Re: [Freeipa-users] sudo rules user and host group bugs?
host1- nisdomainname
my_domain.com

host1- rpm -q sudo
sudo-1.7.2p1-6.el5_5

Thanks,
-Mark

Mark Tovey - UNIX Engineer | Service Strategy Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
mto...@go2uti.com | O / C +1 503 953-1389

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Pavel Brezina
Sent: Thursday, July 18, 2013 2:03 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?

On 07/17/2013 06:39 PM, Tovey, Mark wrote:
> Okay, I get it (pardon my obtuseness).
>
> host1- getent netgroup hgroup1
> hgroup1 (host1.my_domain.com, -, my_domain.com)
>
> So netgroups are working. The host group is defined in IPA and getent is able to access that information.
>
> Thanks,
> -Mark

Hi,
can you also paste the output of following commands please?

$ nisdomainname
$ rpm -q sudo

Thanks,
Pavel.

> Mark Tovey - UNIX Engineer | Service Strategy Design
> UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
> mto...@go2uti.com | O / C +1 503 953-1389
>
> -----Original Message-----
> From: Jakub Hrozek [mailto:jhro...@redhat.com]
> Sent: Wednesday, July 17, 2013 8:58 AM
> To: Tovey, Mark
> Cc: d...@redhat.com; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>
> On Wed, Jul 17, 2013 at 03:01:58PM +, Tovey, Mark wrote:
>> We have sssd-1.5.1-58.el5 and ipa-client-2.1.3-5.el5_9.2 installed.
>
> OK, these are recent enough to support netgroups and the compat tree should be configured automatically.
>
>> Those came out of the 'latest' repository. We do not have any netgroups defined (there is no /etc/netgroup file), so getent does not return anything.
>
> Every hostgroup is automatically translated into a netgroup on the server side. You said you have some host groups present, so does getent netgroup name-of-hostgroup return any netgroup data?
Re: [Freeipa-users] sudo rules user and host group bugs?
On Tue, Jul 16, 2013 at 09:13:00PM +, Tovey, Mark wrote:
> We are using sssd. The sssd.conf file is mostly unchanged from how it was installed by the ipa-client-install script:

Hi Mark,

you said your client is OEL *5.5* ? The SSSD first appeared in RHEL (and by extension OEL) in 5.6. Are you running the version from EPEL? I'm not sure if netgroups were even supported in that old version..

What is the output of rpm -q sssd and rpm -q ipa-client ?

Does getent netgroup netgroup-name work?

> [sssd]
> config_file_version = 2
> services = nss, pam
> domains = my_domain.com
>
> [nss]
>
> [pam]
>
> [domain/my_domain.com]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = my_domain.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> chpass_provider = ipa
> ipa_server = _srv_, ipa_server.my_domain.com
> ldap_tls_cacert = /etc/ipa/ca.crt
> debug_level = 6
>
> And the nsswitch.conf file:
>
> passwd:     files sss
> shadow:     files sss
> group:      files sss
> hosts:      files dns
> bootparams: nisplus [NOTFOUND=return] files
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files
> netgroup:   files sss
> publickey:  nisplus
> automount:  files ldap
> aliases:    files
> sudoers:    files ldap
>
> Thanks,
> -Mark
>
> Mark Tovey - UNIX Engineer | Service Strategy Design
> UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
> mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2
>
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
> Sent: Tuesday, July 16, 2013 12:51 PM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>
> On 07/16/2013 02:11 PM, Tovey, Mark wrote:
>> My environment consists of OEL 5.5 clients with ipa-client-2.1.3 and the server is OEL 6.4 with ipa-server-3.0.0. We chose these because we were able to find RPM packages for them. We would prefer to go with the latest versions, but we did not want to spend the time building installation packages just yet.
Re: [Freeipa-users] sudo rules user and host group bugs?
We have sssd-1.5.1-58.el5 and ipa-client-2.1.3-5.el5_9.2 installed. Those came out of the 'latest' repository. We do not have any netgroups defined (there is no /etc/netgroup file), so getent does not return anything.

Thanks,
-Mark

Mark Tovey - UNIX Engineer | Service Strategy Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
mto...@go2uti.com | O / C +1 503 953-1389

-----Original Message-----
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent: Wednesday, July 17, 2013 1:32 AM
To: Tovey, Mark
Cc: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?

On Tue, Jul 16, 2013 at 09:13:00PM +, Tovey, Mark wrote:
> We are using sssd. The sssd.conf file is mostly unchanged from how it was installed by the ipa-client-install script:

Hi Mark,

you said your client is OEL *5.5* ? The SSSD first appeared in RHEL (and by extension OEL) in 5.6. Are you running the version from EPEL? I'm not sure if netgroups were even supported in that old version..

What is the output of rpm -q sssd and rpm -q ipa-client ?

Does getent netgroup netgroup-name work?
Re: [Freeipa-users] sudo rules user and host group bugs?
On Wed, Jul 17, 2013 at 03:01:58PM +, Tovey, Mark wrote:
> We have sssd-1.5.1-58.el5 and ipa-client-2.1.3-5.el5_9.2 installed.

OK, these are recent enough to support netgroups and the compat tree should be configured automatically.

> Those came out of the 'latest' repository. We do not have any netgroups defined (there is no /etc/netgroup file), so getent does not return anything.

Every hostgroup is automatically translated into a netgroup on the server side. You said you have some host groups present, so does getent netgroup name-of-hostgroup return any netgroup data?

> Thanks,
> -Mark
>
> Mark Tovey - UNIX Engineer | Service Strategy Design
> UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
> mto...@go2uti.com | O / C +1 503 953-1389
>
> -----Original Message-----
> From: Jakub Hrozek [mailto:jhro...@redhat.com]
> Sent: Wednesday, July 17, 2013 1:32 AM
> To: Tovey, Mark
> Cc: d...@redhat.com; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>
> On Tue, Jul 16, 2013 at 09:13:00PM +, Tovey, Mark wrote:
>> We are using sssd. The sssd.conf file is mostly unchanged from how it was installed by the ipa-client-install script:
>
> Hi Mark,
>
> you said your client is OEL *5.5* ? The SSSD first appeared in RHEL (and by extension OEL) in 5.6. Are you running the version from EPEL? I'm not sure if netgroups were even supported in that old version..
>
> What is the output of rpm -q sssd and rpm -q ipa-client ?
>
> Does getent netgroup netgroup-name work?
Re: [Freeipa-users] sudo rules user and host group bugs?
Okay, I get it (pardon my obtuseness).

host1- getent netgroup hgroup1
hgroup1 (host1.my_domain.com, -, my_domain.com)

So netgroups are working. The host group is defined in IPA and getent is able to access that information.

Thanks,
-Mark

Mark Tovey - UNIX Engineer | Service Strategy Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
mto...@go2uti.com | O / C +1 503 953-1389

-----Original Message-----
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent: Wednesday, July 17, 2013 8:58 AM
To: Tovey, Mark
Cc: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?

On Wed, Jul 17, 2013 at 03:01:58PM +, Tovey, Mark wrote:
> We have sssd-1.5.1-58.el5 and ipa-client-2.1.3-5.el5_9.2 installed.

OK, these are recent enough to support netgroups and the compat tree should be configured automatically.

> Those came out of the 'latest' repository. We do not have any netgroups defined (there is no /etc/netgroup file), so getent does not return anything.

Every hostgroup is automatically translated into a netgroup on the server side. You said you have some host groups present, so does getent netgroup name-of-hostgroup return any netgroup data?

> Thanks,
> -Mark
>
> Mark Tovey - UNIX Engineer | Service Strategy Design
> UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
> mto...@go2uti.com | O / C +1 503 953-1389
>
> -----Original Message-----
> From: Jakub Hrozek [mailto:jhro...@redhat.com]
> Sent: Wednesday, July 17, 2013 1:32 AM
> To: Tovey, Mark
> Cc: d...@redhat.com; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>
> On Tue, Jul 16, 2013 at 09:13:00PM +, Tovey, Mark wrote:
>> We are using sssd. The sssd.conf file is mostly unchanged from how it was installed by the ipa-client-install script:
>
> Hi Mark,
>
> you said your client is OEL *5.5* ? The SSSD first appeared in RHEL (and by extension OEL) in 5.6. Are you running the version from EPEL?
Re: [Freeipa-users] sudo rules user and host group bugs?
On Wed, Jul 17, 2013 at 04:39:32PM +, Tovey, Mark wrote:
> Okay, I get it (pardon my obtuseness).
>
> host1- getent netgroup hgroup1
> hgroup1 (host1.my_domain.com, -, my_domain.com)
>
> So netgroups are working. The host group is defined in IPA and getent is able to access that information.
>
> Thanks,
> -Mark

OK, good, thanks for checking.

Pavel, can you check the sudo output earlier in the thread if you spot anything?

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] sudo rules user and host group bugs?
Just checking, did you try the troubleshooting hints from JR I found at the top of the thread? I did not find any information about that.

Can you confirm the output of the following commands:

1. $ domainname
   * does it match your domain?
2. $ hostname
   * does it match your fqdn?
3. $ getent netgroup esolutions-sandbox-hosts
   * does this list your host?
4. Does /etc/nsswitch.conf contain the line:
   netgroup: files sss ?

Another important Sudo Troubleshooting step is to edit:

/etc/sudo-ldap.conf (or /etc/ldap.conf, depending on what version of RHEL/Sudo you're running)

At the top, add the line:

sudoers_debug 2

Then try another sudo command. sudo -l for example.

For example, it would help to know that netgroup list (step 3) works or domainname is set correctly (step 1).

Martin

On 07/16/2013 06:09 AM, Tovey, Mark wrote:
> Okay, I stopped sssd on the client and deleted the cache files, removed the sudo rule, started sssd and verified that the rule was gone, stopped sssd and deleted the files again, added the rule back in, restarted sssd, and still it does not work.
>
> One note, when I enter the hosts into the sudo rule in place of the host group, the effect is immediate; I do not need to restart sssd. And the opposite is true too: if I put the host group back, the rule immediately stops working. I don't think the issue is cache related; it seems to be something else.
>
> The serv_account that we are accessing with the sudo rule is external. I wouldn't expect that to matter, but perhaps it does?
>
> I like your idea for the labels; they make sense. Right now we are just evaluating this to see if we want to go this route. So far we like it, but this could be a problem because we have several hundred hosts that we need to manage. Having to enter each one individually will be problematic.
>
> Thanks,
> -Mark
>
> Mark Tovey - UNIX Engineer | Service Strategy Design
> UTi http://www.go2uti.com/ | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
> mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2
>
> From: Steven Jones [mailto:steven.jo...@vuw.ac.nz]
> Sent: Monday, July 15, 2013 4:44 PM
> To: Tovey, Mark; James Hogarth
> Cc: Freeipa-users@redhat.com
> Subject: RE: [Freeipa-users] sudo rules user and host group bugs?
>
> option b) delete the rule totally and redo it from scratch.
>
> I label rules like this,
>
> hb- for a hbac rule
> su- for a sudo rule
> sc- for a sudo command group
> ug- for a user group
> hg- for a host group
>
> etc etc
>
> It makes the logic easier when you go into command line which I find easier to trace with than the gui at times.
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> ---
> From: Tovey, Mark [mto...@go2uti.com]
> Sent: Tuesday, 16 July 2013 11:34 a.m.
> To: Steven Jones; James Hogarth
> Cc: Freeipa-users@redhat.com
> Subject: RE: [Freeipa-users] sudo rules user and host group bugs?
>
> That didn't work either. I set up the host group in my sudo rule, stopped sssd, renamed /var/lib/sss/db and created a new db directory, then restarted sssd. New files were created in the db directory, but it still refuses to work unless the hosts are directly specified in the sudo rule.
>
> Thanks,
> -Mark
>
> Mark Tovey - UNIX Engineer | Service Strategy Design
> UTi http://www.go2uti.com/ | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
> mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2
>
> From: Steven Jones [mailto:steven.jo...@vuw.ac.nz]
> Sent: Monday, July 15, 2013 4:15 PM
> To: Tovey, Mark; James Hogarth
> Cc: Freeipa-users@redhat.com
> Subject: RE: [Freeipa-users] sudo rules user and host group bugs?
>
> Hi,
>
> This is a known issue I've suffered a long time with. What would be interesting is adding another host to the host group could well work fine, that will really make you bang your head against the wall..
>
> 2 possibilities, stop the sssd daemon on the problem host, delete its cache and start it, that might fix it. Otherwise best to,
>
> All RH support could come up with is delete the HBAC rule, sudo rule, user group and host group and re-do it, then it will probably work fine.
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> ---
> From: freeipa-users-boun...@redhat.com
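Martin's checklist above (domainname, hostname, getent netgroup, the nsswitch.conf netgroup line) and the nisdomainname / getent netgroup hgroup1 outputs Mark posts elsewhere in this thread, folded into one added shell script; this is example code written for this page, not from the thread, FreeIPA or SSSD, and the helper names are its own. It assumes sudo matches the host through innetgr(3): a triple's host field must equal the client's FQDN, an empty domain field is a wildcard, a non-empty domain field must equal the client's NIS domain, and an unset NIS domain ("" or "(none)") is not compared at all.

```shell
#!/bin/sh
# Added example for this thread (not from FreeIPA, SSSD or the list posters).
# Offline-testable helpers behind Martin's steps 1-4, plus the netgroup-triple
# vs NIS-domain comparison that Pavel's "nisdomainname" question is getting at.
# Assumption: sudo matches the host via innetgr(3); the triple's host field must
# equal the client's FQDN, an empty domain field is a wildcard, a non-empty one
# must equal the client's NIS domain, and an unset NIS domain ("" or "(none)")
# is not compared. Helper names are this example's own.

# host_in_netgroup LINE FQDN NISDOMAIN
#   LINE is one line of "getent netgroup NAME" output, e.g.
#   "hgroup1 (host1.my_domain.com, -, my_domain.com)".
#   Returns 0 when FQDN is matched by one of the triples under NISDOMAIN.
host_in_netgroup() {
    fqdn=$2; nisdom=$3
    # No space means getent printed only the name: the netgroup is empty.
    case $1 in *' '*) ;; *) return 1 ;; esac
    # Drop the name, then turn "(h, u, d) (h, u, d)" into "h,u,d h,u,d".
    rest=$(printf '%s' "${1#* }" | sed 's/ //g; s/(//g; s/)/ /g')
    for t in $rest; do
        h=${t%%,*}                      # host field (first)
        d=${t##*,}                      # domain field (last)
        [ "$h" = "$fqdn" ] || continue
        if [ -z "$d" ] || [ -z "$nisdom" ] || [ "$nisdom" = "(none)" ] \
           || [ "$d" = "$nisdom" ]; then
            return 0
        fi
    done
    return 1
}

# hostname_is_fqdn_in_domain HOSTNAME DOMAIN: 0 when HOSTNAME ends in ".DOMAIN"
# with a non-empty host part, i.e. "hostname" really returns the FQDN.
hostname_is_fqdn_in_domain() {
    short=${1%.$2}
    [ "$short" != "$1" ] && [ -n "$short" ]
}

# nsswitch_netgroup_uses_sss CONTENT: 0 when the first uncommented "netgroup:"
# line of the given nsswitch.conf text lists "sss" as a source.
nsswitch_netgroup_uses_sss() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep '^[[:space:]]*netgroup:' \
        | head -n 1 | sed 's/^[^:]*://' | tr ' \t' '\n\n' | grep -qx sss
}

# run_checks DOMAIN NETGROUP: the live version of steps 1-4, run on the client.
run_checks() {
    dom=$1; ng=$2; rc=0
    nisdom=$(nisdomainname 2>/dev/null || domainname)
    fqdn=$(hostname)
    if [ "$nisdom" = "$dom" ]; then echo "ok   NIS domain is $nisdom"
    else echo "FAIL NIS domain is '$nisdom', expected '$dom'"; rc=1; fi
    if hostname_is_fqdn_in_domain "$fqdn" "$dom"; then echo "ok   hostname is $fqdn"
    else echo "FAIL hostname '$fqdn' is not an FQDN under $dom"; rc=1; fi
    if nsswitch_netgroup_uses_sss "$(cat /etc/nsswitch.conf)"; then
        echo "ok   nsswitch.conf netgroup line includes sss"
    else echo "FAIL nsswitch.conf netgroup line does not include sss"; rc=1; fi
    line=$(getent netgroup "$ng")
    if host_in_netgroup "$line" "$fqdn" "$nisdom"; then
        echo "ok   $fqdn matches netgroup $ng under domain $nisdom"
    else echo "FAIL $fqdn does not match: ${line:-<no netgroup data for $ng>}"; rc=1; fi
    return $rc
}

# Live checks only when invoked as: sh check-netgroup.sh --run my_domain.com hgroup1
if [ "${1:-}" = "--run" ]; then
    run_checks "$2" "$3"
fi
```

A FAIL on the last check with a netgroup line that does list the host points at the domain field, which is exactly the mismatch the nisdomainname question is meant to surface.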
Re: [Freeipa-users] sudo rules user and host group bugs?
My environment consists of OEL 5.5 clients with ipa-client-2.1.3 and the server is OEL 6.4 with ipa-server-3.0.0. We chose these because we were able to find RPM packages for them. We would prefer to go with the latest versions, but we did not want to spend the time building installation packages just yet. Again, we are just evaluating at this point.

So far, so good, except for this one point. The domain name, host name, and nsswitch.conf files are all properly configured. But I do not have any netgroups defined (the getent command doesn't return anything and there is no /etc/netgroup file).

After you asked about that, I started looking into the documentation on netgroups. The IPA documentation for sudo states that Identity Management creates two groups, a visible host group and a shadow netgroup. sudo itself only supports NIS-style netgroups for group formats. But when I look in the Netgroups area, I do not see any netgroups defined. I used Apache Directory Studio to look around the Directory Server, and I can see cn=hgroup1,cn=ng,cn=alt,dc=my_domain,dc=com, along with cn=hgroup1,cn=hostgroups,cn=accounts,dc=my_domain,dc=com. This seems to reflect what was stated in the documentation. But I am still stumped. I cannot get sudo to work with host groups; I have to directly add each server to the sudo rule.

Thanks,
-Mark

Mark Tovey - UNIX Engineer | Service Strategy Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2

-----Original Message-----
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Tuesday, July 16, 2013 12:34 AM
To: Tovey, Mark
Cc: Steven Jones; James Hogarth; Freeipa-users@redhat.com; Pavel Brezina
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?

Just checking, did you try the troubleshooting hints from JR I found at the top of the thread? I did not find any information about that.

Can you confirm the output of the following commands:

1. $ domainname
   * does it match your domain?
2. $ hostname
   * does it match your fqdn?
3. $ getent netgroup esolutions-sandbox-hosts
   * does this list your host?
4. Does /etc/nsswitch.conf contain the line:
   netgroup: files sss ?

Another important Sudo Troubleshooting step is to edit:

/etc/sudo-ldap.conf (or /etc/ldap.conf, depending on what version of RHEL/Sudo you're running)

At the top, add the line:

sudoers_debug 2

Then try another sudo command. sudo -l for example.

For example, it would help to know that netgroup list (step 3) works or domainname is set correctly (step 1).

Martin

On 07/16/2013 06:09 AM, Tovey, Mark wrote:
> Okay, I stopped sssd on the client and deleted the cache files, removed the sudo rule, started sssd and verified that the rule was gone, stopped sssd and deleted the files again, added the rule back in, restarted sssd, and still it does not work.
>
> One note, when I enter the hosts into the sudo rule in place of the host group, the effect is immediate; I do not need to restart sssd. And the opposite is true too: if I put the host group back, the rule immediately stops working. I don't think the issue is cache related; it seems to be something else.
>
> The serv_account that we are accessing with the sudo rule is external. I wouldn't expect that to matter, but perhaps it does?
>
> I like your idea for the labels; they make sense. Right now we are just evaluating this to see if we want to go this route. So far we like it, but this could be a problem because we have several hundred hosts that we need to manage. Having to enter each one individually will be problematic.
Re: [Freeipa-users] sudo rules user and host group bugs?
On 07/16/2013 02:11 PM, Tovey, Mark wrote:
> My environment consists of OEL 5.5 clients with ipa-client-2.1.3 and the server is OEL 6.4 with ipa-server-3.0.0. We chose these because we were able to find RPM packages for them. We would prefer to go with the latest versions, but we did not want to spend the time building installation packages just yet. Again, we are just evaluating at this point.
>
> So far, so good, except for this one point. The domain name, host name, and nsswitch.conf files are all properly configured. But I do not have any netgroups defined (the getent command doesn't return anything and there is no /etc/netgroup file).
>
> After you asked about that, I started looking into the documentation on netgroups. The IPA documentation for sudo states that Identity Management creates two groups, a visible host group and a shadow netgroup. sudo itself only supports NIS-style netgroups for group formats. But when I look in the Netgroups area, I do not see any netgroups defined. I used Apache Directory Studio to look around the Directory Server, and I can see cn=hgroup1,cn=ng,cn=alt,dc=my_domain,dc=com, along with cn=hgroup1,cn=hostgroups,cn=accounts,dc=my_domain,dc=com. This seems to reflect what was stated in the documentation. But I am still stumped. I cannot get sudo to work with host groups; I have to directly add each server to the sudo rule.
>
> Thanks,
> -Mark

So it seems that the first thing you need to do is to make sure your netgroups work. If domain and host are properly set then it might be the wrong base in your LDAP search for the netgroups. Are you using SSSD for netgroups or something else? Can you please share your sssd.conf and the area where it configures netgroups? Also, is sss in the nsswitch.conf for the netgroups map?
> Mark Tovey - UNIX Engineer | Service Strategy Design
> UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
> mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2
>
> -----Original Message-----
> From: Martin Kosek [mailto:mko...@redhat.com]
> Sent: Tuesday, July 16, 2013 12:34 AM
> To: Tovey, Mark
> Cc: Steven Jones; James Hogarth; Freeipa-users@redhat.com; Pavel Brezina
> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>
> Just checking, did you try the troubleshooting hints from JR I found at the top of the thread? I did not find any information about that. Can you confirm the output of the following commands:
>
> 1. $ domainname
>    * does it match your domain?
> 2. $ hostname
>    * does it match your fqdn?
> 3. $ getent netgroup esolutions-sandbox-hosts
>    * does this list your host?
> 4. Does /etc/nsswitch.conf contain the line: netgroup: files sss?
>
> Another important Sudo Troubleshooting step is to edit /etc/sudo-ldap.conf (or /etc/ldap.conf, depending on what version of RHEL/Sudo you're running). At the top, add the line:
>
>     sudoers_debug 2
>
> Then try another sudo command, sudo -l for example.
>
> For example, it would help to know that the netgroup list (step 3) works or that domainname is set correctly (step 1).
>
> Martin
Re: [Freeipa-users] sudo rules user and host group bugs?
We are using sssd. The sssd.conf file is mostly unchanged from how it was installed by the ipa-client-install script:

    [sssd]
    config_file_version = 2
    services = nss, pam
    domains = my_domain.com

    [nss]

    [pam]

    [domain/my_domain.com]
    cache_credentials = True
    krb5_store_password_if_offline = True
    ipa_domain = my_domain.com
    id_provider = ipa
    auth_provider = ipa
    access_provider = ipa
    chpass_provider = ipa
    ipa_server = _srv_, ipa_server.my_domain.com
    ldap_tls_cacert = /etc/ipa/ca.crt
    debug_level = 6

And the nsswitch.conf file:

    passwd:     files sss
    shadow:     files sss
    group:      files sss
    hosts:      files dns
    bootparams: nisplus [NOTFOUND=return] files
    ethers:     files
    netmasks:   files
    networks:   files
    protocols:  files
    rpc:        files
    services:   files
    netgroup:   files sss
    publickey:  nisplus
    automount:  files ldap
    aliases:    files
    sudoers:    files ldap

Thanks,
-Mark
Re: [Freeipa-users] sudo rules user and host group bugs?
From: James Hogarth
Sent: Monday, July 15, 2013 1:11 PM
To: Tovey, Mark

Did anyone find a solution for this? I am having the same experience.

Wow that was a mess...

To use hostgroups for sudo ensure nisdomainname is set on the hosts to the IPA domain.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] sudo rules user and host group bugs?
From: Tovey, Mark
Sent: Tuesday, 16 July 2013 10:54 a.m.
To: James Hogarth
Cc: Freeipa-users@redhat.com

I checked that and it is set correctly:

    [user1@host1 ~]$ nisdomainname
    my_domain.com

If I try to run a command with the hosts specified indirectly through a host group, it fails:

    [user1@host1 ~]$ sudo -i -u serv_account
    LDAP Config Summary
    ===================
    uri              ldap://ipa_server.my_domain.com
    ldap_version     3
    sudoers_base     ou=SUDOers,dc=my_domain,dc=com
    binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
    bindpw           **
    bind_timelimit   5000
    timelimit        15
    ssl              start_tls
    tls_checkpeer    (yes)
    tls_cacertfile   /etc/ipa/ca.crt
    ===================
    sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
    sudo: ldap_set_option: debug -> 0
    sudo: ldap_set_option: ldap_version -> 3
    sudo: ldap_set_option: tls_checkpeer -> 1
    sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
    sudo: ldap_set_option: timelimit -> 15
    sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
    sudo: ldap_start_tls_s() ok
    sudo: ldap_sasl_bind_s() ok
    sudo: no default options found!
    sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
    sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
    sudo: ldap sudoHost '+hgroup1' ... not
    sudo: ldap search 'sudoUser=+*'
    sudo: user_matches=1
    sudo: host_matches=0
    sudo: sudo_ldap_lookup(0)=0x40
    [sudo] password for user1:
    Sorry, try again.
    [sudo] password for user1:
    sudo: 1 incorrect password attempt

But if I remove the host group from the sudo rule and directly add the hosts that were in the host group, it works fine:

    <snip>
    sudo: ldap_start_tls_s() ok
    sudo: ldap_sasl_bind_s() ok
    sudo: no default options found!
    sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
    sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
    sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
    sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
    sudo: ldap sudoCommand 'ALL' ... MATCH!
    sudo: Command allowed
    sudo: user_matches=1
    sudo: host_matches=1
    sudo: sudo_ldap_lookup(0)=0x02
    [sudo] password for user1:
    [serv_account@host1 ~]$

So something isn't lining up correctly with host groups in sudo rules somewhere. I just haven't been able to track it down.

Thanks,
-Mark
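The trace above is the thing to read when a host-group rule fails: sudo found the rule and the user matched (user_matches=1), the sudoHost value '+hgroup1' is a netgroup reference, and it did not match (host_matches=0, lookup result 0x40). Below is an added example, not code from this thread or from the sudo or FreeIPA projects, that parses such a sudoers_debug 2 transcript and says what it means. It assumes sudo 1.7's line format and the sudo_ldap_lookup() flag values from sudo 1.7's defs.h (FLAG_NO_HOST = 0x40, VALIDATE_OK = 0x02); the two sample transcripts inside it are constructed from the failing and working runs posted above.

```python
"""Summarise what a sudo "sudoers_debug 2" trace says about rule matching.

Added example, not code from this thread or from the sudo/FreeIPA projects.
It parses the per-rule lines sudo 1.7 prints in LDAP mode, reports which
sudoHost/sudoRunAsUser/sudoCommand checks matched, decodes the bits of the
sudo_ldap_lookup() result, and singles out netgroup-form sudoHost values
("+name") that did not match: sudo resolves those with innetgr(3) through
the nss netgroup map and the NIS domain name, not with an LDAP comparison,
so a miss there points at the client, not at the rule.
"""
import re

# Bits of the sudo_ldap_lookup() return value, as defined in sudo 1.7's defs.h.
LOOKUP_FLAGS = {
    0x001: "VALIDATE_ERROR", 0x002: "VALIDATE_OK", 0x004: "VALIDATE_NOT_OK",
    0x010: "FLAG_CHECK_USER", 0x020: "FLAG_NO_USER", 0x040: "FLAG_NO_HOST",
    0x080: "FLAG_NO_CHECK",
}
FOUND_RE = re.compile(r"^sudo: found:\s*(?P<dn>\S.*)$")
CHECK_RE = re.compile(
    r"^sudo: ldap (?P<attr>sudo\w+) '(?P<val>.*)' \.\.\. (?P<res>MATCH!|not)$")
COUNT_RE = re.compile(r"^sudo: (?P<key>user_matches|host_matches)=(?P<n>\d+)$")
RESULT_RE = re.compile(r"^sudo: sudo_ldap_lookup\(\d+\)=(?P<val>0x[0-9a-fA-F]+)$")


def parse_sudo_debug(text):
    """Return {'rules': {dn: [(attr, value, matched), ...]}, 'user_matches',
    'host_matches', 'result'} for one sudo invocation's trace."""
    out = {"rules": {}, "user_matches": None, "host_matches": None, "result": None}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FOUND_RE.match(line)
        if m:
            current = m.group("dn")
            out["rules"].setdefault(current, [])
            continue
        m = CHECK_RE.match(line)
        if m and current is not None:
            out["rules"][current].append(
                (m.group("attr"), m.group("val"), m.group("res") == "MATCH!"))
            continue
        m = COUNT_RE.match(line)
        if m:
            out[m.group("key")] = int(m.group("n"))
            continue
        m = RESULT_RE.match(line)
        if m:
            out["result"] = int(m.group("val"), 16)
    return out


def decode_lookup(result):
    """Names of the flag bits set in a sudo_ldap_lookup() result (None -> [])."""
    if result is None:
        return []
    return [name for bit, name in sorted(LOOKUP_FLAGS.items()) if result & bit]


def unmatched_netgroup_hosts(parsed):
    """sudoHost values of the form '+netgroup' that sudo reported as 'not'."""
    return sorted(val for checks in parsed["rules"].values()
                  for attr, val, ok in checks
                  if attr == "sudoHost" and val.startswith("+") and not ok)


def diagnose(parsed):
    """One-line verdict: what the trace says and what to check next."""
    flags = decode_lookup(parsed["result"])
    if "VALIDATE_OK" in flags:
        return "rule matched (VALIDATE_OK): sudo allowed the command"
    if parsed["user_matches"] == 1 and parsed["host_matches"] == 0:
        netgroups = [n[1:] for n in unmatched_netgroup_hosts(parsed)]
        if netgroups:
            return ("user matched but no sudoHost did (FLAG_NO_HOST); netgroup "
                    "host(s) %s failed innetgr(3): check that 'getent netgroup "
                    "<name>' lists this host and that nisdomainname equals the "
                    "domain field of that triple" % ", ".join(netgroups))
        return "user matched but no sudoHost did (FLAG_NO_HOST): compare sudoHost with 'hostname'"
    return "no rule matched this user: %s" % (", ".join(flags) or "no result line")


# Constructed from the failing and working runs posted above (abridged).
SAMPLE_FAIL = """\
sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=ALL))'
sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
sudo: ldap sudoHost '+hgroup1' ... not
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x40
"""
SAMPLE_OK = """\
sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
"""

if __name__ == "__main__":
    import sys
    # Usage: sudo -l 2>&1 | python3 sudo_trace.py   (sudo's debug lines go to stderr)
    text = SAMPLE_FAIL if sys.stdin.isatty() else sys.stdin.read()
    print(diagnose(parse_sudo_debug(text)))
```

With sudoers_debug 2 set on the client, pipe `sudo -l 2>&1` into the script; with nothing on stdin it runs the constructed failing sample. The point of the netgroup branch is that a '+name' sudoHost never gets compared against LDAP data: sudo hands it to innetgr(3), so the fix lives in the nss netgroup map and the NIS domain name, not in the rule.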
Re: [Freeipa-users] sudo rules user and host group bugs?
From: Steven Jones
Sent: Monday, July 15, 2013 4:15 PM
To: Tovey, Mark; James Hogarth
Cc: Freeipa-users@redhat.com

Hi,

This is a known issue I've suffered a long time with. What would be interesting is that adding another host to the host group could well work fine; that will really make you bang your head against the wall...

Two possibilities: stop the sssd daemon on the problem host, delete its cache and start it; that might fix it. Otherwise, the best (all RH support could come up with) is to delete the HBAC rule, sudo rule, user group and host group and re-do it; then it will probably work fine.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
Re: [Freeipa-users] sudo rules user and host group bugs?
From: Tovey, Mark
Sent: Tuesday, 16 July 2013 11:34 a.m.
To: Steven Jones; James Hogarth
Cc: Freeipa-users@redhat.com

That didn't work either. I set up the host group in my sudo rule, stopped sssd, renamed /var/lib/sss/db and created a new db directory, then restarted sssd. New files were created in the db directory, but it still refuses to work unless the hosts are directly specified in the sudo rule.

Thanks,
-Mark
Re: [Freeipa-users] sudo rules user and host group bugs?
From: Tovey, Mark

Okay, I stopped sssd on the client and deleted the cache files, removed the sudo rule, started sssd and verified that the rule was gone, stopped sssd and deleted the files again, added the rule back in, restarted sssd, and still it does not work.

One note: when I enter the hosts into the sudo rule in place of the host group, the effect is immediate; I do not need to restart sssd. And the opposite is true too: if I put the host group back, the rule immediately stops working. I don't think the issue is cache related; it seems to be something else.

The serv_account that we are accessing with the sudo rule is external. I wouldn't expect that to matter, but perhaps it does?

I like your idea for the labels; they make sense.

Right now we are just evaluating this to see if we want to go this route. So far we like it, but this could be a problem because we have several hundred hosts that we need to manage. Having to enter each one individually will be problematic.

Thanks,
-Mark

-----Original Message-----
From: Steven Jones [mailto:steven.jo...@vuw.ac.nz]
Sent: Monday, July 15, 2013 4:44 PM
To: Tovey, Mark; James Hogarth
Cc: Freeipa-users@redhat.com
Subject: RE: [Freeipa-users] sudo rules user and host group bugs?

option b) delete the rule totally and redo it from scratch.

I label rules like this:

    hb- for a hbac rule
    su- for a sudo rule
    sc- for a sudo command group
    ug- for a user group
    hg- for a host group
    etc etc

It makes the logic easier when you go into the command line, which I find easier to trace with than the gui at times.

regards

Steven Jones
Re: [Freeipa-users] sudo rules user and host group bugs?
On 06/05/2013 11:20 AM, KodaK wrote:
> I know this has been discussed before, but I didn't see anything with a cursory search. There are bugs when using user and host groups with sudo rules. I have to split out my users and hosts into individual entries. I'm running ipa 3.0.0-26 on RHEL. All I really want to know is if this is fixed upstream.

I am not sure I recall a bug you are referring to. A quick scan against the open tickets does not reveal anything like what you describe. Can you provide the description of the issue or point to the earlier thread on the matter?

> Thanks,
> --Jason
>
> --
> The government is going to read our mail anyway, might as well make it tough for them.
> GPG Public key ID: B6A1A7C6

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] sudo rules user and host group bugs?
Do you use the SSSD integration? If so, then I can think of one bug that might apply to your situation:

https://bugzilla.redhat.com/show_bug.cgi?id=880150

If you fetch sudo rules with nss_ldap, then describing what problems you are seeing in more detail would help.
Re: [Freeipa-users] sudo rules user and host group bugs?
Hi,

lately I spent some time debugging sudo; what I ended up with was:

- I created a sudo rule in IPA called "defaults" with the sudo option fqdn. "defaults" is checked by sssd as the default setting.
- I set up the NIS domain on the hosts the same as the IPA domain. See getent netgroup hostgroup.

sudo seems to work fine.
Re: [Freeipa-users] sudo rules user and host group bugs?
From: KodaK
Sent: Jun 5, 2013, 1:47 PM

Sorry, for some reason gmail makes me forget about reply all.

On Wed, Jun 5, 2013 at 2:45 PM, Dmitri Pal <d...@redhat.com> wrote:
> I am not sure I recall a bug you are referring to. A quick scan against the open tickets does not reveal anything like what you describe. Can you provide the description of the issue or point to the earlier thread on the matter?

I'm going off of memory on seeing the previous bug. It very well could be a false memory.

I have a rule like this:

    [jebalicki@mo0033802 ~]$ ipa sudorule-show esolutions-sandbox-root-access
      Rule name: esolutions-sandbox-root-access
      Enabled: TRUE
      Users: slfries, awellard
      Hosts: slnessbxl01.unix.magellanhealth.com
      Sudo Allow Commands: /bin/su -

This works. However, if I change the rule to use hostgroups instead of listing the hosts individually the rule will not work. The groups still exist and look like this:

    [jebalicki@mo0033802 ~]$ ipa hostgroup-show esolutions-sandbox-hosts
      Host-group: esolutions-sandbox-hosts
      Description: esolutions sandbox hosts
      Member hosts: slnessbxl01.unix.magellanhealth.com
      Member of HBAC rule: esolutions-sandbox-access

    [jebalicki@mo0033802 ~]$ ipa group-show esolutions
      Group name: esolutions
      Description: esolutions group
      GID: 1115600250
      Member users: awellard, slfries
      Member of HBAC rule: esolutions-sandbox-access

Client machine is pretty much default-out-of-the-box IRT IPA configuration; here's the installer output (installs during kickstart):

    [root@slnessbxl01 ~]# cat ks-post.log
    Discovery was successful!
      Hostname: slnessbxl01.unix.magellanhealth.com
      Realm: UNIX.MAGELLANHEALTH.COM
      DNS Domain: UNIX.MAGELLANHEALTH.COM
      IPA Server: slpidml01.unix.magellanhealth.com
      BaseDN: dc=unix,dc=magellanhealth,dc=com
    Synchronizing time with KDC...
    Enrolled in IPA realm UNIX.MAGELLANHEALTH.COM
    Created /etc/ipa/default.conf
    New SSSD config will be created.
    Configured /etc/sssd/sssd.conf
    Configured /etc/krb5.conf for IPA realm UNIX.MAGELLANHEALTH.COM
    Warning: Hostname (slnessbxl01.unix.magellanhealth.com) not found in DNS
    DNS server record set to: slnessbxl01.unix.magellanhealth.com -> 10.200.12.104
    SSSD enabled
    NTP enabled
    Client configuration complete.
    [root@slnessbxl01 ~]# rpm -qa | grep ipa
    python-iniparse-0.3.1-2.1.el6.noarch
    libipa_hbac-python-1.8.0-32.el6.x86_64
    libipa_hbac-1.8.0-32.el6.x86_64
    ipa-client-2.2.0-16.el6.x86_64
    ipa-python-2.2.0-16.el6.x86_64
    [root@slnessbxl01 ~]# cat /etc/redhat-release
    Red Hat Enterprise Linux Server release 6.3 (Santiago)
    [root@slnessbxl01 ~]#
Re: [Freeipa-users] sudo rules user and host group bugs?
On Jun 5, 2013, at 1:47 PM, KodaK wrote: Sorry, for some reason gmail makes me forget about reply all. On Wed, Jun 5, 2013 at 2:45 PM, Dmitri Pal d...@redhat.commailto:d...@redhat.com wrote: On 06/05/2013 11:20 AM, KodaK wrote: I know this has been discussed before, but I didn't see anything with a cursory search. There are bugs when using user and host groups with sudo rules. I have to split out my users and hosts into individual entries. I'm running ipa 3.0.0-26 on RHEL. All I really want to know is if this is fixed upstream. I am not sure I recall a bug you are referring to. A quick scan against the open tickets does not reveal anything like what you describe. Can you provide the description of the issue or point to the earlier thread on the matter? I'm going off of memory on seeing the previous bug. It very well could be a false memory. I have a rule like this: [jebalicki@mo0033802 ~]$ ipa sudorule-show esolutions-sandbox-root-access Rule name: esolutions-sandbox-root-access Enabled: TRUE Users: slfries, awellard Hosts: slnessbxl01.unix.magellanhealth.com Sudo Allow Commands: /bin/su - This works. However, if I change the rule to use hostgroups instead of listing the hosts individually the rule will not work. The groups still exist and look like this: [jebalicki@mo0033802 ~]$ ipa hostgroup-show esolutions-sandbox-hosts Host-group: esolutions-sandbox-hosts Description: esolutions sandbox hosts Member hosts: slnessbxl01.unix.magellanhealth.com Member of HBAC rule: esolutions-sandbox-access [jebalicki@mo0033802 ~]$ ipa group-show esolutions Group name: esolutions Description: esolutions group GID: 1115600250 Member users: awellard, slfries Member of HBAC rule: esolutions-sandbox-access Client machine is pretty much default-out-of-the-box IRT IPA configuration, here's the installer output (installs during kickstart): [root@slnessbxl01 ~]# cat ks-post.log Discovery was successful! 
Hostname: slnessbxl01.unix.magellanhealth.com
Realm: UNIX.MAGELLANHEALTH.COM
DNS Domain: UNIX.MAGELLANHEALTH.COM
IPA Server: slpidml01.unix.magellanhealth.com
BaseDN: dc=unix,dc=magellanhealth,dc=com
Synchronizing time with KDC...
Enrolled in IPA realm UNIX.MAGELLANHEALTH.COM
Created /etc/ipa/default.conf
New SSSD config will be created.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm UNIX.MAGELLANHEALTH.COM
Warning: Hostname (slnessbxl01.unix.magellanhealth.com) not found in DNS
DNS server record set to: slnessbxl01.unix.magellanhealth.com - 10.200.12.104
SSSD enabled
NTP enabled
Client configuration complete.

[root@slnessbxl01 ~]# rpm -qa | grep ipa
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
[root@slnessbxl01 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.3 (Santiago)
[root@slnessbxl01 ~]#

Troubleshooting: Can you confirm the output of the following commands:

1. $ domainname
   * does it match your domain?
2. $ hostname
   * does it match your fqdn?
3. $ getent netgroup esolutions-sandbox-hosts
   * does this list your host?
4. Does /etc/nsswitch.conf contain the line: netgroup: files sss?

Another important Sudo troubleshooting step is to edit /etc/sudo-ldap.conf (or /etc/ldap.conf, depending on what version of RHEL/Sudo you're running). At the top, add the line:

sudoers_debug 2

Then try another sudo command, sudo -l for example. This should result in a long list of search criteria and status. The last few lines should indicate where any matches occurred.
Keeping your head in the cloud ~ JR Aquino
Senior Information Security Specialist, Technical Operations
T: +1 805 690 3478 | F: +1 805 879 3730 | M: +1 805 717 0365
GIAC Certified Exploit Researcher and Advanced Penetration Tester | GIAC Web Application Penetration Tester | GIAC Certified Incident Handler
jr.aqu...@citrix.com
Powering mobile workstyles and cloud services
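The checklist in the reply above (domainname, hostname, getent netgroup, the nsswitch.conf netgroup line, and sudoers_debug) as a script. This is an added example, not code from the thread, from FreeIPA or from sudo. It runs offline against constructed stand-ins for the client files: the nsswitch.conf lines, the netgroup listing and the sudo-ldap.conf contents are assumed sample data shaped like the output shown earlier in the thread, and the hostname, domain and hostgroup name are taken from the post. On a real client you would point the functions at /etc/nsswitch.conf, the actual output of getent netgroup <hostgroup>, and /etc/sudo-ldap.conf (or /etc/ldap.conf).

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or sudo): offline checks for
# the sudo/netgroup troubleshooting steps. All inputs are constructed.

# Steps 1 and 2: hostname must be an FQDN under the NIS domain. sudo passes
# the NIS domain to innetgr() when matching the host against netgroup
# triples, so a wrong domainname means no triple matches.
host_matches_domain() {
    # $1: output of `hostname`, $2: output of `domainname`
    hn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    dn=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$hn" in
        *".$dn") return 0 ;;
        *)       return 1 ;;
    esac
}

# Step 4: does the named nsswitch database list the given source?
# Lines written as "rpc:files" (no space after the colon) are handled too.
nss_source_present() {
    # $1: nsswitch.conf path, $2: database (netgroup, sudoers), $3: source (sss, ldap)
    awk -v db="$2" -v src="$3" '
        /^[ \t]*#/ || NF == 0 { next }
        { line = $0; sub(/:/, " ", line); $0 = line }
        $1 == db { for (i = 2; i <= NF; i++) if ($i == src) found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Step 3: does a `getent netgroup <name>` listing contain the host?
# Members are (host, user, domain) triples; the host is the first field.
netgroup_contains_host() {
    # $1: file holding the getent output, $2: FQDN to look for
    tr '(' '\n' < "$1" | awk -F'[,)]' -v h="$2" '
        !/\)/ { next }
        { host = $1; gsub(/^[ \t]+|[ \t]+$/, "", host) }
        tolower(host) == tolower(h) { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Debug step: the sudoers_debug level from sudo-ldap.conf (0 when unset).
sudo_ldap_debug_level() {
    # $1: sudo-ldap.conf path; prints the configured level
    awk 'tolower($1) == "sudoers_debug" { v = $2 } END { print (v == "" ? 0 : v) }' "$1"
}

# Constructed sample files standing in for the real client files.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/nsswitch.conf" <<'EOF'
passwd:     files sss
group:      files sss
rpc:files
netgroup:   files sss
sudoers:    files ldap
EOF
    # Same shape as the `getent netgroup hgroup1` output earlier in the thread.
    cat > "$dir/netgroup.out" <<'EOF'
esolutions-sandbox-hosts (slnessbxl01.unix.magellanhealth.com, -, unix.magellanhealth.com)
EOF
    cat > "$dir/sudo-ldap.conf" <<'EOF'
sudoers_debug 2
EOF
    printf '%s\n' "$dir"
}

report() {
    # $1: label, rest: command to run; sets rc=1 on failure
    label=$1; shift
    if "$@"; then echo "ok   $label"; else echo "FAIL $label"; rc=1; fi
}

# Run the whole checklist; returns 1 if any hard check failed.
check_client() {
    # $1: directory with the files, $2: hostname, $3: domainname, $4: hostgroup name
    rc=0
    report "hostname is an FQDN under the NIS domain" host_matches_domain "$2" "$3"
    report "nsswitch netgroup uses sss"               nss_source_present "$1/nsswitch.conf" netgroup sss
    report "nsswitch sudoers uses ldap"               nss_source_present "$1/nsswitch.conf" sudoers ldap
    report "host is a member of netgroup $4"          netgroup_contains_host "$1/netgroup.out" "$2"
    if [ "$(sudo_ldap_debug_level "$1/sudo-ldap.conf")" -ge 1 ]; then
        echo "ok   sudoers_debug is set; sudo -l will print the LDAP search trace"
    else
        echo "note sudoers_debug not set; add 'sudoers_debug 2' before re-running sudo -l"
    fi
    return $rc
}

samples=$(make_samples)
check_client "$samples" slnessbxl01.unix.magellanhealth.com unix.magellanhealth.com esolutions-sandbox-hosts
```

The domain comparison is case-insensitive because the installer output above prints the DNS domain in upper case while the hostname is lower case. The nsswitch check is run for both netgroup (needed so sudo can resolve the hostgroup-derived netgroup through sssd) and sudoers (needed so sudo consults LDAP at all); a rule that works with explicit hosts but not with a hostgroup is exactly the symptom of the first of those being missing or of the host not appearing in the netgroup listing.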
