[Freeipa-users] sudo rules user and host group bugs?
Steven Jones
Steven.Jones at vuw.ac.nz
Mon Jul 15 23:14:45 UTC 2013
Hi,
This is a known issue Ive suffered a long time with. What would be interesting is adding another host to the host group could well work fine, that will really make you bang your head against the wall..
2 possibilities, stop the sssd daemon on the problem host, delete its cache and start it, that might fix it.
Otherwise best to,
All RH support could come up with is delete the HBAC rule, sudo rule, user group and host group and re-do it, then it will probably work fine.
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Tovey, Mark [MTovey at go2uti.com]
Sent: Tuesday, 16 July 2013 10:54 a.m.
To: James Hogarth
Cc: Freeipa-users at redhat.com
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
I checked that and it is set correctly:
[user1 at host1 ~]$ nisdomainname
my_domain.com
If I try to run a command with the hosts specified indirectly through a host group, it fails:
[user1 at host1 ~]$ sudo -i -u serv_account
LDAP Config Summary
===================
uri ldap://ipa_server.my_domain.com
ldap_version 3
sudoers_base ou=SUDOers,dc=my_domain,dc=com
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
bindpw **********
bind_timelimit 5000
timelimit 15
ssl start_tls
tls_checkpeer (yes)
tls_cacertfile /etc/ipa/ca.crt
===================
sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
sudo: ldap sudoHost '+hgroup1' ... not
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x40
[sudo] password for user1:
Sorry, try again.
[sudo] password for user1:
sudo: 1 incorrect password attempt
But if I remove the host group from the sudo rule and directly add the hosts that were in the host group, it works fine:
<snip>
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for user1:
[serv_account at host1 ~]$
So something isn’t lining up correctly with host groups in sudo rules somewhere. I just haven’t been able to track it down.
Thanks,
-Mark
________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype: mark.tovey2
From: James Hogarth [mailto:james.hogarth at gmail.com]
Sent: Monday, July 15, 2013 1:11 PM
To: Tovey, Mark
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>
>
> Did anyone find a solution for this? I am having the same experience.
>
>
>
Wow that was a mess...
To use hostgroups for sudo ensure nisdomainname is set on the hosts to the IPA domain.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130715/11633c43/attachment.htm>
More information about the Freeipa-users
mailing list