Re: [Freeipa-users] Stuck getting sudo working with Ubuntu client
Thanks Timo,

And sorry I missed that. How's this?
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1453253

Thanks again,
Andrew

On Tue, May 5, 2015 at 2:43 PM, Timo Aaltonen tjaal...@ubuntu.com wrote:
> On 05.05.2015 23:27, Andrew Sacamano wrote:
>> Thanks again Lukas and Timo,
>>
>> I'm very sorry it took so long for me to get to this - I got pulled into an urgent project at work and am just getting my head above water today.
>>
>> I've filed https://fedorahosted.org/sssd/ticket/2648
>
> err, the bug needs to be on launchpad, since that's where it belongs
>
>> On Wed, Apr 22, 2015 at 1:16 AM, Timo Aaltonen tjaal...@ubuntu.com wrote:
>>> On 21.04.2015 22:45, Lukas Slebodnik wrote:
>>>> On (20/04/15 17:54), Andrew Sacamano wrote:
>>>>> Thanks again, Lukas!
>>>>>
>>>>> I was wondering if the overlaps of names were a problem, so I redid parts of my IPA setup to rename them - thanks for pointing out the ticket!
>>>>>
>>>>> Also, your suggestion to use ldap_group_object_class = ipaUserGroup worked - which saves me the trouble of tracking that down in six months when my IPA domain grows and the performance issues associated with enumerate begin to manifest.
>>>>>
>>>>> Many thanks - you are extraordinarily helpful. My colleagues and I are quite grateful for all your advice!
>>>>
>>>> You are welcome, I'm glad I could help.
>>>> You can file a ticket to backport the patch for ticket #2471 in your distribution.
>>>
>>> Please do, I've pulled the patch in git but need a bug# for SRU:
>>> https://bugs.launchpad.net/ubuntu/+source/sssd/+filebug
>>>
>>> --
>>> t
>
> --
> t

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Stuck getting sudo working with Ubuntu client
On Tue, May 05, 2015 at 11:43:34PM +0300, Timo Aaltonen wrote:
> On 05.05.2015 23:27, Andrew Sacamano wrote:
>> Thanks again Lukas and Timo,
>>
>> I'm very sorry it took so long for me to get to this - I got pulled into an urgent project at work and am just getting my head above water today.
>>
>> I've filed https://fedorahosted.org/sssd/ticket/2648
>
> err, the bug needs to be on launchpad, since that's where it belongs

Yep, I closed the upstream ticket and included a link to launchpad.
Re: [Freeipa-users] Stuck getting sudo working with Ubuntu client
Thanks again Lukas and Timo,

I'm very sorry it took so long for me to get to this - I got pulled into an urgent project at work and am just getting my head above water today.

I've filed https://fedorahosted.org/sssd/ticket/2648

Many thanks again, and please let me know if there is anything I can do to facilitate the process.

Cheers,
Andrew

On Wed, Apr 22, 2015 at 1:16 AM, Timo Aaltonen tjaal...@ubuntu.com wrote:
> On 21.04.2015 22:45, Lukas Slebodnik wrote:
>> On (20/04/15 17:54), Andrew Sacamano wrote:
>>> Thanks again, Lukas!
>>>
>>> I was wondering if the overlaps of names were a problem, so I redid parts of my IPA setup to rename them - thanks for pointing out the ticket!
>>>
>>> Also, your suggestion to use ldap_group_object_class = ipaUserGroup worked - which saves me the trouble of tracking that down in six months when my IPA domain grows and the performance issues associated with enumerate begin to manifest.
>>>
>>> Many thanks - you are extraordinarily helpful. My colleagues and I are quite grateful for all your advice!
>>
>> You are welcome, I'm glad I could help.
>> You can file a ticket to backport the patch for ticket #2471 in your distribution.
>
> Please do, I've pulled the patch in git but need a bug# for SRU:
> https://bugs.launchpad.net/ubuntu/+source/sssd/+filebug
>
> --
> t
Re: [Freeipa-users] Stuck getting sudo working with Ubuntu client
On 21.04.2015 22:45, Lukas Slebodnik wrote:
> On (20/04/15 17:54), Andrew Sacamano wrote:
>> Thanks again, Lukas!
>>
>> I was wondering if the overlaps of names were a problem, so I redid parts of my IPA setup to rename them - thanks for pointing out the ticket!
>>
>> Also, your suggestion to use ldap_group_object_class = ipaUserGroup worked - which saves me the trouble of tracking that down in six months when my IPA domain grows and the performance issues associated with enumerate begin to manifest.
>>
>> Many thanks - you are extraordinarily helpful. My colleagues and I are quite grateful for all your advice!
>
> You are welcome, I'm glad I could help.
> You can file a ticket to backport the patch for ticket #2471 in your distribution.

Please do, I've pulled the patch in git but need a bug# for SRU:
https://bugs.launchpad.net/ubuntu/+source/sssd/+filebug

--
t
Re: [Freeipa-users] Stuck getting sudo working with Ubuntu client
On (20/04/15 17:54), Andrew Sacamano wrote:
> Thanks again, Lukas!
>
> I was wondering if the overlaps of names were a problem, so I redid parts of my IPA setup to rename them - thanks for pointing out the ticket!
>
> Also, your suggestion to use ldap_group_object_class = ipaUserGroup worked - which saves me the trouble of tracking that down in six months when my IPA domain grows and the performance issues associated with enumerate begin to manifest.
>
> Many thanks - you are extraordinarily helpful. My colleagues and I are quite grateful for all your advice!

You are welcome, I'm glad I could help.
You can file a ticket to backport the patch for ticket #2471 in your distribution.

LS
Re: [Freeipa-users] Stuck getting sudo working with Ubuntu client
Thanks again, Lukas!

I was wondering if the overlaps of names were a problem, so I redid parts of my IPA setup to rename them - thanks for pointing out the ticket!

Also, your suggestion to use ldap_group_object_class = ipaUserGroup worked - which saves me the trouble of tracking that down in six months when my IPA domain grows and the performance issues associated with enumerate begin to manifest.

Many thanks - you are extraordinarily helpful. My colleagues and I are quite grateful for all your advice!

Thanks again,
Andrew

On Mon, Apr 20, 2015 at 1:29 AM, Lukas Slebodnik lsleb...@redhat.com wrote:
> On (19/04/15 12:51), Andrew Sacamano wrote:
>> Thanks again Lukas,
>>
>> These turned out to be very helpful debugging suggestions, and were the critical part of getting the problem solved - the pointer to ldb-tools was extremely helpful in identifying where the issue was happening!
>>
>> With them, I was able to see the right sudo rules were being cached, and that the change from sudo working to sudo not working happened not because of the host, but because of the user, and in particular, the user being listed explicitly, or only as part of a group. The user's groups were being listed in the user's entry in the cache, but not when running the id command.
>>
>> Some quick googling, and I discovered that in Ubuntu 14.04, the sssd option enumerate defaults to false, which meant that the group memberships were not taking effect, which meant that sudo rules based on membership in a group weren't working. Setting enumerate to true got everything working.
>
> If you have a problem with id, it might be caused by https://fedorahosted.org/sssd/ticket/2471
> You can fix the bug by amending the configuration: put ldap_group_object_class = ipaUserGroup into the domain section of sssd.conf. It should work even with disabled enumeration.
>
> LS
Re: [Freeipa-users] Stuck getting sudo working with Ubuntu client
On (19/04/15 12:51), Andrew Sacamano wrote:
> Thanks again Lukas,
>
> These turned out to be very helpful debugging suggestions, and were the critical part of getting the problem solved - the pointer to ldb-tools was extremely helpful in identifying where the issue was happening!
>
> With them, I was able to see the right sudo rules were being cached, and that the change from sudo working to sudo not working happened not because of the host, but because of the user, and in particular, the user being listed explicitly, or only as part of a group. The user's groups were being listed in the user's entry in the cache, but not when running the id command.
>
> Some quick googling, and I discovered that in Ubuntu 14.04, the sssd option enumerate defaults to false, which meant that the group memberships were not taking effect, which meant that sudo rules based on membership in a group weren't working. Setting enumerate to true got everything working.

If you have a problem with id, it might be caused by https://fedorahosted.org/sssd/ticket/2471
You can fix the bug by amending the configuration: put ldap_group_object_class = ipaUserGroup into the domain section of sssd.conf. It should work even with disabled enumeration.

LS
Re: [Freeipa-users] Stuck getting sudo working with Ubuntu client
On 04/19/2015 02:51 PM, Andrew Sacamano wrote:
> Thanks again Lukas,
>
> These turned out to be very helpful debugging suggestions, and were the critical part of getting the problem solved - the pointer to ldb-tools was extremely helpful in identifying where the issue was happening!
>
> With them, I was able to see the right sudo rules were being cached, and that the change from sudo working to sudo not working happened not because of the host, but because of the user, and in particular, the user being listed explicitly, or only as part of a group. The user's groups were being listed in the user's entry in the cache, but not when running the id command.
>
> Some quick googling, and I discovered that in Ubuntu 14.04, the sssd option enumerate defaults to false, which meant that the group memberships were not taking effect, which meant that sudo rules based on membership in a group weren't working. Setting enumerate to true got everything working.

Enumerate is generally discouraged. The fact that enumeration helped means that something was not correct in the cache. It seems it just masked the issue, not solved it.

> Many thanks again!
>
> -Andrew

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Stuck getting sudo working with Ubuntu client
Thanks again Lukas,

These turned out to be very helpful debugging suggestions, and were the critical part of getting the problem solved - the pointer to ldb-tools was extremely helpful in identifying where the issue was happening!

With them, I was able to see the right sudo rules were being cached, and that the change from sudo working to sudo not working happened not because of the host, but because of the user, and in particular, the user being listed explicitly, or only as part of a group. The user's groups were being listed in the user's entry in the cache, but not when running the id command.

Some quick googling, and I discovered that in Ubuntu 14.04, the sssd option enumerate defaults to false, which meant that the group memberships were not taking effect, which meant that sudo rules based on membership in a group weren't working. Setting enumerate to true got everything working.

Many thanks again!

-Andrew
[Freeipa-users] Stuck getting sudo working with Ubuntu client
Hi everyone,

I've spent a couple of days digging around the web, watching logs, and poking things, and I'm stuck getting sudo working with IPA on a new box I've just set up. I have had it working in the past on a test box, but something about this box is blocking me, and I can't for the life of me figure out what.

The basic symptom is that I can log into the Ubuntu box as an IPA user, but sudo is always denied:

[root@security-core-1 log]# ssh dru@jenkins
dru@jenkins's password:
...
Could not chdir to home directory /home/dru: No such file or directory
dru@jenkins:/$ sudo -l
[sudo] password for dru:
Sorry, user dru may not run sudo on jenkins.

I've appended version output, config files, sample logs, and ipa config - which I think is all of the relevant material, but I'll gladly share more if it's needed.

Thanks so much in advance for any debugging advice, hints, or help!

Cheers,
Andrew

=== Version info ===

Server:
# ipa --version
VERSION: 4.1.0, API_VERSION: 2.112
# cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)

Client:
# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION=Ubuntu 14.04.2 LTS
# sssd --version
1.11.5

=== hostname, nisdomainname, config files, etc. ===

On the client:
# hostname
jenkins.us-ca1.prod.mydomain.com
# nisdomainname
mydomain.com
# getent netgroup rdn | grep $HOSTNAME
rdn (jenkins.us-ca1.prod.mydomain.com,-,mydomain.com)
# cat /etc/sssd/sssd.conf
[domain/mydomain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = jenkins.us-ca1.prod.mydomain.com
chpass_provider = ipa
ipa_server = _srv_, security-core-1.prod.mydomain.com
dns_discovery_domain = mydomain.com
sudo_provider=ipa
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = mydomain.com
[nss]
[pam]
[sudo]
debug_level = 9
[autofs]
[ssh]
[pac]
# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc Name Service Switch' for information about this file.
passwd: compat sss
group: compat sss
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc:db files
netgroup: nis sss
sudoers:files sss

=== Host group user info in IPA ===

# ipa host-show jenkins.us-ca1.prod.mydomain.com
  Host name: jenkins.us-ca1.prod.mydomain.com
  Certificate: ...
  Principal name: host/jenkins.us-ca1.prod.mydomain@mydomain.com
  Password: False
  Member of host-groups: rdn
  Member of Sudo rule: priv_sudo_anywhere, dru_security
  Keytab: True
  Managed by: jenkins.us-ca1.prod.mydomain.com
  Subject: CN=jenkins.us-ca1.prod.mydomain.com,O=MYDOMAIN.COM
  Serial Number: 14
  Serial Number (hex): 0xE
  Issuer: CN=Certificate Authority,O=MYDOMAIN.COM
  Not Before: Fri Apr 10 17:43:10 2015 UTC
  Not After: Mon Apr 10 17:43:10 2017 UTC
  Fingerprint (MD5): ...
  Fingerprint (SHA1): ...
  SSH public key fingerprint: ...

# ipa sudorule-show priv_sudo_anywhere
  Rule name: priv_sudo_anywhere
  Description: Allow anyone with priv_sudo_anywhere to actually run sudo anywhere
  Enabled: TRUE
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: priv_sudo_anywhere
  Hosts: jenkins.us-ca1.prod.mydomain.com
  Host Groups: security, dev-infrastructure, rdn, dev, prod

# ipa group-show priv_sudo_anywhere
  Group name: priv_sudo_anywhere
  Description: Give the privilege to SSH anywhere.
  GID: 1907
  Member users: dru, ...
  Member groups: role_prod_engineer
  Member of Sudo rule: priv_sudo_anywhere, ...
  Member of HBAC rule: sudo_anywhere_anywhere
  Indirect Member users:

=== Relevant (I think) log entries ===

# tail -f /var/log/sssd/sssd_sudo.log
...
(Fri Apr 17 17:20:16 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 0x15b6520
(Fri Apr 17 17:20:16 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching.
(Fri Apr 17 17:20:16 2015) [sssd[sudo]] [sbus_message_handler] (0x4000): Received SBUS method [ping]

(From a different attempt to run sudo)
# tail -f /var/log/auth.log
...
Apr 17 17:20:55 jenkins sshd[3335]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= security-core-1.prod.mydomain.com user=dru
Apr 17 17:20:55 jenkins sshd[3335]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost= security-core-1.prod.mydomain.com user=dru
Apr 17
Re: [Freeipa-users] Stuck getting sudo working with Ubuntu client
On (17/04/15 11:32), Andrew Sacamano wrote:
> Hi everyone,
>
> I've spent a couple of days digging around the web, watching logs, and poking things, and I'm stuck getting sudo working with IPA on a new box I've just set up. I have had it working in the past on a test box, but something about this box is blocking me, and I can't for the life of me figure out what.
>
> The basic symptom is that I can log into the Ubuntu box as an IPA user, but sudo is always denied:
>
> [root@security-core-1 log]# ssh dru@jenkins
> dru@jenkins's password:
> ...
> Could not chdir to home directory /home/dru: No such file or directory
> dru@jenkins:/$ sudo -l
> [sudo] password for dru:
> Sorry, user dru may not run sudo on jenkins.
>
> I've appended version output, config files, sample logs, and ipa config - which I think is all of the relevant material, but I'll gladly share more if it's needed.
>
> Thanks so much in advance for any debugging advice, hints, or help!

I looked at the configuration files and they look good.

I have a few hints which might help you with troubleshooting:
* please ensure you have installed the package sudo and not sudo-ldap. The second one is not built with sssd support.
* please read about sudo caching in sssd: man sssd-sudo - THE SUDO RULE CACHING MECHANISM
* please test simple sudo rules first (all hosts, one user instead of groups, ...)
* check whether sudo rules are cached by sssd (use ldb-tools)

If the previous hints do not help then you need to enable debugging in sudo and analyse the log file. @see slide 18 in presentation[1]

LS

[1] http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
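The static parts of Lukas's checklist above, together with the enumerate-versus-ldap_group_object_class point from the later replies earlier on this page, as an added example that is not code from the thread or from SSSD: a small Python checker that reads sssd.conf and nsswitch.conf text and reports the conditions discussed. The sample configs are constructed and modelled on Andrew's; the package check (sudo vs sudo-ldap) and the ldb-tools cache check need the live host and are not covered.

```python
# Added example, not from the thread: static checks for the client-side
# settings discussed above (sudo responder, sudo_provider, sudoers via sss)
# plus the enumerate-vs-ldap_group_object_class point from later in the thread.
import configparser

# Constructed sample modelled on the posted sssd.conf, with enumerate added.
SAMPLE_SSSD_CONF = """\
[domain/mydomain.com]
id_provider = ipa
auth_provider = ipa
ipa_domain = mydomain.com
sudo_provider=ipa
enumerate = true
[sssd]
services = nss, pam, ssh, sudo
domains = mydomain.com
[sudo]
debug_level = 9
"""

# Constructed sample nsswitch.conf lines, spacing as in the posted file.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf
passwd: compat sss
group: compat sss
sudoers:files sss
"""

def parse_nsswitch(text):
    """Map each NSS database to its ordered list of sources."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if ":" in line:
            name, sources = line.split(":", 1)
            dbs[name.strip()] = sources.split()
    return dbs

def _csv(value):
    return [x.strip() for x in value.split(",") if x.strip()]

def check_sudo_client(sssd_text, nsswitch_text):
    """Return a list of findings; an empty list means every check passed."""
    conf = configparser.ConfigParser(interpolation=None, strict=False)
    conf.read_string(sssd_text)
    findings = []
    if "sudo" not in _csv(conf.get("sssd", "services", fallback="")):
        findings.append("[sssd] services lacks sudo: the sudo responder is not started")
    for dom in _csv(conf.get("sssd", "domains", fallback="")):
        sect = "domain/" + dom
        if not conf.has_option(sect, "sudo_provider"):
            findings.append(sect + ": sudo_provider not set")
        if conf.getboolean(sect, "enumerate", fallback=False):
            findings.append(sect + ": enumerate = true is discouraged; if it was turned on so "
                            "group memberships show up, set ldap_group_object_class = ipaUserGroup "
                            "(sssd ticket #2471) instead")
    if "sss" not in parse_nsswitch(nsswitch_text).get("sudoers", []):
        findings.append("nsswitch.conf: sudoers line does not include sss")
    return findings
```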
Re: [Freeipa-users] Stuck getting sudo working with Ubuntu client
Thanks Lukas,

I'm very glad to have concrete debugging suggestions. I'll investigate as you suggest and report back.

Thanks again,
Andrew

On Fri, Apr 17, 2015 at 2:28 PM, Lukas Slebodnik lsleb...@redhat.com wrote:
> On (17/04/15 11:32), Andrew Sacamano wrote:
>> Hi everyone,
>>
>> I've spent a couple of days digging around the web, watching logs, and poking things, and I'm stuck getting sudo working with IPA on a new box I've just set up. I have had it working in the past on a test box, but something about this box is blocking me, and I can't for the life of me figure out what.
>>
>> The basic symptom is that I can log into the Ubuntu box as an IPA user, but sudo is always denied:
>>
>> [root@security-core-1 log]# ssh dru@jenkins
>> dru@jenkins's password:
>> ...
>> Could not chdir to home directory /home/dru: No such file or directory
>> dru@jenkins:/$ sudo -l
>> [sudo] password for dru:
>> Sorry, user dru may not run sudo on jenkins.
>>
>> I've appended version output, config files, sample logs, and ipa config - which I think is all of the relevant material, but I'll gladly share more if it's needed.
>>
>> Thanks so much in advance for any debugging advice, hints, or help!
>
> I looked at the configuration files and they look good.
>
> I have a few hints which might help you with troubleshooting:
> * please ensure you have installed the package sudo and not sudo-ldap. The second one is not built with sssd support.
> * please read about sudo caching in sssd: man sssd-sudo - THE SUDO RULE CACHING MECHANISM
> * please test simple sudo rules first (all hosts, one user instead of groups, ...)
> * check whether sudo rules are cached by sssd (use ldb-tools)
>
> If the previous hints do not help then you need to enable debugging in sudo and analyse the log file. @see slide 18 in presentation[1]
>
> LS
>
> [1] http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf