Re: [Freeipa-users] sudo hostgroup sanity check, please?
Further information: I do have:

ldap_netgroup_search_base = cn=ng,cn=compat,dc=validdomain,dc=com

in /etc/sssd/sssd.conf. Is cn=ng,cn=compat correct?

--Jason

On Tue, Jul 10, 2012 at 2:15 PM, KodaK sako...@gmail.com wrote:
> I'm running IPA 2.2.0 on RHEL6
>
> Server:
> [root@validserver ~]# rpm -qa | grep ipa
> ipa-client-2.2.0-16.el6.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> libipa_hbac-python-1.8.0-32.el6.x86_64
> ipa-python-2.2.0-16.el6.x86_64
> ipa-server-2.2.0-16.el6.x86_64
> ipa-server-selinux-2.2.0-16.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> python-iniparse-0.3.1-2.1.el6.noarch
> libipa_hbac-1.8.0-32.el6.x86_64
> ipa-admintools-2.2.0-16.el6.x86_64
>
> Client:
> [root@validhost ~]# rpm -qa | grep ipa
> ipa-client-2.2.0-16.el6.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> libipa_hbac-python-1.8.0-32.el6.x86_64
> ipa-python-2.2.0-16.el6.x86_64
> ipa-server-2.2.0-16.el6.x86_64
> ipa-server-selinux-2.2.0-16.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> python-iniparse-0.3.1-2.1.el6.noarch
> libipa_hbac-1.8.0-32.el6.x86_64
> ipa-admintools-2.2.0-16.el6.x86_64
>
> My sudo-ldap.conf file:
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com
> bindpw validpassword
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
> bind_timelimit 5
> timelimit 15
> uri ldap://validserver ldap://validserver2
> sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com
>
> What I'm trying to do: I have a group of users that I'd like to have restart apache on a group of hosts.
>
> What I've done: created a user group, created a group of hosts (in a grouplist.) I can successfully run sudo in any configuration, *except* when using a host group. When I try I get:
>
> Sorry, user validuser is not allowed to execute '/etc/rc.d/init.d/httpd status' as root on validhost1.fqdn.com.
>
> I can edit the same rule, change the host group (that only contains two hosts) and specify the two hosts directly and it works fine.
>
> Can someone else just try this and see if I've hit a bug? I'm certain I couldn't have messed up creating the host group, but I suppose it's possible. I get the same behavior when I try a simple /bin/cat command through sudo, too.
>
> Is there a special config for using host groups? I suspect I may have missed some obvious documentation.
>
> --
> The government is going to read our mail anyway, might as well make it tough for them.
> GPG Public key ID: B6A1A7C6

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] sudo hostgroup sanity check, please?
On 07/10/2012 03:15 PM, KodaK wrote:
> I'm running IPA 2.2.0 on RHEL6
> [...]
> I can successfully run sudo in any configuration, *except* when using a host group. When I try I get:
>
> Sorry, user validuser is not allowed to execute '/etc/rc.d/init.d/httpd status' as root on validhost1.fqdn.com.
>
> I can edit the same rule, change the host group (that only contains two hosts) and specify the two hosts directly and it works fine.
> [...]
> Is there a special config for using host groups? I suspect I may have missed some obvious documentation.

What do your SUDO entries look like?

Do you see the host netgroup coming over to the system when you enumerate netgroups? Does it have the two hosts you mentioned?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] sudo hostgroup sanity check, please?
On Jul 10, 2012, at 12:28 PM, KodaK wrote:
> Further information: I do have:
>
> ldap_netgroup_search_base = cn=ng,cn=compat,dc=validdomain,dc=com

Go ahead and remove this line. Previous legacy versions of sssd required it. I believe it just gets in the way now.

You also want to run:

$ domainname

Make sure it comes back with your domain; if not, please set your domainname. (/etc/rc.local is currently the place recommended to set this value.)

Netgroups will come back as a tuple like:

(testhost.domain.com, -, domain.com)

Sudo will do the netgroup lookup and wants to see that the hostname matches the hostname of the server, and that the domain also matches. You can double-check this by doing:

getent netgroup hostgroup-name

It should return a tuple like the one above.

If you are still having difficulty, you can add

sudoers_debug 2

in your /etc/sudo-ldap.conf file, then re-run your sudo command. It should show the various tests it performs and the output of the FreeIPA server. It wants to match user, host, and command.

> in /etc/sssd/sssd.conf. Is cn=ng,cn=compat correct?
>
> --Jason
>
> On Tue, Jul 10, 2012 at 2:15 PM, KodaK sako...@gmail.com wrote:
>> I'm running IPA 2.2.0 on RHEL6
>> [...]
>> Is there a special config for using host groups? I suspect I may have missed some obvious documentation.
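The checks the reply above walks through, written out as an added shell example that is not from the thread or from the FreeIPA project: it splits a getent netgroup line into its (host,user,domain) triples, tests whether one of them names this host and this NIS domain the way the reply says sudo expects, recognises the "(none)" that domainname prints when no domain is set, and appends sudoers_debug 2 to a sudo-ldap.conf unless it is already there. The netgroup name webhosts, the host names and domains under fqdn.com, and the config path handed to enable_sudoers_debug are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: the netgroup and domain checks the
# reply above describes, as shell functions over constructed sample data.
# On a client you would feed them live values:
#   check_netgroup_membership "$(getent netgroup hostgroup-name)" "$(hostname -f)" "$(domainname)"
# The netgroup name "webhosts" and the hosts/domains below are constructed.

# Constructed stand-in for `getent netgroup webhosts` output.
SAMPLE_NETGROUP='webhosts (validhost1.fqdn.com,-,fqdn.com) (validhost2.fqdn.com,-,fqdn.com)'
# Same, with an empty domain field, which netgroup semantics treat as a wildcard.
SAMPLE_NETGROUP_WILDCARD='webhosts (validhost1.fqdn.com,-,)'

# Print each (host,user,domain) triple of a getent netgroup line as
# "host,user,domain", one per line. Blanks inside the parentheses are
# tolerated, so the spaced form quoted in the reply parses too.
netgroup_triples() {
    printf '%s\n' "$1" | tr -d ' \t' | tr ')' '\n' | sed -n 's/^.*(//p'
}

# `domainname` prints "(none)" when no NIS domain is set; sudo then has no
# domain of its own to compare against the triple's third field.
nis_domain_is_set() {
    [ -n "$1" ] && [ "$1" != "(none)" ]
}

# 0 when some triple names this host and this domain (an empty domain field
# matches anything, "-" never matches), 1 otherwise.
#   $1 getent netgroup line, $2 this host's FQDN, $3 this host's NIS domain
check_netgroup_membership() {
    ng_line=$1; my_host=$2; my_domain=$3
    found=1
    for triple in $(netgroup_triples "$ng_line"); do
        t_host=${triple%%,*}
        t_domain=${triple##*,}
        if [ "$t_host" = "$my_host" ]; then
            if [ -z "$t_domain" ] || [ "$t_domain" = "$my_domain" ]; then
                found=0
            fi
        fi
    done
    return $found
}

# Append "sudoers_debug 2" to the sudo-ldap.conf given as $1 unless a
# sudoers_debug line is already present; the next sudo run then logs the
# user, host and command matching it performs.
enable_sudoers_debug() {
    grep -q '^sudoers_debug' "$1" || printf 'sudoers_debug 2\n' >> "$1"
}

# Demo over the constructed data.
echo "triples in sample netgroup:"
netgroup_triples "$SAMPLE_NETGROUP"
if check_netgroup_membership "$SAMPLE_NETGROUP" validhost1.fqdn.com fqdn.com; then
    echo "validhost1.fqdn.com in domain fqdn.com: matched"
fi
if ! check_netgroup_membership "$SAMPLE_NETGROUP" validhost1 fqdn.com; then
    echo "short name validhost1: no match, the triple carries the FQDN"
fi
if ! check_netgroup_membership "$SAMPLE_NETGROUP" validhost1.fqdn.com other.com; then
    echo "domain other.com: no match, domainname must agree with the triple"
fi
```

The membership check is deliberately strict in the way the reply describes: both the host field and the domain field have to agree with what the client reports, so a short hostname or an unset or differing NIS domain shows up as a miss before you go looking at the sudo rule itself.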
Re: [Freeipa-users] sudo hostgroup sanity check, please?
On Tue, Jul 10, 2012 at 02:15:41PM -0500, KodaK wrote:
[snip]
> My sudo-ldap.conf file:
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com
> bindpw validpassword
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
> bind_timelimit 5
> timelimit 15
> uri ldap://validserver ldap://validserver2

This may be unrelated, but keep in mind that these should be FQDNs, because that's what the directory server SSL certificates have in them, and a client will check that the name in the certificate the server uses to identify itself matches the name that the client thinks the server has, which the client derives from the URI values given here.

> sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com

Assuming your domain name is UNIX.MAGELLANHEALTH.COM and you haven't changed the configuration for the Schema Compatibility plugin, this looks correct. If your domain name is something else, you'll need to change this setting to ou=SUDOers,$basedn, where basedn is the value listed in your server's /etc/ipa/default.conf file.

HTH,

Nalin
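Nalin's two points as static checks on the config text, as an added shell example that is not from the thread or from the FreeIPA project: one lists every host in the uri line that is not fully qualified (with tls_checkpeer yes such a name cannot match what the directory server's certificate says), the other derives ou=SUDOers,$basedn from the basedn line of /etc/ipa/default.conf and compares it with the configured sudoers_base. The sudo-ldap.conf text is copied from the thread; the FQDNs under validdomain.com and both default.conf fragments are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: two static checks on
# /etc/sudo-ldap.conf that follow Nalin's reply, run here over constructed
# file contents that mirror the config quoted in the thread. On a client:
#   non_fqdn_uri_hosts "$(cat /etc/sudo-ldap.conf)"
#   sudoers_base_matches "$(cat /etc/sudo-ldap.conf)" "$(cat /etc/ipa/default.conf)"
# The FQDNs under validdomain.com and the default.conf contents are constructed.

# Copy of the sudo-ldap.conf from the thread (short URI hostnames).
SAMPLE_SUDO_LDAP_CONF='binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com
bindpw validpassword
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
uri ldap://validserver ldap://validserver2
sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com'

# Same file with the URIs as (constructed) FQDNs, which is what tls_checkpeer can verify.
FIXED_SUDO_LDAP_CONF=$(printf '%s\n' "$SAMPLE_SUDO_LDAP_CONF" \
    | sed 's#^uri .*#uri ldap://validserver.validdomain.com ldap://validserver2.validdomain.com#')

# Constructed /etc/ipa/default.conf fragments: one whose basedn matches the
# sudoers_base above, one for a different realm.
SAMPLE_DEFAULT_CONF='[global]
realm = UNIX.MAGELLANHEALTH.COM
basedn = dc=unix,dc=magellanhealth,dc=com'
OTHER_DEFAULT_CONF='[global]
realm = VALIDDOMAIN.COM
basedn = dc=validdomain,dc=com'

# Print the host part of every ldap:// or ldaps:// URI on the "uri" line(s),
# dropping any :port or trailing path.
uri_hosts() {
    printf '%s\n' "$1" | awk '$1 == "uri" { for (i = 2; i <= NF; i++) print $i }' \
        | sed 's#^ldaps*://##; s#[:/].*$##'
}

# Print every URI host that is not fully qualified (contains no dot). With
# tls_checkpeer yes such a name cannot match the directory server's
# certificate, so the bind fails before any sudoers lookup happens.
non_fqdn_uri_hosts() {
    uri_hosts "$1" | grep -v '\.' || true
}

# Derive ou=SUDOers,$basedn from the basedn line of /etc/ipa/default.conf.
# Returns 1 and prints nothing when the text has no basedn line.
expected_sudoers_base() {
    basedn=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*basedn[[:space:]]*=[[:space:]]*//p' | head -n 1)
    [ -n "$basedn" ] || return 1
    printf 'ou=SUDOers,%s\n' "$basedn"
}

# Print the sudoers_base currently set in sudo-ldap.conf text.
configured_sudoers_base() {
    printf '%s\n' "$1" | awk '$1 == "sudoers_base" { print $2; exit }'
}

# 0 when sudo-ldap.conf ($1) points at the base that default.conf ($2) implies,
# 1 on a mismatch or when default.conf yields no basedn at all.
sudoers_base_matches() {
    expected=$(expected_sudoers_base "$2") || return 1
    [ "$(configured_sudoers_base "$1")" = "$expected" ]
}

# Demo over the constructed data.
echo "URI hosts that are not FQDNs in the thread's config:"
non_fqdn_uri_hosts "$SAMPLE_SUDO_LDAP_CONF"
echo "after switching to FQDNs: [$(non_fqdn_uri_hosts "$FIXED_SUDO_LDAP_CONF")]"
echo "sudoers_base implied by default.conf: $(expected_sudoers_base "$SAMPLE_DEFAULT_CONF")"
if sudoers_base_matches "$SAMPLE_SUDO_LDAP_CONF" "$OTHER_DEFAULT_CONF"; then
    echo "sudoers_base matches the other realm's basedn"
else
    echo "sudoers_base does not match the other realm's basedn: sudo-ldap.conf would need ou=SUDOers,\$basedn"
fi
```

Both checks only read text, so they can be run against copies of the files pulled from a client without touching the live configuration; the basedn comparison is the one to repeat after any change of realm or of the Schema Compatibility plugin's base.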