Re: [Freeipa-users] Unable to get sudo commend to work...
OK, so it works if you allow all hosts, but fails if you specify a host. This leads me to believe that the host may not know who it is. Run the gamut on local hostname configuration:

Check /etc/hosts, is the host listed with the FQDN first?
Check hostname -- it should report the FQDN.
Check domainname -- it should report the domain.

I have a very similar rule, btw:

[jebalicki@slpidml01 ~]$ ipa sudorule-show tds-web-restart
ipa: INFO: trying https://slpidml01.unix.magellanhealth.com/ipa/xml
ipa: INFO: Forwarding 'sudorule_show' to server u'http://slpidml01.unix.magellanhealth.com/ipa/xml'
  Rule name: tds-web-restart
  Enabled: TRUE
  User Groups: admins, tds-webserver-users, unixadmins
  Host Groups: tdswebhosts
  Sudo Allow Commands: /etc/rc.d/init.d/httpd
[jebalicki@slpidml01 ~]$

On Tue, Aug 14, 2012 at 4:13 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:

Hi,

I am trying to get a sudo-group command to work such that a group of users can reload apache's config. I know the password is fine as I can ssh into the server.

[thing-sudo@vuwunicocatd001 ~]$ sudo /sbin/service httpd reload
LDAP Config Summary
===
uri              ldap://vuwunicoipam001.ods.vuw.ac.nz ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz
ldap_version     3
sudoers_base     ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=ods,dc=vuw,dc=ac,dc=nz
bindpw
bind_timelimit   500
ssl              start_tls
tls_checkpeer    (no)
tls_cacertfile   /etc/ipa/ca.crt
===
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_initialize(ld, ldap://vuwunicoipam001.ods.vuw.ac.nz ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5000)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
sudo: ldap search '(|(sudoUser=thing-sudo)(sudoUser=%thing-sudo)(sudoUser=%ipausers)(sudoUser=%collectriveaccess-student)(sudoUser=%login04-mysql)(sudoUser=%360-ftp)(sudoUser=%become-mysql-users)(sudoUser=ALL))'
sudo: found:cn=sudo-commands-catd-students,ou=sudoers,dc=ods,dc=vuw,dc=ac,dc=nz
sudo: ldap sudoHost 'vuwunicocatd001.ods.vuw.ac.nz' ... MATCH!
sudo: ldap sudoCommand '/sbin/service httpd reload' ... MATCH!
sudo: ldap sudoCommand '/etc/init.d/httpd reload' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for thing-sudo:
Sorry, try again.
[sudo] password for thing-sudo:
Sorry, try again.
[sudo] password for thing-sudo:
Sorry, try again.
sudo: 3 incorrect password attempts

[thing-sudo@vuwunicocatd001 ~]$ sudo /sbin/service httpd reload
LDAP Config Summary
===
uri              ldap://vuwunicoipam001.ods.vuw.ac.nz ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz
ldap_version     3
sudoers_base     ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=ods,dc=vuw,dc=ac,dc=nz
bindpw           x
bind_timelimit   500
ssl              start_tls
tls_checkpeer    (no)
tls_cacertfile   /etc/ipa/ca.crt
===
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_initialize(ld, ldap://vuwunicoipam001.ods.vuw.ac.nz ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5000)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
sudo: ldap search '(|(sudoUser=thing-sudo)(sudoUser=%thing-sudo)(sudoUser=%ipausers)(sudoUser=%collectriveaccess-student)(sudoUser=%login04-mysql)(sudoUser=%360-ftp)(sudoUser=%become-mysql-users)(sudoUser=ALL))'
sudo: found:cn=sudo-commands-catd-students,ou=sudoers,dc=ods,dc=vuw,dc=ac,dc=nz
sudo: ldap sudoHost 'vuwunicocatd001.ods.vuw.ac.nz' ... MATCH!
sudo: ldap sudoCommand '/sbin/service httpd reload' ... MATCH!
sudo: ldap sudoCommand '/etc/init.d/httpd reload' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for thing-sudo:
Sorry, try again.
[sudo] password for thing-sudo:
Sorry, try again.
[sudo] password for thing-sudo:
Sorry, try again.
sudo: 3 incorrect password attempts
[thing-sudo@vuwunicocatd001 ~]$
[thing-sudo@vuwunicocatd001 ~]$

The secure log says system error, unable to read password,

===
Aug 15
Re: [Freeipa-users] Unable to get sudo commend to work...
Hi,

No it fails even if I specify the host, but it works if I re-enable the allowall HBAC rule. So for some reason HBAC is impacting sudo.

=
[thing-sudo@vuwunicocatd001 ~]$ hostname
vuwunicocatd001.ods.vuw.ac.nz
[thing-sudo@vuwunicocatd001 ~]$ domainname
ods.vuw.ac.nz
[thing-sudo@vuwunicocatd001 ~]$
[root@vuwunicocatd001 jonesst1]# more /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1   localhost.localdomain localhost
10.70.1.14  vuwunicocatd001.ods.vuw.ac.nz vuwunicocatd001.vuw.ac.nz visualresourcest.vuw.ac.nz vuwunicocatd001
[root@vuwunicocatd001 jonesst1]# more /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=vuwunicocatd001.ods.vuw.ac.nz
GATEWAY=10.70.1.1
NTPSERVERARGS=iburst
[root@vuwunicocatd001 jonesst1]#
=

All looks correct

===
regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: KodaK [sako...@gmail.com]
Sent: Wednesday, 15 August 2012 9:41 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to get sudo commend to work...
Re: [Freeipa-users] Unable to get sudo commend to work...
Do:

ipa hbactest --user=thing-sudo --host=vuwunicocatd001.ods.vuw.ac.nz --service=sudo

with the hbac rule on and off.

On Tue, Aug 14, 2012 at 4:47 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:
Re: [Freeipa-users] Unable to get sudo commend to work...
from the bug report,

This is mostly misconfiguration, you also need to add sudo to the allowed services in the HBAC rule.

So I added sudo and yes it works...they only had ssh. doh.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: KodaK [sako...@gmail.com]
Sent: Wednesday, 15 August 2012 9:59 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to get sudo commend to work...
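An added example, not part of the thread or of FreeIPA itself: a small Python model of the user/host/service check that `ipa hbactest` performs, showing why the sudo prompt is refused when the HBAC rule lists only sshd and succeeds once sudo is added (or allow_all is re-enabled). The rule name "catd-students", the host group "catd-hosts" and the group memberships are constructed for the example.

```python
from dataclasses import dataclass, field

ALL = object()  # sentinel: usercategory/hostcategory/servicecategory = all

@dataclass
class HbacRule:
    name: str
    users: object = field(default_factory=set)     # user or user-group names, or ALL
    hosts: object = field(default_factory=set)     # host or host-group names, or ALL
    services: object = field(default_factory=set)  # PAM service names, or ALL
    enabled: bool = True

# Constructed directory data mirroring the thread: the user belongs to
# groups seen in the sudo LDAP search, the host to a hypothetical host group.
USER_GROUPS = {"thing-sudo": {"ipausers", "collectriveaccess-student"}}
HOST_GROUPS = {"vuwunicocatd001.ods.vuw.ac.nz": {"catd-hosts"}}

def _member(members, name, groups):
    """ALL matches anything; otherwise the name or one of its groups must be listed."""
    if members is ALL:
        return True
    return name in members or not groups.isdisjoint(members)

def hbactest(rules, user, host, service):
    """Return (allowed, matched rule names). Access is granted when any enabled
    rule matches user, host AND service; HBAC has allow rules only."""
    matched = []
    for r in rules:
        if not r.enabled:
            continue
        if (_member(r.users, user, USER_GROUPS.get(user, set()))
                and _member(r.hosts, host, HOST_GROUPS.get(host, set()))
                and _member(r.services, service, set())):
            matched.append(r.name)
    return bool(matched), matched

ALLOW_ALL = HbacRule("allow_all", ALL, ALL, ALL)
# The students' rule first with only ssh (the misconfiguration), then with
# sudo added to the allowed services (the fix from the thread).
STUDENTS_SSH_ONLY = HbacRule("catd-students", {"collectriveaccess-student"},
                             {"catd-hosts"}, {"sshd"})
STUDENTS_SSH_SUDO = HbacRule("catd-students", {"collectriveaccess-student"},
                             {"catd-hosts"}, {"sshd", "sudo"})

USER, HOST = "thing-sudo", "vuwunicocatd001.ods.vuw.ac.nz"

def scenario(rules):
    """Evaluate the ssh and sudo PAM services for the thread's user and host."""
    return {svc: hbactest(rules, USER, HOST, svc)[0] for svc in ("sshd", "sudo")}

if __name__ == "__main__":
    print("allow_all enabled:", scenario([ALLOW_ALL, STUDENTS_SSH_ONLY]))
    print("ssh-only rule    :", scenario([STUDENTS_SSH_ONLY]))
    print("ssh + sudo rule  :", scenario([STUDENTS_SSH_SUDO]))
```

This is why sudo's own LDAP lookup reports "Command allowed" yet the password prompt fails: the sudoers rule matches, but PAM (pam_sss) then asks HBAC whether the sudo service is permitted for that user on that host.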