[Freeipa-users] sudo rules user and host group bugs?
Tovey, Mark
MTovey at go2uti.com
Tue Jul 16 21:13:00 UTC 2013
We are using sssd. The sssd.conf file is mostly unchanged from how it was installed by the ipa-client-install script:
[sssd]
config_file_version = 2
services = nss, pam
domains = my_domain.com
[nss]
[pam]
[domain/my_domain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = my_domain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, ipa_server.my_domain.com
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 6
And the nsswitch.conf file:
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files sss
publickey: nisplus
automount: files ldap
aliases: files
sudoers: files ldap
Thanks,
-Mark
________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2
-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
Sent: Tuesday, July 16, 2013 12:51 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
On 07/16/2013 02:11 PM, Tovey, Mark wrote:
> My environment consists of OEL 5.5 clients with ipa-client-2.1.3 and the server is OEL 6.4 with ipa-server-3.0.0. We chose these because we were able to find RPM packages for them. We would prefer to go with the latest versions, but we did not want to spend the time building installation packages just yet. Again, we are just evaluating at this point. So far, so good, except for this one point.
> The doman name, host name, and nsswitch.conf files are all properly configured. But I do not have any netgroups defined (the getent command doesn't return anything and there is no /etc/netgroup file). After you asked about that, I started looking into the documentation on netgroups. The IPA documentation for sudo states that "Identity Management creates two groups, a visible host group and a shadow netgroup. sudo itself only supports NIS-style netgroups for group formats." But when I look in the Netgroups area, I do not see any netgroups defined. I used Apache Directory Studio to look around the Directory Server, and I can see "cn=hgroup1,cn=ng,cn=alt,dc=my_domain,dc=com", along with "cn=hgroup1,cn=hostgroups,cn=accounts,dc=my_domain,dc=com". This seems to reflect what was stated in the documentation.
> But I am still stumped. I cannot get sudo to work with host groups; I have to directly add each server to the sudo rule.
> Thanks,
> -Mark
So can it seems that the first thing you need to to do is to make sure your netgroups work.
If domain and host are properly set then it might be the wrong base in your LDAP search for the netgroups.
Are you using SSSD for netgroups or something else?
Can you please share your sssd.conf and area where it configures netgroups?
Also is sss in the nsswitch.conf for netgroups map?
>
>
> ________________________________________________________________
> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW
> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
> MTovey at go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2
>
> -----Original Message-----
> From: Martin Kosek [mailto:mkosek at redhat.com]
> Sent: Tuesday, July 16, 2013 12:34 AM
> To: Tovey, Mark
> Cc: Steven Jones; James Hogarth; Freeipa-users at redhat.com; Pavel
> Brezina
> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>
> Just checking, did you try troubleshooting hints from JR I found at the top of the thread? I did not find an information about that.
>
> ~~~~
> Can you confirm that the output of the following commands:
> 1. $ domainname
> * does it match your domain?
> 2. $ hostname
> * does match match your fqdn?
> 3. $ getent netgroup esolutions-sandbox-hosts
> * does this list your host?
> 4. Does /etc/nsswitch.conf contain the line: "netgroup: files sss"?
>
>
> Another important Sudo Troubleshooting step is to edit: /etc/sudo-ldap.conf (or /etc/ldap.conf, depending on what version of RHEL/Sudo you're running):
>
> At the top, add the line: sudoers_debug 2
>
> Then try another sudo command. sudo -l for example.
> ~~~~
>
> For example, it would help to know that netgroup list (step 3) works or domainname is set correctly (step 1).
>
> Martin
>
>
> On 07/16/2013 06:09 AM, Tovey, Mark wrote:
>>
>>
>> Okay, I stopped sssd on the client and deleted the cache files,
>> removed the sudo rule, started sssd and verified that the rule was
>> gone, stopped sssd and deleted the files again, added the rule back
>> in, restarted sssd, and still it does not work. One note, when I
>> enter the hosts into the sudo rule in place of the host group, the
>> effect is immediate; I do not need to restart sssd. And the opposite
>> is true too: if I put the host group back, the rule immediately stops
>> working. I don't think the issue is cache related; it seems to be
>> something else. The serv_account that we are accessing with the sudo rule is external. I wouldn't expect that to matter, but perhaps it does?
>>
>>
>>
>> I like your idea for the labels; they make sense. Right now we
>> are just evaluating this to see if we want to go this route. So far
>> we like it, but this could be a problem because we have a several
>> hundred hosts that we need to manage. Having to enter each one individually will be problematic.
>>
>> Thanks,
>>
>> -Mark
>>
>>
>>
>> * *
>>
>> *________________________________________________________________*
>>
>> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>>
>> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 |
>> Portland
>> | Oregon
>> | 97204 | USA
>>
>> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
>> mark.tovey2
>>
>>
>>
>> *From:*Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
>> *Sent:* Monday, July 15, 2013 4:44 PM
>> *To:* Tovey, Mark; James Hogarth
>> *Cc:* Freeipa-users at redhat.com
>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>
>>
>>
>> option b) delete the rule totally and redo it from scratch.
>>
>> I label rules like this,
>>
>> hb-xxxx for a hbac rule
>>
>> su-xxxx for a sudo rule
>>
>> sc-xxxx for a sudo command group
>>
>> ug-xxxx for a user group
>>
>> hg-xxxx for a host groups
>>
>> etc
>>
>> etc
>>
>> It makes the logic easier when you go into command line which I find
>> easier to trace with than the gui at time.
