Re: [Freeipa-users] sudo rules user and host group bugs?
host1- nisdomainname my_domain.com host1- rpm -q sudo sudo-1.7.2p1-6.el5_5 Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.com | O / C +1 503 953-1389 -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Pavel Brezina Sent: Thursday, July 18, 2013 2:03 AM To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] sudo rules user and host group bugs? On 07/17/2013 06:39 PM, Tovey, Mark wrote: Okay, I get it (pardon my obtuseness). host1- getent netgroup hgroup1 hgroup1 (host1.my_domain.com, -, my_domain.com) So netgroups are working. The host group is defined in IPA and getent is able to access that information. Thanks, -Mark Hi, can you also paste the output of following commands please? $ nisdomainname $ rpm -q sudo Thanks, Pavel. Mark Tovey - UNIX Engineer | Service Strategy Design UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.com | O / C +1 503 953-1389 -Original Message- From: Jakub Hrozek [mailto:jhro...@redhat.com] Sent: Wednesday, July 17, 2013 8:58 AM To: Tovey, Mark Cc: d...@redhat.com; freeipa-users@redhat.com Subject: Re: [Freeipa-users] sudo rules user and host group bugs? On Wed, Jul 17, 2013 at 03:01:58PM +, Tovey, Mark wrote: We have sssd-1.5.1-58.el5 and ipa-client-2.1.3-5.el5_9.2 installed. OK, these are recent enough to support netgroups and the compat tree should be configured automatically. Those came out of the 'latest' repository. We do not have any netgroups defined (there is no /etc/netgroup file), so getent does not return anything. Every hostgroup is automatically translated into a netgroup on the server side. You said you have some host groups present, so does getent netgroup name-of-hostgroup return any netgroup data? Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.com | O / C +1 503 953-1389 -Original Message- From: Jakub Hrozek [mailto:jhro...@redhat.com] Sent: Wednesday, July 17, 2013 1:32 AM To: Tovey, Mark Cc: d...@redhat.com; freeipa-users@redhat.com Subject: Re: [Freeipa-users] sudo rules user and host group bugs? On Tue, Jul 16, 2013 at 09:13:00PM +, Tovey, Mark wrote: We are using sssd. The sssd.conf file is mostly unchanged from how it was installed by the ipa-client-install script: Hi Mark, you said your client is OEL *5.5* ? The SSSD first appeared in RHEL (and by extension OEL) in 5.6. Are you running the version from EPEL? I'm not sure if netgroups were even supported in that old version.. What is the output of rpm -q sssd and rpm -q ipa-client ? Does getent netgroup netgroup-name work? [sssd] config_file_version = 2 services = nss, pam domains = my_domain.com [nss] [pam] [domain/my_domain.com] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = my_domain.com id_provider = ipa auth_provider = ipa access_provider = ipa chpass_provider = ipa ipa_server = _srv_, ipa_server.my_domain.com ldap_tls_cacert = /etc/ipa/ca.crt debug_level = 6 And the nsswitch.conf file: passwd: files sss shadow: files sss group: files sss hosts: files dns bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files rpc:files services: files netgroup: files sss publickey: nisplus automount: files ldap aliases:files sudoers:files ldap Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2 -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal Sent: Tuesday, July 16, 2013 12:51 PM To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] sudo rules user and host group bugs? On 07/16/2013 02:11 PM, Tovey, Mark wrote: My environment consists of OEL 5.5 clients with ipa-client-2.1.3 and the server is OEL 6.4 with ipa-server-3.0.0. We chose these because we were able to find RPM packages for them. We would prefer to go with the latest versions, but we did not want to spend the time building installation packages just yet. Again, we are just evaluating at this point. So far, so good, except for this one
Re: [Freeipa-users] sudo rules user and host group bugs?
We have sssd-1.5.1-58.el5 and ipa-client-2.1.3-5.el5_9.2 installed. Those came out of the 'latest' repository. We do not have any netgroups defined (there is no /etc/netgroup file), so getent does not return anything. Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.com | O / C +1 503 953-1389 -Original Message- From: Jakub Hrozek [mailto:jhro...@redhat.com] Sent: Wednesday, July 17, 2013 1:32 AM To: Tovey, Mark Cc: d...@redhat.com; freeipa-users@redhat.com Subject: Re: [Freeipa-users] sudo rules user and host group bugs? On Tue, Jul 16, 2013 at 09:13:00PM +, Tovey, Mark wrote: We are using sssd. The sssd.conf file is mostly unchanged from how it was installed by the ipa-client-install script: Hi Mark, you said your client is OEL *5.5* ? The SSSD first appeared in RHEL (and by extension OEL) in 5.6. Are you running the version from EPEL? I'm not sure if netgroups were even supported in that old version.. What is the output of rpm -q sssd and rpm -q ipa-client ? Does getent netgroup netgroup-name work? [sssd] config_file_version = 2 services = nss, pam domains = my_domain.com [nss] [pam] [domain/my_domain.com] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = my_domain.com id_provider = ipa auth_provider = ipa access_provider = ipa chpass_provider = ipa ipa_server = _srv_, ipa_server.my_domain.com ldap_tls_cacert = /etc/ipa/ca.crt debug_level = 6 And the nsswitch.conf file: passwd: files sss shadow: files sss group: files sss hosts: files dns bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files rpc:files services: files netgroup: files sss publickey: nisplus automount: files ldap aliases:files sudoers:files ldap Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2 -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal Sent: Tuesday, July 16, 2013 12:51 PM To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] sudo rules user and host group bugs? On 07/16/2013 02:11 PM, Tovey, Mark wrote: My environment consists of OEL 5.5 clients with ipa-client-2.1.3 and the server