Re: [Freeipa-users] Setting up sudo

2014-02-17 Thread Jakub Hrozek
On Thu, Feb 13, 2014 at 06:30:37PM -0500, Dmitri Pal wrote:
 On 02/13/2014 06:23 PM, Todd Maugh wrote:
 And if I am configuring the sud-ldap.conf,

 what should it look like? Does anyone have an example?
 
 
 You have two options. Sudo can be integrated with SSSD or not.
 If you want SUDO to be integrated then this should help: 
 http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf

Also man sssd-sudo should have some examples.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Setting up sudo

2014-02-17 Thread Andrew Holway
It actually took me a long time to find this information. It is poorly
documented but this mailing list post works. :)

https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html



On 13 February 2014 23:17, Todd Maugh tma...@boingo.com wrote:
 the documentation is kinda vague on some parts

 from the documentation:

 Because the sudo information is not available anonymously over LDAP by
 default, Identity Management defines a default sudo user,
 uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX, which can be set in the LDAP/sudo
 configuration file, /etc/sud-ldap.conf.

 So is this user supposed to be already predefined, or do I need to create the
 user and then modify them?

 thanks

 -Todd




[Freeipa-users] Setting up sudo

2014-02-13 Thread Todd Maugh
the documentation is kinda vague on some parts

from the documentation:

Because the sudo information is not available anonymously over LDAP by default, 
Identity Management defines a default sudo user, 
uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX, which can be set in the LDAP/sudo 
configuration file, /etc/sud-ldap.conf.

So is this user supposed to be already predefined, or do I need to create the
user and then modify them?

thanks

-Todd

Re: [Freeipa-users] Setting up sudo

2014-02-13 Thread Todd Maugh
And if I am configuring the sud-ldap.conf,

what should it look like? Does anyone have an example?



From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Todd Maugh [tma...@boingo.com]
Sent: Thursday, February 13, 2014 3:17 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Setting up sudo

the documentation is kinda vague on some parts

from the documentation:

Because the sudo information is not available anonymously over LDAP by default, 
Identity Management defines a default sudo user, 
uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX, which can be set in the LDAP/sudo 
configuration file, /etc/sud-ldap.conf.

So is this user supposed to be already predefined, or do I need to create the
user and then modify them?

thanks

-Todd

Re: [Freeipa-users] Setting up sudo

2014-02-13 Thread Dmitri Pal

On 02/13/2014 06:23 PM, Todd Maugh wrote:

And if I am configuring the sud-ldap.conf,

what should it look like? Does anyone have an example?



You have two options. Sudo can be integrated with SSSD or not.
If you want SUDO to be integrated then this should help: 
http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf


If you want to use SUDO independently from sssd and connect directly to 
IPA from SUDO you need to configure sudo-ldap.conf and use some user to 
bind to IPA. This user should be configured in the file.
See more details in the IPA docs: 
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#config-sudo-clients






*From:* freeipa-users-boun...@redhat.com 
[freeipa-users-boun...@redhat.com] on behalf of Todd Maugh 
[tma...@boingo.com]

*Sent:* Thursday, February 13, 2014 3:17 PM
*To:* freeipa-users@redhat.com
*Subject:* [Freeipa-users] Setting up sudo

the documentation is kinda vague on some parts

from the documentation:

Because the |sudo| information is not available anonymously over LDAP 
by default, Identity Management defines a default |sudo| user, 
|uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX|, which can be set in the 
LDAP/|sudo| configuration file, |/etc/sud-ldap.conf|.


So is this user supposed to be already predefined, or do I need to 
create the user and then modify them?


thanks

-Todd





--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



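The bind account Todd asks about and Dmitri's answer (a dedicated user, configured in the file, that sudo uses to bind to IPA) both come down to what ends up in sudo-ldap.conf and how that file is handled. The following is an added example, not code from this thread or from the FreeIPA project: POSIX shell checks over such a file. The key names are the ones sudoers.ldap(5) defines (uri, binddn, bindpw, sudoers_base, ssl, tls_checkpeer); the function names, the script name and the sample values used in the comments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project: sanity checks
# for a sudo-ldap.conf used the "sudo binds to IPA directly" way.
# Key names follow sudoers.ldap(5); everything else here is an assumption.

# Print the value of a key (first match, case-insensitive); empty if absent.
ldap_conf_get() {
    # $1 = config file, $2 = key name
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Keys sudo needs before it can ask IPA for rules at all. Prints the missing
# ones, one per line, and fails if any is missing.
ldap_conf_missing_keys() {
    # $1 = config file
    _missing=""
    for _k in uri binddn bindpw sudoers_base; do
        [ -n "$(ldap_conf_get "$1" "$_k")" ] || _missing="$_missing $_k"
    done
    for _k in $_missing; do echo "$_k"; done
    [ -z "$_missing" ]
}

# The bind identity should be the IPA system account
# (uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX), not a real user's DN: its
# password is stored in clear text in this file.
ldap_conf_bind_is_sysaccount() {
    # $1 = config file
    case "$(ldap_conf_get "$1" binddn)" in
        uid=*,cn=sysaccounts,cn=etc,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Because bindpw is clear text, the file must not be group/world readable.
ldap_conf_mode_ok() {
    # $1 = config file; accepts modes such as 600, 0600 or 400
    _mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$_mode" in
        *00) return 0 ;;
        *) return 1 ;;
    esac
}

# A plain ldap:// connection without peer verification would carry the bind
# password and the rules unprotected: require STARTTLS (or ldaps) plus
# certificate checking.
ldap_conf_tls_ok() {
    # $1 = config file
    _ssl=$(ldap_conf_get "$1" ssl)
    case "$(ldap_conf_get "$1" uri)" in ldaps://*) _ssl=on ;; esac
    [ "$_ssl" = "start_tls" ] || [ "$_ssl" = "on" ] || return 1
    [ "$(ldap_conf_get "$1" tls_checkpeer)" = "yes" ]
}

# Run every check, print one line per result, fail if any check failed.
ldap_conf_report() {
    # $1 = config file
    _rc=0
    for _check in ldap_conf_missing_keys ldap_conf_bind_is_sysaccount \
                  ldap_conf_mode_ok ldap_conf_tls_ok; do
        if "$_check" "$1" >/dev/null 2>&1; then echo "$_check: ok"
        else echo "$_check: FAIL"; _rc=1; fi
    done
    return $_rc
}

# Usage (assumed script name): sh sudo-ldap-check.sh /etc/sudo-ldap.conf
if [ $# -eq 1 ]; then
    ldap_conf_report "$1"
fi
```

The mode check matters because bindpw sits in the file in clear text; the system-account check matters because a real user's DN and password in a file on every client would make each client a copy of that user's credential. Both are the kind of finding that shows up when the file has been copied around by hand, as the thread's participants were doing.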

Re: [Freeipa-users] Setting up sudo in FreeIPA v2.2

2012-10-17 Thread Toasted Penguin
On Tue, Oct 16, 2012 at 10:50 PM, JR Aquino jr.aqu...@citrix.com wrote:

 On the host in question Run the command: domainname

 That wants to match whatever your domain is. If it doesn't it will fail
 even if you have all the server rules configured correctly. This is a sudo
 + netgroups/hostgroups 'feature'

 ~
 Jr Aquino | Sr. Information Security Specialist
 GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
 Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
 T:  +1 805.690.3478
 C: +1 805.717.0365
 jr.aqu...@citrixonline.com
 http://www.citrixonline.com

 On Oct 16, 2012, at 2:26 PM, Toasted Penguin 
 toastedpenguini...@gmail.com wrote:

 I have the server set up to manage sudo and I configured a target client
 to use the IPA server for sudo. When a user tries to use sudo (in this
 case sudo su -) it fails and they get the error "user is not allowed to
 run sudo on client-host. This incident will be reported." I verified via
 the log files that the client is making requests to the IPA server when the
 user is attempting to use sudo and it fails. I temporarily disabled using
 the IPA server for sudo and I get the standard "User not in the sudoers
 file".
 
 It's starting to look like the server rules may be the issue, but I believe
 I have the sudo rule set up correctly. I created a sudo command /bin/su,
 created a sudo rule "Sudo to root", added the group the user in question
 is a part of to WHO -> User Groups; added the Host Group the target
 client host is part of to Access This Host -> Host Groups and added the sudo
 command to the sudo rule via Allow -> Sudo Allow Commands. When I delete
 the sudo rule I get the same result as I did when I temporarily disabled the
 client host using the IPA server for sudo verification.
 
  Any ideas why or where to look to figure out this issue?
 
  Thanks,
  David

Executing domainname results in the correct domain for the FreeIPA service.

Re: [Freeipa-users] Setting up sudo in FreeIPA v2.2

2012-10-16 Thread Steven Jones
Can you turn on debugging? Add

sudoers_debug 2

to /etc/sudo-ldap.conf (assumes RHEL 6.3).

Also, you could try adding the host directly to the sudo rule and not via a host 
group, as that seems buggy.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Toasted Penguin [toastedpenguini...@gmail.com]
Sent: Wednesday, 17 October 2012 10:24 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Setting up sudo in FreeIPA v2.2

I have the server set up to manage sudo and I configured a target client to use 
the IPA server for sudo. When a user tries to use sudo (in this case sudo su 
-) it fails and they get the error "user is not allowed to run sudo on 
client-host. This incident will be reported." I verified via the log files 
that the client is making requests to the IPA server when the user is attempting 
to use sudo and it fails. I temporarily disabled using the IPA server for sudo 
and I get the standard "User not in the sudoers file".

It's starting to look like the server rules may be the issue, but I believe I have 
the sudo rule set up correctly. I created a sudo command /bin/su, created a 
sudo rule "Sudo to root", added the group the user in question is a part of to 
WHO -> User Groups; added the Host Group the target client host is part of 
to Access This Host -> Host Groups and added the sudo command to the sudo rule 
via Allow -> Sudo Allow Commands. When I delete the sudo rule I get the same 
result as I did when I temporarily disabled the client host using the IPA 
server for sudo verification.

Any ideas why or where to look to figure out this issue?

Thanks,
David

Re: [Freeipa-users] Setting up sudo in FreeIPA v2.2

2012-10-16 Thread Rob Crittenden

Toasted Penguin wrote:

I have the server set up to manage sudo and I configured a target client
to use the IPA server for sudo. When a user tries to use sudo (in this
case sudo su -) it fails and they get the error "user is not allowed
to run sudo on client-host. This incident will be reported." I verified
via the log files that the client is making requests to the IPA server
when the user is attempting to use sudo and it fails. I temporarily
disabled using the IPA server for sudo and I get the standard "User not
in the sudoers file".
It's starting to look like the server rules may be the issue, but I believe
I have the sudo rule set up correctly. I created a sudo command
/bin/su, created a sudo rule "Sudo to root", added the group the user
in question is a part of to WHO -> User Groups; added the Host Group
the target client host is part of to Access This Host -> Host Groups
and added the sudo command to the sudo rule via Allow -> Sudo Allow
Commands. When I delete the sudo rule I get the same result as I did
when I temporarily disabled the client host using the IPA server for
sudo verification.
Any ideas why or where to look to figure out this issue?
Thanks,
David


I took a look at the docs and they state to edit /etc/nscld.conf. You 
want /etc/ldap.conf for the configuration. Can you give that a try?


Adding sudoers_debug 2 should provide copious information on stdout.

rob



Re: [Freeipa-users] Setting up sudo in FreeIPA v2.2

2012-10-16 Thread JR Aquino
On the host in question Run the command: domainname

That wants to match whatever your domain is. If it doesn't it will fail even if 
you have all the server rules configured correctly. This is a sudo + 
netgroups/hostgroups 'feature'

~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
C: +1 805.717.0365
jr.aqu...@citrixonline.com
http://www.citrixonline.com

On Oct 16, 2012, at 2:26 PM, Toasted Penguin toastedpenguini...@gmail.com 
wrote:

 I have the server set up to manage sudo and I configured a target client to 
 use the IPA server for sudo. When a user tries to use sudo (in this case 
 sudo su -) it fails and they get the error "user is not allowed to run sudo 
 on client-host. This incident will be reported." I verified via the log 
 files that the client is making requests to the IPA server when the user is 
 attempting to use sudo and it fails. I temporarily disabled using the IPA 
 server for sudo and I get the standard "User not in the sudoers file".
 
 It's starting to look like the server rules may be the issue, but I believe I 
 have the sudo rule set up correctly. I created a sudo command /bin/su, 
 created a sudo rule "Sudo to root", added the group the user in question is 
 a part of to WHO -> User Groups; added the Host Group the target client 
 host is part of to Access This Host -> Host Groups and added the sudo command 
 to the sudo rule via Allow -> Sudo Allow Commands. When I delete the sudo 
 rule I get the same result as I did when I temporarily disabled the client 
 host using the IPA server for sudo verification.
  
 Any ideas why or where to look to figure out this issue?
  
 Thanks,
 David 



[Freeipa-users] Setting up sudo clients

2012-06-06 Thread Joe Linoff
Hi Folks:

 

I am trying to configure sudo clients using FreeIPA 2.1.3 on CentOS 6.2
but I am running into a problem that I do not know how to debug. I
used the instructions provided here:
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html

 

The server installation went fine and I even did a sudo client
installation on the server which worked well. Unfortunately, when I did
the same client setup on another host in the network I got the message:
user not in sudoers files when I tried to execute a command.

 

Here is the output from /var/log/secure on the client. I didn't see
anything strange on the server. The user name is bigbob.

 

Jun  6 10:38:35 docs unix_chkpwd[8737]: password check failed for user (bigbob)
Jun  6 10:38:35 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost=  user=bigbob
Jun  6 10:38:36 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun  6 10:38:36 docs sudo:   bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/ls
Jun  6 10:44:09 docs unix_chkpwd[8767]: password check failed for user (bigbob)
Jun  6 10:44:09 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost=  user=bigbob
Jun  6 10:44:10 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun  6 10:44:10 docs sudo:   bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/pwd

 

The command /bin/pwd is in the sudo commands and in the sudo command
group.

 

Any help would be greatly appreciated.

 

Here are the setup steps that I performed on the client. The domain is
foo.example.com.

 

# CITATION:
# http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html

#
# Update /etc/nsswitch.conf
#
cat >> /etc/nsswitch.conf << EOF

#
# FreeIPA sudo support
#
sudoers:  files ldap
sudoers_debug: 1
EOF

#
# Insert this just after the ipa_server line and restart sssd:
# ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com
#
cat /etc/sssd/sssd.conf | \
awk '{print $0; if ($1 == "ipa_server") { printf("ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com\n"); }}' > /tmp/x
cp /tmp/x /etc/sssd/sssd.conf
rm -f /tmp/x
service sssd restart

#
# Create the /etc/nslcd.conf file
#
ls /etc/nslcd.conf
cat > /etc/nslcd.conf << EOF
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=example,dc=com
bindpw pwd/sudo

ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes

bind_timelimit 5
timelimit 15

uri ldap://cuthbert.foo.example.com
sudoers_base ou=SUDOers,dc=foo,dc=example,dc=com
EOF

#
# Set the NIS domain name (even though NIS is not used)
#
nisdomainname foo.example.com

 

Thank you,

 

Joe

 

 

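Joe's client steps and the replies in the v2.2 thread (JR Aquino on domainname, Dmitri on whether sudo is reaching LDAP at all, Steven Jones and Rob Crittenden on sudoers_debug) point at the same short list of client-side failure points. What follows is an added example, not code from the thread or from the FreeIPA project: POSIX shell functions that compare the NIS domain name with the IPA domain, check the sudoers line in nsswitch.conf, add ldap_netgroup_search_base after the ipa_server line exactly once (an idempotent form of Joe's awk), and classify a /var/log/secure excerpt so that a rejected password is not confused with a failed rule lookup. The file paths, function names, script name and the sample log (constructed in the shape of Joe's excerpt) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project. Client-side
# checks for the failure points raised in these threads. Paths, function
# names and the sample log below are assumptions/constructed.

# 1. domainname(1) must report the IPA domain; sudo's netgroup/hostgroup
#    matching fails otherwise even when the server-side rule is right.
nis_domain_ok() {
    # $1 = expected IPA domain, $2 = actual value (defaults to domainname output)
    _actual=${2:-$(domainname 2>/dev/null)}
    [ "$_actual" = "$1" ]
}

# 2. The sudoers line in nsswitch.conf must hand lookups to ldap (nslcd /
#    sudo-ldap) or sss; with "files" only, sudo never asks IPA.
nsswitch_sudoers_ok() {
    # $1 = nsswitch.conf path
    grep -Eq '^[[:space:]]*sudoers:.*[[:space:]](ldap|sss)([[:space:]]|$)' "$1"
}

# 3. Joe's awk, made idempotent: add ldap_netgroup_search_base directly after
#    the ipa_server line, and do nothing if the key is already present.
add_netgroup_search_base() {
    # $1 = sssd.conf path, $2 = search base DN
    if grep -q '^[[:space:]]*ldap_netgroup_search_base[[:space:]]*=' "$1"; then
        return 0
    fi
    awk -v base="$2" '
        { print }
        /^[[:space:]]*ipa_server[[:space:]]*=/ { print "ldap_netgroup_search_base = " base }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# 4. Classify a /var/log/secure excerpt covering one sudo attempt:
#    lookup-failed  password accepted, but no sudoers rule matched: look at
#                   nsswitch, the LDAP bind, the firewall and domainname
#    auth-failed    sudo rejected the password
#    ok             the command was allowed
#    The pam_unix failure that precedes the pam_sss success in Joe's excerpt
#    is normal: pam_unix runs first and has no local password to check.
triage_sudo_log() {
    # $1 = log file
    if grep -q 'user NOT in sudoers' "$1"; then
        echo lookup-failed
    elif grep -q 'incorrect password attempt' "$1"; then
        echo auth-failed
    elif grep -Eq 'sudo:.*COMMAND=' "$1"; then
        echo ok
    else
        echo unknown
    fi
}

# Constructed sample in the shape of Joe's excerpt (same host, user, command).
sample_secure_log() {
    cat << 'EOF'
Jun  6 10:38:35 docs unix_chkpwd[8737]: password check failed for user (bigbob)
Jun  6 10:38:35 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost=  user=bigbob
Jun  6 10:38:36 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun  6 10:38:36 docs sudo:   bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/ls
EOF
}

# Usage on a client (assumed paths): sh sudo-client-check.sh foo.example.com
if [ $# -eq 1 ]; then
    nis_domain_ok "$1" && echo "domainname: ok" || echo "domainname: mismatch, run: nisdomainname $1"
    nsswitch_sudoers_ok /etc/nsswitch.conf && echo "nsswitch sudoers: ok" || echo "nsswitch sudoers: no ldap/sss"
    _t=$(mktemp) && sample_secure_log > "$_t" && echo "sample log: $(triage_sudo_log "$_t")" && rm -f "$_t"
fi
```

Point triage_sudo_log at a real excerpt to classify a live failure. In Joe's log the interesting signal is the "user NOT in sudoers" line arriving right after pam_sss reported success: the credentials are fine, so the remaining suspects are the ones Dmitri and JR name, namely whether the client can bind to the LDAP port at all and whether domainname matches the netgroups the compat tree publishes.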

Re: [Freeipa-users] Setting up sudo clients

2012-06-06 Thread Dmitri Pal
On 06/06/2012 01:59 PM, Joe Linoff wrote:

 Hi Folks:

  

 I am trying to configure sudo clients using FreeIPA 2.1.3 on CentOS
 6.2 but I am running into a problem that I do not know how to
 debug. I used the instructions provided here:
 http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html


  

 The server installation went fine and I even did a sudo client
 installation on the server which worked well. Unfortunately, when I
 did the same client setup on another host in the network I got the
 message: user not in sudoers files when I tried to execute a command.

  

 Here is the output from /var/log/secure on the client. I didn't see
 anything strange on the server. The user name is bigbob.

  

 Jun  6 10:38:35 docs unix_chkpwd[8737]: password check failed for user (bigbob)
 Jun  6 10:38:35 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost=  user=bigbob
 Jun  6 10:38:36 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
 Jun  6 10:38:36 docs sudo:   bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/ls
 Jun  6 10:44:09 docs unix_chkpwd[8767]: password check failed for user (bigbob)
 Jun  6 10:44:09 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost=  user=bigbob
 Jun  6 10:44:10 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
 Jun  6 10:44:10 docs sudo:   bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/pwd

  


Looks like the sudo utility is not going over LDAP and tries to find the
user in the local file.
Can you bind to the LDAP server? Is the firewall port open?


 The command /bin/pwd is in the sudo commands and in the sudo command
 group.

  

 Any help would be greatly appreciated.

  

 Here are the setup steps that I performed on the client. The domain is
 foo.example.com.

  

 # CITATION:
 # http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html

 #
 # Update /etc/nsswitch.conf
 #
 cat >> /etc/nsswitch.conf << EOF

 #
 # FreeIPA sudo support
 #
 sudoers:  files ldap
 sudoers_debug: 1
 EOF

 #
 # Insert this just after the ipa_server line and restart sssd:
 # ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com
 #
 cat /etc/sssd/sssd.conf | \
 awk '{print $0; if ($1 == "ipa_server") { printf("ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com\n"); }}' > /tmp/x
 cp /tmp/x /etc/sssd/sssd.conf
 rm -f /tmp/x
 service sssd restart

 #
 # Create the /etc/nslcd.conf file
 #
 ls /etc/nslcd.conf
 cat > /etc/nslcd.conf << EOF
 binddn uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=example,dc=com
 bindpw pwd/sudo

 ssl start_tls
 tls_cacertfile /etc/ipa/ca.crt
 tls_checkpeer yes

 bind_timelimit 5
 timelimit 15

 uri ldap://cuthbert.foo.example.com
 sudoers_base ou=SUDOers,dc=foo,dc=example,dc=com
 EOF

 #
 # Set the NIS domain name (even though NIS is not used)
 #
 nisdomainname foo.example.com

  

 Thank you,

  

 Joe

  

  




-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


