Re: [Freeipa-users] Sudo issues with FreeIPA
Hi Lukas,

Does the LDAP entry need to be removed or just modified? Could the LDAP entry be a sudo policy assigned to the user?

In my tests with modified sudo policies the cache entries would persist even after they were invalidated and the user re-authenticated with the LDAP server. Unless I wanted to wait for a smart refresh of the cache I had to delete the entry from the cache with ldbdel and then restart the SSSD daemon. I wonder if there is a better way to refresh the cache on demand.

Thanks,
Dimitar

On Sat, Dec 21, 2013 at 3:28 PM, Lukas Slebodnik lsleb...@redhat.com wrote:
> On (20/12/13 18:42), Dimitar Georgievski wrote:
> > Hi Dmitri,
> > One follow-up question about the management of the SSSD local cache. I've tried to clean cache entries with the sss_cache utility, but it looks like this utility is not working. I was able to confirm with ldbsearch that records for specific entries were not removed from the cache. This seems to be a bug. I can use ldbdel with a restart of the SSSD daemon, but just wanted to confirm with you. I suspect you would know more about this problem. Unfortunately I wasn't able to find any info yet about this potential bug.
> > thanks
> > Dimitar
>
> sss_cache does not remove users from the cache (sss_cache -U). This utility sets the expiration of the account to the past (unix time with value 1), because the user needs to be able to authenticate offline. The entry will be removed from the cache if the user tries to authenticate online and the entry has been removed from LDAP.
>
> LS

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Sudo issues with FreeIPA
On (23/12/13 10:16), Dimitar Georgievski wrote:
> Hi Lukas,
> Does the LDAP entry need to be removed or just modified? Could the LDAP entry be a sudo policy assigned to the user?

Sudo rules are a special case; I didn't notice anything about sudo rules in the previous mail. There is a periodical task in sssd for refreshing sudo rules because of the current ldap schema.

> In my tests with modified sudo policies the cache entries would persist even after they were invalidated and the user re-authenticated with the LDAP server. Unless I wanted to wait for a smart refresh of the cache I had to delete the entry from the cache with ldbdel and then restart the SSSD daemon. I wonder if there is a better way to refresh the cache on demand.

sss_cache does not work with sudo rules. If you are testing something, you can manually remove the sssd cache (rm /var/lib/sss/db/cache_*.ldb). If you don't like the behaviour in production, you can decrease the interval of the refresh update.

man sssd-sudo - THE SUDO RULE CACHING MECHANISM
and for sudo configuration options:
man sssd-ldap - SUDO OPTIONS

LS
Re: [Freeipa-users] Sudo issues with FreeIPA
On (20/12/13 18:42), Dimitar Georgievski wrote:
> Hi Dmitri,
> One follow-up question about the management of the SSSD local cache. I've tried to clean cache entries with the sss_cache utility, but it looks like this utility is not working. I was able to confirm with ldbsearch that records for specific entries were not removed from the cache. This seems to be a bug. I can use ldbdel with a restart of the SSSD daemon, but just wanted to confirm with you. I suspect you would know more about this problem. Unfortunately I wasn't able to find any info yet about this potential bug.
> thanks
> Dimitar

sss_cache does not remove users from the cache (sss_cache -U). This utility sets the expiration of the account to the past (unix time with value 1), because the user needs to be able to authenticate offline. The entry will be removed from the cache if the user tries to authenticate online and the entry has been removed from LDAP.

LS
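As an added example (not part of this thread), a small POSIX shell helper that reads ldbsearch output from the SSSD cache and tells apart an entry that sss_cache has invalidated (dataExpireTimestamp rewritten to 1, as described above) from one that merely aged out or is still being served from cache. The LDIF sample is constructed; the sysdb DN layout and the attribute name dataExpireTimestamp are assumptions about the cache format of that SSSD generation.

```shell
#!/bin/sh
# Constructed sample of what
#   ldbsearch -H /var/lib/sss/db/cache_example.net.ldb '(objectClass=user)'
# might print; real records carry many more attributes.
SAMPLE_LDIF='# record 1
dn: name=jsmith,cn=users,cn=example.net,cn=sysdb
objectClass: user
name: jsmith
uidNumber: 1001
dataExpireTimestamp: 1

# record 2
dn: name=bob,cn=users,cn=example.net,cn=sysdb
objectClass: user
name: bob
uidNumber: 1002
dataExpireTimestamp: 1387700000

# record 3
dn: name=alice,cn=users,cn=example.net,cn=sysdb
objectClass: user
name: alice
uidNumber: 1003
dataExpireTimestamp: 1893456000

# returned 3 records
'

# Reads LDIF on stdin and prints "<name> invalidated|expired|valid" per record.
#   invalidated: dataExpireTimestamp == 1, i.e. what sss_cache -U writes;
#                the record is still present for offline authentication
#   expired:     timestamp in the past, normal entry_cache_timeout ageing
#   valid:       timestamp in the future; SSSD answers from cache without LDAP
# Optional first argument overrides "now" (unix time) for reproducible runs.
classify_cache_entries() {
    now=${1:-$(date +%s)}
    awk -v now="$now" '
        /^dn:/                  { name = ""; ts = "" }
        /^name:/                { name = $2 }
        /^dataExpireTimestamp:/ { ts = $2 }
        /^$/ && name != "" {
            if (ts + 0 == 1)            state = "invalidated"
            else if (ts + 0 < now + 0)  state = "expired"
            else                        state = "valid"
            print name, state; name = ""
        }'
}

# Stand-alone run against the sample with the clock fixed to 23 Dec 2013.
printf '%s' "$SAMPLE_LDIF" | classify_cache_entries 1387800000
```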
Re: [Freeipa-users] Sudo issues with FreeIPA
Hi Dmitri,

One follow-up question about the management of the SSSD local cache. I've tried to clean cache entries with the sss_cache utility, but it looks like this utility is not working. I was able to confirm with ldbsearch that records for specific entries were not removed from the cache. This seems to be a bug. I can use ldbdel with a restart of the SSSD daemon, but just wanted to confirm with you. I suspect you would know more about this problem. Unfortunately I wasn't able to find any info yet about this potential bug.

thanks
Dimitar

On Tue, Dec 17, 2013 at 10:40 PM, Dimitar Georgievski mitk...@gmail.com wrote:
> Thanks Dmitri. Those settings for ldap in sssd.conf fixed the issue.
>
> Dimitar
>
> On Tue, Dec 17, 2013 at 6:47 PM, Dmitri Pal d...@redhat.com wrote:
> > On 12/17/2013 06:34 PM, Dimitar Georgievski wrote:
> > > Hi,
> > > I am running FreeIPA 3.3.3 on CentOS 6.5. Everything works fine except that I have a problem enforcing sudo policies on the hosts that are part of the managed domain. When trying to run the following simple command as a user managed by FreeIPA I got the following response:
> > >
> > >     sudo /usr/bin/vim test.txt
> > >     jsmith is not allowed to run sudo on myhost. This incident will be reported.
> > >
> > > I might have missed something in the configuration of the server or SSSD on the client host. Is there any guideline for sudo integration with FreeIPA?
> > >
> > > The following is the SSSD configuration on the client host:
> > >
> > >     [domain/example.net]
> > >     cache_credentials = True
> > >     krb5_store_password_if_offline = True
> > >     ipa_domain = example.net
> > >     id_provider = ipa
> > >     auth_provider = ipa
> > >     access_provider = ipa
> > >     sudo_provider = ldap
> > >     ldap_tls_cacert = /etc/ipa/ca.crt
> > >     ipa_hostname = ipaserver.example.net
> > >     chpass_provider = ipa
> > >     ipa_server = _srv_
> > >     ipa_backup_server = replica.example.net
> > >     dns_discovery_domain = example.net
> > >
> > >     [sssd]
> > >     services = nss, pam, ssh, sudo
> > >     config_file_version = 2
> > >     domains = example.net
> > >
> > >     [nss]
> > >     [pam]
> > >     [sudo]
> > >     debug_level = 0x3ff0
> > >     [autofs]
> > >     [ssh]
> > >     [pac]
> > >
> > > Thanks,
> > > Dimitar
> >
> > http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
> >
> > --
> > Thank you,
> > Dmitri Pal
> >
> > Sr. Engineering Manager for IdM portfolio
> > Red Hat Inc.
> >
> > ---
> > Looking to carve out IT costs?
> > www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Sudo issues with FreeIPA
Thanks Dmitri. Those settings for ldap in sssd.conf fixed the issue.

Dimitar

On Tue, Dec 17, 2013 at 6:47 PM, Dmitri Pal d...@redhat.com wrote:
> On 12/17/2013 06:34 PM, Dimitar Georgievski wrote:
> > Hi,
> > I am running FreeIPA 3.3.3 on CentOS 6.5. Everything works fine except that I have a problem enforcing sudo policies on the hosts that are part of the managed domain. When trying to run the following simple command as a user managed by FreeIPA I got the following response:
> >
> >     sudo /usr/bin/vim test.txt
> >     jsmith is not allowed to run sudo on myhost. This incident will be reported.
> >
> > I might have missed something in the configuration of the server or SSSD on the client host. Is there any guideline for sudo integration with FreeIPA?
> >
> > The following is the SSSD configuration on the client host:
> >
> >     [domain/example.net]
> >     cache_credentials = True
> >     krb5_store_password_if_offline = True
> >     ipa_domain = example.net
> >     id_provider = ipa
> >     auth_provider = ipa
> >     access_provider = ipa
> >     sudo_provider = ldap
> >     ldap_tls_cacert = /etc/ipa/ca.crt
> >     ipa_hostname = ipaserver.example.net
> >     chpass_provider = ipa
> >     ipa_server = _srv_
> >     ipa_backup_server = replica.example.net
> >     dns_discovery_domain = example.net
> >
> >     [sssd]
> >     services = nss, pam, ssh, sudo
> >     config_file_version = 2
> >     domains = example.net
> >
> >     [nss]
> >     [pam]
> >     [sudo]
> >     debug_level = 0x3ff0
> >     [autofs]
> >     [ssh]
> >     [pac]
> >
> > Thanks,
> > Dimitar
>
> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.