Re: [Freeipa-users] sudo rules in IPA infrastructure

2012-05-21 Thread Jakub Hrozek
On Sat, May 19, 2012 at 03:11:44PM -0700, David Copperfield wrote:
>Hi Jakub and Rich,
>Got it.
>Thanks a lot on the HBAC and sudo maps access. I think I got confused
>with the graph in the powerpoint
>
> presentation http://www.redhat.com/summit/2011/presentations/summit/whats_next/friday/pal_crittenden_f_1100_ipa_overview_rev3.pdf.
>The graph 'Under the hood' claimed that user/group/netgroup/HBAC will go
>through sssd, while other maps (sudo, autofs?) would go through
>nss_ldap.

There's no hard rule; we've historically developed support for the most
important name-service-switch libc maps such as groups and passwd, then
gradually added support for other maps like netgroups depending on demand
for them.

In some special cases, we even add application-specific responders such
as the ones for sudo and autofs in 1.8. These communicate with the app
using their own protocol via a unix pipe, not through the name service
switch maps (even though both sudo and autofs are configured in the
nsswitch.conf file).

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
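As an added illustration of the two replies above (this is not code from the thread, nor from the FreeIPA or SSSD projects): sudo resolves users and groups through the ordinary nsswitch.conf maps, which reach sssd when the `sss` module is listed, but it obtains its rules through whatever `sudoers:` source it is built for, and that is not a libc map at all. The POSIX sh script below parses a constructed nsswitch.conf and reports which source answers each map and which client sudo will use for its rules; the `sss` sudoers source stands for the sssd sudo responder Jakub mentions (sssd 1.8 and later), which talks to sudo over its own unix socket. The nsswitch.conf content is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or the FreeIPA/SSSD projects.
# Parses an nsswitch.conf and reports which source answers each map and
# which code path sudo will take for its rules. The nsswitch.conf used
# here is constructed for the example.

# nss_sources FILE MAP: print the source list configured for MAP
# (e.g. "files sss"); prints nothing if the map is not listed.
nss_sources() {
    sed -e 's/#.*//' "$1" | awk -v m="$2:" '
        $1 == m { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# sudo_rule_path FILE: describe how sudo obtains its rules given the
# "sudoers:" line. sudo reads nsswitch.conf itself; unlike passwd/group,
# "sudoers" is not a libc map, so each source is a different client.
sudo_rule_path() {
    srcs=$(nss_sources "$1" sudoers)
    if [ -z "$srcs" ]; then
        srcs=files          # sudo's default when no sudoers: line exists
    fi
    for s in $srcs; do
        case $s in
            files) echo "files: /etc/sudoers parsed by sudo itself" ;;
            ldap)  echo "ldap: sudo's built-in LDAP client, using the ldap.conf path shown by 'sudo -V'" ;;
            sss)   echo "sss: sssd's sudo responder over its own unix socket (sssd 1.8+), not an NSS map" ;;
            *)     echo "$s: unknown sudoers source" ;;
        esac
    done
}

# Constructed nsswitch.conf: users/groups/netgroups via sssd, sudo rules
# via sudo's own LDAP client (the RHEL 6.2 setup discussed in the thread).
NSS_SAMPLE=$(mktemp)
cat > "$NSS_SAMPLE" <<'EOF'
passwd:     files sss
shadow:     files sss
group:      files sss
netgroup:   files sss      # HBAC/netgroups also come through sssd
sudoers:    files ldap
automount:  files ldap
EOF

for map in passwd group netgroup sudoers automount; do
    printf '%-11s %s\n' "$map:" "$(nss_sources "$NSS_SAMPLE" "$map")"
done
sudo_rule_path "$NSS_SAMPLE"
rm -f "$NSS_SAMPLE"
```

Point the script at a real /etc/nsswitch.conf to see which client a given machine actually uses for sudo rules; on a host where `sudoers:` lists `ldap`, the LDAP settings live in the file `sudo -V` reports, not in sssd.conf.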


Re: [Freeipa-users] sudo rules in IPA infrastructure

2012-05-19 Thread David Copperfield
Hi Jakub and Rich,

Got it.

Thanks a lot on the HBAC and sudo maps access. I think I got confused with 
the graph in the powerpoint 
presentation http://www.redhat.com/summit/2011/presentations/summit/whats_next/friday/pal_crittenden_f_1100_ipa_overview_rev3.pdf.
 The graph 'Under the hood' claimed that user/group/netgroup/HBAC will go 
through sssd, while other maps (sudo, autofs?) would go through nss_ldap.

 So it could be that FreeIPA has been further developed to provide more 
mappings DIRECTLY, without the help of pam_(ldap/kerberos) and nss_ldap? To Rich, 
could you confirm that -- and probably more mappings -- in this version 2.1.3-9 
on Red Hat 6.2? If not, how about 2.2 on Red Hat 6.3 Beta? Thanks a lot.

 Have a nice weekend.

--Gelen


Re: [Freeipa-users] sudo rules in IPA infrastructure

2012-05-19 Thread Jakub Hrozek
On Fri, May 18, 2012 at 02:35:18PM -0700, Gelen James wrote:
>Hi all,
> Are the sudo rules applied to IPA clients through nss_ldap, instead of
>sssd? 

Neither :-)

sudo looks up the user information via the standard name-service-switch
maps, so if your machine is configured to fetch user and group
information using the sss NSS module in nsswitch.conf, then the requests
get to sssd.

As Stephen Ingram pointed out elsewhere in this thread, sudo only reads
the nss_ldap/nss-pam-ldapd config files but establishes the connection
to the LDAP server and fetches the data on its own.



Re: [Freeipa-users] sudo rules in IPA infrastructure

2012-05-18 Thread Gelen James
Hi Stephen,

 That's very helpful. Thanks a lot.

--Gelen

Re: [Freeipa-users] sudo rules in IPA infrastructure

2012-05-18 Thread Stephen Ingram
On Fri, May 18, 2012 at 2:35 PM, Gelen James  wrote:
> Hi all,
>
>  Are the sudo rules applied to IPA clients through nss_ldap, instead of
> sssd?
>
>  I tried that on Redhat 6.2 clients, and some documents said that sudo rules
> would work when enabled inside /etc/nslcd.conf, but we need to hack the
> script /etc/init.d/nslcd.conf a little bit -- basically to mess around the
> sudo config statement before/after nslcd daemon runs as the latter still
> cannot handle sudo statements very well.

I just got sudo setup on 6.2. You do use /etc/nslcd.conf, but you
don't have to install the nslcd daemon to get it working. It just
looks to that file for the config. So remove nslcd and then just
create the /etc/nslcd.conf from scratch and put in what they specify
on the documentation. Make all of the other changes they mention and
it will just work!

>  Then on 5.8, where nslcd daemon is not available, should we edit
> /etc/ldap.conf for nss_ldap and how? Please shed a light on this. Thanks a
> lot.

Type sudo -V to be sure, but look for the ldap.conf path (on my 5.8 it
is /etc/ldap.conf). I haven't set this up yet, but I assume that you
can just add the config mentioned in the docs to ldap.conf along with
all of the other changes and you're off. As it worked perfectly on
6.2, I'm guessing it will also work on 5.8.

You can look through bugzilla and see the various discussions about
all of this, but suffice it to say there has been a fair amount of
discussion as to where to locate this sudo ldap config. I think it is
headed for /etc/ldap.sudo or something like that in 6.3, but as long
as you put it where sudo is looking for it, everything should work.

If you still can't get it to work, Adam Young has written a script
that you can look at to explain the process:
http://adam.younglogic.com/2011/03/centralized-sudo-with-freeipa/.

Steve

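The procedure Stephen describes (find where this sudo binary looks for its LDAP settings, put the IPA sudo configuration there, then check it) as an added worked example in POSIX sh; it is neither the poster's nor the FreeIPA project's code. The `sudo -V` text it parses is a constructed sample in the shape sudo prints when run as root and built with LDAP support; the server name, sudoers base DN and bind DN are placeholder assumptions, and `/etc/ipa/ca.crt` is where ipa-client-install stores the IPA CA certificate. The check at the end is the one worth running before trusting this path: sudo's own LDAP client fetches the rules that decide who gets root, so a config without TLS, or one that accepts any server certificate, lets whoever can answer the LDAP query hand out root.

```shell
#!/bin/sh
# Added example, not the IPA project's or the poster's code: locate the
# ldap.conf this sudo binary reads, render a sudo LDAP config for IPA and
# check a config for the settings that matter. Hostnames, DNs and the
# sample 'sudo -V' text below are constructed assumptions.

# sudo_ldap_conf_path: reads 'sudo -V' output on stdin and prints the
# "ldap.conf path:" value; fails if sudo was built without LDAP support.
sudo_ldap_conf_path() {
    p=$(sed -n 's/^ldap\.conf path:[[:space:]]*//p')
    [ -n "$p" ] || return 1
    echo "$p"
}

# render_sudo_ldap_conf SERVER SUDOERS_BASE BINDDN: print the options
# sudoers.ldap(5) needs. The rules are pulled by sudo's own LDAP client,
# so TLS plus peer verification is what stops a spoofed server.
render_sudo_ldap_conf() {
    cat <<EOF
uri ldap://$1
sudoers_base $2
binddn $3
# bindpw goes here (keep this file root-only, mode 0600) or in ldap.secret
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
EOF
}

# check_sudo_ldap_conf FILE: 0 if the required keys are present, TLS is
# on and the server certificate is verified; 1 otherwise (problems printed).
check_sudo_ldap_conf() {
    f=$1
    rc=0
    for key in uri sudoers_base tls_cacertfile; do
        grep -Eq "^[[:space:]]*$key[[:space:]]" "$f" || { echo "missing: $key"; rc=1; }
    done
    grep -Eq '^[[:space:]]*ssl[[:space:]]+(on|start_tls)' "$f" \
        || { echo "ssl is neither on nor start_tls: rules travel in clear text"; rc=1; }
    grep -Eq '^[[:space:]]*tls_checkpeer[[:space:]]+yes' "$f" \
        || { echo "tls_checkpeer is not yes: any server with a cert could serve sudo rules"; rc=1; }
    return $rc
}

# Constructed 'sudo -V' output, in the shape a root 'sudo -V' prints
# when sudo is built with LDAP support (the real path varies per build).
SUDO_V_SAMPLE='Sudo version 1.7.4p5
Sudoers policy plugin version 1.7.4p5
ldap.conf path: /etc/ldap.conf
ldap.secret path: /etc/ldap.secret'

conf_path=$(printf '%s\n' "$SUDO_V_SAMPLE" | sudo_ldap_conf_path) \
    || conf_path="(this sudo was built without LDAP support)"
echo "sudo reads its LDAP settings from: $conf_path"

TMP=$(mktemp)
render_sudo_ldap_conf ipa.example.com ou=SUDOers,dc=example,dc=com \
    uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com > "$TMP"
check_sudo_ldap_conf "$TMP" && echo "rendered config: OK"
# Weaken it the way a copied-from-the-web config often is: no peer check.
grep -v '^tls_checkpeer' "$TMP" > "$TMP.weak"
check_sudo_ldap_conf "$TMP.weak" || echo "weakened config: rejected"
rm -f "$TMP" "$TMP.weak"
```

On a real client, pipe the actual `sudo -V` (run as root) into `sudo_ldap_conf_path`, write the rendered block to whatever path it reports, and run `check_sudo_ldap_conf` on that file; if the file carries a `bindpw`, keep it owned by root with mode 0600, since sudo runs its LDAP lookups as root and nothing else needs to read it.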