is OEL 6.4 with ipa-server-3.0.0. We chose these because we were able to find RPM packages for them. We would prefer to go with the latest versions, but we did not want to spend the time building installation packages just yet. Again, we are just evaluating at this point. So far, so good, except for this one point. The doman name, host name, and nsswitch.conf files are all properly configured. But I do not have any netgroups defined (the getent command doesn't return anything and there is no /etc/netgroup file). After you asked about that, I started looking into the documentation on netgroups. The IPA documentation for sudo states that Identity Management creates two groups, a visible host group and a shadow netgroup. sudo itself only supports NIS-style netgroups for group formats. But when I look in the Netgroups area, I do not see any netgroups defined. I used Apache Directory Studio to look around the Directory Server, and I can see cn=hgroup1,cn=ng,cn=alt,dc=my_domain,dc=com, along with cn=hgroup1,cn=hostgroups,cn=accounts,dc=my_domain,dc=com. This seems to reflect what was stated in the documentation. But I am still stumped. I cannot get sudo to work with host groups; I have to directly add each server to the sudo rule. Thanks, -Mark So can it seems that the first thing you need to to do is to make sure your netgroups work. If domain and host are properly set then it might be the wrong base in your LDAP search for the netgroups. Are you using SSSD for netgroups or something else? Can you please share your sssd.conf and area where it configures netgroups? Also is sss in the nsswitch.conf for netgroups map? Mark Tovey - UNIX Engineer | Service Strategy Design UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2 -Original Message- From: Martin Kosek [mailto:mko...@redhat.com] Sent: Tuesday, July 16, 2013 12:34 AM To: Tovey, Mark Cc: Steven Jones; James Hogarth; Freeipa-users@redhat.com; Pavel Brezina Subject: Re: [Freeipa
Re: [Freeipa-users] sudo rules user and host group bugs?
Okay, I get it (pardon my obtuseness). host1- getent netgroup hgroup1 hgroup1 (host1.my_domain.com, -, my_domain.com) So netgroups are working. The host group is defined in IPA and getent is able to access that information. Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.com | O / C +1 503 953-1389 -Original Message- From: Jakub Hrozek [mailto:jhro...@redhat.com] Sent: Wednesday, July 17, 2013 8:58 AM To: Tovey, Mark Cc: d...@redhat.com; freeipa-users@redhat.com Subject: Re: [Freeipa-users] sudo rules user and host group bugs? On Wed, Jul 17, 2013 at 03:01:58PM +, Tovey, Mark wrote: We have sssd-1.5.1-58.el5 and ipa-client-2.1.3-5.el5_9.2 installed. OK, these are recent enough to support netgroups and the compat tree should be configured automatically. Those came out of the 'latest' repository. We do not have any netgroups defined (there is no /etc/netgroup file), so getent does not return anything. Every hostgroup is automatically translated into a netgroup on the server side. You said you have some host groups present, so does getent netgroup name-of-hostgroup return any netgroup data? Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.com | O / C +1 503 953-1389 -Original Message- From: Jakub Hrozek [mailto:jhro...@redhat.com] Sent: Wednesday, July 17, 2013 1:32 AM To: Tovey, Mark Cc: d...@redhat.com; freeipa-users@redhat.com Subject: Re: [Freeipa-users] sudo rules user and host group bugs? On Tue, Jul 16, 2013 at 09:13:00PM +, Tovey, Mark wrote: We are using sssd. The sssd.conf file is mostly unchanged from how it was installed by the ipa-client-install script: Hi Mark, you said your client is OEL *5.5* ? The SSSD first appeared in RHEL (and by extension OEL) in 5.6. Are you running the version from EPEL? I'm not sure if netgroups were even supported in that old version.. What is the output of rpm -q sssd and rpm -q ipa-client ? Does getent netgroup netgroup-name work? [sssd] config_file_version = 2 services = nss, pam domains = my_domain.com [nss] [pam] [domain/my_domain.com] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = my_domain.com id_provider = ipa auth_provider = ipa access_provider = ipa chpass_provider = ipa ipa_server = _srv_, ipa_server.my_domain.com ldap_tls_cacert = /etc/ipa/ca.crt debug_level = 6 And the nsswitch.conf file: passwd: files sss shadow: files sss group: files sss hosts: files dns bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files rpc:files services: files netgroup: files sss publickey: nisplus automount: files ldap aliases:files sudoers:files ldap Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2 -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal Sent: Tuesday, July 16, 2013 12:51 PM To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] sudo rules user and host group bugs? On 07/16/2013 02:11 PM, Tovey, Mark wrote: My environment consists of OEL 5.5 clients with ipa-client-2.1.3 and the server is OEL 6.4 with ipa-server-3.0.0. We chose these because we were able to find RPM packages for them. We would prefer to go with the latest versions, but we did not want to spend the time building installation packages just yet. Again, we are just evaluating at this point. So far, so good, except for this one point. The doman name, host name, and nsswitch.conf files are all properly configured. But I do not have any netgroups defined (the getent command doesn't return anything and there is no /etc/netgroup file). After you asked about that, I started looking into the documentation on netgroups. The IPA documentation for sudo states that Identity Management creates two groups, a visible host group and a shadow netgroup. sudo itself only supports NIS-style netgroups for group formats. But when I look in the Netgroups area, I do not see any netgroups defined. I used Apache Directory Studio to look around the Directory Server, and I can see
Re: [Freeipa-users] sudo rules user and host group bugs?
