the 'getnetgrent()' glibc command to locate the netgroups.
> >
> > The doc you are looking at is actually a bit out of date. It's no longer necessary to provide that option, because if it's unspecified, we set it automatically to cn=ng,cn=compat,dc=example,dc=com (using the appropriate base, of course).
> >
> > Jan's comments about upstream work were that we recently made changes to avoid needing to use the compat tree for netgroup lookups and can instead use FreeIPA's native, custom schema for netgroups. That's not terribly relevant to you, but it's a useful piece of information.
> >
> > So, in short, you don't need to set it, the doc is outdated.
>
> Ok thanks, that makes sense. One final question here: is there a way to verify that sssd is in fact setting this properly? Not that I doubt you of course, it is just a matter of so many versions of sssd in so many places that it would be good to verify that it works automagically on RHEL 5, 6, and whatever else, say Ubuntu etc.
>
> -Erinn
>

You can set 'debug_level = 6' in [domain/] of sssd.conf and restart. If you look in the sssd_.log, you should see a line setting the ldap_netgroup_search_base option.
Re: [Freeipa-users] Sudo configuration question
On 12/21/2011 04:37 AM, Stephen Gallagher wrote:
> On Tue, 2011-12-20 at 12:59 -0900, Erinn Looney-Triggs wrote:
>> I have been working through configuring sudo via IPA and ran into the following situation.
>>
>> There is a directive in the documentation to configure /etc/sssd/sssd.conf on the clients with something like the following:
>>
>> ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
>>
>> This is pulled from the docs here for reference:
>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
>>
>> This is fine and causes no problems; however, when I mistakenly left it out on a few systems, sudo continued to function, so I am wondering what it is that this directive does? Does this get sssd into the loop to cache sudo rules for offline use?
>>
>> Any ideas?
> Sorry for the confusion in the other responses to this thread. The short answer is this: SUDO can use LDAP rules (as you clearly know). It does this with its own internal LDAP lookup (it doesn't currently go through SSSD to accomplish this).
>
> However, SUDO rules can specify netgroups as part of their restrictions on who can do what (usually these are used to limit functions to certain hosts). In order to do this, SSSD needs to be configured to look up netgroups properly so that SUDO can use the 'getnetgrent()' glibc command to locate the netgroups.
>
> The doc you are looking at is actually a bit out of date. It's no longer necessary to provide that option, because if it's unspecified, we set it automatically to cn=ng,cn=compat,dc=example,dc=com (using the appropriate base, of course).
>
> Jan's comments about upstream work were that we recently made changes to avoid needing to use the compat tree for netgroup lookups and can instead use FreeIPA's native, custom schema for netgroups. That's not terribly relevant to you, but it's a useful piece of information.
>
> So, in short, you don't need to set it, the doc is outdated.

Ok thanks, that makes sense. One final question here: is there a way to verify that sssd is in fact setting this properly? Not that I doubt you of course, it is just a matter of so many versions of sssd in so many places that it would be good to verify that it works automagically on RHEL 5, 6, and whatever else, say Ubuntu etc.

-Erinn
Re: [Freeipa-users] Sudo configuration question
> On Tue, 2011-12-20 at 12:59 -0900, Erinn Looney-Triggs wrote:
> > I have been working through configuring sudo via IPA and ran into the following situation.
> >
> > There is a directive in the documentation to configure /etc/sssd/sssd.conf on the clients with something like the following:
> >
> > ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
> >
> > This is pulled from the docs here for reference:
> > http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
> >
> > This is fine and causes no problems; however, when I mistakenly left it out on a few systems, sudo continued to function, so I am wondering what it is that this directive does? Does this get sssd into the loop to cache sudo rules for offline use?
> >
> > Any ideas?
>
> Sorry for the confusion in the other responses to this thread. The short answer is this: SUDO can use LDAP rules (as you clearly know). It does this with its own internal LDAP lookup (it doesn't currently go through SSSD to accomplish this).
>
> However, SUDO rules can specify netgroups as part of their restrictions on who can do what (usually these are used to limit functions to certain hosts). In order to do this, SSSD needs to be configured to look up netgroups properly so that SUDO can use the 'getnetgrent()' glibc command to locate the netgroups.
>
> The doc you are looking at is actually a bit out of date. It's no longer necessary to provide that option, because if it's unspecified, we set it automatically to cn=ng,cn=compat,dc=example,dc=com (using the appropriate base, of course).
>
> Jan's comments about upstream work were that we recently made changes to avoid needing to use the compat tree for netgroup lookups and can instead use FreeIPA's native, custom schema for netgroups. That's not terribly relevant to you, but it's a useful piece of information.

Actually no, my comment was a reaction to the original question of whether the SSSD can get into the loop to cache sudo rules for offline use.

> So, in short, you don't need to set it, the doc is outdated.

Jan
Re: [Freeipa-users] Sudo configuration question
On Tue, 2011-12-20 at 12:59 -0900, Erinn Looney-Triggs wrote:
> I have been working through configuring sudo via IPA and ran into the following situation.
>
> There is a directive in the documentation to configure /etc/sssd/sssd.conf on the clients with something like the following:
>
> ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
>
> This is pulled from the docs here for reference:
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
>
> This is fine and causes no problems; however, when I mistakenly left it out on a few systems, sudo continued to function, so I am wondering what it is that this directive does? Does this get sssd into the loop to cache sudo rules for offline use?
>
> Any ideas?

Sorry for the confusion in the other responses to this thread. The short answer is this: SUDO can use LDAP rules (as you clearly know). It does this with its own internal LDAP lookup (it doesn't currently go through SSSD to accomplish this).

However, SUDO rules can specify netgroups as part of their restrictions on who can do what (usually these are used to limit functions to certain hosts). In order to do this, SSSD needs to be configured to look up netgroups properly so that SUDO can use the 'getnetgrent()' glibc command to locate the netgroups.

The doc you are looking at is actually a bit out of date. It's no longer necessary to provide that option, because if it's unspecified, we set it automatically to cn=ng,cn=compat,dc=example,dc=com (using the appropriate base, of course).

Jan's comments about upstream work were that we recently made changes to avoid needing to use the compat tree for netgroup lookups and can instead use FreeIPA's native, custom schema for netgroups. That's not terribly relevant to you, but it's a useful piece of information.

So, in short, you don't need to set it, the doc is outdated.
Re: [Freeipa-users] Sudo configuration question
On Tue, Dec 20, 2011 at 12:59:45PM -0900, Erinn Looney-Triggs wrote:
> I have been working through configuring sudo via IPA and ran into the following situation.
>
> There is a directive in the documentation to configure /etc/sssd/sssd.conf on the clients with something like the following:
>
> ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
>
> This is pulled from the docs here for reference:
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
>
> This is fine and causes no problems; however, when I mistakenly left it out on a few systems, sudo continued to function, so I am wondering what it is that this directive does? Does this get sssd into the loop to cache sudo rules for offline use?
>
> Any ideas?
>
> -Erinn
>

When sudo performs a lookup it does so in two iterations:

1) Try to find a matching rule using ALL, username or any of the group names
2) If 1) does not match, search for all netgroups and look if the user is a member of a netgroup with innetgr()

So I assume that your sudo lookups matched with the first iteration and never actually needed to look up netgroup data.
Re: [Freeipa-users] Sudo configuration question
> On 12/21/2011 12:22 AM, Jan Zelený wrote:
> >> On 12/20/2011 10:27 PM, Jan Zelený wrote:
> >>>> I have been working through configuring sudo via IPA and ran into the following situation.
> >>>>
> >>>> There is a directive in the documentation to configure /etc/sssd/sssd.conf on the clients with something like the following:
> >>>>
> >>>> ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
> >>>>
> >>>> This is pulled from the docs here for reference:
> >>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
> >>>>
> >>>> This is fine and causes no problems; however, when I mistakenly left it out on a few systems, sudo continued to function, so I am wondering what it is that this directive does? Does this get sssd into the loop to cache sudo rules for offline use?
> >>>
> >>> Support for SUDO in SSSD has been added just about a week ago into master branch and is considered experimental right now. And as I understand it, the support in SUDO itself is still not entirely complete. So the simple answer is: hang on, the support is coming.
> >>>
> >>> Jan
> >>
> >> Hmm, that is odd. I am not trying to be on the bleeding edge here, my sudo setup is taken directly from the RHEL 6.2 documentation concerning identity management. It would be very strange if RHEL was running such an experimental and bleeding edge thing in the base RHEL setup.
> >
> > Of course, it's not even in Fedora yet. The documentation link you sent doesn't refer to SSSD but directly to the sudo LDAP plugin, which should be working as described there.
> >
> >> So I guess to back up a bit here, IF sudo were working with SSSD as it will in the future, would the aforementioned directive be the way to make it work? Understanding of course that for now it doesn't.
> >
> > I assume you are referring to the SSSD search base directive. In that case the correct directive will be ldap_sudo_search_base. There are also 11 more directives which can be used to configure attribute names of LDAP sudo objects like ldap_sudorule_name, ldap_sudorule_command, etc.
> >
> > Some configuration will also be needed for the entire chain to work. For example the sudo responder config section will have to be set up. But let's not skip ahead, I'm sure everything will be well documented by the time the sudo chain is stable.
> >
> > I hope this answers your question. If you have any more questions please don't hesitate to ask.
> >
> > Thanks
> > Jan
>
> Ok thanks. I think we are talking about two slightly different things here. I am just trying to figure out why that directive is supposed to be in sssd.conf (according to the docs) and why sudo continues to function with the IPA server if that directive is not in sssd.conf.

It's there because sudo rules can be based, among other things, on netgroups and users' memberships in them. Therefore what happens with that configuration is that the sudo LDAP plugin asks for sudo objects, but SSSD is used to retrieve information about netgroups and maybe also about common users/groups (I'm not completely sure about that since I haven't checked the documentation thoroughly).

I hope the whole thing is a bit more clear to you now.

Thanks
Jan
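The three explanations above (Stephen's: sudo does its own LDAP lookup and only needs SSSD for netgroups via glibc; Jakub's: pass 1 matches ALL/user/group, pass 2 falls back to netgroups with innetgr(); Jan's: the sudo LDAP plugin fetches sudo objects, SSSD answers netgroup queries) describe one matching order. The Python below models that order so you can see why sudo keeps working with ldap_netgroup_search_base unset as long as a rule matches in pass 1, and why a rule that grants access only through a "+netgroup" sudoUser silently stops matching the moment netgroups are not resolvable. This is an added example, not sudo's or SSSD's code: the sudoRole entries, users, groups, hostnames and the netgroup table are constructed sample data, and the NetgroupResolver class is a stand-in for glibc innetgr(), which on an IPA client is served by SSSD.

```python
"""Model of the two-pass sudoUser matching order described in the thread.

Added example; not sudo's or SSSD's own code. All names, rules and netgroup
members below are constructed for illustration. Real sudo reads sudoRole
objects over its own LDAP connection and resolves "+netgroup" entries with
glibc innetgr(), which an IPA client answers through SSSD (by default from
cn=ng,cn=compat,<base>).
"""
from dataclasses import dataclass


@dataclass
class SudoRole:
    """One sudoRole LDAP object reduced to the attributes that matter here."""
    cn: str
    sudo_user: list       # sudoUser values: "ALL", "alice", "%wheel", "+ops"
    sudo_host: list       # sudoHost values: "ALL" or a hostname
    sudo_command: list    # sudoCommand values (not evaluated in this model)


@dataclass
class NetgroupResolver:
    """Stand-in for innetgr(): answers from a local table instead of NSS and
    counts calls, so a caller can tell whether pass 2 was ever reached."""
    table: dict           # netgroup name -> set of (host, user); "" = wildcard
    calls: int = 0

    def innetgr(self, netgroup, host, user):
        self.calls += 1
        return any(h in ("", host) and u in ("", user)
                   for h, u in self.table.get(netgroup, ()))


def host_matches(role, host):
    return any(h in ("ALL", host) for h in role.sudo_host)


def lookup(roles, user, groups, host, ng):
    """Return (matching role cns, pass number): 1 if a rule matched on
    ALL/username/%group, 2 if only a +netgroup rule matched, 0 if none did.
    Pass 2, the only one that touches netgroup data, runs just when pass 1
    found nothing, which is the order the thread describes."""
    direct = {"ALL", user} | {"%" + g for g in groups}
    pass1 = [r.cn for r in roles
             if host_matches(r, host) and any(u in direct for u in r.sudo_user)]
    if pass1:
        return pass1, 1
    pass2 = [r.cn for r in roles
             if host_matches(r, host)
             and any(u.startswith("+") and ng.innetgr(u[1:], host, user)
                     for u in r.sudo_user)]
    return pass2, 2 if pass2 else 0


# Constructed sample directory content.
ROLES = [
    SudoRole("wheel-admins", ["%wheel"], ["ALL"], ["ALL"]),
    SudoRole("ops-restart", ["+ops"], ["ALL"], ["/sbin/service"]),
]
NETGROUPS = {"ops": {("", "bob")}}   # netgroup "ops" contains user bob on any host


def demo():
    """Show both passes, and the failure mode when netgroups are not served."""
    ng = NetgroupResolver(dict(NETGROUPS))
    print("alice:", lookup(ROLES, "alice", ["wheel"], "web1", ng), "innetgr calls:", ng.calls)
    print("bob:  ", lookup(ROLES, "bob", ["users"], "web1", ng), "innetgr calls:", ng.calls)
    # Same bob, but the client cannot resolve netgroups at all (what you would
    # see if SSSD were not serving them): the +ops rule no longer matches.
    broken = NetgroupResolver({})
    print("bob, no netgroups:", lookup(ROLES, "bob", ["users"], "web1", broken))


if __name__ == "__main__":
    demo()
```

The practical check this suggests is to test sudo as a user whose only grant comes through a netgroup, not as a wheel member: the wheel member will pass even on a client that cannot resolve netgroups, while the netgroup-only user is the one that exposes a misconfigured or unreachable netgroup search base.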
Re: [Freeipa-users] Sudo configuration question
On 12/21/2011 12:22 AM, Jan Zelený wrote:
>> On 12/20/2011 10:27 PM, Jan Zelený wrote:
>>>> I have been working through configuring sudo via IPA and ran into the
>>>> following situation.
>>>>
>>>> There is a directive in the documentation to configure
>>>> /etc/sssd/sssd.conf on the clients with something like the following:
>>>>
>>>> ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
>>>>
>>>> This is pulled from the docs here for reference:
>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
>>>>
>>>> This is fine and causes no problems, however, when I mistakenly left it
>>>> out on a few systems, sudo continued to function, so I am wondering what
>>>> it is that this directive does? Does this get sssd into the loop to
>>>> cache sudo rules for offline use?
>>> Support for SUDO in SSSD has been added just about a week ago into master
>>> branch and is considered experimental right now. And as I understand it,
>>> the support in SUDO itself is still not entirely complete. So the simple
>>> answer is: hang on, the support is coming.
>>>
>>> Jan
>> Hmm, that is odd. I am not trying to be on the bleeding edge here, my
>> sudo setup is taken directly from the RHEL 6.2 documentation concerning
>> identity management. It would be very strange if RHEL was running such
>> an experimental and bleeding edge thing in the base RHEL setup.
> Of course, it's not even in Fedora yet. The documentation link you sent
> doesn't refer to SSSD but directly to sudo LDAP plugin which should be
> working as described there.
>
>> So I guess to back up a bit here, IF sudo were working with SSSD as it
>> will in the future would the aforementioned directive be the way to make
>> it work. Understanding of course that for now it doesn't.
> I assume you are referring to the SSSD search base directive. In that case
> the correct directive will be ldap_sudo_search_base. There are also 11 more
> directives which can be used to configure attribute names of LDAP sudo
> objects like ldap_sudorule_name, ldap_sudorule_command, etc.
>
> Some configuration will be also needed for the entire chain to work. For
> example sudo responder config section will have to be set up. But let's not
> skip ahead, I'm sure everything will be well documented by the time when the
> sudo chain is stable.
>
> I hope this answers your question. If you have any more questions please
> don't hesitate to ask.
>
> Thanks
> Jan

Ok thanks. I think we are talking about two slightly different things
here. I am just trying to figure out why that directive is supposed to
be in sssd.conf (according to the docs) and why sudo continues to
function with the IPA server if that directive is not in sssd.conf.

-Erinn
Re: [Freeipa-users] Sudo configuration question
> On 12/20/2011 10:27 PM, Jan Zelený wrote:
> >> I have been working through configuring sudo via IPA and ran into the
> >> following situation.
> >>
> >> There is a directive in the documentation to configure
> >> /etc/sssd/sssd.conf on the clients with something like the following:
> >>
> >> ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
> >>
> >> This is pulled from the docs here for reference:
> >> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
> >>
> >> This is fine and causes no problems, however, when I mistakenly left it
> >> out on a few systems, sudo continued to function, so I am wondering what
> >> it is that this directive does? Does this get sssd into the loop to
> >> cache sudo rules for offline use?
> >
> > Support for SUDO in SSSD has been added just about a week ago into master
> > branch and is considered experimental right now. And as I understand it,
> > the support in SUDO itself is still not entirely complete. So the simple
> > answer is: hang on, the support is coming.
> >
> > Jan
>
> Hmm, that is odd. I am not trying to be on the bleeding edge here, my
> sudo setup is taken directly from the RHEL 6.2 documentation concerning
> identity management. It would be very strange if RHEL was running such
> an experimental and bleeding edge thing in the base RHEL setup.

Of course, it's not even in Fedora yet. The documentation link you sent
doesn't refer to SSSD but directly to sudo LDAP plugin which should be
working as described there.

> So I guess to back up a bit here, IF sudo were working with SSSD as it
> will in the future would the aforementioned directive be the way to make
> it work. Understanding of course that for now it doesn't.

I assume you are referring to the SSSD search base directive. In that case
the correct directive will be ldap_sudo_search_base. There are also 11 more
directives which can be used to configure attribute names of LDAP sudo
objects like ldap_sudorule_name, ldap_sudorule_command, etc.

Some configuration will be also needed for the entire chain to work. For
example sudo responder config section will have to be set up. But let's not
skip ahead, I'm sure everything will be well documented by the time when the
sudo chain is stable.

I hope this answers your question. If you have any more questions please
don't hesitate to ask.

Thanks
Jan
Re: [Freeipa-users] Sudo configuration question
On 12/20/2011 10:27 PM, Jan Zelený wrote:
>> I have been working through configuring sudo via IPA and ran into the
>> following situation.
>>
>> There is a directive in the documentation to configure
>> /etc/sssd/sssd.conf on the clients with something like the following:
>>
>> ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
>>
>> This is pulled from the docs here for reference:
>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
>>
>> This is fine and causes no problems, however, when I mistakenly left it
>> out on a few systems, sudo continued to function, so I am wondering what
>> it is that this directive does? Does this get sssd into the loop to
>> cache sudo rules for offline use?
> Support for SUDO in SSSD has been added just about a week ago into master
> branch and is considered experimental right now. And as I understand it, the
> support in SUDO itself is still not entirely complete. So the simple answer
> is: hang on, the support is coming.
>
> Jan

Hmm, that is odd. I am not trying to be on the bleeding edge here, my
sudo setup is taken directly from the RHEL 6.2 documentation concerning
identity management. It would be very strange if RHEL was running such
an experimental and bleeding edge thing in the base RHEL setup.

So I guess to back up a bit here, IF sudo were working with SSSD as it
will in the future would the aforementioned directive be the way to make
it work. Understanding of course that for now it doesn't.

-Erinn