Re: [Freeipa-users] Stuck getting sudo working with Ubuntu client

2015-05-08 Thread Andrew Sacamano
Thanks Timo,

And sorry I missed that. How's this?
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1453253

Thanks again,

Andrew

On Tue, May 5, 2015 at 2:43 PM, Timo Aaltonen tjaal...@ubuntu.com wrote:

 On 05.05.2015 23:27, Andrew Sacamano wrote:
  Thanks again Lukas and Timo,
 
  I'm very sorry it took so long for me to get to this - I got pulled into
  an urgent project at work and am just getting my head above water today.
 
  I've filed https://fedorahosted.org/sssd/ticket/2648

 err, the bug needs to be on launchpad, since that's where it belongs


  On Wed, Apr 22, 2015 at 1:16 AM, Timo Aaltonen tjaal...@ubuntu.com wrote:
 
  On 21.04.2015 22:45, Lukas Slebodnik wrote:
   On (20/04/15 17:54), Andrew Sacamano wrote:
   Thanks again, Lukas!
  
   I was wondering if the overlaps of names were a problem, so I
  redid parts of
   my IPA setup to rename them - thanks for pointing out the ticket!
  
   Also, your suggestion to use ldap_group_object_class =
  ipaUserGroup worked
   - which saves me the trouble of tracking that down in six months
  when my
   IPA domain grows and the performance issues associated with
  enumerate begin
   to manifest.
  
   Many thanks - you are extraordinarily helpful. My colleagues and
  I are
   quite grateful for all your advice!
  
   You are welcome,
   I'm glad I could help.
  
   You can file a ticket to backport the patch for ticket #2471 in your
  distribution.
 
  Please do, I've pulled the patch in git but need a bug# for SRU:
 
  https://bugs.launchpad.net/ubuntu/+source/sssd/+filebug
 
 
  --
  t
 
 


 --
 t

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Stuck getting sudo working with Ubuntu client

2015-05-05 Thread Jakub Hrozek
On Tue, May 05, 2015 at 11:43:34PM +0300, Timo Aaltonen wrote:
 On 05.05.2015 23:27, Andrew Sacamano wrote:
  Thanks again Lukas and Timo,
  
  I'm very sorry it took so long for me to get to this - I got pulled into
  an urgent project at work and am just getting my head above water today.
  
  I've filed https://fedorahosted.org/sssd/ticket/2648
 
 err, the bug needs to be on launchpad, since that's where it belongs

Yep, I closed the upstream ticket and included a link to launchpad.



Re: [Freeipa-users] Stuck getting sudo working with Ubuntu client

2015-05-05 Thread Andrew Sacamano
Thanks again Lukas and Timo,

I'm very sorry it took so long for me to get to this - I got pulled into an
urgent project at work and am just getting my head above water today.

I've filed https://fedorahosted.org/sssd/ticket/2648

Many thanks again, and please let me know if there is anything I can do to
facilitate the process.

Cheers,

Andrew

On Wed, Apr 22, 2015 at 1:16 AM, Timo Aaltonen tjaal...@ubuntu.com wrote:

 On 21.04.2015 22:45, Lukas Slebodnik wrote:
  On (20/04/15 17:54), Andrew Sacamano wrote:
  Thanks again, Lukas!
 
  I was wondering if the overlaps of names were a problem, so I redid
 parts of
  my IPA setup to rename them - thanks for pointing out the ticket!
 
  Also, your suggestion to use ldap_group_object_class = ipaUserGroup
 worked
  - which saves me the trouble of tracking that down in six months when my
  IPA domain grows and the performance issues associated with enumerate
 begin
  to manifest.
 
  Many thanks - you are extraordinarily helpful. My colleagues and I are
  quite grateful for all your advice!
 
  You are welcome,
  I'm glad I could help.
 
  You can file a ticket to backport the patch for ticket #2471 in your
 distribution.

 Please do, I've pulled the patch in git but need a bug# for SRU:

 https://bugs.launchpad.net/ubuntu/+source/sssd/+filebug


 --
 t


Re: [Freeipa-users] Stuck getting sudo working with Ubuntu client

2015-04-22 Thread Timo Aaltonen
On 21.04.2015 22:45, Lukas Slebodnik wrote:
 On (20/04/15 17:54), Andrew Sacamano wrote:
 Thanks again, Lukas!

 I was wondering if the overlaps of names were a problem, so I redid parts of
 my IPA setup to rename them - thanks for pointing out the ticket!

 Also, your suggestion to use ldap_group_object_class = ipaUserGroup worked
 - which saves me the trouble of tracking that down in six months when my
 IPA domain grows and the performance issues associated with enumerate begin
 to manifest.

 Many thanks - you are extraordinarily helpful. My colleagues and I are
 quite grateful for all your advice!

 You are welcome,
 I'm glad I could help.
 
 You can file a ticket to backport the patch for ticket #2471 in your distribution.

Please do, I've pulled the patch in git but need a bug# for SRU:

https://bugs.launchpad.net/ubuntu/+source/sssd/+filebug


-- 
t



Re: [Freeipa-users] Stuck getting sudo working with Ubuntu client

2015-04-21 Thread Lukas Slebodnik
On (20/04/15 17:54), Andrew Sacamano wrote:
Thanks again, Lukas!

I was wondering if the overlaps of names were a problem, so I redid parts of
my IPA setup to rename them - thanks for pointing out the ticket!

Also, your suggestion to use ldap_group_object_class = ipaUserGroup worked
- which saves me the trouble of tracking that down in six months when my
IPA domain grows and the performance issues associated with enumerate begin
to manifest.

Many thanks - you are extraordinarily helpful. My colleagues and I are
quite grateful for all your advice!

You are welcome,
I'm glad I could help.

You can file a ticket to backport the patch for ticket #2471 in your distribution.

LS



Re: [Freeipa-users] Stuck getting sudo working with Ubuntu client

2015-04-20 Thread Andrew Sacamano
Thanks again, Lukas!

I was wondering if the overlaps of names were a problem, so I redid parts of
my IPA setup to rename them - thanks for pointing out the ticket!

Also, your suggestion to use ldap_group_object_class = ipaUserGroup worked
- which saves me the trouble of tracking that down in six months when my
IPA domain grows and the performance issues associated with enumerate begin
to manifest.

Many thanks - you are extraordinarily helpful. My colleagues and I are
quite grateful for all your advice!

Thanks again,

Andrew

On Mon, Apr 20, 2015 at 1:29 AM, Lukas Slebodnik lsleb...@redhat.com
wrote:

 On (19/04/15 12:51), Andrew Sacamano wrote:
 Thanks again Lukas,
 
 These turned out to be very helpful debugging suggestions, and were the
 critical part of getting the problem solved - the pointer to ldb-tools was
 extremely helpful in identifying where the issue was happening!
 
 With them, I was able to see the right sudo rules were being cached, and
 that the change from sudo working to sudo not working happened not because
 of the host, but because of the user, and in particular, the user being
 listed explicitly, or only as part of a group.  The user's groups were
 being listed in the user's entry in the cache, but not when running the
 id command.  Some quick googling, and I discovered that in Ubuntu 14.04,
 the sssd option enumerate defaults to false, which meant that the group
 memberships were not taking effect, which meant that sudo rules based on
 membership in a group weren't working. Setting enumerate to true got
 everything working.
 
 If you have a problem with id, it might be caused by
 https://fedorahosted.org/sssd/ticket/2471

 You can fix the bug by amending the configuration.
 put ldap_group_object_class = ipaUserGroup
 into domain section of sssd.conf

 It should work even with disabled enumeration.

 LS


Re: [Freeipa-users] Stuck getting sudo working with Ubuntu client

2015-04-20 Thread Lukas Slebodnik
On (19/04/15 12:51), Andrew Sacamano wrote:
Thanks again Lukas,

These turned out to be very helpful debugging suggestions, and were the
critical part of getting the problem solved - the pointer to ldb-tools was
extremely helpful in identifying where the issue was happening!

With them, I was able to see the right sudo rules were being cached, and
that the change from sudo working to sudo not working happened not because
of the host, but because of the user, and in particular, the user being
listed explicitly, or only as part of a group.  The user's groups were
being listed in the user's entry in the cache, but not when running the
id command.  Some quick googling, and I discovered that in Ubuntu 14.04,
the sssd option enumerate defaults to false, which meant that the group
memberships were not taking effect, which meant that sudo rules based on
membership in a group weren't working. Setting enumerate to true got
everything working.

If you have a problem with id, it might be caused by
https://fedorahosted.org/sssd/ticket/2471

You can fix the bug by amending the configuration.
put ldap_group_object_class = ipaUserGroup
into domain section of sssd.conf

It should work even with disabled enumeration.

LS



Re: [Freeipa-users] Stuck getting sudo working with Ubuntu client

2015-04-19 Thread Dmitri Pal

On 04/19/2015 02:51 PM, Andrew Sacamano wrote:

Thanks again Lukas,

These turned out to be very helpful debugging suggestions, and were 
the critical part of getting the problem solved - the pointer to 
ldb-tools was extremely helpful in identifying where the issue was 
happening!


With them, I was able to see the right sudo rules were being cached, 
and that the change from sudo working to sudo not working happened not 
because of the host, but because of the user, and in particular, the
user being listed explicitly, or only as part of a group.  The
user's groups were being listed in the user's entry in the cache, but 
not when running the id command.  Some quick googling, and I 
discovered that in Ubuntu 14.04, the sssd option enumerate defaults 
to false, which meant that the group memberships were not taking 
effect, which meant that sudo rules based on membership in a group 
weren't working. Setting enumerate to true got everything working.


Enumerate is generally discouraged.
The fact that enumeration helped means that something was not correct in 
the cache.

It seems it just masked the issue not solved it.



Many thanks again!

-Andrew





--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

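As an added example (not code from the thread or the sssd project) covering both Lukas's ldap_group_object_class workaround for ticket #2471 and Dmitri's point that enumeration only masks the problem, here is a small checker that audits a constructed sssd.conf; the domain name, the sample values and the services check are assumptions.

```python
"""Audit sssd.conf for the group-membership symptom discussed in this thread."""
import configparser

# Constructed sample resembling a fresh Ubuntu 14.04 client with Andrew's
# "enumerate = true" workaround applied and no group object class override.
BEFORE = """[sssd]
services = nss, pam, ssh
domains = example.test

[domain/example.test]
id_provider = ipa
auth_provider = ipa
sudo_provider = ipa
enumerate = true
"""

# Same client with the change Lukas recommended instead of enumeration.
AFTER = BEFORE.replace("enumerate = true",
                       "ldap_group_object_class = ipaUserGroup")
AFTER = AFTER.replace("services = nss, pam, ssh", "services = nss, pam, ssh, sudo")


def audit_sssd_conf(text):
    """Return (section, finding) tuples; an empty list means nothing to flag."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    # Assumption: an sssd release where the sudo responder must be listed
    # explicitly on the [sssd] services line.
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        findings.append(("sssd", "sudo responder is not listed in services"))
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "id_provider", fallback="") != "ipa":
            continue
        # Dmitri's point: enumeration masks a cache problem and is discouraged.
        if cp.getboolean(section, "enumerate", fallback=False):
            findings.append((section, "enumerate = true masks the problem; disable it"))
        # Lukas's workaround for sssd ticket #2471 on builds lacking the fix.
        if cp.get(section, "ldap_group_object_class", fallback="") != "ipaUserGroup":
            findings.append((section, "set ldap_group_object_class = ipaUserGroup"))
    return findings


if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_sssd_conf(conf) or "no findings")
```

Run it against the real /etc/sssd/sssd.conf by passing the file contents to audit_sssd_conf; the workaround line is only needed on sssd builds that lack the fix for ticket #2471.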

Re: [Freeipa-users] Stuck getting sudo working with Ubuntu client

2015-04-19 Thread Andrew Sacamano
Thanks again Lukas,

These turned out to be very helpful debugging suggestions, and were the
critical part of getting the problem solved - the pointer to ldb-tools was
extremely helpful in identifying where the issue was happening!

With them, I was able to see the right sudo rules were being cached, and
that the change from sudo working to sudo not working happened not because
of the host, but because of the user, and in particular, the user being
listed explicitly, or only as part of a group.  The user's groups were
being listed in the user's entry in the cache, but not when running the
id command.  Some quick googling, and I discovered that in Ubuntu 14.04,
the sssd option enumerate defaults to false, which meant that the group
memberships were not taking effect, which meant that sudo rules based on
membership in a group weren't working. Setting enumerate to true got
everything working.

Many thanks again!

-Andrew

Re: [Freeipa-users] Stuck getting sudo working with Ubuntu client

2015-04-17 Thread Lukas Slebodnik
On (17/04/15 11:32), Andrew Sacamano wrote:
Hi everyone,


I've spent a couple of days digging around the web, watching logs, and
poking things, and I'm stuck getting sudo working with IPA on a new box
I've just set up. I have had it working in the past on a test box, but
something about this box is blocking me, and I can't for the life of me
figure out what.


The basic symptom is that I can log into the Ubuntu box as an IPA user, but
sudo is always denied:


[root@security-core-1 log]# ssh dru@jenkins

dru@jenkins's password:

...

Could not chdir to home directory /home/dru: No such file or directory

dru@jenkins:/$ sudo -l

[sudo] password for dru:

Sorry, user dru may not run sudo on jenkins.


I've appended version output, config files, sample logs, and ipa config -
which I think is all of the relevant material, but I'll gladly share more
if it's needed.


Thanks so much in advance for any debugging advice, hints, or help!



I looked at the configuration files and they look good.

I have a few hints which might help you with troubleshooting:
* please ensure you have installed package sudo and not sudo-ldap.
  The second one is not built with sssd support.
* please read about sudo caching in sssd
  man sssd-sudo - THE SUDO RULE CACHING MECHANISM
* please test simple sudo rules first.
  (all hosts, one user instead of groups, ...)
* check whether sudo rules are cached by sssd (use ldb-tools)

If the previous hints do not help then you need to enable
debugging in sudo and analyse log file.
@see slide 18 in presentation[1]

LS

[1] http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf



Re: [Freeipa-users] Stuck getting sudo working with Ubuntu client

2015-04-17 Thread Andrew Sacamano
Thanks Lukas,

I'm very glad to have concrete debugging suggestions. I'll investigate as
you suggest and report back.

Thanks again,

Andrew

On Fri, Apr 17, 2015 at 2:28 PM, Lukas Slebodnik lsleb...@redhat.com
wrote:

 On (17/04/15 11:32), Andrew Sacamano wrote:
 Hi everyone,
 
 
 I've spent a couple of days digging around the web, watching logs, and
 poking things, and I'm stuck getting sudo working with IPA on a new box
 I've just set up. I have had it working in the past on a test box, but
 something about this box is blocking me, and I can't for the life of me
 figure out what.
 
 
 The basic symptom is that I can log into the Ubuntu box as an IPA user,
 but
 sudo is always denied:
 
 
 [root@security-core-1 log]# ssh dru@jenkins
 
 dru@jenkins's password:
 
 ...
 
 Could not chdir to home directory /home/dru: No such file or directory
 
 dru@jenkins:/$ sudo -l
 
 [sudo] password for dru:
 
 Sorry, user dru may not run sudo on jenkins.
 
 
 I've appended version output, config files, sample logs, and ipa config -
 which I think is all of the relevant material, but I'll gladly share more
 if it's needed.
 
 
 Thanks so much in advance for any debugging advice, hints, or help!
 
 

 I looked at the configuration files and they look good.

 I have a few hints which might help you with troubleshooting:
 * please ensure you have installed package sudo and not sudo-ldap.
   The second one is not built with sssd support.
 * please read about sudo caching in sssd
   man sssd-sudo - THE SUDO RULE CACHING MECHANISM
 * please test simple sudo rules first.
   (all hosts, one user instead of groups, ...)
 * check whether sudo rules are cached by sssd (use ldb-tools)

 If the previous hints do not help then you need to enable
 debugging in sudo and analyse log file.
 @see slide 18 in presentation[1]

 LS

 [1] http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
