Update with success! (but embarrassment)
I apologize for putting everyone through the wringer on this one. Here is what
I found.
I mentioned at one point that my domainname/nisdomainname/dnsdomainname did not
all return my correct domain, but that I had fixed this. As it turned out, I
had a
Okay,
Rule name: test4
Enabled: TRUE
Command category: all
Users: asteinfeld
Hosts: dbduwdu062.dbr.roche.com
Host Groups: tempsudo
Client dbduwdu062 is matched in the rule by both the hosts and groups entry.
/etc/nsswitch.conf has:
Netgroups: files sss
Getent netgroup
On 10/17/2012 07:26 AM, Macklin, Jason wrote:
Okay,
Rule name: test4
Enabled: TRUE
Command category: all
Users: asteinfeld
Hosts: dbduwdu062.dbr.roche.com
Host Groups: tempsudo
Client dbduwdu062 is matched in the rule by both the hosts and groups entry.
/etc/nsswitch.conf
ldapsearch -Y GSSAPI -H ldap://dbduvdu145.dbr.roche.com
ou=SUDOers,dc=dbr,dc=roche,dc=com
SASL/GSSAPI authentication started
SASL username: ad...@dbr.roche.com
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base (default) with scope subtree
# filter:
On Wed, 2012-10-17 at 09:53 -0600, Rich Megginson wrote:
On 10/17/2012 07:26 AM, Macklin, Jason wrote:
Okay,
Rule name: test4
Enabled: TRUE
Command category: all
Users: asteinfeld
Hosts: dbduwdu062.dbr.roche.com
Host Groups: tempsudo
Client dbduwdu062 is
On 10/17/2012 10:46 AM, Simo Sorce wrote:
On Wed, 2012-10-17 at 09:53 -0600, Rich Megginson wrote:
On 10/17/2012 07:26 AM, Macklin, Jason wrote:
Okay,
Rule name: test4
Enabled: TRUE
Command category: all
Users: asteinfeld
Hosts: dbduwdu062.dbr.roche.com
Host Groups:
On 10/17/2012 12:33 PM, Macklin, Jason wrote:
ldapsearch -Y GSSAPI -H ldap://dbduvdu145.dbr.roche.com
ou=SUDOers,dc=dbr,dc=roche,dc=com
You are missing -b
ldapsearch -Y GSSAPI -H ldap://dbduvdu145.dbr.roche.com -b
ou=SUDOers,dc=dbr,dc=roche,dc=com
Currently the command treats it as filter and
On 10/17/2012 10:33 AM, Macklin, Jason wrote:
ldapsearch -Y GSSAPI -H ldap://dbduvdu145.dbr.roche.com
ou=SUDOers,dc=dbr,dc=roche,dc=com
SASL/GSSAPI authentication started
SASL username: ad...@dbr.roche.com
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base
Thanks guys! Adding the -b did make a world of difference though it still
doesn't make anything too obvious... at least to me.
[jmacklin@dbduwdu062 Desktop]$ ldapsearch -Y GSSAPI -H
ldap://dbduvdu145.dbr.roche.com -b ou=SUDOers,dc=dbr,dc=roche,dc=com
SASL/GSSAPI authentication started
SASL
None of my users have an LDAP password being requested by running that command
(except the admin user).
Does each user account require an ldap account to go along with their login
account? I just get the following over and over no matter which account I
switch in the command...
On 10/17/2012 11:13 AM, Macklin, Jason wrote:
None of my users have an LDAP password being requested by running that command
(except the admin user).
Does each user account require an ldap account to go along with their login
account? I just get the following over and over no matter which
ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D cn=directory manager
-W uid=asteinfeld \* krbPwdLockoutDuration ?
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
I know this user password because I reset it for the purpose of troubleshooting
this issue with that account. I also
Macklin, Jason wrote:
ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D cn=directory manager
-W uid=asteinfeld \* krbPwdLockoutDuration ?
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
I know this user password because I reset it for the purpose of troubleshooting
this issue
I assume that this iteration was with the correct credentials as it responds
with something other than Invalid Credentials
ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D cn=directory manager
-W uid=asteinfeld \* krbPwdLockoutDuration ?
Enter LDAP Password:
No such object (32)
Working
On 10/17/2012 11:51 AM, Macklin, Jason wrote:
I assume that this iteration was with the correct credentials as it responds with
something other than Invalid Credentials
ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D cn=directory manager
-W uid=asteinfeld \* krbPwdLockoutDuration ?
ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D cn=directory manager
-W -b dc=dbr,dc=roche,dc=com uid=asteinfeld \*
Enter LDAP Password:
dn: uid=asteinfeld,cn=users,cn=compat,dc=dbr,dc=roche,dc=com
objectClass: posixAccount
objectClass: top
gecos: Axel Steinfeld
cn: Axel Steinfeld
On 10/17/2012 01:05 PM, Macklin, Jason wrote:
Thanks guys! Adding the -b did make a world of difference though it still
doesn't make anything too obvious... at least to me.
[jmacklin@dbduwdu062 Desktop]$ ldapsearch -Y GSSAPI -H
ldap://dbduvdu145.dbr.roche.com -b
Yes Dmitri, this is the user I'm doing the tests with on that client. Though I
would expect this user to have sudo capabilities on this host he does not. I
first came across the idea that maybe domainname/nisdomainname/dnsdomainname
did not match and that was causing the problem. I have
On 10/17/2012 12:49 PM, Macklin, Jason wrote:
ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D cn=directory manager -W -b
dc=dbr,dc=roche,dc=com uid=asteinfeld \*
snip
dn: uid=asteinfeld,cn=users,cn=accounts,dc=dbr,dc=roche,dc=com
...snip...
krbPrincipalName: asteinf...@dbr.roche.com
On 10/17/2012 03:05 PM, Macklin, Jason wrote:
Yes Dmitri, this is the user I'm doing the tests with on that client. Though
I would expect this user to have sudo capabilities on this host he does not.
I first came across the idea that maybe
domainname/nisdomainname/dnsdomainname did not
Rich Megginson wrote:
On 10/17/2012 12:49 PM, Macklin, Jason wrote:
ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D cn=directory
manager -W -b dc=dbr,dc=roche,dc=com uid=asteinfeld \*
snip
dn: uid=asteinfeld,cn=users,cn=accounts,dc=dbr,dc=roche,dc=com
...snip...
krbPrincipalName:
Can you confirm that you have sudoer_debug set to 2?
If I gather correctly, this is on RHEL 6.3? What version of sudo?
I'm seeing different output. Mine includes the number of candidate
results for sudoUser are found.
If you watch /var/log/dirsrv/slapd-REALM/access on your IPA server
you'll
On Wed, Oct 17, 2012 at 2:26 PM, Rob Crittenden rcrit...@redhat.com wrote:
Rich Megginson wrote:
On 10/17/2012 12:49 PM, Macklin, Jason wrote:
ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D cn=directory
manager -W -b dc=dbr,dc=roche,dc=com
When I become the user in question I see the following in the sssd log.
[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule
[test]
I think this is a sudo problem before anything else. For a user in which sudo
works, host_matches = 1 always returns when debugging is on.
On 10/16/2012 10:05 AM, Macklin, Jason wrote:
When I become the user in question I see the following in the sssd log.
[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC
rule [test]
I think this is a sudo problem before anything else. For a user in
which sudo
Dmitri,
I will give you everything I've got. If I can provide something else, let me
know!
Working User:
Sudo debug output:
[jmacklin@dbduwdu062 log]$ sudo -l
sudo: ldap_set_option: debug - 0
sudo: ldap_set_option: tls_checkpeer - 1
sudo: ldap_set_option: tls_cacertfile - /etc/ipa/ca.crt
Macklin, Jason wrote:
Yes, resolution works correctly at both the host and the freeIPA server.
Dmitri,
I am still quite new to LDAP so I'm not sure exactly what I should be looking
for when running ldapsearch.
The attempts that I have made have been less than fruitful though... examples
On 10/15/2012 04:34 PM, Macklin, Jason wrote:
Hi,
I apologize up front if this is obvious, but I'm having issues
configuring sudo privileges.
I currently have an IPA server running FreeIPA 2.2 with sudo
configured for our administrators on all hosts. This works
fantastic! As
Hi,
my 2 cents,
2 possibilities,
1) There should I think be a HBAC rule and a sudo rule pair, I think you need
both. For the HBAC rule with limited permissions you need the sudo privilege
and access say ssh and/or login, so at least 2, so when you say 1 it might
be that? I don't know how
On 10/15/2012 04:46 PM, Dmitri Pal wrote:
On 10/15/2012 04:34 PM, Macklin, Jason wrote:
Hi,
I apologize up front if this is obvious, but I'm having issues
configuring sudo privileges.
I currently have an IPA server running FreeIPA 2.2 with sudo
configured for our administrators