My environment consists of OEL 5.5 clients with ipa-client-2.1.3 and the server is OEL 6.4 with ipa-server-3.0.0. We chose these because we were able to find RPM packages for them. We would prefer to go with the latest versions, but we did not want to spend the time building installation packages just yet. Again, we are just evaluating at this point. So far, so good, except for this one point. The doman name, host name, and nsswitch.conf files are all properly configured. But I do not have any netgroups defined (the getent command doesn't return anything and there is no /etc/netgroup file). After you asked about that, I started looking into the documentation on netgroups. The IPA documentation for sudo states that Identity Management creates two groups, a visible host group and a shadow netgroup. sudo itself only supports NIS-style netgroups for group formats. But when I look in the Netgroups area, I do not see any netgroups defined. I used Apache Directory Studio to look around the Directory Server, and I can see cn=hgroup1,cn=ng,cn=alt,dc=my_domain,dc=com, along with cn=hgroup1,cn=hostgroups,cn=accounts,dc=my_domain,dc=com. This seems to reflect what was stated in the documentation. But I am still stumped. I cannot get sudo to work with host groups; I have to directly add each server to the sudo rule. Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2 -Original Message- From: Martin Kosek [mailto:mko...@redhat.com] Sent: Tuesday, July 16, 2013 12:34 AM To: Tovey, Mark Cc: Steven Jones; James Hogarth; Freeipa-users@redhat.com; Pavel Brezina Subject: Re: [Freeipa-users] sudo rules user and host group bugs? Just checking, did you try troubleshooting hints from JR I found at the top of the thread? I did not find an information about that. Can you confirm that the output of the following commands: 1. $ domainname * does it match your domain? 2. $ hostname * does match match your fqdn? 3. $ getent netgroup esolutions-sandbox-hosts * does this list your host? 4. Does /etc/nsswitch.conf contain the line: netgroup: files sss? Another important Sudo Troubleshooting step is to edit: /etc/sudo-ldap.conf (or /etc/ldap.conf, depending on what version of RHEL/Sudo you're running): At the top, add the line: sudoers_debug 2 Then try another sudo command. sudo -l for example. For example, it would help to know that netgroup list (step 3) works or domainname is set correctly (step 1). Martin On 07/16/2013 06:09 AM, Tovey, Mark wrote: Okay, I stopped sssd on the client and deleted the cache files, removed the sudo rule, started sssd and verified that the rule was gone, stopped sssd and deleted the files again, added the rule back in, restarted sssd, and still it does not work. One note, when I enter the hosts into the sudo rule in place of the host group, the effect is immediate; I do not need to restart sssd. And the opposite is true too: if I put the host group back, the rule immediately stops working. I don't think the issue is cache related; it seems to be something else. The serv_account that we are accessing with the sudo rule is external. I wouldn't expect that to matter, but perhaps it does? I like your idea for the labels; they make sense. Right now we are just evaluating this to see if we want to go this route. So far we like it, but this could be a problem because we have a several hundred hosts that we need to manage. Having to enter each one individually will be problematic. Thanks, -Mark * * ** *Mark Tovey - UNIX Engineer | Service Strategy Design* UTi http://www.go2uti.com/ | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.com mailto:mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2 *From:*Steven Jones [mailto:steven.jo...@vuw.ac.nz] *Sent:* Monday, July 15, 2013 4:44 PM *To:* Tovey, Mark; James Hogarth *Cc:* Freeipa-users@redhat.com *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs? option b) delete the rule totally and redo it from scratch. I label rules like this, hb- for a hbac rule su- for a sudo rule sc- for a sudo command group ug- for a user group hg- for a host groups etc etc It makes the logic easier when you go into command line which I find easier to trace with than the gui at time. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 -- - *From:*Tovey, Mark [mto
[Freeipa-users] Limit password synchronization from Active Directory
Is there a way to limit what user accounts are synchronized from Active Directory? There are around 15,000 entries in our production AD system, but probably only about 300 of those need to have an account in the IPA system. Can we set an attribute in the user information in AD that would flag that this is a candidate for replication, and lack of that attribute would cause an account to be skipped? Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTihttp://www.go2uti.com/ | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.commailto:mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2 ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] sudo rules user and host group bugs?
