Re: [Freeipa-users] FreeIPA, SSSD, sudo and Local Users

2014-09-15 Thread Daniel Kopecek
Hello,

On Thu, 11 Sep 2014 16:12:40 +0200
Jakub Hrozek jhro...@redhat.com wrote:

> On Wed, Sep 10, 2014 at 09:58:27PM +, Trevor T Kates (Services - 6) wrote:
> > Hi all:
> > 
> > I'm using FreeIPA 3.0 under CentOS 6.5 and I'm trying to solve a
> > bit of a quirky problem. From what I've read thus far, sudo under
> > SSSD can't provide sudo rules for local users that are not part of
> > the directory. To get around this, I've been using the
> > sudo-ldap.conf file to provide sudo with direct access to the
> > directory. This, however, can't make use of service discovery, so
> > if the first server in the ldap_uri list is taken down, sudo delays
> > for the length of the timeout set. My idea for getting around this
> > has been to use sudo in SSSD for users that are in the directory
> > and let sudo-ldap take care of local users with a line in
> > nsswitch.conf like this:
> > 
> > sudoers: files sss ldap
> 
> I think this is more of a sudo question and I'm not too familiar with
> the sudo code to answer this question well. I added the sudo Fedora
> maintainer to CC, maybe he has some ideas?
> 
> > 
> > My problem now seems to be that the ldap query is still run even if
> > a successful hit is made to sssd. Changing the line in
> > nsswitch.conf to:
> > 
> > sudoers: files sss [success=return] ldap

Yes, the sudoers: line is parsed by sudo and sudo does support the
[SUCCESS=return] option. However, this applies only to queries for sudo
rules. 

Is the LDAP query you're talking about a query for sudo rules or for
users/groups? Sources for the user and groups dbs are not handled by
sudo. Sudo just uses the usual glibc calls and they may result in
queries to ldap and sss too.

Dan K.

> I don't think [success=return] will work here. Despite sudoers being
> configured in nsswitch.conf, it's not actually an NSS map handled by
> glibc. sudo itself parses the file.
> 
> > 
> > doesn't seem to actually work.
> > 
> > Does anyone have pointers on how I can resolve this particular
> > problem?
> > 
> > Thanks!
> > 
> > Trevor T. Kates

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
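One way to check the distinction Daniel draws between the two kinds of lookup, as an added example that is not part of the thread and not sudo's or SSSD's own code: a POSIX shell script that reads an nsswitch.conf and reports, separately, the source order sudo itself will walk for sudoers rules (and whether a [SUCCESS=return] action is present, accepted in either spelling used in the thread), and which of the passwd/group/shadow maps, which glibc resolves and sudo cannot short-circuit, name sss or ldap. The sample nsswitch.conf content is constructed to resemble the poster's setup, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): separate the sources sudo consults
# for rules from the sources glibc consults for users and groups.
# Assumes only POSIX sh, awk and sed.

# Constructed sample nsswitch.conf resembling the poster's setup.
SAMPLE_NSSWITCH='passwd:     files sss
shadow:     files sss
group:      files sss
# sudo parses this line itself; glibc never sees it
sudoers:    files sss [success=return] ldap
hosts:      files dns'

# sources_for MAP FILE: print the source list for MAP, without [...] actions
sources_for() {
    awk -v map="$1:" '$1 == map {
        for (i = 2; i <= NF; i++) if ($i !~ /^\[/) printf "%s ", $i
        print ""
    }' "$2" | sed 's/ *$//'
}

# sudo_stops_on_success FILE: "yes" if the sudoers: line carries a
# [SUCCESS=return] action (matched case-insensitively), else "no"
sudo_stops_on_success() {
    awk 'tolower($1) == "sudoers:" { line = tolower($0) }
         END { print (index(line, "[success=return]") ? "yes" : "no") }' "$1"
}

# glibc_maps_using SOURCE FILE: the passwd/group/shadow maps that name
# SOURCE; these lookups go through glibc, so sudo cannot short-circuit them
glibc_maps_using() {
    awk -v src="$1" '$1 ~ /^(passwd|group|shadow):$/ {
        for (i = 2; i <= NF; i++) if ($i == src) { sub(":", "", $1); printf "%s ", $1 }
    } END { print "" }' "$2" | sed 's/ *$//'
}

# report FILE: one line per question a practitioner would ask
report() {
    f=$1
    echo "sudo rule sources:    $(sources_for sudoers "$f")"
    echo "stop after first hit: $(sudo_stops_on_success "$f")"
    echo "glibc maps via sss:   $(glibc_maps_using sss "$f")"
    echo "glibc maps via ldap:  $(glibc_maps_using ldap "$f")"
}

tmp=$(mktemp)
printf '%s\n' "$SAMPLE_NSSWITCH" > "$tmp"
report "$tmp"
rm -f "$tmp"
```

Against a real host, run `report /etc/nsswitch.conf`. If the sudoers line carries [SUCCESS=return] and the LDAP server is still contacted during a sudo invocation, the "glibc maps via ldap" line shows whether the traffic is a user or group lookup, which is the case Daniel asks about and which no sudoers: action can suppress.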


Re: [Freeipa-users] FreeIPA, SSSD, sudo and Local Users

2014-09-11 Thread Jakub Hrozek
On Wed, Sep 10, 2014 at 09:58:27PM +, Trevor T Kates (Services - 6) wrote:
> Hi all:
> 
> I'm using FreeIPA 3.0 under CentOS 6.5 and I'm trying to solve a bit of a
> quirky problem. From what I've read thus far, sudo under SSSD can't provide
> sudo rules for local users that are not part of the directory. To get around
> this, I've been using the sudo-ldap.conf file to provide sudo with direct
> access to the directory. This, however, can't make use of service discovery,
> so if the first server in the ldap_uri list is taken down, sudo delays for
> the length of the timeout set. My idea for getting around this has been to
> use sudo in SSSD for users that are in the directory and let sudo-ldap take
> care of local users with a line in nsswitch.conf like this:
> 
> sudoers: files sss ldap

I think this is more of a sudo question and I'm not too familiar with
the sudo code to answer this question well. I added the sudo Fedora
maintainer to CC, maybe he has some ideas?

> 
> My problem now seems to be that the ldap query is still run even if a
> successful hit is made to sssd. Changing the line in nsswitch.conf to:
> 
> sudoers: files sss [success=return] ldap

I don't think [success=return] will work here. Despite sudoers being
configured in nsswitch.conf, it's not actually an NSS map handled by
glibc. sudo itself parses the file.

> 
> doesn't seem to actually work.
> 
> Does anyone have pointers on how I can resolve this particular problem?
> 
> Thanks!
> 
> Trevor T. Kates
