Re: [Freeipa-users] can't get sudo to work.

2016-08-24 Thread Lukas Slebodnik
On (24/08/16 06:55), Tony Brian Albers wrote:
>And indeed the compat tree was disabled.
>
>Guess I forgot to reenable it after copying the db to a testing
>environment.
>
>Thanks guys, sudo is working fine now.
>
BTW it would work with upstream 1.13.4 even with disabled
compat tree (or 1.13.3 in el6)

LS

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
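The thread settles on a disabled compat tree (the sudo rules are served under ou=sudoers) as the cause, while the client side was already correct: the sudo responder listed in sssd.conf and `sudoers: files sss` in nsswitch.conf. As an added example that is not from the thread or from the SSSD/FreeIPA projects, the script below checks those two client settings in a given sssd.conf and nsswitch.conf and, given a suffix, counts entries under the compat sudoers container; the function names, the temporary sample config files and the ldapsearch wrapper are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from SSSD/FreeIPA: a client-side
# pre-check for the IPA sudo setup discussed above. It checks the "sudo"
# responder in sssd.conf and the "sss" source on the sudoers: line of
# nsswitch.conf, and can count entries under the compat sudoers container.
# Function names and the sample config files below are constructed.

# Prints 1 if "sudo" appears in services= of the [sssd] section, else 0.
sssd_has_sudo_service() {
    awk '
        /^[[:space:]]*\[/ { in_sssd = ($1 == "[sssd]") }
        in_sssd && /^[[:space:]]*services[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")
            n = split($0, svc, /[[:space:],]+/)
            for (i = 1; i <= n; i++) if (svc[i] == "sudo") found = 1
        }
        END { print (found ? 1 : 0) }
    ' "$1"
}

# Prints 1 if an uncommented sudoers: line lists the sss source, else 0.
nss_sudoers_uses_sss() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*sudoers:/ {
            sub(/^[[:space:]]*sudoers:/, "")
            n = split($0, src, /[[:space:]]+/)
            for (i = 1; i <= n; i++) if (src[i] == "sss") found = 1
        }
        END { print (found ? 1 : 0) }
    ' "$1"
}

# Counts entries at the compat sudoers container, similar to the ldapsearch in
# the thread (needs a Kerberos ticket; $1 is the suffix, e.g. dc=example,dc=test).
# 0 means the container is missing or the compat plugin is disabled.
compat_sudoers_entries() {
    ldapsearch -LLL -Y GSSAPI -b "ou=sudoers,$1" -s base '(objectClass=*)' dn \
        2>/dev/null | grep -c '^dn:'
}

# Constructed sample files: a good and a broken variant of each config.
tmpdir=$(mktemp -d)
printf '[domain/kac.lokalnet]\nid_provider = ipa\n[sssd]\nservices = nss, sudo, pam\n[sudo]\n' > "$tmpdir/sssd-ok.conf"
printf '[sssd]\nservices = nss, pam\n[sudo]\n' > "$tmpdir/sssd-bad.conf"
printf 'passwd: files sss\nsudoers:files sss\n' > "$tmpdir/nss-ok.conf"
printf '# sudoers: files sss\nsudoers: files\n' > "$tmpdir/nss-bad.conf"

for f in "$tmpdir"/*.conf; do
    case "$f" in
        *sssd*) echo "$f: sudo responder enabled = $(sssd_has_sudo_service "$f")" ;;
        *)      echo "$f: sudoers via sss = $(nss_sudoers_uses_sss "$f")" ;;
    esac
done
```

Point the two check functions at the real /etc/sssd/sssd.conf and /etc/nsswitch.conf on a client; compat_sudoers_entries is only meaningful against an IPA server with a valid ticket.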


Re: [Freeipa-users] can't get sudo to work.

2016-08-24 Thread Tony Brian Albers
And indeed the compat tree was disabled.

Guess I forgot to reenable it after copying the db to a testing
environment.

Thanks guys, sudo is working fine now.

/tony

On Tue, 2016-08-23 at 10:13 -0400, Rob Crittenden wrote:
> Pavel Březina wrote:
> > On 08/23/2016 01:55 PM, Tony Brian Albers wrote:
> >> Here you are:
> >>
> >>
> >> [root ~]# ldapsearch -Y GSSAPI -b $dc
> >> '(ou=*)' -s onelevel
> >
> >> # profile, $domain
> >> dn: ou=profile,$dc
> >> objectClass: top
> >> objectClass: organizationalUnit
> >> ou: profiles
> >> ou: profile
> >>
> >> # search result
> >> search: 4
> >> result: 0 Success
> >>
> >> # numResponses: 2
> >> # numEntries: 1
> >
> >
> > Sudo rules are not downloaded by SSSD because ou=sudoers is missing on
> > the IPA server, or it may have incorrect ACL. Does someone from IPA team
> > know why?
> 
> Perhaps the compat tree is disabled:
> 
> $ ipa-compat-manage status
> 
> rob
> 
> 

-- 
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316





Re: [Freeipa-users] can't get sudo to work.

2016-08-23 Thread Rob Crittenden

Pavel Březina wrote:

On 08/23/2016 01:55 PM, Tony Brian Albers wrote:

Here you are:


[root ~]# ldapsearch -Y GSSAPI -b $dc
'(ou=*)' -s onelevel



# profile, $domain
dn: ou=profile,$dc
objectClass: top
objectClass: organizationalUnit
ou: profiles
ou: profile

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1



Sudo rules are not downloaded by SSSD because ou=sudoers is missing on
the IPA server, or it may have incorrect ACL. Does someone from IPA team
know why?


Perhaps the compat tree is disabled:

$ ipa-compat-manage status

rob



Re: [Freeipa-users] can't get sudo to work.

2016-08-23 Thread Jeff Goddard
Not sure if it's related or not but I also reported an instance of similar
behavior of this on Ubuntu 16.0.1

On Tue, Aug 23, 2016 at 2:24 AM, Tony Brian Albers wrote:

> Hi guys,
>
> I've been trying to get sudo to work for our day-to-day admin who have
> their own usergroup in IPA called subadmin.
>
> For some reason I can't really get sudo to work, I suspect I am missing
> something simple, but I can't really figure out what it is.
>
> This is my config:
>
> # ipa sudorule-find
> ---
> 1 Sudo Rule matched
> ---
>   Rule name: All
>   Enabled: TRUE
>   Host category: all
>   Command category: all
>   User Groups: subadmin
> 
> Number of entries returned 1
> 
> #
>
>
>
>
> # ipa group-find subadmin
> ---
> 1 group matched
> ---
>   Group name: subadmin
>   Description: For daily administration of users and hosts
>   GID: 10003
>   Member users: abr-sadm, pmd-sadm, tba-sadm, bja-sadm, alberto-ibm
>   Roles: Sub-admins
>   Member of Sudo rule: All
> 
> Number of entries returned 1
> 
> #
>
>
>
>
>
> And on a client:
>
> # cat /etc/sssd/sssd.conf
> [domain/kac.lokalnet]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = kac.sblokalnet
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = kac-man-001.kac.lokalnet
> chpass_provider = ipa
> ipa_server = _srv_, kac-adm-001.kac.lokalnet
> ldap_tls_cacert = /etc/ipa/ca.crt
> autofs_provider = ipa
> ipa_automount_location = default
> krb5_renewable_lifetime = 50d
> krb5_renew_interval = 3600
> [sssd]
> services = nss, sudo, pam, autofs, ssh
> config_file_version = 2
>
> domains = kac.lokalnet
> [nss]
> homedir_substring = /home
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
>
>
>
>
>
>
> nsswitch.conf:
>
> passwd: files sss
> shadow: files sss
> group:  files sss
> #initgroups: files
>
> #hosts: db files nisplus nis dns
> hosts:  files dns myhostname
>
> # Example - obey only what nisplus tells us...
> #services:   nisplus [NOTFOUND=return] files
> #networks:   nisplus [NOTFOUND=return] files
> #protocols:  nisplus [NOTFOUND=return] files
> #rpc:        nisplus [NOTFOUND=return] files
> #ethers: nisplus [NOTFOUND=return] files
> #netmasks:   nisplus [NOTFOUND=return] files
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers: files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files sss
>
> netgroup:   files sss
>
> publickey:  nisplus
>
> automount:  sss files
> aliases:    files nisplus
> sudoers:    files sss
>
>
>
>
> And for a subadmin account:
>
> -sh-4.2$ sudo -l
> [sudo] password for tba-sadm:
> Your password will expire in 6 day(s).
> User tba-sadm is not allowed to run sudo on kac-man-001.
> -sh-4.2$
>
>
>
> Any suggestions?  Help is much appreciated.
>
> TIA
>
> /tony
>
> --
> Best regards,
>
> Tony Albers
> Systems administrator, IT-development
> State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
> Tel: +45 8946 2316
>
>
>
>
>



Jeff

Re: [Freeipa-users] can't get sudo to work.

2016-08-23 Thread Pavel Březina

On 08/23/2016 11:26 AM, Tony Brian Albers wrote:

Thanks Jakub,

I've attached a file with the output from looking in the log files
mentioned in the link you gave me.

I'm not sure exactly what is wrong, I don't know how to interpret
messages like: name 'tba-sadm' matched without domain, user is tba
-sadm   (is that good or bad?)

Any advice is appreciated.


Hi,
unfortunately the attached file is empty. Can you resend it? You can 
send it to me privately if you want. I will need both sssd and sudo logs 
(both described in the troubleshooting page).


Thank you.



/tony




Re: [Freeipa-users] can't get sudo to work.

2016-08-23 Thread Tony Brian Albers
Thanks Jakub,

I've attached a file with the output from looking in the log files
mentioned in the link you gave me.

I'm not sure exactly what is wrong, I don't know how to interpret
messages like: name 'tba-sadm' matched without domain, user is tba
-sadm   (is that good or bad?)

Any advice is appreciated.

/tony


On Tue, 2016-08-23 at 09:17 +0200, Jakub Hrozek wrote:
> On Tue, Aug 23, 2016 at 07:11:44AM +, Tony Brian Albers wrote:
> > Thanks Simon,
> > 
> > Is this a known issue?  We're on Centos 7.2 and yes, the sssd version is
> > 1.13
> > 
> > /tony
> 
> IIRC Simpson's issue was related to using AD trusts and
> default_domain_suffix. I would recommend looking at logs first before
> jumping to conclusions.
> 

-- 
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316




Re: [Freeipa-users] can't get sudo to work.

2016-08-23 Thread Jakub Hrozek
On Tue, Aug 23, 2016 at 07:11:44AM +, Tony Brian Albers wrote:
> Thanks Simon,
> 
> Is this a known issue?  We're on Centos 7.2 and yes, the sssd version is
> 1.13
> 
> /tony

IIRC Simpson's issue was related to using AD trusts and
default_domain_suffix. I would recommend looking at logs first before
jumping to conclusions.



Re: [Freeipa-users] can't get sudo to work.

2016-08-23 Thread Jakub Hrozek
On Tue, Aug 23, 2016 at 06:24:23AM +, Tony Brian Albers wrote:
> Hi guys,
> 
> I've been trying to get sudo to work for our day-to-day admin who have
> their own usergroup in IPA called subadmin.
> 
> For some reason I can't really get sudo to work, I suspect I am missing
> something simple, but I can't really figure out what it is.

This might be helpful:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO



Re: [Freeipa-users] can't get sudo to work.

2016-08-23 Thread Tony Brian Albers
Thanks Simon,

Is this a known issue?  We're on Centos 7.2 and yes, the sssd version is
1.13

/tony

On Tue, 2016-08-23 at 06:49 +, Simpson Lachlan wrote:
> What version of sssd are you using?
> 
> We found that it wouldn't work w sssd<1.14
> 
> On the IPA server, it would say "yep rule applies", but then on any 
> particular machine it wouldn't (well, it would - but only intermittently).
> 
> There's a COPR repo for Centos7 if you aren't on Fedora/RedHat.
> 
> Cheers
> L.
> 
> -Original Message-
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Tony Brian Albers
> Sent: Tuesday, 23 August 2016 4:24 PM
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] can't get sudo to work.
> 
> Hi guys,
> 
> I've been trying to get sudo to work for our day-to-day admin who have their 
> own usergroup in IPA called subadmin.
> 
> For some reason I can't really get sudo to work, I suspect I am missing 
> something simple, but I can't really figure out what it is.
> 
> This is my config:
> 
> # ipa sudorule-find
> ---
> 1 Sudo Rule matched
> ---
>   Rule name: All
>   Enabled: TRUE
>   Host category: all
>   Command category: all
>   User Groups: subadmin
> 
> Number of entries returned 1
> 
> #
> 
> 
> 
> 
> # ipa group-find subadmin
> ---
> 1 group matched
> ---
>   Group name: subadmin
>   Description: For daily administration of users and hosts
>   GID: 10003
>   Member users: abr-sadm, pmd-sadm, tba-sadm, bja-sadm, alberto-ibm
>   Roles: Sub-admins
>   Member of Sudo rule: All
> 
> Number of entries returned 1
> 
> #
> 
> 
> 
> 
> 
> And on a client:
> 
> # cat /etc/sssd/sssd.conf
> [domain/kac.lokalnet]
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = kac.sblokalnet
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = kac-man-001.kac.lokalnet
> chpass_provider = ipa
> ipa_server = _srv_, kac-adm-001.kac.lokalnet
> ldap_tls_cacert = /etc/ipa/ca.crt
> autofs_provider = ipa
> ipa_automount_location = default
> krb5_renewable_lifetime = 50d
> krb5_renew_interval = 3600
> [sssd]
> services = nss, sudo, pam, autofs, ssh
> config_file_version = 2
> 
> domains = kac.lokalnet
> [nss]
> homedir_substring = /home
> 
> [pam]
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> [pac]
> 
> [ifp]
> 
> 
> 
> 
> 
> 
> nsswitch.conf:
> 
> passwd: files sss
> shadow: files sss
> group:  files sss
> #initgroups: files
> 
> #hosts: db files nisplus nis dns
> hosts:  files dns myhostname
> 
> # Example - obey only what nisplus tells us...
> #services:   nisplus [NOTFOUND=return] files
> #networks:   nisplus [NOTFOUND=return] files
> #protocols:  nisplus [NOTFOUND=return] files
> #rpc:        nisplus [NOTFOUND=return] files
> #ethers: nisplus [NOTFOUND=return] files
> #netmasks:   nisplus [NOTFOUND=return] files 
> 
> bootparams: nisplus [NOTFOUND=return] files
> 
> ethers: files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files sss
> 
> netgroup:   files sss
> 
> publickey:  nisplus
> 
> automount:  sss files
> aliases:    files nisplus
> sudoers:    files sss
> 
> 
> 
> 
> And for a subadmin account:
> 
> -sh-4.2$ sudo -l
> [sudo] password for tba-sadm: 
> Your password will expire in 6 day(s).
> User tba-sadm is not allowed to run sudo on kac-man-001.
> -sh-4.2$
> 
> 
> 
> Any suggestions?  Help is much appreciated.
> 
> TIA
> 
> /tony
> 
> --
> Best regards,
> 
> Tony Albers
> Systems administrator, IT-development
> State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
> Tel: +45 8946 2316
> 
> 
> 
> 
> 

-- 
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316





Re: [Freeipa-users] can't get sudo to work.

2016-08-23 Thread Simpson Lachlan
What version of sssd are you using?

We found that it wouldn't work w sssd<1.14

On the IPA server, it would say "yep rule applies", but then on any particular 
machine it wouldn't (well, it would - but only intermittently).

There's a COPR repo for Centos7 if you aren't on Fedora/RedHat.

Cheers
L.

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Tony Brian Albers
Sent: Tuesday, 23 August 2016 4:24 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] can't get sudo to work.

Hi guys,

I've been trying to get sudo to work for our day-to-day admin who have their 
own usergroup in IPA called subadmin.

For some reason I can't really get sudo to work, I suspect I am missing 
something simple, but I can't really figure out what it is.

This is my config:

# ipa sudorule-find
---
1 Sudo Rule matched
---
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  User Groups: subadmin

Number of entries returned 1

#




# ipa group-find subadmin
---
1 group matched
---
  Group name: subadmin
  Description: For daily administration of users and hosts
  GID: 10003
  Member users: abr-sadm, pmd-sadm, tba-sadm, bja-sadm, alberto-ibm
  Roles: Sub-admins
  Member of Sudo rule: All

Number of entries returned 1

#





And on a client:

# cat /etc/sssd/sssd.conf
[domain/kac.lokalnet]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = kac.sblokalnet
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = kac-man-001.kac.lokalnet
chpass_provider = ipa
ipa_server = _srv_, kac-adm-001.kac.lokalnet
ldap_tls_cacert = /etc/ipa/ca.crt
autofs_provider = ipa
ipa_automount_location = default
krb5_renewable_lifetime = 50d
krb5_renew_interval = 3600
[sssd]
services = nss, sudo, pam, autofs, ssh
config_file_version = 2

domains = kac.lokalnet
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]






nsswitch.conf:

passwd: files sss
shadow: files sss
group:  files sss
#initgroups: files

#hosts: db files nisplus nis dns
hosts:  files dns myhostname

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files 

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  sss files
aliases:    files nisplus
sudoers:    files sss




And for a subadmin account:

-sh-4.2$ sudo -l
[sudo] password for tba-sadm: 
Your password will expire in 6 day(s).
User tba-sadm is not allowed to run sudo on kac-man-001.
-sh-4.2$



Any suggestions?  Help is much appreciated.

TIA

/tony

--
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316