We are using sssd. The sssd.conf file is mostly unchanged from how it was installed by the ipa-client-install script: [sssd] config_file_version = 2 services = nss, pam domains = my_domain.com [nss] [pam] [domain/my_domain.com] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = my_domain.com id_provider = ipa auth_provider = ipa access_provider = ipa chpass_provider = ipa ipa_server = _srv_, ipa_server.my_domain.com ldap_tls_cacert = /etc/ipa/ca.crt debug_level = 6 And the nsswitch.conf file: passwd: files sss shadow: files sss group: files sss hosts: files dns bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files rpc:files services: files netgroup: files sss publickey: nisplus automount: files ldap aliases:files sudoers:files ldap Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2 -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal Sent: Tuesday, July 16, 2013 12:51 PM To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] sudo rules user and host group bugs? On 07/16/2013 02:11 PM, Tovey, Mark wrote: My environment consists of OEL 5.5 clients with ipa-client-2.1.3 and the server is OEL 6.4 with ipa-server-3.0.0. We chose these because we were able to find RPM packages for them. We would prefer to go with the latest versions, but we did not want to spend the time building installation packages just yet. Again, we are just evaluating at this point. So far, so good, except for this one point. The doman name, host name, and nsswitch.conf files are all properly configured. But I do not have any netgroups defined (the getent command doesn't return anything and there is no /etc/netgroup file). After you asked about that, I started looking into the documentation on netgroups. The IPA documentation for sudo states that Identity Management creates two groups, a visible host group and a shadow netgroup. sudo itself only supports NIS-style netgroups for group formats. But when I look in the Netgroups area, I do not see any netgroups defined. I used Apache Directory Studio to look around the Directory Server, and I can see cn=hgroup1,cn=ng,cn=alt,dc=my_domain,dc=com, along with cn=hgroup1,cn=hostgroups,cn=accounts,dc=my_domain,dc=com. This seems to reflect what was stated in the documentation. But I am still stumped. I cannot get sudo to work with host groups; I have to directly add each server to the sudo rule. Thanks, -Mark So can it seems that the first thing you need to to do is to make sure your netgroups work. If domain and host are properly set then it might be the wrong base in your LDAP search for the netgroups. Are you using SSSD for netgroups or something else? Can you please share your sssd.conf and area where it configures netgroups? Also is sss in the nsswitch.conf for netgroups map? Mark Tovey - UNIX Engineer | Service Strategy Design UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2 -Original Message- From: Martin Kosek [mailto:mko...@redhat.com] Sent: Tuesday, July 16, 2013 12:34 AM To: Tovey, Mark Cc: Steven Jones; James Hogarth; Freeipa-users@redhat.com; Pavel Brezina Subject: Re: [Freeipa-users] sudo rules user and host group bugs? Just checking, did you try troubleshooting hints from JR I found at the top of the thread? I did not find an information about that. Can you confirm that the output of the following commands: 1. $ domainname * does it match your domain? 2. $ hostname * does match match your fqdn? 3. $ getent netgroup esolutions-sandbox-hosts * does this list your host? 4. Does /etc/nsswitch.conf contain the line: netgroup: files sss? Another important Sudo Troubleshooting step is to edit: /etc/sudo-ldap.conf (or /etc/ldap.conf, depending on what version of RHEL/Sudo you're running): At the top, add the line: sudoers_debug 2 Then try another sudo command. sudo -l for example. For example, it would help to know that netgroup list (step 3) works or domainname is set correctly (step 1). Martin On 07/16/2013 06:09 AM, Tovey, Mark wrote: Okay, I stopped sssd on the client and deleted the cache files, removed the sudo rule, started sssd and verified that the rule was gone, stopped sssd and deleted the files again, added the rule back in, restarted sssd, and still it does not work. One note, when I enter the hosts into the sudo
Re: [Freeipa-users] Limit password synchronization from Active Directory
Ouch! The AD admins have already expressed an unwillingness to move some users into a separate container. And I don't want to have several thousand unnecessary entries in my IPA system. It looks like password synchronization is not going to be an option. Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTihttp://www.go2uti.com/ | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.commailto:mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2 From: Rich Megginson [mailto:rmegg...@redhat.com] Sent: Tuesday, July 16, 2013 1:00 PM To: Tovey, Mark Cc: Freeipa-users@redhat.com Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory On 07/16/2013 01:48 PM, Tovey, Mark wrote: Is there a way to limit what user accounts are synchronized from Active Directory? There are around 15,000 entries in our production AD system, but probably only about 300 of those need to have an account in the IPA system. Can we set an attribute in the user information in AD that would flag that this is a candidate for replication, and lack of that attribute would cause an account to be skipped? No. The only thing you can do is create a special container (cn=IPA users or ou=IPA users or something like that), move the users you want to sync into that container, and sync only that container. Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTihttp://www.go2uti.com/ | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.commailto:mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2 ___ Freeipa-users mailing list Freeipa-users@redhat.commailto:Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Limit password synchronization from Active Directory
At the end of the day, all we really need is password and preferably account disabling synchronized. The rest is not absolutely necessary. I saw that part of the documentation, but did not fully understand it (in a hurry!). Now that I see it in a different light, it becomes much clearer. I will look into this. Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTihttp://www.go2uti.com/ | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.commailto:mto...@go2uti.com | O / C +1 503 953-1389 From: Rich Megginson [mailto:rmegg...@redhat.com] Sent: Tuesday, July 16, 2013 3:17 PM To: Tovey, Mark Cc: Freeipa-users@redhat.com Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory On 07/16/2013 04:06 PM, Tovey, Mark wrote: Ouch! The AD admins have already expressed an unwillingness to move some users into a separate container. And I don't want to have several thousand unnecessary entries in my IPA system. It looks like password synchronization is not going to be an option. With 389 it is possible to disable sync of AD user creation to DS. https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html 12.4.4.2. Configuring User Sync in the Command Line To disable user sync, set nsds7NewWinUserSyncEnabled: off Then, you will add the ntUser objectclass to each IPA user you want to sync, and at the same time add the attribute ntUserDomainID: username (corresponds to the AD user samAccountName attribute). This will link the IPA user entry to the corresponding AD user entry. You mention password sync and user sync - I'm not sure if you mean them separately, or if you are implying that they have to be used together - they do not. You should be able to install PassSync on your domain controllers _without configuring a winsync agreement in IPA_. PassSync should then just ignore password changes for users that it cannot find in IPA. Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTihttp://www.go2uti.com/ | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.commailto:mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2 From: Rich Megginson [mailto:rmegg...@redhat.com] Sent: Tuesday, July 16, 2013 1:00 PM To: Tovey, Mark Cc: Freeipa-users@redhat.commailto:Freeipa-users@redhat.com Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory On 07/16/2013 01:48 PM, Tovey, Mark wrote: Is there a way to limit what user accounts are synchronized from Active Directory? There are around 15,000 entries in our production AD system, but probably only about 300 of those need to have an account in the IPA system. Can we set an attribute in the user information in AD that would flag that this is a candidate for replication, and lack of that attribute would cause an account to be skipped? No. The only thing you can do is create a special container (cn=IPA users or ou=IPA users or something like that), move the users you want to sync into that container, and sync only that container. Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTihttp://www.go2uti.com/ | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.commailto:mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2 ___ Freeipa-users mailing list Freeipa-users@redhat.commailto:Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Limit password synchronization from Active Directory
We can live with that. We want to be able to disable an account in AD and have that flow out to our *nix servers. If we make the procedure to delete the password in AD, that should effectively disable the account in IPA as well. Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTihttp://www.go2uti.com/ | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.commailto:mto...@go2uti.com | O / C +1 503 953-1389 From: Rich Megginson [mailto:rmegg...@redhat.com] Sent: Tuesday, July 16, 2013 3:53 PM To: Tovey, Mark Cc: Freeipa-users@redhat.com Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory On 07/16/2013 04:50 PM, Tovey, Mark wrote: At the end of the day, all we really need is password You can do this with just PassSync on AD and without the rest of winsync. and preferably account disabling synchronized. You have to use winsync for that. The rest is not absolutely necessary. I saw that part of the documentation, but did not fully understand it (in a hurry!). Now that I see it in a different light, it becomes much clearer. I will look into this. Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTihttp://www.go2uti.com/ | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.commailto:mto...@go2uti.com | O / C +1 503 953-1389 From: Rich Megginson [mailto:rmegg...@redhat.com] Sent: Tuesday, July 16, 2013 3:17 PM To: Tovey, Mark Cc: Freeipa-users@redhat.commailto:Freeipa-users@redhat.com Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory On 07/16/2013 04:06 PM, Tovey, Mark wrote: Ouch! The AD admins have already expressed an unwillingness to move some users into a separate container. And I don't want to have several thousand unnecessary entries in my IPA system. It looks like password synchronization is not going to be an option. With 389 it is possible to disable sync of AD user creation to DS. https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html 12.4.4.2. Configuring User Sync in the Command Line To disable user sync, set nsds7NewWinUserSyncEnabled: off Then, you will add the ntUser objectclass to each IPA user you want to sync, and at the same time add the attribute ntUserDomainID: username (corresponds to the AD user samAccountName attribute). This will link the IPA user entry to the corresponding AD user entry. You mention password sync and user sync - I'm not sure if you mean them separately, or if you are implying that they have to be used together - they do not. You should be able to install PassSync on your domain controllers _without configuring a winsync agreement in IPA_. PassSync should then just ignore password changes for users that it cannot find in IPA. Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTihttp://www.go2uti.com/ | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.commailto:mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2 From: Rich Megginson [mailto:rmegg...@redhat.com] Sent: Tuesday, July 16, 2013 1:00 PM To: Tovey, Mark Cc: Freeipa-users@redhat.commailto:Freeipa-users@redhat.com Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory On 07/16/2013 01:48 PM, Tovey, Mark wrote: Is there a way to limit what user accounts are synchronized from Active Directory? There are around 15,000 entries in our production AD system, but probably only about 300 of those need to have an account in the IPA system. Can we set an attribute in the user information in AD that would flag that this is a candidate for replication, and lack of that attribute would cause an account to be skipped? No. The only thing you can do is create a special container (cn=IPA users or ou=IPA users or something like that), move the users you want to sync into that container, and sync only that container. Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTihttp://www.go2uti.com/ | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.commailto:mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2 ___ Freeipa-users mailing list Freeipa-users@redhat.commailto:Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Limit password synchronization from Active Directory
You make this difficult! :) But after explaining what we are trying to accomplish here to our AD Architect, he offered some flexibility with the subcontainer option. My users may have to live with two accounts in AD (one for everyday functions like email, the other for extra access like *nix), but that will allow our User Account Management team to enable, disable, and reset accounts from within one tool. Actual server access will still be managed by our Unix team through IPA. Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTihttp://www.go2uti.com/ | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.commailto:mto...@go2uti.com | O / C +1 503 953-1389 From: Rich Megginson [mailto:rmegg...@redhat.com] Sent: Tuesday, July 16, 2013 4:06 PM To: Tovey, Mark Cc: Freeipa-users@redhat.com Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory On 07/16/2013 05:00 PM, Tovey, Mark wrote: We can live with that. We want to be able to disable an account in AD and have that flow out to our *nix servers. If we make the procedure to delete the password in AD, that should effectively disable the account in IPA as well. I don't think PassSync will sync password deletion events. Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTihttp://www.go2uti.com/ | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.commailto:mto...