Re: [Freeipa-users] freeIPA client sudo / sssd setup
On 04/08/2014 10:42 PM, Lukas Slebodnik wrote:
> On (08/04/14 13:34), Nathan Broadbent wrote:
>>> man sssd-sudo says:
>>> CONFIGURING SSSD TO FETCH SUDO RULES
>>> All configuration that is needed on SSSD side is
>>> to extend the list of services with "sudo" in [sssd] section of
>>> sssd.conf(5).
>>>
>>> I would say it is documented, but nobody pointed you to manual pages.
>>>
>> Ah, you are right, sorry I said it was undocumented. I think it's a good
>> idea to enable sssd-sudo by default when we run ipa-client-install, or at
>> least, add it as an option to the ipa-client-install script. As a new user,
>> I also spent a while trying to figure out why my sudo rules weren't having
>> any effect.
>
> Work in progress
> https://fedorahosted.org/freeipa/ticket/3358
>
> You can add yourself to CC if you are interested in this ticket.
>
> LS

Right. From FreeIPA 4.0, after you install an IPA server/client, you get sudo support from the very beginning, no additional configuration needed. All bells and whistles will be included.

Martin

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] freeIPA client sudo / sssd setup
> man sssd-sudo says:
> CONFIGURING SSSD TO FETCH SUDO RULES
> All configuration that is needed on SSSD side is
> to extend the list of services with "sudo" in [sssd] section of
> sssd.conf(5).
>
> I would say it is documented, but nobody pointed you to manual pages.

Ah, you are right, sorry I said it was undocumented. I think it's a good idea to enable sssd-sudo by default when we run ipa-client-install, or at least, add it as an option to the ipa-client-install script. As a new user, I also spent a while trying to figure out why my sudo rules weren't having any effect.
Re: [Freeipa-users] freeIPA client sudo / sssd setup
On (08/04/14 13:34), Nathan Broadbent wrote:
>> man sssd-sudo says:
>> CONFIGURING SSSD TO FETCH SUDO RULES
>> All configuration that is needed on SSSD side is
>> to extend the list of services with "sudo" in [sssd] section of
>> sssd.conf(5).
>>
>> I would say it is documented, but nobody pointed you to manual pages.
>>
> Ah, you are right, sorry I said it was undocumented. I think it's a good
> idea to enable sssd-sudo by default when we run ipa-client-install, or at
> least, add it as an option to the ipa-client-install script. As a new user,
> I also spent a while trying to figure out why my sudo rules weren't having
> any effect.

Work in progress
https://fedorahosted.org/freeipa/ticket/3358

You can add yourself to CC if you are interested in this ticket.

LS
Re: [Freeipa-users] freeIPA client sudo / sssd setup
On (08/04/14 12:52), Nathan Broadbent wrote:
>> I know I'm missing something simple. But I just can't get this ipa
>> client to accept any sudo rules.
>>
> I ran into the same issue. It's not documented anywhere, but you need to
> enable the 'sudo' service in /etc/sssd/sssd.conf
>
> You need to change:
> [sssd]
> services = nss, pam, ssh
>
> to:
> [sssd]
> services = nss, pam, ssh, sudo
>
> and then restart sssd. (sudo service sssd restart)

man sssd-sudo says:
CONFIGURING SSSD TO FETCH SUDO RULES
All configuration that is needed on SSSD side is
to extend the list of services with "sudo" in [sssd] section of
sssd.conf(5).

I would say it is documented, but nobody pointed you to manual pages.

LS
Re: [Freeipa-users] freeIPA client sudo / sssd setup
> I know I'm missing something simple. But I just can't get this ipa
> client to accept any sudo rules.

I ran into the same issue. It's not documented anywhere, but you need to enable the 'sudo' service in /etc/sssd/sssd.conf

You need to change:

[sssd]
services = nss, pam, ssh

to:

[sssd]
services = nss, pam, ssh, sudo

and then restart sssd. (sudo service sssd restart)

Best,
Nathan
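A small check for the two settings this thread turns on: "sudo" in the [sssd] services list of sssd.conf, and "sss" as a source for the sudoers database in nsswitch.conf. This is an added example, not code from the thread or from SSSD/FreeIPA; the file contents are constructed from the snippets posted in the thread, and the function names are my own.

```python
import configparser
from typing import Dict, List

# Constructed sssd.conf modelled on the thread, before the fix:
# "sudo" is missing from the [sssd] services list.
SSSD_CONF_BEFORE = """\
[sssd]
services = nss, pam, ssh
domains = hosted.domain.com

[domain/hosted.domain.com]
id_provider = ipa
"""
# Same file after the change from the reply above.
SSSD_CONF_AFTER = SSSD_CONF_BEFORE.replace(
    "services = nss, pam, ssh", "services = nss, pam, ssh, sudo")

# Constructed nsswitch.conf fragment; the missing space after the colon
# on the sudoers line matches the file posted in this thread.
NSSWITCH_CONF = """\
passwd:  files sss
group:   files sss
sudoers:files sss
"""

def sssd_services(conf_text: str) -> List[str]:
    """Responders enabled in the [sssd] section of sssd.conf."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    raw = parser.get("sssd", "services", fallback="")
    return [svc.strip() for svc in raw.split(",") if svc.strip()]

def nsswitch_sources(nss_text: str, database: str) -> List[str]:
    """Lookup sources configured for one nsswitch database."""
    for line in nss_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if ":" not in line:
            continue
        name, sources = line.split(":", 1)
        if name.strip() == database:
            return sources.split()
    return []

def check_sudo_integration(conf_text: str, nss_text: str) -> Dict[str, bool]:
    """Both must be true before sudo can see rules served by SSSD."""
    return {
        "sudo_in_sssd_services": "sudo" in sssd_services(conf_text),
        "sss_in_nsswitch_sudoers": "sss" in nsswitch_sources(nss_text, "sudoers"),
    }
```

Run it against the real /etc/sssd/sssd.conf and /etc/nsswitch.conf contents to see which of the two prerequisites a client is missing before restarting sssd.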
Re: [Freeipa-users] freeIPA client sudo / sssd setup
Have you installed libsss_sudo? Try to follow the instructions here:
https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html
and
http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf

2014-04-08 22:17 GMT+03:00 Mark Gardner:
> I know I'm missing something simple. But I just can't get this ipa client
> to accept any sudo rules.
>
> -sh-4.1$ sudo -l
> [sudo] password for test...@domain.com:
> User test...@domain.com is not allowed to run sudo on cypress.
> -sh-4.1$ id
> uid=11659(test...@domain.com) gid=11659(test...@domain.com) groups=11659(testadm@domain.com),16047(ad_klasadm) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> -sh-4.1$ kinit admin
> Password for ad...@hosted.domain.com:
> -sh-4.1$ ipa sudorule-show operations
>   Rule name: operations
>   Description: KLAS / System Admins
>   Enabled: TRUE
>   Command category: all
>   Users: localadm
>   User Groups: ad_operations, ad_operations_external, ad_klasadm, ad_klasadm_external
>
> /var/log/sssd/sssd_sudo.log
> (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [testadm] from [DOMAIN.COM]
> (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requestinginfo about [test...@domain.com]
> (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [test...@domain.com]
> (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [test...@domain.com] from [DOMAIN.COM]
> (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=test...@domain.com)(sudoUser=#11659)(sudoUser=%ad_klasadm)(sudoUser=+*))(&(dataExpireTimestamp<=1396984126)))]
> (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=test...@domain.com)(sudoUser=#11659)(sudoUser=%ad_klasadm)(sudoUser=+*)))]
> (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [test...@domain.com]
> (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
>
>
> [root@cypress etc]# cat nsswitch.conf
> #
> # /etc/nsswitch.conf
> #
> # An example Name Service Switch config file. This file should be
> # sorted with the most-used services at the beginning.
> #
> # The entry '[NOTFOUND=return]' means that the search for an
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Valid entries include:
> #
> #   nisplus             Use NIS+ (NIS version 3)
> #   nis                 Use NIS (NIS version 2), also called YP
> #   dns                 Use DNS (Domain Name Service)
> #   files               Use the local files
> #   db                  Use the local database (.db) files
> #   compat              Use NIS on compat mode
> #   hesiod              Use Hesiod for user lookups
> #   [NOTFOUND=return]   Stop searching if not found so far
> #
>
> # To use db, put the "db" in front of "files" for entries you want to be
> # looked up first in the databases
> #
> # Example:
> #passwd:    db files nisplus nis
> #shadow:    db files nisplus nis
> #group:     db files nisplus nis
>
> passwd:     files sss
> shadow:     files sss
> group:      files sss
> sudoers:    files sss
>
> #hosts:     db files nisplus nis dns
> hosts:      files dns
>
> # Example - obey only what nisplus tells us...
> #services:   nisplus [NOTFOUND=return] files
> #networks:   nisplus [NOTFOUND=return] files
> #protocols:  nisplus [NOTFOUND=return] files
> #rpc:        nisplus [NOTFOUND=return] files
> #ethers:     nisplus [NOTFOUND=return] files
> #netmasks:   nisplus [NOTFOUND=return] files
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files sss
>
> netgroup:   files sss
>
> publickey:  nisplus
>
> automount:  files
> aliases:    files nisplus
>
> [root@cypress etc]# cd sssd
> [root@cypress sssd]# ls
> sssd.conf  sssd.conf.deleted  sssd.conf.sv
> [root@cypress sssd]# cat sssd.conf
> [domain/hosted.domain.com]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = hosted.domain.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = cypress.hosted.domain.com
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_ser
[Freeipa-users] freeIPA client sudo / sssd setup
I know I'm missing something simple. But I just can't get this ipa client to accept any sudo rules.

-sh-4.1$ sudo -l
[sudo] password for test...@domain.com:
User test...@domain.com is not allowed to run sudo on cypress.
-sh-4.1$ id
uid=11659(test...@domain.com) gid=11659(test...@domain.com) groups=11659(testadm@domain.com),16047(ad_klasadm) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-sh-4.1$ kinit admin
Password for ad...@hosted.domain.com:
-sh-4.1$ ipa sudorule-show operations
  Rule name: operations
  Description: KLAS / System Admins
  Enabled: TRUE
  Command category: all
  Users: localadm
  User Groups: ad_operations, ad_operations_external, ad_klasadm, ad_klasadm_external

/var/log/sssd/sssd_sudo.log
(Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [testadm] from [DOMAIN.COM]
(Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requestinginfo about [test...@domain.com]
(Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [test...@domain.com]
(Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [test...@domain.com] from [DOMAIN.COM]
(Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=test...@domain.com)(sudoUser=#11659)(sudoUser=%ad_klasadm)(sudoUser=+*))(&(dataExpireTimestamp<=1396984126)))]
(Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=test...@domain.com)(sudoUser=#11659)(sudoUser=%ad_klasadm)(sudoUser=+*)))]
(Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [test...@domain.com]
(Tue Apr 8 15:08:46 2014) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!

[root@cypress etc]# cat nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#   nisplus             Use NIS+ (NIS version 3)
#   nis                 Use NIS (NIS version 2), also called YP
#   dns                 Use DNS (Domain Name Service)
#   files               Use the local files
#   db                  Use the local database (.db) files
#   compat              Use NIS on compat mode
#   hesiod              Use Hesiod for user lookups
#   [NOTFOUND=return]   Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files sss
shadow:     files sss
group:      files sss
sudoers:    files sss

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files
aliases:    files nisplus

[root@cypress etc]# cd sssd
[root@cypress sssd]# ls
sssd.conf  sssd.conf.deleted  sssd.conf.sv
[root@cypress sssd]# cat sssd.conf
[domain/hosted.domain.com]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = hosted.domain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = cypress.hosted.domain.com
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa.hosted.domain.com
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level=6
#
# sudo integration
#
sudo_provider = ldap
ldap_uri = ldap://ipa.hosted.domain.com
ldap_sudo_search_base = ou=sudoers,dc=hosted,dc=domain,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/cypress.hosted.domain.com
ldap_sasl_realm = HOSTED.DOMAIN.COM
krb5_server = ipa.hosted.domain.com

[sssd]
services = nss, pam, ssh, pac, sudo
config_file_version = 2
domains = hosted.domain.com
debug_level=6

[nss]

[pam]

[sud