<html> <head> <style></style></head> <body class='hmmessage'><div dir='ltr'> <div>> Subject: Re: [Freeipa-users] ipa / sudoers on centos 6.3 client > From: bpk678@gmail.com > To: ctcard@hotmail.com > CC: freeipa-users@redhat.com > Date: Fri, 2 Jan 2015 10:28:16 -0500 > > On Fri, 2015-01-02 at 15:19 +0000, Chris Card wrote: > > I have existing machines running CentOS 6.3 which I want to include in > > a freeipa domain. > > > > The domain controller machine is running Fedora 21 and > > freeipa-server-4.1.1-2 while the latest version of ipa I can find that > > runs on CentOS 6.3 is ipa-client-3.0.0-37.el6.x86_64. > > > > > > I have successfully run ipa-client-install on the CentOS 6.3 client > > and set up users who can ssh to the client using ssh-keys. > > > > > > The problem is that I can't get sudo rules to work. I know that the > > ipa client software version 3.0.0 doesn't automatically set up all the > > configuration for sssd to control sudo access, but I have set up all > > the configuration necessary manually: > > > > > > On the client, /etc/nsswitch.conf has > > > > > > sudoers files sss > > > > > > /etc/sssd/sssd/conf has > > > > > > [domain/default] > > > > > > cache_credentials = True > > krb5_realm = <REALM> > > krb5_server = <ipa server>:88 > > id_provider = ldap > > auth_provider = ldap > > chpass_provider = ldap > > ldap_tls_cacertdir = /etc/openldap/cacerts > > [domain/<domain>] > > > > > > cache_credentials = True > > krb5_store_password_if_offline = True > > ipa_domain = <domain> > > id_provider = ipa > > auth_provider = ipa > > access_provider = ipa > > chpass_provider = ipa > > ipa_dyndns_update = True > > ipa_server = <ipa server> > > ldap_tls_cacert = /etc/ipa/ca.crt > > sudo_provider = ldap > > ldap_uri = ldap://<ipa server> > > ldap_sudo_search_base = ou=sudoers,<domain base dn> > > ldap_sasl_mech = GSSAPI > > ldap_sasl_authid = host/<client fqdn> > > ldap_sasl_realm = <REALM> > > krb5_server = <ipa server> > > debug_level = 9 > > [sssd] > > services = nss, pam, ssh, sudo > > config_file_version = 2 > > > > > > domains = <domain>, default > > debug_level = 9 > > [nss] > > debug_level = 9 > > > > > > [pam] > > debug_level = 9 > > > > > > [sudo] > > debug_level = 9 > > [autofs] > > > > > > I have validated the ldap sasl configuration using ldapsearch, so I'm > > sure they are correct. > > > > > > The nisdomainname command returns the domain name. > > > > > > The sudo rules are: > > # ipa sudorule-find > > -------------------- > > 2 Sudo Rules matched > > -------------------- > > Rule name: sudo-host1 > > Enabled: TRUE > > Command category: all > > RunAs User category: all > > User Groups: host1-rw > > Host Groups: host1 > > Sudo Option: -authenticate > > > > > > Rule name: sudo-host2 > > Enabled: TRUE > > User Groups: host2-rw > > Host Groups: host2 > > Sudo Option: -authenticate > > ---------------------------- > > Number of entries returned 2 > > ---------------------------- > > > > > > When a user in user group host1-rw sshs to a client in host group > > host1 and runs "sudo su -" the user gets prompted for a password even > > though the sudo option -authenticate is set. > > I'm not convinced that sudo is even attempting to use sssd, but I'm > > not sure how to confirm this. > > > > > > I have seen some references to /etc/sudo-ldap.conf in online > > discussions of similar issues. This file exists on my client, but > > everything is commented out. Do I need to put the ldap client > > configuration in /etc/sudo-ldap.conf as well as /etc/sssd/sssd.conf > > for CentOS 6.3 clients? > > > > > > Any ideas about how to work out what is failing? > > > > > > Chris > > > try "!authenticate" (without the quotes), not "-authenticate" (again, > no quotes). That made no difference (though I think you're correct that -authenticate is wrong).</div><div> </div><div>Chris </div> </div></body> </html>