@go2uti.com | O / C +1 503 953-1389 From: Rich Megginson [mailto:rmegg...@redhat.com] Sent: Tuesday, July 16, 2013 3:53 PM To: Tovey, Mark Cc: Freeipa-users@redhat.commailto:Freeipa-users@redhat.com Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory On 07/16/2013 04:50 PM, Tovey, Mark wrote: At the end of the day, all we really need is password You can do this with just PassSync on AD and without the rest of winsync. and preferably account disabling synchronized. You have to use winsync for that. The rest is not absolutely necessary. I saw that part of the documentation, but did not fully understand it (in a hurry!). Now that I see it in a different light, it becomes much clearer. I will look into this. Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTihttp://www.go2uti.com/ | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.commailto:mto...@go2uti.com | O / C +1 503 953-1389 From: Rich Megginson [mailto:rmegg...@redhat.com] Sent: Tuesday, July 16, 2013 3:17 PM To: Tovey, Mark Cc: Freeipa-users@redhat.commailto:Freeipa-users@redhat.com Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory On 07/16/2013 04:06 PM, Tovey, Mark wrote: Ouch! The AD admins have already expressed an unwillingness to move some users into a separate container. And I don't want to have several thousand unnecessary entries in my IPA system. It looks like password synchronization is not going to be an option. With 389 it is possible to disable sync of AD user creation to DS. https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html 12.4.4.2. Configuring User Sync in the Command Line To disable user sync, set nsds7NewWinUserSyncEnabled: off Then, you will add the ntUser objectclass to each IPA user you want to sync, and at the same time add the attribute ntUserDomainID: username (corresponds to the AD user samAccountName attribute). This will link the IPA user entry to the corresponding AD user entry. You mention password sync and user sync - I'm not sure if you mean them separately, or if you are implying that they have to be used together - they do not. You should be able to install PassSync on your domain controllers _without configuring a winsync agreement in IPA_. PassSync should then just ignore password changes for users that it cannot find in IPA. Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTihttp://www.go2uti.com/ | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.commailto:mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2 From: Rich Megginson [mailto:rmegg...@redhat.com] Sent: Tuesday, July 16, 2013 1:00 PM To: Tovey, Mark Cc: Freeipa-users@redhat.commailto:Freeipa-users@redhat.com Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory On 07/16/2013 01:48 PM, Tovey, Mark wrote: Is there a way to limit what user accounts are synchronized from Active Directory? There are around 15,000 entries in our production AD system
Re: [Freeipa-users] Limit password synchronization from Active Directory
Okay, I can see that I am just going to have to fire this up and play with it until I better understand what I can do and can't do. But it sounds like I have enough options available to me now that I can make something acceptable work. The first step is going to be to get the AD admins to set up the replication on their end. We probably should start with a subcontainer anyway just so that I don't end up with the entire AD system inadvertently being replicated over. Once we are familiar with it, then we can work out what the best configuration will be for how we want to operate. Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTihttp://www.go2uti.com/ | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.commailto:mto...@go2uti.com | O / C +1 503 953-1389 From: Rich Megginson [mailto:rmegg...@redhat.com] Sent: Tuesday, July 16, 2013 5:44 PM To: Tovey, Mark Cc: Freeipa-users@redhat.com Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory On 07/16/2013 05:33 PM, Tovey, Mark wrote: You make this difficult!:) But after explaining what we are trying to accomplish here to our AD Architect, he offered some flexibility with the subcontainer option. My users may have to live with two accounts in AD (one for everyday functions like email, the other for extra access like *nix), but that will allow our User Account Management team to enable, disable, and reset accounts from within one tool. Actual server access will still be managed by our Unix team through IPA. You can't just disable sync of AD user creation? And just add the sync attributes to the IPA entries you want to sync? Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTihttp://www.go2uti.com/ | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.commailto:mto...@go2uti.com | O / C +1 503 953-1389 From: Rich Megginson [mailto:rmegg...@redhat.com] Sent: Tuesday, July 16, 2013 4:06 PM To: Tovey, Mark Cc: Freeipa-users@redhat.commailto:Freeipa-users@redhat.com Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory On 07/16/2013 05:00 PM, Tovey, Mark wrote: We can live with that. We want to be able to disable an account in AD and have that flow out to our *nix servers. If we make the procedure to delete the password in AD, that should effectively disable the account in IPA as well. I don't think PassSync will sync password deletion events. Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTihttp://www.go2uti.com/ | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.commailto:mto...@go2uti.com | O / C +1 503 953-1389 From: Rich Megginson [mailto:rmegg...@redhat.com] Sent: Tuesday, July 16, 2013 3:53 PM To: Tovey, Mark Cc: Freeipa-users@redhat.commailto:Freeipa-users@redhat.com Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory On 07/16/2013 04:50 PM, Tovey, Mark wrote: At the end of the day, all we really need is password You can do this with just PassSync on AD and without the rest of winsync. and preferably account disabling synchronized. You have to use winsync for that. The rest is not absolutely necessary. I saw that part of the documentation, but did not fully understand it (in a hurry!). Now that I see it in a different light, it becomes much clearer. I will look into this. Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTihttp://www.go2uti.com/ | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.commailto:mto...@go2uti.com | O / C +1 503 953-1389 From: Rich Megginson [mailto:rmegg...@redhat.com] Sent: Tuesday, July 16, 2013 3:17 PM To: Tovey, Mark Cc: Freeipa-users@redhat.commailto:Freeipa-users@redhat.com Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory On 07/16/2013 04:06 PM, Tovey, Mark wrote: Ouch! The AD admins have already expressed an unwillingness to move some users into a separate container. And I don't want to have several thousand unnecessary entries in my IPA system. It looks like password synchronization is not going to be an option. With 389 it is possible to disable sync of AD user creation to DS. https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html 12.4.4.2. Configuring User Sync in the Command Line To disable user sync, set nsds7NewWinUserSyncEnabled: off Then, you will add the ntUser objectclass to each IPA user you want to sync, and at the same time
Re: [Freeipa-users] sudo rules user and host group bugs?
