Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Lukas Slebodnik
On (14/07/16 13:52), Tomas Simecek wrote:
>Hi Lukas,
>sorry to say, but nothing helps.
>
>I have just updated IPA server, so that now it is:
>[root@svlxxipap ~]# cat /etc/redhat-release
>CentOS Linux release 7.2.1511 (Core)
>
>with:
>[root@svlxxipap ~]# rpm -qa|grep ipa
>ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.17.x86_64
>libipa_hbac-1.13.0-40.el7_2.9.x86_64
>ipa-python-4.2.0-15.0.1.el7.centos.17.x86_64
>ipa-server-dns-4.2.0-15.0.1.el7.centos.17.x86_64
>python-iniparse-0.4-9.el7.noarch
>ipa-server-4.2.0-15.0.1.el7.centos.17.x86_64
>sssd-ipa-1.13.0-40.el7_2.9.x86_64
>ipa-admintools-4.2.0-15.0.1.el7.centos.17.x86_64
>python-libipa_hbac-1.13.0-40.el7_2.9.x86_64
>ipa-client-4.2.0-15.0.1.el7.centos.17.x86_64
>
It has to work with IPA on CentOS 7.2
and sssd-1.13.3-22.el6_8.4 on client.

>I have also changed sudoers to sudo in sssd.conf as you suggested and
>restarted sssd.
>No difference, still:
>[simecek.to...@sd-stc.cz@zp-cml-test ~]$ sudo service sshd restart
>[sudo] password for simecek.to...@sd-stc.cz:
>simecek.to...@sd-stc.cz is not in the sudoers file.  This incident will be
>reported.
>
>I guess I will pilot some more IPA clients to make sure it works reliably
>and if yes, I guess we will be able to live with the fact that older
>Linuxes do not offer sudo to AD clients.
>
I assume you meant AD users from trust.

But previously, you provided data and the user was a member of the group which
should be allowed to use sudo rules.

I would like to find out why sudo rules were not fetched from IPA.

I would like to see full log file + dump of sssd cache.
Please:
* clean cache and log files on *IPA server*
  rm -f /var/lib/sss/db/* /var/log/sssd/*
* enable debug_level=9 in domain section and sudo
* restart sssd on *IPA server*

* clean cache and log files on *IPA client*
  rm -f /var/lib/sss/db/* /var/log/sssd/*
* enable debug_level=9 in domain section and sudo
* restart sssd *IPA client*


* authenticate with user simecek.to...@sd-stc.cz
* call id simecek.to...@sd-stc.cz
* try sudo.

* send all sssd log files + sssd.conf
* provide dump of sssd cache
  ldbsearch -H /var/lib/sss/db/cache_$domain.ldb
(utility ldbsearch is part of package ldb-tools)


Please provide log files, sssd.conf and dump of sssd cache
from client and also from IPA server.

Thank you very much for patience.

LS
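The collection procedure described above (clean cache and logs, debug_level=9 in the domain and sudo sections, restart, reproduce, then ship logs, sssd.conf and a cache dump), written up as an added example script that is not part of the thread. It assumes sssd.conf at /etc/sssd/sssd.conf, the cache under /var/lib/sss/db, logs under /var/log/sssd, ldb-tools installed, and SysV-style `service sssd` control on el6; run phase 1 as root on both the IPA server and the client, reproduce as the test user, then run phase 2.

```shell
#!/bin/sh
# Added example, not code from the thread. Two phases:
#   sssd-sudo-debug.sh prepare <domain> [outdir]   (as root, server and client)
#   ... log in as the test user, run "id <user>" and "sudo -l" ...
#   sssd-sudo-debug.sh collect <domain> [outdir]
# Assumed locations (override via environment if yours differ):
SSSD_CONF="${SSSD_CONF:-/etc/sssd/sssd.conf}"
SSS_DB="${SSS_DB:-/var/lib/sss/db}"
SSS_LOG="${SSS_LOG:-/var/log/sssd}"

# Rewrite an sssd.conf so that [domain/<name>] and [sudo] carry
# "debug_level = 9": an existing key in those sections is replaced, a
# missing one is added at the end of the section, other sections untouched.
# Usage: set_debug_level <in.conf> <out.conf> <domain>
set_debug_level() {
    awk -v dom="$3" '
        function close_section() {
            if (target && !seen) print "debug_level = 9"
            target = 0; seen = 0
        }
        /^\[/ {
            close_section()
            if ($0 == ("[domain/" dom "]") || $0 == "[sudo]") target = 1
            print; next
        }
        target && /^[ \t]*debug_level[ \t]*=/ {
            print "debug_level = 9"; seen = 1; next
        }
        { print }
        END { close_section() }
    ' "$1" > "$2"
}

# Phase 1: raise the debug level, wipe cache and logs, restart sssd.
prepare() {
    domain="$1"; out="$2"
    mkdir -p "$out"
    cp "$SSSD_CONF" "$out/sssd.conf.before-debug"
    set_debug_level "$SSSD_CONF" "$out/sssd.conf.debug" "$domain"
    # sssd refuses to start unless sssd.conf is root-owned and mode 0600
    install -o root -g root -m 0600 "$out/sssd.conf.debug" "$SSSD_CONF"
    service sssd stop
    rm -f "$SSS_DB"/* "$SSS_LOG"/*
    service sssd start
    echo "Log in as the test user, run 'id <user>' and 'sudo -l', then:"
    echo "  $0 collect $domain $out"
}

# Phase 2: gather logs, sssd.conf and the cache dump after reproducing.
# With cache_credentials = True the sysdb cache holds password hashes in
# the cachedPassword attribute, so those lines are dropped before sharing.
collect() {
    domain="$1"; out="$2"
    ldbsearch -H "$SSS_DB/cache_$domain.ldb" 2>&1 \
        | grep -v '^cachedPassword' > "$out/cache_$domain.ldb.txt"
    cp "$SSSD_CONF" "$out/sssd.conf"
    cp "$SSS_LOG"/* "$out/"
    tar czf "$out.tar.gz" -C "$(dirname "$out")" "$(basename "$out")"
    echo "Attach $out.tar.gz to the mail"
}

case "${1:-}" in
    prepare) prepare "$2" "${3:-/root/sssd-sudo-debug}" ;;
    collect) collect "$2" "${3:-/root/sssd-sudo-debug}" ;;
esac
```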

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Tomas Simecek
Hi Lukas,
sorry to say, but nothing helps.

I have just updated IPA server, so that now it is:
[root@svlxxipap ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)

with:
[root@svlxxipap ~]# rpm -qa|grep ipa
ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.17.x86_64
libipa_hbac-1.13.0-40.el7_2.9.x86_64
ipa-python-4.2.0-15.0.1.el7.centos.17.x86_64
ipa-server-dns-4.2.0-15.0.1.el7.centos.17.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-server-4.2.0-15.0.1.el7.centos.17.x86_64
sssd-ipa-1.13.0-40.el7_2.9.x86_64
ipa-admintools-4.2.0-15.0.1.el7.centos.17.x86_64
python-libipa_hbac-1.13.0-40.el7_2.9.x86_64
ipa-client-4.2.0-15.0.1.el7.centos.17.x86_64

I have also changed sudoers to sudo in sssd.conf as you suggested and
restarted sssd.
No difference, still:
[simecek.to...@sd-stc.cz@zp-cml-test ~]$ sudo service sshd restart
[sudo] password for simecek.to...@sd-stc.cz:
simecek.to...@sd-stc.cz is not in the sudoers file.  This incident will be
reported.

I guess I will pilot some more IPA clients to make sure it works reliably
and if yes, I guess we will be able to live with the fact that older
Linuxes do not offer sudo to AD clients.

Or do you think there is something more to try?

Thanks

T.

2016-07-14 13:32 GMT+02:00 Lukas Slebodnik :

> On (14/07/16 13:06), Tomas Simecek wrote:
> >Hi Lukas,
> >I did as you said.
> >Logs are attached to this mail.
> >
> Thank you very much for the provided data.
>
> The main problem is that full refresh of sudo rules did not store any
> rules.
>
> It might be caused by following errors which might be caused by issues
> with old buggy IPA server on CentOS 7.0
>
> [ipa_s2n_save_objects] (0x2000): Updating memberships for
> borek.pa...@sd-stc.cz
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> [sysdb_update_members_ex] (0x0020): Could not add member [
> borek.pa...@sd-stc.cz] to group [name=acco...@sd-stc.cz,cn=groups,cn=
> sd-stc.cz,cn=sysdb]. Skipping.
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> [sysdb_update_members_ex] (0x0020): Could not add member [
> borek.pa...@sd-stc.cz] to group [name=borek.pa...@sd-stc.cz,cn=groups,cn=
> sd-stc.cz,cn=sysdb]. Skipping.
>
> Attached is a reduced log.
>
> You might try new feature in sssd-1.13 on el6 which will
> avoid using compat tree for sudo.
>
> Try to change ldap_sudo_search_base from
> ou=sudoers,dc=linuxdomain,dc=cz -> cn=sudo,dc=linuxdomain,dc=cz
>
> It does not mean that it will solve issue with extop plugin
> on IPA server (ipa_s2n_save_objects)
>
> If it does not help then please provide the same data as in previous mail.
> BTW I strongly suspect issues on IPA server on CentOS 7.0.
> It might work on CentOS 7.0 client only by chance.
>
> LS
>

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Lukas Slebodnik
On (14/07/16 13:06), Tomas Simecek wrote:
>Hi Lukas,
>I did as you said.
>Logs are attached to this mail.
>
Thank you very much for the provided data.

The main problem is that full refresh of sudo rules did not store any rules.

It might be caused by following errors which might be caused by issues
with old buggy IPA server on CentOS 7.0

[ipa_s2n_save_objects] (0x2000): Updating memberships for borek.pa...@sd-stc.cz
[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such 
object](32)[ldb_wait: No such object (32)]
[sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
[sysdb_update_members_ex] (0x0020): Could not add member 
[borek.pa...@sd-stc.cz] to group 
[name=acco...@sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such 
object](32)[ldb_wait: No such object (32)]
[sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
[sysdb_update_members_ex] (0x0020): Could not add member 
[borek.pa...@sd-stc.cz] to group 
[name=borek.pa...@sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.

Attached is a reduced log.

You might try new feature in sssd-1.13 on el6 which will
avoid using compat tree for sudo.

Try to change ldap_sudo_search_base from
ou=sudoers,dc=linuxdomain,dc=cz -> cn=sudo,dc=linuxdomain,dc=cz

It does not mean that it will solve issue with extop plugin
on IPA server (ipa_s2n_save_objects)

If it does not help then please provide the same data as in previous mail.
BTW I strongly suspect issues on IPA server on CentOS 7.0.
It might work on CentOS 7.0 client only by chance.

LS



Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Lukas Slebodnik
On (14/07/16 12:43), Tomas Simecek wrote:
>Thanks Lukas,
>to be honest I am not sure what you mean by "Please test with id
>simecek.to...@sd-stc.cz."
>It is the user I am testing with all the time.
>
>Here is what I see on client where sudo does not work:
>[simecek.to...@sd-stc.cz@zp-cml-test ~]$ id
>uid=988604700(simecek.to...@sd-stc.cz) gid=988604700(simecek.to...@sd-stc.cz)
>groups=988604700(simecek.to...@sd-stc.cz),43124(grpunixadmins),988600513(domain
>us...@sd-stc.cz),988604182(acco...@sd-stc.cz),988604754(mfcr_...@sd-stc.cz
>),988604825(unixadm...@sd-stc.cz),988604833(wifiadm...@sd-stc.cz)
>
hmm, the user is a member of grpunixadmins. Then I wonder why sssd could not find
sudo rules for the user.

I would like to see full log file + dump of sssd cache.
Please:
* clean cache and log files on client
  rm -f /var/lib/sss/db/* /var/log/sssd/*
* enable debug_level=9 in domain section and sudo
* restart sssd
* authenticate with user simecek.to...@sd-stc.cz
* try sudo.
* send all sssd log files
* provide dump of sssd cache
  ldbsearch -H /var/lib/sss/db/cache_$domain.ldb
  (utility ldbsearch is part of package ldb-tools)

LS



Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Tomas Simecek
Thanks Lukas,
to be honest I am not sure what you mean by "Please test with id
simecek.to...@sd-stc.cz."
It is the user I am testing with all the time.

Here is what I see on client where sudo does not work:
[simecek.to...@sd-stc.cz@zp-cml-test ~]$ id
uid=988604700(simecek.to...@sd-stc.cz) gid=988604700(simecek.to...@sd-stc.cz)
groups=988604700(simecek.to...@sd-stc.cz),43124(grpunixadmins),988600513(domain
us...@sd-stc.cz),988604182(acco...@sd-stc.cz),988604754(mfcr_...@sd-stc.cz
),988604825(unixadm...@sd-stc.cz),988604833(wifiadm...@sd-stc.cz)

You can see Centos 6.6 client knows about all the groups assigned to the
users, incl. AD groups (unixadmins), which seems funny to me.

You are right, IPA server is Centos 7.0 and functional client is Centos 7.0
as well. Both login and sudo work on client with Centos 7.0.
Rules on IPA server are set to work on both clients, but work only on 7.0.
If I run update on server, it would update ipa-server from v.
4.2.0-15.0.1.el7.centos.6.1 to v. 4.2.0-15.0.1.el7.centos.17.

Does it make sense now?

Thanks

T.


2016-07-14 12:21 GMT+02:00 Lukas Slebodnik :

> On (14/07/16 11:26), Tomas Simecek wrote:
> >Hi Lukas,
> >we have Active Directory group "UnixAdmins".
> >We have IPA external group ad_admins_external, which has
> >Windows "UnixAdmins" group as a member.
> >We have local IPA group grpunixadmins, which has
> >ad_admins_external group as a member.
> >So from that perspective user simecek.to...@sd-stc.cz is a member of
> >grpunixadmins.
> >That setup works for ssh logins and for sudo on Centos 7.0.
> >
> If a user is a member of a group in IPA it does not mean that
> it's properly propagated to the client :-)
>
> I can see few errors in log
> >(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
> >[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> >object](32)[ldb_wait: No such object (32)]
> >(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
> >[sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> >(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
> >[sysdb_update_members_ex] (0x0020): Could not add member [
> >simecek.to...@sd-stc.cz] to group [name=simecek.to...@sd-stc.cz
> >,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
> >(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
> >[ipa_s2n_save_objects] (0x2000): Updating memberships for
> >simecek.to...@sd-stc.cz
> >(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
> >[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> >object](32)[ldb_wait: No such object (32)]
> >(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
> >[sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> >(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
> >[sysdb_update_members_ex] (0x0020): Could not add member [
> >simecek.to...@sd-stc.cz] to group [name=simecek.to...@sd-stc.cz
> >,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
>
> Please test with id simecek.to...@sd-stc.cz.
> I'm pretty sure that you will not see a group grpunixadmins.
>
> BTW according to domain logs it looks like a bug with extop plugin
> on freeipa server. I assume that ipa server is on CentOS 7.0
> because you mention it works on Centos 7.0.
>
> I would strongly recommend to upgrade server to 7.2
>
> LS
>

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Lukas Slebodnik
On (14/07/16 11:26), Tomas Simecek wrote:
>Hi Lukas,
>we have Active Directory group "UnixAdmins".
>We have IPA external group ad_admins_external, which has
>Windows "UnixAdmins" group as a member.
>We have local IPA group grpunixadmins, which has
>ad_admins_external group as a member.
>So from that perspective user simecek.to...@sd-stc.cz is a member of
>grpunixadmins.
>That setup works for ssh logins and for sudo on Centos 7.0.
>
If a user is a member of a group in IPA it does not mean that
it's properly propagated to the client :-)

I can see few errors in log
>(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
>[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
>object](32)[ldb_wait: No such object (32)]
>(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
>[sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
>(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
>[sysdb_update_members_ex] (0x0020): Could not add member [
>simecek.to...@sd-stc.cz] to group [name=simecek.to...@sd-stc.cz
>,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
>(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
>[ipa_s2n_save_objects] (0x2000): Updating memberships for
>simecek.to...@sd-stc.cz
>(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
>[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
>object](32)[ldb_wait: No such object (32)]
>(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
>[sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
>(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
>[sysdb_update_members_ex] (0x0020): Could not add member [
>simecek.to...@sd-stc.cz] to group [name=simecek.to...@sd-stc.cz
>,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.

Please test with id simecek.to...@sd-stc.cz.
I'm pretty sure that you will not see a group grpunixadmins.

BTW according to domain logs it looks like a bug with extop plugin
on freeipa server. I assume that ipa server is on CentOS 7.0
because you mention it works on Centos 7.0.

I would strongly recommend to upgrade server to 7.2

LS



Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Tomas Simecek
Hi Rob,
thanks, but this is not the case.
Firstly, for initial test purposes I am not limiting sudo to specific
commands, in the rule it is set to "any".
Secondly, it fails even in non-symlink cases:

[root@zp-cml-test ~]# which service
/sbin/service
[root@zp-cml-test ~]# ll /sbin/service
-rwxr-xr-x. 1 root root 1694 Oct 16  2014 /sbin/service
[root@zp-cml-test ~]# logout
[simecek.to...@sd-stc.cz@zp-cml-test ~]$ sudo service sshd restart
[sudo] password for simecek.to...@sd-stc.cz:
simecek.to...@sd-stc.cz is not in the sudoers file.  This incident will be
reported.

Thanks anyway, let me know if something else comes to your mind.

Tomas

2016-07-14 11:51 GMT+02:00 Rob Verduijn :

> hi,
>
> just a long shot here..
>
> I've been battling sudo for a couple days now and found that my issue was
> one related to symlinks
> on centos7 'which cat' says /bin/cat
> but on centos /bin is a symlink to /usr/bin and sudo knows a symlink when
> it sees one and to prevent abuse it requires the 'real' path for the sudo
> rule :  ALL=(ALL) /usr/bin/cat
> on centos6 which cat also says /bin/cat but since /bin is not a symlink it
> requires the sudo rule to be  ALL=(ALL) /bin/cat
> so for the sudo to work on both centos6 and centos7 you would require 2
> sudo rules.
>
> Ignore me if this is irrelevant.
>
> Just my 2 cents
> Rob
>
> 2016-07-14 10:38 GMT+02:00 Lukas Slebodnik :
>
>> On (14/07/16 10:09), Tomas Simecek wrote:
>> >Thanks all of you guys,
>> >I have updated to:
>> >sssd-krb5-common-1.13.3-22.el6_8.4.x86_64
>> >sssd-1.13.3-22.el6_8.4.x86_64
>> >sssd-ldap-1.13.3-22.el6_8.4.x86_64
>> >sssd-client-1.13.3-22.el6_8.4.x86_64
>> >sssd-ad-1.13.3-22.el6_8.4.x86_64
>> >sssd-proxy-1.13.3-22.el6_8.4.x86_64
>> >libsss_idmap-1.13.3-22.el6_8.4.x86_64
>> >sssd-common-1.13.3-22.el6_8.4.x86_64
>> >sssd-ipa-1.13.3-22.el6_8.4.x86_64
>> >python-sssdconfig-1.13.3-22.el6_8.4.noarch
>> >sssd-krb5-1.13.3-22.el6_8.4.x86_64
>> >sssd-common-pac-1.13.3-22.el6_8.4.x86_64
>> >(there does not seem to be libsss_sudo in Centos as suggested by Danila).
>> >and restarted sssd.
>> >
>> >There are two rules enabled. One HBAC as I presented earlier:
>> >  Rule name: Unixari na test servery
>> >  Enabled: TRUE
>> >  User Groups: grpunixadmins
>> >  Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
>> >  Services: login, sshd, sudo, sudo-i, su, su-l
>> >
>> >and one sudo rule:
>> >Rule name: Pokusne
>> >  Enabled: TRUE
>> >  Command category: all
>> >  User Groups: grpunixadmins
>> >  Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
>> >
>> >Default "all-access" rules are disabled.
>> >
>> >When I try to sudo as AD user (member of grpunixadmins) on Centos 6.6, I
>> >still get:
>> >
>> >[simecek.to...@sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf
>> >[sudo] password for simecek.to...@sd-stc.cz:
>> >simecek.to...@sd-stc.cz is not in the sudoers file.  This incident will
>> be
>> >reported.
>> >
>> >It works fine on Centos 7 (spcss-2t-www.linuxdomain.cz).
>> >
>> >sssd.conf:
>> >[domain/linuxdomain.cz]
>> >cache_credentials = True
>> >krb5_store_password_if_offline = True
>> >ipa_domain = linuxdomain.cz
>> >id_provider = ipa
>> >krb5_realm = LINUXDOMAIN.CZ
>> >auth_provider = ipa
>> >access_provider = ipa
>> >ipa_hostname = zp-cml-test.linuxdomain.cz
>> >chpass_provider = ipa
>> >ipa_server = svlxxipap.linuxdomain.cz
>> >ldap_tls_cacert = /etc/ipa/ca.crt
>> >override_shell = /bin/bash
>> >sudo_provider = ipa
>> >ldap_uri = ldap://svlxxipap.linuxdomain.cz
>> >ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
>> >ldap_sasl_mech = GSSAPI
>> >#ldap_sasl_authid = host/zp-cml-test.linuxdomain...@linuxdomain.cz
>> >ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
>> >ldap_sasl_realm = LINUXDOMAIN.CZ
>> >krb5_server = svlxxipap.linuxdomain.cz
>> >debug_level = 0x3ff0
>> >[sssd]
>> >services = nss, sudo, pam, ssh
>> >config_file_version = 2
>> >domains = linuxdomain.cz
>> >[nss]
>> >homedir_substring = /home
>> >[pam]
>> >[sudo]
>> >debug_level = 0x3ff0
>> >[autofs]
>> >[ssh]
>> >[pac]
>> >[ifp]
>> >
>> >
>> >sssd_sudo.log from the moment I tried sudo:
>> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
>> >(0x0400): No such entry
>> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]]
>> [sudosrv_get_sudorules_query_cache]
>> >(0x0200): Searching sysdb with
>> >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
>> >simecek.to...@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\
>> >20us...@sd-stc.cz)(sudoUser=%unixadm...@sd-stc.cz
>> >)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_...@sd-stc.cz)(sudoUser=%
>> >acco...@sd-stc.cz)(sudoUser=%wifiadm...@sd-stc.cz
>> >)(sudoUser=+*))(&(dataExpireTimestamp<=1468482821)))]
>> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000):
>> About
>> >to get sudo rules from cache
>> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
>> >(0x0400): No such entry
>> >(Thu Jul 14 09:53:41 2016) 

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Rob Verduijn
hi,

just a long shot here..

I've been battling sudo for a couple days now and found that my issue was
one related to symlinks
on centos7 'which cat' says /bin/cat
but on centos /bin is a symlink to /usr/bin and sudo knows a symlink when
it sees one and to prevent abuse it requires the 'real' path for the sudo
rule :  ALL=(ALL) /usr/bin/cat
on centos6 which cat also says /bin/cat but since /bin is not a symlink it
requires the sudo rule to be  ALL=(ALL) /bin/cat
so for the sudo to work on both centos6 and centos7 you would require 2
sudo rules.

Ignore me if this is irrelevant.

Just my 2 cents
Rob

2016-07-14 10:38 GMT+02:00 Lukas Slebodnik :

> On (14/07/16 10:09), Tomas Simecek wrote:
> >Thanks all of you guys,
> >I have updated to:
> >sssd-krb5-common-1.13.3-22.el6_8.4.x86_64
> >sssd-1.13.3-22.el6_8.4.x86_64
> >sssd-ldap-1.13.3-22.el6_8.4.x86_64
> >sssd-client-1.13.3-22.el6_8.4.x86_64
> >sssd-ad-1.13.3-22.el6_8.4.x86_64
> >sssd-proxy-1.13.3-22.el6_8.4.x86_64
> >libsss_idmap-1.13.3-22.el6_8.4.x86_64
> >sssd-common-1.13.3-22.el6_8.4.x86_64
> >sssd-ipa-1.13.3-22.el6_8.4.x86_64
> >python-sssdconfig-1.13.3-22.el6_8.4.noarch
> >sssd-krb5-1.13.3-22.el6_8.4.x86_64
> >sssd-common-pac-1.13.3-22.el6_8.4.x86_64
> >(there does not seem to be libsss_sudo in Centos as suggested by Danila).
> >and restarted sssd.
> >
> >There are two rules enabled. One HBAC as I presented earlier:
> >  Rule name: Unixari na test servery
> >  Enabled: TRUE
> >  User Groups: grpunixadmins
> >  Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
> >  Services: login, sshd, sudo, sudo-i, su, su-l
> >
> >and one sudo rule:
> >Rule name: Pokusne
> >  Enabled: TRUE
> >  Command category: all
> >  User Groups: grpunixadmins
> >  Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
> >
> >Default "all-access" rules are disabled.
> >
> >When I try to sudo as AD user (member of grpunixadmins) on Centos 6.6, I
> >still get:
> >
> >[simecek.to...@sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf
> >[sudo] password for simecek.to...@sd-stc.cz:
> >simecek.to...@sd-stc.cz is not in the sudoers file.  This incident will
> be
> >reported.
> >
> >It works fine on Centos 7 (spcss-2t-www.linuxdomain.cz).
> >
> >sssd.conf:
> >[domain/linuxdomain.cz]
> >cache_credentials = True
> >krb5_store_password_if_offline = True
> >ipa_domain = linuxdomain.cz
> >id_provider = ipa
> >krb5_realm = LINUXDOMAIN.CZ
> >auth_provider = ipa
> >access_provider = ipa
> >ipa_hostname = zp-cml-test.linuxdomain.cz
> >chpass_provider = ipa
> >ipa_server = svlxxipap.linuxdomain.cz
> >ldap_tls_cacert = /etc/ipa/ca.crt
> >override_shell = /bin/bash
> >sudo_provider = ipa
> >ldap_uri = ldap://svlxxipap.linuxdomain.cz
> >ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
> >ldap_sasl_mech = GSSAPI
> >#ldap_sasl_authid = host/zp-cml-test.linuxdomain...@linuxdomain.cz
> >ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
> >ldap_sasl_realm = LINUXDOMAIN.CZ
> >krb5_server = svlxxipap.linuxdomain.cz
> >debug_level = 0x3ff0
> >[sssd]
> >services = nss, sudo, pam, ssh
> >config_file_version = 2
> >domains = linuxdomain.cz
> >[nss]
> >homedir_substring = /home
> >[pam]
> >[sudo]
> >debug_level = 0x3ff0
> >[autofs]
> >[ssh]
> >[pac]
> >[ifp]
> >
> >
> >sssd_sudo.log from the moment I tried sudo:
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
> >(0x0400): No such entry
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache]
> >(0x0200): Searching sysdb with
> >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
> >simecek.to...@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\
> >20us...@sd-stc.cz)(sudoUser=%unixadm...@sd-stc.cz
> >)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_...@sd-stc.cz)(sudoUser=%
> >acco...@sd-stc.cz)(sudoUser=%wifiadm...@sd-stc.cz
> >)(sudoUser=+*))(&(dataExpireTimestamp<=1468482821)))]
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000):
> About
> >to get sudo rules from cache
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
> >(0x0400): No such entry
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache]
> >(0x0200): Searching sysdb with
> >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=
> simecek.to...@sd-stc.cz
> >)(sudoUser=#988604700)(sudoUser=%domain\20us...@sd-stc.cz)(sudoUser=%
> >unixadm...@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%
> mfcr_...@sd-stc.cz
> >)(sudoUser=%acco...@sd-stc.cz)(sudoUser=%wifiadm...@sd-stc.cz
> >)(sudoUser=+*)))]
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
> >(0x0400): Returning 0 rules for [simecek.to...@sd-stc.cz]
> >(Thu Jul 14 09:53:47 2016) [sssd[sudo]] [client_recv] (0x0200): Client
> >disconnected!
> >(Thu Jul 14 09:53:47 2016) [sssd[sudo]] [client_destructor] (0x2000):
> >Terminated client [0x260b690][17]
> >(Thu Jul 14 09:53:51 2016) [sssd[sudo]] [sbus_message_handler] (0x2000):
> >Received SBUS method 

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Tomas Simecek
Hi Lukas,
we have Active Directory group "UnixAdmins".
We have IPA external group ad_admins_external, which has
Windows "UnixAdmins" group as a member.
We have local IPA group grpunixadmins, which has
ad_admins_external group as a member.
So from that perspective user simecek.to...@sd-stc.cz is a member of
grpunixadmins.
That setup works for ssh logins and for sudo on Centos 7.0.

It is as per installation document
https://www.freeipa.org/page/Active_Directory_trust_setup

Correct me if I am wrong, but if it works on Client 1, it should also work
on Client 2.


T.

2016-07-14 10:38 GMT+02:00 Lukas Slebodnik :

> On (14/07/16 10:09), Tomas Simecek wrote:
> >Thanks all of you guys,
> >I have updated to:
> >sssd-krb5-common-1.13.3-22.el6_8.4.x86_64
> >sssd-1.13.3-22.el6_8.4.x86_64
> >sssd-ldap-1.13.3-22.el6_8.4.x86_64
> >sssd-client-1.13.3-22.el6_8.4.x86_64
> >sssd-ad-1.13.3-22.el6_8.4.x86_64
> >sssd-proxy-1.13.3-22.el6_8.4.x86_64
> >libsss_idmap-1.13.3-22.el6_8.4.x86_64
> >sssd-common-1.13.3-22.el6_8.4.x86_64
> >sssd-ipa-1.13.3-22.el6_8.4.x86_64
> >python-sssdconfig-1.13.3-22.el6_8.4.noarch
> >sssd-krb5-1.13.3-22.el6_8.4.x86_64
> >sssd-common-pac-1.13.3-22.el6_8.4.x86_64
> >(there does not seem to be libsss_sudo in Centos as suggested by Danila).
> >and restarted sssd.
> >
> >There are two rules enabled. One HBAC as I presented earlier:
> >  Rule name: Unixari na test servery
> >  Enabled: TRUE
> >  User Groups: grpunixadmins
> >  Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
> >  Services: login, sshd, sudo, sudo-i, su, su-l
> >
> >and one sudo rule:
> >Rule name: Pokusne
> >  Enabled: TRUE
> >  Command category: all
> >  User Groups: grpunixadmins
> >  Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
> >
> >Default "all-access" rules are disabled.
> >
> >When I try to sudo as AD user (member of grpunixadmins) on Centos 6.6, I
> >still get:
> >
> >[simecek.to...@sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf
> >[sudo] password for simecek.to...@sd-stc.cz:
> >simecek.to...@sd-stc.cz is not in the sudoers file.  This incident will
> be
> >reported.
> >
> >It works fine on Centos 7 (spcss-2t-www.linuxdomain.cz).
> >
> >sssd.conf:
> >[domain/linuxdomain.cz]
> >cache_credentials = True
> >krb5_store_password_if_offline = True
> >ipa_domain = linuxdomain.cz
> >id_provider = ipa
> >krb5_realm = LINUXDOMAIN.CZ
> >auth_provider = ipa
> >access_provider = ipa
> >ipa_hostname = zp-cml-test.linuxdomain.cz
> >chpass_provider = ipa
> >ipa_server = svlxxipap.linuxdomain.cz
> >ldap_tls_cacert = /etc/ipa/ca.crt
> >override_shell = /bin/bash
> >sudo_provider = ipa
> >ldap_uri = ldap://svlxxipap.linuxdomain.cz
> >ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
> >ldap_sasl_mech = GSSAPI
> >#ldap_sasl_authid = host/zp-cml-test.linuxdomain...@linuxdomain.cz
> >ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
> >ldap_sasl_realm = LINUXDOMAIN.CZ
> >krb5_server = svlxxipap.linuxdomain.cz
> >debug_level = 0x3ff0
> >[sssd]
> >services = nss, sudo, pam, ssh
> >config_file_version = 2
> >domains = linuxdomain.cz
> >[nss]
> >homedir_substring = /home
> >[pam]
> >[sudo]
> >debug_level = 0x3ff0
> >[autofs]
> >[ssh]
> >[pac]
> >[ifp]
> >
> >
> >sssd_sudo.log from the moment I tried sudo:
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
> >(0x0400): No such entry
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache]
> >(0x0200): Searching sysdb with
> >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
> >simecek.to...@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\
> >20us...@sd-stc.cz)(sudoUser=%unixadm...@sd-stc.cz
> >)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_...@sd-stc.cz)(sudoUser=%
> >acco...@sd-stc.cz)(sudoUser=%wifiadm...@sd-stc.cz
> >)(sudoUser=+*))(&(dataExpireTimestamp<=1468482821)))]
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000):
> About
> >to get sudo rules from cache
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
> >(0x0400): No such entry
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache]
> >(0x0200): Searching sysdb with
> >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=
> simecek.to...@sd-stc.cz
> >)(sudoUser=#988604700)(sudoUser=%domain\20us...@sd-stc.cz)(sudoUser=%
> >unixadm...@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%
> mfcr_...@sd-stc.cz
> >)(sudoUser=%acco...@sd-stc.cz)(sudoUser=%wifiadm...@sd-stc.cz
> >)(sudoUser=+*)))]
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
> >(0x0400): Returning 0 rules for [simecek.to...@sd-stc.cz]
> >(Thu Jul 14 09:53:47 2016) [sssd[sudo]] [client_recv] (0x0200): Client
> >disconnected!
> >(Thu Jul 14 

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Lukas Slebodnik
On (14/07/16 10:09), Tomas Simecek wrote:
>Thanks all of you guys,
>I have updated to:
>sssd-krb5-common-1.13.3-22.el6_8.4.x86_64
>sssd-1.13.3-22.el6_8.4.x86_64
>sssd-ldap-1.13.3-22.el6_8.4.x86_64
>sssd-client-1.13.3-22.el6_8.4.x86_64
>sssd-ad-1.13.3-22.el6_8.4.x86_64
>sssd-proxy-1.13.3-22.el6_8.4.x86_64
>libsss_idmap-1.13.3-22.el6_8.4.x86_64
>sssd-common-1.13.3-22.el6_8.4.x86_64
>sssd-ipa-1.13.3-22.el6_8.4.x86_64
>python-sssdconfig-1.13.3-22.el6_8.4.noarch
>sssd-krb5-1.13.3-22.el6_8.4.x86_64
>sssd-common-pac-1.13.3-22.el6_8.4.x86_64
>(there does not seem to be libsss_sudo in Centos as suggested by Danila).
>and restarted sssd.
>
>There are two rules enabled. One HBAC as I presented earlier:
>  Rule name: Unixari na test servery
>  Enabled: TRUE
>  User Groups: grpunixadmins
>  Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
>  Services: login, sshd, sudo, sudo-i, su, su-l
>
>and one sudo rule:
>Rule name: Pokusne
>  Enabled: TRUE
>  Command category: all
>  User Groups: grpunixadmins
>  Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
>
>Default "all-access" rules are disabled.
>
>When I try to sudo as AD user (member of grpunixadmins) on Centos 6.6, I
>still get:
>
>[simecek.to...@sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf
>[sudo] password for simecek.to...@sd-stc.cz:
>simecek.to...@sd-stc.cz is not in the sudoers file.  This incident will be
>reported.
>
>It works fine on Centos 7 (spcss-2t-www.linuxdomain.cz).
>
>sssd.conf:
>[domain/linuxdomain.cz]
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = linuxdomain.cz
>id_provider = ipa
>krb5_realm = LINUXDOMAIN.CZ
>auth_provider = ipa
>access_provider = ipa
>ipa_hostname = zp-cml-test.linuxdomain.cz
>chpass_provider = ipa
>ipa_server = svlxxipap.linuxdomain.cz
>ldap_tls_cacert = /etc/ipa/ca.crt
>override_shell = /bin/bash
>sudo_provider = ipa
>ldap_uri = ldap://svlxxipap.linuxdomain.cz
>ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
>ldap_sasl_mech = GSSAPI
>#ldap_sasl_authid = host/zp-cml-test.linuxdomain...@linuxdomain.cz
>ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
>ldap_sasl_realm = LINUXDOMAIN.CZ
>krb5_server = svlxxipap.linuxdomain.cz
>debug_level = 0x3ff0
>[sssd]
>services = nss, sudo, pam, ssh
>config_file_version = 2
>domains = linuxdomain.cz
>[nss]
>homedir_substring = /home
>[pam]
>[sudo]
>debug_level = 0x3ff0
>[autofs]
>[ssh]
>[pac]
>[ifp]
>
>
>sssd_sudo.log from the moment I tried sudo:
>(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
>(0x0400): No such entry
>(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
>(0x0200): Searching sysdb with
>[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
>simecek.to...@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\
>20us...@sd-stc.cz)(sudoUser=%unixadm...@sd-stc.cz
>)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_...@sd-stc.cz)(sudoUser=%
>acco...@sd-stc.cz)(sudoUser=%wifiadm...@sd-stc.cz
>)(sudoUser=+*))(&(dataExpireTimestamp<=1468482821)))]
>(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About
>to get sudo rules from cache
>(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
>(0x0400): No such entry
>(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
>(0x0200): Searching sysdb with
>[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=simecek.to...@sd-stc.cz
>)(sudoUser=#988604700)(sudoUser=%domain\20us...@sd-stc.cz)(sudoUser=%
>unixadm...@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_...@sd-stc.cz
>)(sudoUser=%acco...@sd-stc.cz)(sudoUser=%wifiadm...@sd-stc.cz
>)(sudoUser=+*)))]
>(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
>(0x0400): Returning 0 rules for [simecek.to...@sd-stc.cz]
>(Thu Jul 14 09:53:47 2016) [sssd[sudo]] [client_recv] (0x0200): Client
>disconnected!
>(Thu Jul 14 09:53:47 2016) [sssd[sudo]] [client_destructor] (0x2000):
>Terminated client [0x260b690][17]
>(Thu Jul 14 09:53:51 2016) [sssd[sudo]] [sbus_message_handler] (0x2000):
>Received SBUS method org.freedesktop.sssd.service.ping on path
>/org/freedesktop/sssd/service
>(Thu Jul 14 09:53:51 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000):
>Not a sysbus message, quit
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [accept_fd_handler] (0x0400):
>Client connected!
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
>Received client version [1].
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
>Offered version [1].
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using
>protocol version [1]
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains]
>(0x0200): name 'simecek.to...@sd-stc.cz' matched expression for domain '
>sd-stc.cz', user is simecek.tomas
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains]
>(0x0200): name 'simecek.to...@sd-stc.cz' matched expression for domain '
>sd-stc.cz', user is simecek.tomas

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Lukas Slebodnik
On (13/07/16 10:32), Danila Ladner wrote:
>Update to this one:
>It has been running smoothly on 6.5
>
>[root@dev-zlei.sec1 ~]# cat /etc/redhat-release
>CentOS release 6.5 (Final)
>
>[root@dev-zlei.sec1 ~]# rpm -qa | grep sssd
>sssd-client-1.12.4-47.el6.x86_64
>sssd-ldap-1.12.4-47.el6.x86_64
>sssd-ad-1.12.4-47.el6.x86_64
>python-sssdconfig-1.12.4-47.el6.noarch
>sssd-common-1.12.4-47.el6.x86_64
>sssd-proxy-1.12.4-47.el6.x86_64
>sssd-common-pac-1.12.4-47.el6.x86_64
>sssd-krb5-1.12.4-47.el6.x86_64
>sssd-ipa-1.12.4-47.el6.x86_64
>sssd-krb5-common-1.12.4-47.el6.x86_64
>sssd-1.12.4-47.el6.x86_64
>
+1 for latest sssd even on CentOS 6.5.

If you have a problem with 1.12 (from 6.7)
then we can look into log files.
Because there is still a chance that you just hit
a bug in 1.11 which is solved in 1.12

If it will not work then please provide
sssd.conf + log files with high debug_level sssd_sudo.log
and sssd_$domain.log

LS

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Danila Ladner
Update to this one:
It has been running smoothly on 6.5

[root@dev-zlei.sec1 ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)

[root@dev-zlei.sec1 ~]# rpm -qa | grep sssd
sssd-client-1.12.4-47.el6.x86_64
sssd-ldap-1.12.4-47.el6.x86_64
sssd-ad-1.12.4-47.el6.x86_64
python-sssdconfig-1.12.4-47.el6.noarch
sssd-common-1.12.4-47.el6.x86_64
sssd-proxy-1.12.4-47.el6.x86_64
sssd-common-pac-1.12.4-47.el6.x86_64
sssd-krb5-1.12.4-47.el6.x86_64
sssd-ipa-1.12.4-47.el6.x86_64
sssd-krb5-common-1.12.4-47.el6.x86_64
sssd-1.12.4-47.el6.x86_64


Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Tomas Simecek
Thanks,
I will try. But I am afraid to update to a more recent version than those in
official repos.

Thanks anyway.

T.


Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread ladner . danila
Update to at least 1.12 sssd and libsss_sudo. As I recall sudo ipa provider did 
not work under 1.11

Sent from my iPhone


Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Tomas Simecek
Hi,
versions are:
sssd-client-1.11.6-30.el6.x86_64
sssd-ipa-1.11.6-30.el6.x86_64
ipa-client-3.0.0-50.el6.centos.1.x86_64
as part of:
CentOS release 6.6 (Final)

T.


Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread ladner . danila
Again what is client version on 6.5?


Sent from my iPhone


Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Tomas Simecek
Thanks for your information Lukas,
I have changed sudo_provider to ipa, restarted sssd and no difference.
Logfile still says "Access granted by HBAC rule..." and sudo says
simecek.to...@sd-stc.cz is not allowed to run sudo on zp-cml-test.

Btw. man sssd-sudo says:
The following example shows how to configure SSSD to download
sudo rules from an LDAP server.

   [sssd]
   config_file_version = 2
   services = nss, pam, sudo
   domains = EXAMPLE

   [domain/EXAMPLE]
   id_provider = ldap

so I am not that sure what should be set on my version of sssd.

Any idea?

Thanks

T.


Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Lukas Slebodnik
On (13/07/16 13:36), Tomas Simecek wrote:
>Lukas,
>yes, I went through that guide and I configured sssd.conf as per the doc
>(you can see it in the beginning of the thread).
>
>Actually the installation is:
>[root@zp-cml-test sssd]# cat /etc/redhat-release
>CentOS release 6.6 (Final)
>
>and versions are:
>[root@zp-cml-test sssd]# rpm -qa |grep sssd
>sssd-proxy-1.11.6-30.el6.x86_64
>sssd-common-pac-1.11.6-30.el6.x86_64
>sssd-ipa-1.11.6-30.el6.x86_64
>sssd-1.11.6-30.el6.x86_64
>sssd-common-1.11.6-30.el6.x86_64
>sssd-ad-1.11.6-30.el6.x86_64
>sssd-ldap-1.11.6-30.el6.x86_64
>python-sssdconfig-1.11.6-30.el6.noarch
>sssd-krb5-common-1.11.6-30.el6.x86_64
>sssd-krb5-1.11.6-30.el6.x86_64
>sssd-client-1.11.6-30.el6.x86_64
>
1.11 has sudo_provider=ipa

@see instructions in man sssd-sudo on how to configure it.
It should avoid issues with two different providers (ipa and ldap).

>
>There are some reasons why not to upgrade to later versions, believe me, I
>would do it if I could :-)
>
You can at least try to upgrade sssd from 6.8 if you do not want
to upgrade the whole OS.

LS
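Added example, not code from the thread or from SSSD: a small Python triage helper for the two things the advice above and the earlier log requests turn on. It flags the provider mix in sssd.conf (id_provider = ipa together with sudo_provider = ldap) and the missing debug_level that keeps the domain log quiet, and it reads the "Returning N rules for [user]" line from sssd_sudo.log to tell whether the sudo responder found any rule in its cache. The config and log samples are constructed from the ones posted in the thread, and the user name is a placeholder; all function names are mine.

```python
"""Triage helper for the sudo-via-SSSD problem discussed in this thread.

Two checks: (1) the provider mix in sssd.conf (id_provider = ipa together
with sudo_provider = ldap) plus the debug settings needed to see what
happens, and (2) the "Returning N rules for [user]" line in sssd_sudo.log,
which says whether the sudo responder found any rule in its cache for the
user.  Sample config and log are constructed, not the thread's real files.
"""
import configparser
import re
from typing import Dict, List

# Constructed sample modelled on the sssd.conf posted in the thread, trimmed
# to the keys this check looks at.  The mixed providers are the point.
SAMPLE_SSSD_CONF = """\
[domain/linuxdomain.cz]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
debug_level = 0x3ff0
domains = linuxdomain.cz

[sudo]
debug_level = 0x3ff0
"""

# Constructed sssd_sudo.log lines (one entry per line, unlike the mail
# archive's wrapped copy).  The user name is a placeholder.
SAMPLE_SUDO_LOG = """\
(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [alice@ad.example]
(Thu Jul 14 09:53:47 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
"""

# Matches the responder's summary line; captures the rule count and the user.
RULES_RE = re.compile(
    r"\[sudosrv_get_sudorules_from_cache\] \(0x[0-9a-fA-F]+\): "
    r"Returning (\d+) rules for \[([^\]]+)\]"
)


def check_sssd_conf(text: str) -> List[str]:
    """Return human-readable findings for an sssd.conf given as text.

    An empty list means none of the checked problems is present.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings: List[str] = []

    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        findings.append("[sssd] services does not list sudo, so the sudo responder never starts")
    if not cp.has_option("sudo", "debug_level"):
        findings.append("[sudo] has no debug_level, so sssd_sudo.log will be almost empty")

    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        id_provider = cp.get(section, "id_provider", fallback="")
        sudo_provider = cp.get(section, "sudo_provider", fallback="")
        if id_provider == "ipa" and sudo_provider == "ldap":
            findings.append(
                f"[{section}] id_provider = ipa but sudo_provider = ldap: "
                "mixed providers, set sudo_provider = ipa"
            )
        if not cp.has_option(section, "debug_level"):
            domain = section[len("domain/"):]
            findings.append(
                f"[{section}] has no debug_level, so sssd_{domain}.log "
                "will not show the sudo rule fetch"
            )
    return findings


def rules_returned(log_text: str) -> Dict[str, int]:
    """Map each user named in sssd_sudo.log to the last rule count returned."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        m = RULES_RE.search(line)
        if m:
            counts[m.group(2)] = int(m.group(1))
    return counts


def triage(conf_text: str, log_text: str) -> Dict[str, List[str]]:
    """Combine both checks into one report."""
    return {
        "config_findings": check_sssd_conf(conf_text),
        "users_without_rules": sorted(
            user for user, n in rules_returned(log_text).items() if n == 0
        ),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_SSSD_CONF, SAMPLE_SUDO_LOG)
    for finding in report["config_findings"]:
        print("config:", finding)
    for user in report["users_without_rules"]:
        print("no cached sudo rules for", user)
```

Run it against the real /etc/sssd/sssd.conf and /var/log/sssd/sssd_sudo.log of the client; a user listed under users_without_rules with no config findings means the rule was not fetched into the cache, which is where the domain log becomes the next thing to read.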



Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Tomas Simecek
Lukas,
yes, I went through that guide and I configured sssd.conf as per the doc
(you can see it in the beginning of the thread).

Actually the installation is:
[root@zp-cml-test sssd]# cat /etc/redhat-release
CentOS release 6.6 (Final)

and versions are:
[root@zp-cml-test sssd]# rpm -qa |grep sssd
sssd-proxy-1.11.6-30.el6.x86_64
sssd-common-pac-1.11.6-30.el6.x86_64
sssd-ipa-1.11.6-30.el6.x86_64
sssd-1.11.6-30.el6.x86_64
sssd-common-1.11.6-30.el6.x86_64
sssd-ad-1.11.6-30.el6.x86_64
sssd-ldap-1.11.6-30.el6.x86_64
python-sssdconfig-1.11.6-30.el6.noarch
sssd-krb5-common-1.11.6-30.el6.x86_64
sssd-krb5-1.11.6-30.el6.x86_64
sssd-client-1.11.6-30.el6.x86_64


There are some reasons why not to upgrade to later versions, believe me, I
would do it if I could :-)

T.



Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Lukas Slebodnik
On (13/07/16 11:18), Tomas Simecek wrote:
>Dear freeIPA gurus,
>in previous thread (
>https://www.redhat.com/archives/freeipa-users/2016-July/msg00046.html) you
>helped me make sudo working for AD users on Centos 7.0 (
>spcss-2t-www.linuxdomain.cz).
>It was caused by not knowing sudo needs to be enabled in HBAC rules.
>Now it works properly on Centos 7.0 client.
>But it does not work on Centos 6.5 (zp-cml-test.linuxdomain.cz) with the
>same sssd.conf setup.
>Error message is always:
>
A) I would not recommend using such an obsolete distribution as CentOS 6.5.
   There is a quite old version of sssd (1.9.x) which has some bugs which
   are solved in later versions. Better would be to use the latest CentOS 6.8
   or at least CentOS 6.7

B) Have you tried to follow instructions
   https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

Please provide any comments on how we can improve the troubleshooting wiki.

LS



Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Tomas Simecek
Thanks Jakub,
in the domain log below I can see that the rules were found properly:
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [sudo] to rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [sudo-i] to rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [su] to rule [Unixari
na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [su-l] to rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule
[Unixari na test servery]

It also matches the rule and says "Access granted":
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_host_attrs_to_rule] (0x1000):
[fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz]
does not map to either a host or hostgroup. Skipping
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_host_attrs_to_rule] (0x2000): Added host [zp-cml-test.linuxdomain.cz]
to rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_eval_user_element] (0x1000): [1] groups for [simecek.to...@sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_eval_user_element] (0x1000): Added group [grpunixadmins] for user [
simecek.to...@sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Unixari na
test servery]

It also mentions SELinux, but I know it is disabled.

Any idea what to check next please?
Full part of the log follows:

(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_get_account_info]
(0x0100): Got request for [3][1][name=simecek.tomas]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain]
(0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[ipa_get_subdom_acct_send] (0x0400): Initgroups requests are not handled by
the IPA provider but are resolved by the responder directly from the cache.
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback]
(0x0100): Request processed. Returned 3,95,Account info lookup failed
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain]
(0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler]
(0x0100): Got request with the following data
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): command: PAM_AUTHENTICATE
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): domain: sd-stc.cz
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): user: simecek.to...@sd-stc.cz
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): service: sudo
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): tty: /dev/pts/0
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): ruser: simecek.to...@sd-stc.cz
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): rhost:
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): authtok type: 1
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): priv: 0
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): cli_pid: 27305
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [switch_creds]
(0x0200): Switch user to [988604700][988604700].
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [switch_creds]
(0x0200): Switch user to [0][0].
(Wed Jul 13 12:05:20 2016) 

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Jakub Hrozek
On Wed, Jul 13, 2016 at 11:18:21AM +0200, Tomas Simecek wrote:
> Dear freeIPA gurus,
> in previous thread (
> https://www.redhat.com/archives/freeipa-users/2016-July/msg00046.html) you
> helped me make sudo working for AD users on Centos 7.0 (
> spcss-2t-www.linuxdomain.cz).
> It was caused by not knowing sudo needs to be enabled in HBAC rules.
> Now it works properly on Centos 7.0 client.
> But it does not work on Centos 6.5 (zp-cml-test.linuxdomain.cz) with the
> same sssd.conf setup.
> Error message is always:
> 
> [simecek.to...@sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf
> [sudo] password for simecek.to...@sd-stc.cz:
> simecek.to...@sd-stc.cz is not allowed to run sudo on zp-cml-test.  This
> incident will be reported.
> 
> Here are my HBAC rules, the second one should apply. It definitely applies
> for Centos 7.0 server:
> [root@svlxxipap ~]# ipa hbacrule-find
> 
> 2 HBAC rules matched
> 
>   Rule name: allow_all
>   User category: all
>   Host category: all
>   Service category: all
>   Description: Allow all users to access any host from any host
>   Enabled: FALSE
> 
>   Rule name: Unixari na test servery
>   Enabled: TRUE
>   User Groups: grpunixadmins
>   Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
>   Services: login, sshd, sudo, sudo-i, su, su-l
> 
> Number of entries returned 2
> 
> 
> This is my /etc/sssd/sssd.conf. It is the same as on the Centos 7.0 server, just
> with the proper server name, of course:
> 
> [root@zp-cml-test sssd]# cat /etc/sssd/sssd.conf
> [domain/linuxdomain.cz]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = linuxdomain.cz
> id_provider = ipa
> krb5_realm = LINUXDOMAIN.CZ
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = zp-cml-test.linuxdomain.cz
> chpass_provider = ipa
> ipa_server = svlxxipap.linuxdomain.cz
> ldap_tls_cacert = /etc/ipa/ca.crt
> override_shell = /bin/bash
> sudo_provider = ldap
> ldap_uri = ldap://svlxxipap.linuxdomain.cz
> ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
> ldap_sasl_mech = GSSAPI
> #ldap_sasl_authid = host/zp-cml-test.linuxdomain...@linuxdomain.cz
> ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
> ldap_sasl_realm = LINUXDOMAIN.CZ
> krb5_server = svlxxipap.linuxdomain.cz
> 
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
> debug_level = 0x3ff0
> domains = linuxdomain.cz
> [nss]
> homedir_substring = /home
> 
> [pam]
> [sudo]
> debug_level = 0x3ff0
> [autofs]
> [ssh]
> [pac]
> [ifp]
> 
> This is output from sssd_sudo.log:
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [accept_fd_handler] (0x0400):
> Client connected!
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
> Received client version [1].
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
> Offered version [1].
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using
> protocol version [1]
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): name 'simecek.to...@sd-stc.cz' matched expression for domain '
> sd-stc.cz', user is simecek.tomas
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): name 'simecek.to...@sd-stc.cz' matched expression for domain '
> sd-stc.cz', user is simecek.tomas
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
> (0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz]
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200):
> Requesting info about [simecek.to...@sd-stc.cz]
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400):
> Returning info for user [simecek.to...@sd-stc.cz]
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
> Retrieving default options for [simecek.to...@sd-stc.cz] from [sd-stc.cz]
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
> (0x0400): No such entry
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
> (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
> simecek.to...@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain
> us...@sd-stc.cz)(sudoUser=%unixadm...@sd-stc.cz)(sudoUser=%
> mfcr_...@sd-stc.cz)(sudoUser=%acco...@sd-stc.cz)(sudoUser=%w...@sd-stc.cz
> )(sudoUser=%grpunixadmins)(sudoUser=+*))(&(dataExpireTimestamp<=1468393118)))]
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About
> to get sudo rules from cache
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
> (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
> (0x0400): Returning 0 rules for [@sd-stc.cz]
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using
> protocol version [1]
> (Wed Jul 13 08:58:38 2016) 
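
Added example, not part of the thread and not SSSD's own code: a small Python triage script for the kind of sssd_sudo.log excerpt quoted above. It re-joins records that a mail client wrapped across lines, pulls out the sudoUser identities the responder searched the cache for, the dataExpireTimestamp cutoff it applied, the "Returning N rules" count and any failed group lookups, and turns them into a one-line verdict. The sample log is constructed: user, UID and AD domain are placeholders; only the function names and the %grpunixadmins group come from the log quoted above.

```python
"""Triage helper for sssd_sudo.log (sudo responder, debug_level 0x3ff0).
Added example for the thread above; not part of SSSD."""
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of the quoted sssd_sudo.log excerpt.
# jdoe, #123456789 and ad.example.com are placeholders; the long filter
# record is wrapped the way the mailing-list archive wraps it.
SAMPLE_LOG = """\
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [jdoe] from [ad.example.com]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jdoe@ad.example.com)(sudoUser=#123456789)(sudoUser=%domain
users@ad.example.com)(sudoUser=%grpunixadmins)(sudoUser=+*))(&(dataExpireTimestamp<=1468393118)))]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@ad.example.com]
"""

# "(Wed Jul 13 08:58:38 2016) " opens every real record.
RECORD_START = re.compile(r"^\(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}\) ")
RECORD = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<svc>[^\]]+)\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# sudoUser values in the sysdb filter carry no parentheses, so a flat
# regex is enough; a full LDAP filter parser is not needed here.
SUDO_USER = re.compile(r"\(sudoUser=([^()]*)\)")
EXPIRE = re.compile(r"\(dataExpireTimestamp<=(\d+)\)")
RETURNED = re.compile(r"Returning (\d+) rules for \[([^\]]*)\]")


def join_wrapped(text: str) -> List[str]:
    """Re-join records a mail client wrapped. A line that does not start
    with the sssd timestamp continues the previous record; the client broke
    at a space, so one is put back."""
    records: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def parse_record(record: str) -> Optional[Dict[str, str]]:
    """Split one record into timestamp, service, function, level, message."""
    m = RECORD.match(record)
    return m.groupdict() if m else None


def verdict(r: dict) -> str:
    """Heuristic reading of the summary; the numbers come from the log."""
    groups = [c for c in r["candidates"] if c.startswith("%")]
    if r["rules_returned"] == 0 and r["candidates"]:
        return ("cache holds no rule for the user or any of %d group(s); the "
                "responder never saw a matching rule, so check whether the "
                "backend fetched rules at all (domain log) before touching HBAC"
                % len(groups))
    if r["rules_returned"]:
        return "%d rule(s) served from cache" % r["rules_returned"]
    return "no sudo request found in the log"


def analyze(text: str) -> dict:
    """Summarise one sudo request as seen by the sudo responder."""
    result: dict = {"candidates": [], "expire_cutoff": None,
                    "rules_returned": None, "rules_domain": None,
                    "missing_group_lookups": 0, "verdict": ""}
    for rec in join_wrapped(text):
        parsed = parse_record(rec)
        if parsed is None or parsed["svc"] != "sudo":
            continue
        func, msg = parsed["func"], parsed["msg"]
        if func == "sudosrv_get_sudorules_query_cache" and "sudoUser" in msg:
            result["candidates"] = SUDO_USER.findall(msg)
            exp = EXPIRE.search(msg)
            if exp:
                result["expire_cutoff"] = int(exp.group(1))
        elif func == "sysdb_search_group_by_gid" and "No such entry" in msg:
            result["missing_group_lookups"] += 1
        elif func == "sudosrv_get_sudorules_from_cache":
            ret = RETURNED.search(msg)
            if ret:
                result["rules_returned"] = int(ret.group(1))
                result["rules_domain"] = ret.group(2)
    result["verdict"] = verdict(result)
    return result


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    for key, value in summary.items():
        print("%-22s %s" % (key + ":", value))
```

Run it against a pasted `sssd_sudo.log` instead of `SAMPLE_LOG` to see which identities (user, `#uid`, `%group`, `+netgroup`) the responder actually searched for; if the group the HBAC rule grants is in that list and the count is still 0, the rules were not in the cache, which is the backend side of the problem rather than the HBAC side.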

[Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Tomas Simecek
Dear freeIPA gurus,
in the previous thread (
https://www.redhat.com/archives/freeipa-users/2016-July/msg00046.html) you
helped me get sudo working for AD users on Centos 7.0 (
spcss-2t-www.linuxdomain.cz).
It was caused by my not knowing that sudo needs to be enabled in HBAC rules.
Now it works properly on Centos 7.0 client.
But it does not work on Centos 6.5 (zp-cml-test.linuxdomain.cz) with the
same sssd.conf setup.
The error message is always:

[simecek.to...@sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf
[sudo] password for simecek.to...@sd-stc.cz:
simecek.to...@sd-stc.cz is not allowed to run sudo on zp-cml-test.  This
incident will be reported.

Here are my HBAC rules; the second one should apply. It definitely applies
to the Centos 7.0 server:
[root@svlxxipap ~]# ipa hbacrule-find

2 HBAC rules matched

  Rule name: allow_all
  User category: all
  Host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: FALSE

  Rule name: Unixari na test servery
  Enabled: TRUE
  User Groups: grpunixadmins
  Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
  Services: login, sshd, sudo, sudo-i, su, su-l

Number of entries returned 2


This is my /etc/sssd/sssd.conf. It is the same as on the Centos 7.0 server, just
with the proper server name, of course:

[root@zp-cml-test sssd]# cat /etc/sssd/sssd.conf
[domain/linuxdomain.cz]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linuxdomain.cz
id_provider = ipa
krb5_realm = LINUXDOMAIN.CZ
auth_provider = ipa
access_provider = ipa
ipa_hostname = zp-cml-test.linuxdomain.cz
chpass_provider = ipa
ipa_server = svlxxipap.linuxdomain.cz
ldap_tls_cacert = /etc/ipa/ca.crt
override_shell = /bin/bash
sudo_provider = ldap
ldap_uri = ldap://svlxxipap.linuxdomain.cz
ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
ldap_sasl_mech = GSSAPI
#ldap_sasl_authid = host/zp-cml-test.linuxdomain...@linuxdomain.cz
ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
ldap_sasl_realm = LINUXDOMAIN.CZ
krb5_server = svlxxipap.linuxdomain.cz

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
debug_level = 0x3ff0
domains = linuxdomain.cz
[nss]
homedir_substring = /home

[pam]
[sudo]
debug_level = 0x3ff0
[autofs]
[ssh]
[pac]
[ifp]

This is output from sssd_sudo.log:
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [accept_fd_handler] (0x0400):
Client connected!
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Received client version [1].
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Offered version [1].
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using
protocol version [1]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'simecek.to...@sd-stc.cz' matched expression for domain '
sd-stc.cz', user is simecek.tomas
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'simecek.to...@sd-stc.cz' matched expression for domain '
sd-stc.cz', user is simecek.tomas
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [simecek.to...@sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [simecek.to...@sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving default options for [simecek.to...@sd-stc.cz] from [sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
(0x0400): No such entry
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
simecek.to...@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain
us...@sd-stc.cz)(sudoUser=%unixadm...@sd-stc.cz)(sudoUser=%
mfcr_...@sd-stc.cz)(sudoUser=%acco...@sd-stc.cz)(sudoUser=%w...@sd-stc.cz
)(sudoUser=%grpunixadmins)(sudoUser=+*))(&(dataExpireTimestamp<=1468393118)))]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About
to get sudo rules from cache
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 0 rules for [@sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using
protocol version [1]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'simecek.to...@sd-stc.cz' matched expression for domain '
sd-stc.cz', user is simecek.tomas
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'simecek.to...@sd-stc.cz' matched expression for domain '
sd-stc.cz',