>>
>>
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ---------------------------------------------------------------------
>> -
>> ---------
>>
>> *From:*Tovey, Mark [MTovey at go2uti.com]
>> *Sent:* Tuesday, 16 July 2013 11:34 a.m.
>> *To:* Steven Jones; James Hogarth
>> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>
>>
>>
>> That didn't work either. I set up the host group in my sudo
>> rule, stopped sssd, renamed /var/lib/sss/db and created a new db
>> directory, then restarted sssd. New files were created in the db
>> directory, but it still refuses to work unless the hosts are directly specified in the sudo rule.
>>
>> Thanks,
>>
>> -Mark
>>
>>
>>
>> * *
>>
>> *________________________________________________________________*
>>
>> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>>
>> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 |
>> Portland
>> | Oregon
>> | 97204 | USA
>>
>> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
>> mark.tovey2
>>
>>
>>
>> *From:*Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
>> *Sent:* Monday, July 15, 2013 4:15 PM
>> *To:* Tovey, Mark; James Hogarth
>> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>
>>
>>
>> Hi,
>>
>> This is a known issue Ive suffered a long time with. What would be
>> interesting is adding another host to the host group could well work
>> fine, that will really make you bang your head against the wall..
>>
>> 2 possibilities, stop the sssd daemon on the problem host, delete its
>> cache and start it, that might fix it.
>>
>> Otherwise best to,
>>
>> All RH support could come up with is delete the HBAC rule, sudo rule,
>> user group and host group and re-do it, then it will probably work fine.
>>
>>
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ---------------------------------------------------------------------
>> -
>> ---------
>>
>> *From:*freeipa-users-bounces at redhat.com
>> <mailto:freeipa-users-bounces at redhat.com>
>> [freeipa-users-bounces at redhat.com] on behalf of Tovey, Mark
>> [MTovey at go2uti.com]
>> *Sent:* Tuesday, 16 July 2013 10:54 a.m.
>> *To:* James Hogarth
>> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
>>
>>
>>
>>
>>
>> I checked that and it is set correctly:
>>
>>
>>
>> [user1 at host1 ~]$ nisdomainname
>>
>> my_domain.com
>>
>>
>>
>> If I try to run a command with the hosts specified indirectly
>> through a host group, it fails:
>>
>>
>>
>> [user1 at host1 ~]$ sudo -i -u serv_account
>>
>> LDAP Config Summary
>>
>> ===================
>>
>> uri ldap://ipa_server.my_domain.com
>>
>> ldap_version 3
>>
>> sudoers_base ou=SUDOers,dc=my_domain,dc=com
>>
>> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
>>
>> bindpw **********
>>
>> bind_timelimit 5000
>>
>> timelimit 15
>>
>> ssl start_tls
>>
>> tls_checkpeer (yes)
>>
>> tls_cacertfile /etc/ipa/ca.crt
>>
>> ===================
>>
>> sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
>>
>> sudo: ldap_set_option: debug -> 0
>>
>> sudo: ldap_set_option: ldap_version -> 3
>>
>> sudo: ldap_set_option: tls_checkpeer -> 1
>>
>> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
>>
>> sudo: ldap_set_option: timelimit -> 15
>>
>> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
>>
>>
>>
>> sudo: ldap_start_tls_s() ok
>>
>> sudo: ldap_sasl_bind_s() ok
>>
>> sudo: no default options found!
>>
>> sudo: ldap search
>> '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
>>
>> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
>>
>> sudo: ldap sudoHost '+hgroup1' ... not
>>
>> sudo: ldap search 'sudoUser=+*'
>>
>> sudo: user_matches=1
>>
>> sudo: host_matches=0
>>
>> sudo: sudo_ldap_lookup(0)=0x40
>>
>> [sudo] password for user1:
>>
>> Sorry, try again.
>>
>> [sudo] password for user1:
>>
>> sudo: 1 incorrect password attempt
>>
>>
>>
>>
>>
>> But if I remove the host group from the sudo rule and directly
>> add the hosts that were in the host group, it works fine:
>>
>>
>>
>> <snip>
>>
>>
>>
>> sudo: ldap_start_tls_s() ok
>>
>> sudo: ldap_sasl_bind_s() ok
>>
>> sudo: no default options found!
>>
>> sudo: ldap search
>> '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
>>
>> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
>>
>> sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
>>
>> sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
>>
>> sudo: ldap sudoCommand 'ALL' ... MATCH!
>>
>> sudo: Command allowed
>>
>> sudo: user_matches=1
>>
>> sudo: host_matches=1
>>
>> sudo: sudo_ldap_lookup(0)=0x02
>>
>> [sudo] password for user1:
>>
>> [serv_account at host1 ~]$
>>
>>
>>
>>
>>
>> So something isn't lining up correctly with host groups in sudo
>> rules somewhere. I just haven't been able to track it down.
>>
>> Thanks,
>>
>> -Mark
>>
>>
>>
>>
>>
>> * *
>>
>> *________________________________________________________________*
>>
>> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>>
>> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 |
>> Portland
>> | Oregon
>> | 97204 | USA
>>
>> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
>> mark.tovey2
>>
>>
>>
>> *From:*James Hogarth [mailto:james.hogarth at gmail.com]
>> *Sent:* Monday, July 15, 2013 1:11 PM
>> *To:* Tovey, Mark
>> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
>>
>>
>>
>>
>>>
>>>
>>> Did anyone find a solution for this? I am having the same experience.
>>>
>>>
>>>
>> Wow that was a mess...
>>
>> To use hostgroups for sudo ensure nisdomainname is set on the hosts
>> to the IPA domain.
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
More information about the Freeipa-users
mailing list