On 01/07/14 12:18, "Jakub Hrozek" <[email protected]> wrote:
>On Fri, Jun 27, 2014 at 12:24:44PM +0000, Teemu Keinonen wrote:
>> Hello,
>>
>> I’m configuring CentOS 6.5 server to authenticate users and sudo rights
>> against local Samba 4.1.8 (compiled from source). Sssd is 1.9.2 from
>> package repository. User authentication works OK, I can log in with user
>> that exists only in Samba but sudoing with the same user fails. After
>> hours of trying I still can’t get it right, sssd_sudo receives 0 rules
>> from samba. Doing ldapsearch with criteria from logs does return sudoer
>> entries as below. Am I missing something obvious?
>>
>> Below are (in order) ldapsearch, sssd.conf and sssd_default.log (part
>> which I think relevant).
>>
>> [root@dc1 sssd]# ldapsearch -h dc1 -Y GSSAPI -b OU=SUDOers,DC=teemu,DC=local '(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=Host01)(sudoHost=Host01.example.com)(sudoHost=192.168.0.21)(sudoHost=192.168.0.0/24)(sudoHost=fe80::786b:f4ff:fe87:3314)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))'
>> SASL/GSSAPI authentication started
>> SASL username: [email protected]
>
>I wonder if this ^^ could be the issue.
>
>SSSD authenticates as the host itself, you seem to have authenticated as
>the administrator. Maybe there are some ACIs on the server preventing
>SSSD from accessing the rules?
>
>Can you try:
>    kdestroy
>    kinit -k -t /etc/krb5.sssd.keytab [email protected]
>
>before the ldapsearch?

Here is the result:

[root@dc1 sssd]# kdestroy
[root@dc1 sssd]# kinit -k -t /etc/krb5.sssd.keytab dc1$TEEMU.LOCAL
kinit: Keytab contains no suitable keys for [email protected] while getting initial credentials

So I guess the host doesn’t have access. How would I go about adding access rights? Can you point me to a good document source for these matters?

And thank you!

-TeemuK
