Re: [Freeipa-users] can't get sudo to work.
On (24/08/16 06:55), Tony Brian Albers wrote:
> And indeed the compat tree was disabled.
>
> Guess I forgot to reenable it after copying the db to a testing
> environment.
>
> Thanks guys, sudo is working fine now.
>
BTW it would work with upstream 1.13.4 even with disabled compat tree
(or 1.13.3 in el6)

LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] can't get sudo to work.
And indeed the compat tree was disabled.

Guess I forgot to reenable it after copying the db to a testing
environment.

Thanks guys, sudo is working fine now.

/tony

On Tue, 2016-08-23 at 10:13 -0400, Rob Crittenden wrote:
> Pavel Březina wrote:
> > On 08/23/2016 01:55 PM, Tony Brian Albers wrote:
> >> Here you are:
> >>
> >> [root ~]# ldapsearch -Y GSSAPI -b $dc '(ou=*)' -s onelevel
> >>
> >> # profile, $domain
> >> dn: ou=profile,$dc
> >> objectClass: top
> >> objectClass: organizationalUnit
> >> ou: profiles
> >> ou: profile
> >>
> >> # search result
> >> search: 4
> >> result: 0 Success
> >>
> >> # numResponses: 2
> >> # numEntries: 1
> >
> > Sudo rules are not downloaded by SSSD because ou=sudoers is missing on
> > the IPA server, or it may have incorrect ACL. Does someone from IPA team
> > know why?
>
> Perhaps the compat tree is disabled:
>
> $ ipa-compat-manage status
>
> rob
>
--
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316
Re: [Freeipa-users] can't get sudo to work.
Pavel Březina wrote:
> On 08/23/2016 01:55 PM, Tony Brian Albers wrote:
>> Here you are:
>>
>> [root ~]# ldapsearch -Y GSSAPI -b $dc '(ou=*)' -s onelevel
>>
>> # profile, $domain
>> dn: ou=profile,$dc
>> objectClass: top
>> objectClass: organizationalUnit
>> ou: profiles
>> ou: profile
>>
>> # search result
>> search: 4
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>
> Sudo rules are not downloaded by SSSD because ou=sudoers is missing on
> the IPA server, or it may have incorrect ACL. Does someone from IPA team
> know why?

Perhaps the compat tree is disabled:

$ ipa-compat-manage status

rob
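The checks this thread walked through by hand, collected into one script. This is an added example, not code from the thread, from FreeIPA or from SSSD. It covers the three places that were inspected: the client's nsswitch.conf (sudoers must list sss or sudo never asks SSSD), the client's sssd.conf (the sudo responder must be in the [sssd] services list), and ou=sudoers on the server, which is the entry Pavel found missing and which Rob's `ipa-compat-manage status` reports on. The file paths, the domain kac.lokalnet and the base-DN derivation are assumptions modelled on the configuration posted in the original mail; the ipa_domain/ipa_hostname comparison is a consistency heuristic added here, prompted by the posted config showing ipa_domain = kac.sblokalnet next to ipa_hostname = kac-man-001.kac.lokalnet, and is not a rule SSSD enforces. The live run needs a Kerberos ticket for the GSSAPI bind.

```shell
#!/bin/sh
# Added example; not code from this thread, FreeIPA or SSSD.
# Pre-flight checks for IPA sudo rules delivered through SSSD.  Paths,
# domain and server names are assumptions modelled on the posted config.

# Turn a DNS domain into an LDAP base DN: kac.lokalnet -> dc=kac,dc=lokalnet
domain_to_basedn() {
    printf 'dc=%s' "$1" | sed 's/\./,dc=/g'
}

# Succeeds when the "sudoers:" line of an nsswitch.conf file lists sss.
# Without it sudo consults only /etc/sudoers and SSSD rules cannot match.
nsswitch_sudoers_uses_sss() {
    grep -E '^[[:space:]]*sudoers[[:space:]]*:' "$1" 2>/dev/null | grep -qw sss
}

# Succeeds when "services" under [sssd] names the sudo responder.
sssd_sudo_responder_enabled() {
    awk -F= '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && $1 ~ /^[ \t]*services[ \t]*$/ {
            n = split($2, svc, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (svc[i] == "sudo") found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Consistency heuristic (assumption, not an SSSD rule): ipa_domain should
# normally equal the DNS domain of ipa_hostname.  The posted config has
# ipa_domain = kac.sblokalnet beside ipa_hostname = kac-man-001.kac.lokalnet.
sssd_ipa_domain_matches_hostname() {
    awk -F= '
        $1 ~ /^[ \t]*ipa_domain[ \t]*$/   { d = $2; gsub(/[ \t]/, "", d) }
        $1 ~ /^[ \t]*ipa_hostname[ \t]*$/ { h = $2; gsub(/[ \t]/, "", h); sub(/^[^.]*\./, "", h) }
        END { if (d != "" && d == h) exit 0; exit 1 }
    ' "$1"
}

# Server-side probe: a base search on ou=sudoers under the IPA suffix.
# ldapsearch exits 32 (noSuchObject) when the compat tree is disabled.
compat_sudoers_search_cmd() {
    printf 'ldapsearch -Y GSSAPI -b "ou=sudoers,%s" -s base "(objectClass=*)" dn' \
        "$(domain_to_basedn "$1")"
}

# Live run against this host: sh ipa-sudo-check.sh run kac.lokalnet
if [ "${1:-}" = "run" ]; then
    domain=${2:?usage: $0 run <ipa-domain>}
    rc=0
    nsswitch_sudoers_uses_sss /etc/nsswitch.conf \
        || { echo "nsswitch.conf: sudoers line does not list sss"; rc=1; }
    sssd_sudo_responder_enabled /etc/sssd/sssd.conf \
        || { echo "sssd.conf: sudo responder missing from [sssd] services"; rc=1; }
    sssd_ipa_domain_matches_hostname /etc/sssd/sssd.conf \
        || { echo "sssd.conf: ipa_domain differs from the domain of ipa_hostname"; rc=1; }
    eval "$(compat_sudoers_search_cmd "$domain")" >/dev/null 2>&1 \
        || { echo "ou=sudoers not readable; check: ipa-compat-manage status"; rc=1; }
    exit $rc
fi
```

A failed ou=sudoers search is only decisive for the SSSD this client was running (1.13 on CentOS 7.2); as Lukas notes at the top of the thread, upstream 1.13.4 (1.13.3 in el6) fetches the rules without the compat tree, so on those versions the server-side check is informational and the client-side checks are the ones that matter.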
Re: [Freeipa-users] can't get sudo to work.
Not sure if it's related or not but I also reported an instance of similar
behavior of this on Ubuntu 16.0.1

On Tue, Aug 23, 2016 at 2:24 AM, Tony Brian Albers wrote:
> Hi guys,
>
> I've been trying to get sudo to work for our day-to-day admin who have
> their own usergroup in IPA called subadmin.
>
> For some reason I can't really get sudo to work, I suspect I am missing
> something simple, but I can't really figure out what it is.
>
> This is my config:
>
> # ipa sudorule-find
> ---
> 1 Sudo Rule matched
> ---
>   Rule name: All
>   Enabled: TRUE
>   Host category: all
>   Command category: all
>   User Groups: subadmin
>
> Number of entries returned 1
>
> #
>
> # ipa group-find subadmin
> ---
> 1 group matched
> ---
>   Group name: subadmin
>   Description: For daily administration of users and hosts
>   GID: 10003
>   Member users: abr-sadm, pmd-sadm, tba-sadm, bja-sadm, alberto-ibm
>   Roles: Sub-admins
>   Member of Sudo rule: All
>
> Number of entries returned 1
>
> #
>
> And on a client:
>
> # cat /etc/sssd/sssd.conf
> [domain/kac.lokalnet]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = kac.sblokalnet
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = kac-man-001.kac.lokalnet
> chpass_provider = ipa
> ipa_server = _srv_, kac-adm-001.kac.lokalnet
> ldap_tls_cacert = /etc/ipa/ca.crt
> autofs_provider = ipa
> ipa_automount_location = default
> krb5_renewable_lifetime = 50d
> krb5_renew_interval = 3600
> [sssd]
> services = nss, sudo, pam, autofs, ssh
> config_file_version = 2
>
> domains = kac.lokalnet
> [nss]
> homedir_substring = /home
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
>
> nsswitch.conf:
>
> passwd:     files sss
> shadow:     files sss
> group:      files sss
> #initgroups: files
>
> #hosts:     db files nisplus nis dns
> hosts:      files dns myhostname
>
> # Example - obey only what nisplus tells us...
> #services:   nisplus [NOTFOUND=return] files
> #networks:   nisplus [NOTFOUND=return] files
> #protocols:  nisplus [NOTFOUND=return] files
> #rpc:        nisplus [NOTFOUND=return] files
> #ethers:     nisplus [NOTFOUND=return] files
> #netmasks:   nisplus [NOTFOUND=return] files
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files sss
>
> netgroup:   files sss
>
> publickey:  nisplus
>
> automount:  sss files
> aliases:    files nisplus
> sudoers:    files sss
>
> And for a subadmin account:
>
> -sh-4.2$ sudo -l
> [sudo] password for tba-sadm:
> Your password will expire in 6 day(s).
> User tba-sadm is not allowed to run sudo on kac-man-001.
> -sh-4.2$
>
> Any suggestions? Help is much appreciated.
>
> TIA
>
> /tony
>
> --
> Best regards,
>
> Tony Albers
> Systems administrator, IT-development
> State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
> Tel: +45 8946 2316
>

Jeff
Re: [Freeipa-users] can't get sudo to work.
On 08/23/2016 11:26 AM, Tony Brian Albers wrote:
> Thanks Jakub,
>
> I've attached a file with the output from looking in the log files
> mentioned in the link you gave me.
>
> I'm not sure exactly what is wrong, I don't know how to interpret
> messages like:
>
> name 'tba-sadm' matched without domain, user is tba-sadm
>
> (is that good or bad?)
>
> Any advice is appreciated.

Hi, unfortunately the attached file is empty. Can you resend it? You can
send it to me privately if you want. I will need both sssd and sudo logs
(both described in the troubleshooting page). Thank you.

> /tony
Re: [Freeipa-users] can't get sudo to work.
Thanks Jakub,

I've attached a file with the output from looking in the log files
mentioned in the link you gave me.

I'm not sure exactly what is wrong, I don't know how to interpret
messages like:

name 'tba-sadm' matched without domain, user is tba-sadm

(is that good or bad?)

Any advice is appreciated.

/tony

On Tue, 2016-08-23 at 09:17 +0200, Jakub Hrozek wrote:
> On Tue, Aug 23, 2016 at 07:11:44AM +, Tony Brian Albers wrote:
> > Thanks Simon,
> >
> > Is this a known issue? We're on Centos 7.2 and yes, the sssd version is
> > 1.13
> >
> > /tony
>
> IIRC Simpson's issue was related to using AD trusts and
> default_domain_suffix. I would recommend looking at logs first before
> jumping to conclusions.
>
--
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316
Re: [Freeipa-users] can't get sudo to work.
On Tue, Aug 23, 2016 at 07:11:44AM +, Tony Brian Albers wrote:
> Thanks Simon,
>
> Is this a known issue? We're on Centos 7.2 and yes, the sssd version is
> 1.13
>
> /tony

IIRC Simpson's issue was related to using AD trusts and
default_domain_suffix. I would recommend looking at logs first before
jumping to conclusions.
Re: [Freeipa-users] can't get sudo to work.
On Tue, Aug 23, 2016 at 06:24:23AM +, Tony Brian Albers wrote:
> Hi guys,
>
> I've been trying to get sudo to work for our day-to-day admin who have
> their own usergroup in IPA called subadmin.
>
> For some reason I can't really get sudo to work, I suspect I am missing
> something simple, but I can't really figure out what it is.

This might be helpful:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
Re: [Freeipa-users] can't get sudo to work.
Thanks Simon,

Is this a known issue? We're on Centos 7.2 and yes, the sssd version is
1.13

/tony

On Tue, 2016-08-23 at 06:49 +, Simpson Lachlan wrote:
> What version of sssd are you using?
>
> We found that it wouldn't work w sssd<1.14
>
> On the IPA server, it would say "yep rule applies", but then on any
> particular machine it wouldn't (well, it would - but only intermittently).
>
> There's a COPR repo for Centos7 if you aren't on Fedora/RedHat.
>
> Cheers
> L.
>
> -Original Message-
> From: freeipa-users-boun...@redhat.com
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Tony Brian Albers
> Sent: Tuesday, 23 August 2016 4:24 PM
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] can't get sudo to work.
>
> Hi guys,
>
> I've been trying to get sudo to work for our day-to-day admin who have their
> own usergroup in IPA called subadmin.
>
> For some reason I can't really get sudo to work, I suspect I am missing
> something simple, but I can't really figure out what it is.
>
> This is my config:
>
> # ipa sudorule-find
> ---
> 1 Sudo Rule matched
> ---
>   Rule name: All
>   Enabled: TRUE
>   Host category: all
>   Command category: all
>   User Groups: subadmin
>
> Number of entries returned 1
>
> #
>
> # ipa group-find subadmin
> ---
> 1 group matched
> ---
>   Group name: subadmin
>   Description: For daily administration of users and hosts
>   GID: 10003
>   Member users: abr-sadm, pmd-sadm, tba-sadm, bja-sadm, alberto-ibm
>   Roles: Sub-admins
>   Member of Sudo rule: All
>
> Number of entries returned 1
>
> #
>
> And on a client:
>
> # cat /etc/sssd/sssd.conf
> [domain/kac.lokalnet]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = kac.sblokalnet
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = kac-man-001.kac.lokalnet
> chpass_provider = ipa
> ipa_server = _srv_, kac-adm-001.kac.lokalnet
> ldap_tls_cacert = /etc/ipa/ca.crt
> autofs_provider = ipa
> ipa_automount_location = default
> krb5_renewable_lifetime = 50d
> krb5_renew_interval = 3600
> [sssd]
> services = nss, sudo, pam, autofs, ssh
> config_file_version = 2
>
> domains = kac.lokalnet
> [nss]
> homedir_substring = /home
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
>
> nsswitch.conf:
>
> passwd:     files sss
> shadow:     files sss
> group:      files sss
> #initgroups: files
>
> #hosts:     db files nisplus nis dns
> hosts:      files dns myhostname
>
> # Example - obey only what nisplus tells us...
> #services:   nisplus [NOTFOUND=return] files
> #networks:   nisplus [NOTFOUND=return] files
> #protocols:  nisplus [NOTFOUND=return] files
> #rpc:        nisplus [NOTFOUND=return] files
> #ethers:     nisplus [NOTFOUND=return] files
> #netmasks:   nisplus [NOTFOUND=return] files
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files sss
>
> netgroup:   files sss
>
> publickey:  nisplus
>
> automount:  sss files
> aliases:    files nisplus
> sudoers:    files sss
>
> And for a subadmin account:
>
> -sh-4.2$ sudo -l
> [sudo] password for tba-sadm:
> Your password will expire in 6 day(s).
> User tba-sadm is not allowed to run sudo on kac-man-001.
> -sh-4.2$
>
> Any suggestions? Help is much appreciated.
>
> TIA
>
> /tony
>
> --
> Best regards,
>
> Tony Albers
> Systems administrator, IT-development
> State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
> Tel: +45 8946 2316
>
--
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316
Re: [Freeipa-users] can't get sudo to work.
What version of sssd are you using?

We found that it wouldn't work w sssd<1.14

On the IPA server, it would say "yep rule applies", but then on any
particular machine it wouldn't (well, it would - but only intermittently).

There's a COPR repo for Centos7 if you aren't on Fedora/RedHat.

Cheers
L.

-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Tony Brian Albers
Sent: Tuesday, 23 August 2016 4:24 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] can't get sudo to work.

Hi guys,

I've been trying to get sudo to work for our day-to-day admin who have
their own usergroup in IPA called subadmin.

For some reason I can't really get sudo to work, I suspect I am missing
something simple, but I can't really figure out what it is.

This is my config:

# ipa sudorule-find
---
1 Sudo Rule matched
---
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  User Groups: subadmin

Number of entries returned 1

#

# ipa group-find subadmin
---
1 group matched
---
  Group name: subadmin
  Description: For daily administration of users and hosts
  GID: 10003
  Member users: abr-sadm, pmd-sadm, tba-sadm, bja-sadm, alberto-ibm
  Roles: Sub-admins
  Member of Sudo rule: All

Number of entries returned 1

#

And on a client:

# cat /etc/sssd/sssd.conf
[domain/kac.lokalnet]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = kac.sblokalnet
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = kac-man-001.kac.lokalnet
chpass_provider = ipa
ipa_server = _srv_, kac-adm-001.kac.lokalnet
ldap_tls_cacert = /etc/ipa/ca.crt
autofs_provider = ipa
ipa_automount_location = default
krb5_renewable_lifetime = 50d
krb5_renew_interval = 3600
[sssd]
services = nss, sudo, pam, autofs, ssh
config_file_version = 2

domains = kac.lokalnet
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

nsswitch.conf:

passwd:     files sss
shadow:     files sss
group:      files sss
#initgroups: files

#hosts:     db files nisplus nis dns
hosts:      files dns myhostname

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  sss files
aliases:    files nisplus
sudoers:    files sss

And for a subadmin account:

-sh-4.2$ sudo -l
[sudo] password for tba-sadm:
Your password will expire in 6 day(s).
User tba-sadm is not allowed to run sudo on kac-man-001.
-sh-4.2$

Any suggestions? Help is much appreciated.

TIA

/tony

--
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316

This email (including any attachments or links) may contain
confidential and/or legally privileged information and is
intended only to be read or used by the addressee. If you
are not the intended addressee, any use, distribution,
disclosure or copying of this email is strictly
prohibited.
Confidentiality and legal privilege attached to this email
(including any attachments) are not waived or lost by
reason of its mistaken delivery to you.
If you have received this email in error, please delete it
and notify us immediately by telephone or email. Peter
MacCallum Cancer Centre provides no guarantee that this
transmission is free of virus or that it has not been
intercepted or altered and will not be liable for any delay
in its receipt.