I checked that and it is set correctly: [user1@host1 ~]$ nisdomainname my_domain.com If I try to run a command with the hosts specified indirectly through a host group, it fails: [user1@host1 ~]$ sudo -i -u serv_account LDAP Config Summary === uri ldap://ipa_server.my_domain.com ldap_version 3 sudoers_base ou=SUDOers,dc=my_domain,dc=com binddn uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com bindpw ** bind_timelimit 5000 timelimit15 ssl start_tls tls_checkpeer(yes) tls_cacertfile /etc/ipa/ca.crt === sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com) sudo: ldap_set_option: debug - 0 sudo: ldap_set_option: ldap_version - 3 sudo: ldap_set_option: tls_checkpeer - 1 sudo: ldap_set_option: tls_cacertfile - /etc/ipa/ca.crt sudo: ldap_set_option: timelimit - 15 sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5) sudo: ldap_start_tls_s() ok sudo: ldap_sasl_bind_s() ok sudo: no default options found! sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))' sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com sudo: ldap sudoHost '+hgroup1' ... not sudo: ldap search 'sudoUser=+*' sudo: user_matches=1 sudo: host_matches=0 sudo: sudo_ldap_lookup(0)=0x40 [sudo] password for user1: Sorry, try again. [sudo] password for user1: sudo: 1 incorrect password attempt But if I remove the host group from the sudo rule and directly add the hosts that were in the host group, it works fine: snip sudo: ldap_start_tls_s() ok sudo: ldap_sasl_bind_s() ok sudo: no default options found! sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))' sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH! sudo: ldap sudoRunAsUser 'serv_account' ... MATCH! sudo: ldap sudoCommand 'ALL' ... MATCH! sudo: Command allowed sudo: user_matches=1 sudo: host_matches=1 sudo: sudo_ldap_lookup(0)=0x02 [sudo] password for user1: [serv_account@host1 ~]$ So something isn't lining up correctly with host groups in sudo rules somewhere. I just haven't been able to track it down. Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTihttp://www.go2uti.com/ | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.commailto:mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2 From: James Hogarth [mailto:james.hoga...@gmail.com] Sent: Monday, July 15, 2013 1:11 PM To: Tovey, Mark Subject: Re: [Freeipa-users] sudo rules user and host group bugs? Did anyone find a solution for this? I am having the same experience. Wow that was a mess... To use hostgroups for sudo ensure nisdomainname is set on the hosts to the IPA domain. ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] sudo rules user and host group bugs?
That didn't work either. I set up the host group in my sudo rule, stopped sssd, renamed /var/lib/sss/db and created a new db directory, then restarted sssd. New files were created in the db directory, but it still refuses to work unless the hosts are directly specified in the sudo rule. Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTihttp://www.go2uti.com/ | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.commailto:mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2 From: Steven Jones [mailto:steven.jo...@vuw.ac.nz] Sent: Monday, July 15, 2013 4:15 PM To: Tovey, Mark; James Hogarth Cc: Freeipa-users@redhat.com Subject: RE: [Freeipa-users] sudo rules user and host group bugs? Hi, This is a known issue Ive suffered a long time with. What would be interesting is adding another host to the host group could well work fine, that will really make you bang your head against the wall.. 2 possibilities, stop the sssd daemon on the problem host, delete its cache and start it, that might fix it. Otherwise best to, All RH support could come up with is delete the HBAC rule, sudo rule, user group and host group and re-do it, then it will probably work fine. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: freeipa-users-boun...@redhat.commailto:freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Tovey, Mark [mto...@go2uti.com] Sent: Tuesday, 16 July 2013 10:54 a.m. To: James Hogarth Cc: Freeipa-users@redhat.commailto:Freeipa-users@redhat.com Subject: Re: [Freeipa-users] sudo rules user and host group bugs? I checked that and it is set correctly: [user1@host1 ~]$ nisdomainname my_domain.com If I try to run a command with the hosts specified indirectly through a host group, it fails: [user1@host1 ~]$ sudo -i -u serv_account LDAP Config Summary === uri ldap://ipa_server.my_domain.com ldap_version 3 sudoers_base ou=SUDOers,dc=my_domain,dc=com binddn uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com bindpw ** bind_timelimit 5000 timelimit15 ssl start_tls tls_checkpeer(yes) tls_cacertfile /etc/ipa/ca.crt === sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com) sudo: ldap_set_option: debug - 0 sudo: ldap_set_option: ldap_version - 3 sudo: ldap_set_option: tls_checkpeer - 1 sudo: ldap_set_option: tls_cacertfile - /etc/ipa/ca.crt sudo: ldap_set_option: timelimit - 15 sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5) sudo: ldap_start_tls_s() ok sudo: ldap_sasl_bind_s() ok sudo: no default options found! sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))' sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com sudo: ldap sudoHost '+hgroup1' ... not sudo: ldap search 'sudoUser=+*' sudo: user_matches=1 sudo: host_matches=0 sudo: sudo_ldap_lookup(0)=0x40 [sudo] password for user1: Sorry, try again. [sudo] password for user1: sudo: 1 incorrect password attempt But if I remove the host group from the sudo rule and directly add the hosts that were in the host group, it works fine: snip sudo: ldap_start_tls_s() ok sudo: ldap_sasl_bind_s() ok sudo: no default options found! sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))' sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH! sudo: ldap sudoRunAsUser 'serv_account' ... MATCH! sudo: ldap sudoCommand 'ALL' ... MATCH! sudo: Command allowed sudo: user_matches=1 sudo: host_matches=1 sudo: sudo_ldap_lookup(0)=0x02 [sudo] password for user1: [serv_account@host1 ~]$ So something isn't lining up correctly with host groups in sudo rules somewhere. I just haven't been able to track it down. Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTihttp://www.go2uti.com/ | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.commailto:mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2 From: James Hogarth [mailto:james.hoga...@gmail.com] Sent: Monday, July 15, 2013 1:11 PM To: Tovey, Mark Subject: Re: [Freeipa-users] sudo rules user and host group bugs? Did anyone find a solution for this? I am having the same experience. Wow that was a mess... To use hostgroups for sudo ensure nisdomainname is set on the hosts to the IPA domain. ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] sudo rules user and host group bugs?
