Re: [Freeipa-users] SSS for sudoers confusion

On Tue, 11 Mar 2014, David Taylor wrote:
> @Dmitri - Thank you for your reply, that is actually one of the documents I
> read, however there seem to be some steps missing as with the configuration
> elements in place sudo doesn't work:
>
>     dtaylor is not allowed to run sudo on ipa-client.  This incident will be reported.
>
> There is some note about configuring a password on the ldap user however
> following the suggestions I found didn't actually work.

From your original email I can see that you put the sudo provider
configuration into the wrong section in sssd.conf. No wonder it does not
work. Any provider configuration must be in the domain section.

In RHEL 6.5 and before you can do as I describe here:
https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html

In Fedora 20 you don't need to add anything for the IPA case because sssd
will set everything up by default for the IPA provider.

Did you actually read the man page sssd-sudo(5)? It has the exact
configuration changes you need to do.
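The misplacement diagnosed in the reply above, as an added example that is not part of the thread: a small Python check that parses an sssd.conf, reports provider options found outside a [domain/...] section, and moves them into the domain section. The list of domain-only keys is an assumption taken from the configuration posted in the thread, and the embedded sssd.conf is a constructed, abridged copy of it.

```python
# Added example (not from the thread): flag sssd.conf provider options that sit
# outside a [domain/...] section and move them back where sssd reads them.
import configparser
import io

# Assumed domain-only keys, taken from the keys the thread's sssd.conf misplaces.
DOMAIN_ONLY_KEYS = {"sudo_provider", "ldap_sudo_search_base",
                    "ldap_sasl_mech", "ldap_sasl_authid", "ldap_sasl_realm"}

# Constructed, abridged copy of the sssd.conf posted in the thread.
POSTED_SSSD_CONF = """\
[domain/test.example.net]
id_provider = ipa
auth_provider = ipa
access_provider = ipa

[sssd]
services = nss, pam, ssh, sudo
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=test,dc=example,dc=net
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/ipa-client.test.example.net
ldap_sasl_realm = TEST.EXAMPLE.NET
domains = test.example.net
"""

def parse(text):
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string(text)
    return cp

def misplaced_options(text):
    """Return (section, key) pairs for domain-only keys found in other sections."""
    cp = parse(text)
    return [(sec, key) for sec in cp.sections() if not sec.startswith("domain/")
            for key in cp[sec] if key in DOMAIN_ONLY_KEYS]

def relocate(text):
    """Move every misplaced key into each [domain/...] section; return new text."""
    cp = parse(text)
    domains = [s for s in cp.sections() if s.startswith("domain/")]
    for sec, key in misplaced_options(text):
        value = cp[sec].pop(key)          # drop it from the wrong section
        for dom in domains:
            cp[dom][key] = value          # and add it to the domain section
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()
```

On the posted config the check reports all five sudo/ldap keys under [sssd]; the same check on the relocated text returns nothing.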
Re: [Freeipa-users] SSS for sudoers confusion

@Dmitri - Thank you for your reply, that is actually one of the documents I
read, however there seem to be some steps missing as with the configuration
elements in place sudo doesn't work:

    dtaylor is not allowed to run sudo on ipa-client.  This incident will be reported.

There is some note about configuring a password on the ldap user however
following the suggestions I found didn't actually work.

Best regards
David Taylor

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Tuesday, 11 March 2014 10:49 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] SSS for sudoers confusion

On 03/10/2014 07:34 PM, David Taylor wrote:
> Hi all,
> I'm in the process of testing IPA server for centralised authentication
> of our linux hosts. We run CentOS 6.5 and it's all new so we have no
> legacy issues.
>
> In the lab I've set up an IPA server with the yum install and used a
> local bind instance which all seems to be working correctly. Where the
> issues begin is with the sudoers functionality. After reading the manual
> and consulting Google sensei I found a number of resources that talk
> about setting up ldap either natively in the nsswitch.conf file or via
> sssd. I've tried a number of slightly different configurations on the
> client side with little effect. So the question is "what is the process
> for configuring an IPA system to handle sudo functionality".
>
> Any help is greatly appreciated.
http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
Re: [Freeipa-users] SSS for sudoers confusion

On 03/10/2014 07:34 PM, David Taylor wrote:
> Hi all,
> I'm in the process of testing IPA server for centralised authentication
> of our linux hosts. We run CentOS 6.5 and it's all new so we have no
> legacy issues.
>
> In the lab I've set up an IPA server with the yum install and used a
> local bind instance which all seems to be working correctly. Where the
> issues begin is with the sudoers functionality. After reading the manual
> and consulting Google sensei I found a number of resources that talk
> about setting up ldap either natively in the nsswitch.conf file or via
> sssd. I've tried a number of slightly different configurations on the
> client side with little effect. So the question is "what is the process
> for configuring an IPA system to handle sudo functionality".
>
> Any help is greatly appreciated.
http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf

> --nsswitch.conf--
>
> #
> # /etc/nsswitch.conf
> #
> # An example Name Service Switch config file. This file should be
> # sorted with the most-used services at the beginning.
> #
> # The entry '[NOTFOUND=return]' means that the search for an
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Valid entries include:
> #
> #   nisplus             Use NIS+ (NIS version 3)
> #   nis                 Use NIS (NIS version 2), also called YP
> #   dns                 Use DNS (Domain Name Service)
> #   files               Use the local files
> #   db                  Use the local database (.db) files
> #   compat              Use NIS on compat mode
> #   hesiod              Use Hesiod for user lookups
> #   [NOTFOUND=return]   Stop searching if not found so far
> #
> # To use db, put the "db" in front of "files" for entries you want to be
> # looked up first in the databases
> #
> # Example:
> #passwd:    db files nisplus nis
> #shadow:    db files nisplus nis
> #group:     db files nisplus nis
>
> passwd:     files sss
> shadow:     files sss
> group:      files sss
>
> #hosts:     db files nisplus nis dns
> hosts:      files dns
>
> # Example - obey only what nisplus tells us...
> #services:   nisplus [NOTFOUND=return] files
> #networks:   nisplus [NOTFOUND=return] files
> #protocols:  nisplus [NOTFOUND=return] files
> #rpc:        nisplus [NOTFOUND=return] files
> #ethers:     nisplus [NOTFOUND=return] files
> #netmasks:   nisplus [NOTFOUND=return] files
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files sss
> sudoers:    files sss
> netgroup:   files sss
>
> publickey:  nisplus
>
> automount:  files sss
> aliases:    files nisplus
>
> --
>
> --sssd.conf--
>
> [domain/test.example.net]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> krb5_realm = TEST.EXAMPLE.NET
> krb5_server = ipa-server-1.test.example.net
> ipa_domain = test.example.net
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa-server-1.test.example.net
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, ipa-server-1.test.example.net
> ldap_tls_cacert = /etc/ipa/ca.crt
> ldap_uri = ldap://ipa-server-1.test.example.net
>
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> sudo_provider = ldap
> ldap_sudo_search_base = ou=sudoers,dc=test,dc=example,dc=net
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/ipa-client.test.example.net
> ldap_sasl_realm = TEST.EXAMPLE.NET
> domains = test.example.net
>
> [nss]
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> --
>
> Best regards
> David Taylor
>
> David Taylor
> Head of Engineering - SpeedCast Pacific
> Level 1, Unit 4F 12 Lord St, Botany NSW, Australia, 2019
> Office +61 2 9531 7555
> Direct: +61 2 9086 2787
> Mobile: +61 4 3131 1146
> 24x7 Helpdesk +61 2 9016 3222
> Web: http://www.example.com / www.speedcast.com
> To strengthen our corporate identity in target markets worldwide,
> effective 18th January, we have commenced operating under the SpeedCast
> name.
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/