Okay, I stopped sssd on the client and deleted the cache files, removed the sudo rule, started sssd and verified that the rule was gone, stopped sssd and deleted the files again, added the rule back in, restarted sssd, and still it does not work. One note, when I enter the hosts into the sudo rule in place of the host group, the effect is immediate; I do not need to restart sssd. And the opposite is true too: if I put the host group back, the rule immediately stops working. I don't think the issue is cache related; it seems to be something else. The serv_account that we are accessing with the sudo rule is external. I wouldn't expect that to matter, but perhaps it does? I like your idea for the labels; they make sense. Right now we are just evaluating this to see if we want to go this route. So far we like it, but this could be a problem because we have a several hundred hosts that we need to manage. Having to enter each one individually will be problematic. Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTihttp://www.go2uti.com/ | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.commailto:mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2 From: Steven Jones [mailto:steven.jo...@vuw.ac.nz] Sent: Monday, July 15, 2013 4:44 PM To: Tovey, Mark; James Hogarth Cc: Freeipa-users@redhat.com Subject: RE: [Freeipa-users] sudo rules user and host group bugs? option b) delete the rule totally and redo it from scratch. I label rules like this, hb- for a hbac rule su- for a sudo rule sc- for a sudo command group ug- for a user group hg- for a host groups etc etc It makes the logic easier when you go into command line which I find easier to trace with than the gui at time. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: Tovey, Mark [mto...@go2uti.com] Sent: Tuesday, 16 July 2013 11:34 a.m. To: Steven Jones; James Hogarth Cc: Freeipa-users@redhat.commailto:Freeipa-users@redhat.com Subject: RE: [Freeipa-users] sudo rules user and host group bugs? That didn't work either. I set up the host group in my sudo rule, stopped sssd, renamed /var/lib/sss/db and created a new db directory, then restarted sssd. New files were created in the db directory, but it still refuses to work unless the hosts are directly specified in the sudo rule. Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy Design UTihttp://www.go2uti.com/ | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.commailto:mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2 From: Steven Jones [mailto:steven.jo...@vuw.ac.nz] Sent: Monday, July 15, 2013 4:15 PM To: Tovey, Mark; James Hogarth Cc: Freeipa-users@redhat.commailto:Freeipa-users@redhat.com Subject: RE: [Freeipa-users] sudo rules user and host group bugs? Hi, This is a known issue Ive suffered a long time with. What would be interesting is adding another host to the host group could well work fine, that will really make you bang your head against the wall.. 2 possibilities, stop the sssd daemon on the problem host, delete its cache and start it, that might fix it. Otherwise best to, All RH support could come up with is delete the HBAC rule, sudo rule, user group and host group and re-do it, then it will probably work fine. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: freeipa-users-boun...@redhat.commailto:freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Tovey, Mark [mto...@go2uti.com] Sent: Tuesday, 16 July 2013 10:54 a.m. To: James Hogarth Cc: Freeipa-users@redhat.commailto:Freeipa-users@redhat.com Subject: Re: [Freeipa-users] sudo rules user and host group bugs? I checked that and it is set correctly: [user1@host1 ~]$ nisdomainname my_domain.com If I try to run a command with the hosts specified indirectly through a host group, it fails: [user1@host1 ~]$ sudo -i -u serv_account LDAP Config Summary === uri ldap://ipa_server.my_domain.com ldap_version 3 sudoers_base ou=SUDOers,dc=my_domain,dc=com binddn uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com bindpw ** bind_timelimit 5000 timelimit15 ssl start_tls tls_checkpeer(yes) tls_cacertfile /etc/ipa/ca.crt === sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com) sudo: ldap_set_option: debug - 0 sudo: ldap_set_option: ldap_version - 3 sudo: ldap_set_option: tls_checkpeer - 1 sudo: ldap_set_option: tls_cacertfile - /etc/ipa/ca.crt sudo: ldap_set_option