<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 01/02/2015 12:12 PM, Craig White
wrote:<br>
</div>
<blockquote
cite="mid:BLUPR08MB488BC293F0A8F7F53EFB540B35D0@BLUPR08MB488.namprd08.prod.outlook.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>
[<a class="moz-txt-link-freetext" href="mailto:freeipa-users-bounces@redhat.com">mailto:freeipa-users-bounces@redhat.com</a>]
<b>On Behalf Of </b>Chris Card<br>
<b>Sent:</b> Friday, January 02, 2015 8:45 AM<br>
<b>To:</b> Brendan Kearney<br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] ipa / sudoers on
centos 6.3 client<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
<div>
<div
style="mso-element:para-border-div;border:none;border-bottom:solid
windowtext 1.0pt;padding:0in 0in 1.0pt 0in">
<p class="MsoNormal" style="border:none;padding:0in"><span
style="font-family:"Calibri","sans-serif"">>
Subject: Re: [Freeipa-users] ipa / sudoers on centos
6.3 client<br>
> From: <a moz-do-not-send="true"
href="mailto:bpk678@gmail.com">bpk678@gmail.com</a><br>
> To: <a moz-do-not-send="true"
href="mailto:ctcard@hotmail.com">ctcard@hotmail.com</a><br>
> CC: <a moz-do-not-send="true"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
> Date: Fri, 2 Jan 2015 10:28:16 -0500<br>
> <br>
> On Fri, 2015-01-02 at 15:19 +0000, Chris Card
wrote:<br>
> > I have existing machines running CentOS 6.3
which I want to include in<br>
> > a freeipa domain.<br>
> > <br>
> > The domain controller machine is running
Fedora 21 and<br>
> > freeipa-server-4.1.1-2 while the latest
version of ipa I can find that<br>
> > runs on CentOS 6.3 is
ipa-client-3.0.0-37.el6.x86_64.<br>
> > <br>
> > <br>
> > I have successfully run ipa-client-install
on the CentOS 6.3 client<br>
> > and set up users who can ssh to the client
using ssh-keys.<br>
> > <br>
> > <br>
> > The problem is that I can't get sudo rules
to work. I know that the<br>
> > ipa client software version 3.0.0 doesn't
automatically set up all the<br>
> > configuration for sssd to control sudo
access, but I have set up all<br>
> > the configuration necessary manually:<br>
> > <br>
> > <br>
> > On the client, /etc/nsswitch.conf has <br>
> > <br>
> > <br>
> > sudoers files sss <br>
> > <br>
> > <br>
> > /etc/sssd/sssd/conf has<br>
> > <br>
> > <br>
> > [domain/default]<br>
> > <br>
> > <br>
> > cache_credentials = True<br>
> > krb5_realm = <REALM><br>
> > krb5_server = <ipa server>:88<br>
> > id_provider = ldap<br>
> > auth_provider = ldap<br>
> > chpass_provider = ldap<br>
> > ldap_tls_cacertdir = /etc/openldap/cacerts<br>
> > [domain/<domain>]<br>
> > <br>
> > <br>
> > cache_credentials = True<br>
> > krb5_store_password_if_offline = True<br>
> > ipa_domain = <domain><br>
> > id_provider = ipa<br>
> > auth_provider = ipa<br>
> > access_provider = ipa<br>
> > chpass_provider = ipa<br>
> > ipa_dyndns_update = True<br>
> > ipa_server = <ipa server><br>
> > ldap_tls_cacert = /etc/ipa/ca.crt<br>
> > sudo_provider = ldap<br>
> > ldap_uri = <a class="moz-txt-link-freetext" href="ldap://">ldap://</a><ipa server><br>
> > ldap_sudo_search_base =
ou=sudoers,<domain base dn><br>
> > ldap_sasl_mech = GSSAPI<br>
> > ldap_sasl_authid = host/<client fqdn><br>
> > ldap_sasl_realm = <REALM><br>
> > krb5_server = <ipa server><br>
> > debug_level = 9<br>
> > [sssd]<br>
> > services = nss, pam, ssh, sudo<br>
> > config_file_version = 2<br>
> > <br>
> > <br>
> > domains = <domain>, default<br>
> > debug_level = 9<br>
> > [nss]<br>
> > debug_level = 9<br>
> > <br>
> > <br>
> > [pam]<br>
> > debug_level = 9<br>
> > <br>
> > <br>
> > [sudo]<br>
> > debug_level = 9<br>
> > [autofs]<br>
> > <br>
> > <br>
> > I have validated the ldap sasl configuration
using ldapsearch, so I'm<br>
> > sure they are correct.<br>
> > <br>
> > <br>
> > The nisdomainname command returns the domain
name.<br>
> > <br>
> > <br>
> > The sudo rules are:<br>
> > # ipa sudorule-find<br>
> > --------------------<br>
> > 2 Sudo Rules matched<br>
> > --------------------<br>
> > Rule name: sudo-host1<br>
> > Enabled: TRUE<br>
> > Command category: all<br>
> > RunAs User category: all<br>
> > User Groups: host1-rw<br>
> > Host Groups: host1<br>
> > Sudo Option: -authenticate<br>
> > <br>
> > <br>
> > Rule name: sudo-host2<br>
> > Enabled: TRUE<br>
> > User Groups: host2-rw<br>
> > Host Groups: host2<br>
> > Sudo Option: -authenticate<br>
> > ----------------------------<br>
> > Number of entries returned 2<br>
> > ----------------------------<br>
> > <br>
> > <br>
> > When a user in user group host1-rw sshs to a
client in host group<br>
> > host1 and runs "sudo su -" the user gets
prompted for a password even<br>
> > though the sudo option -authenticate is set.<br>
> > I'm not convinced that sudo is even
attempting to use sssd, but I'm<br>
> > not sure how to confirm this.<br>
> > <br>
> > <br>
> > I have seen some references to
/etc/sudo-ldap.conf in online<br>
> > discussions of similar issues. This file
exists on my client, but<br>
> > everything is commented out. Do I need to
put the ldap client<br>
> > configuration in /etc/sudo-ldap.conf as well
as /etc/sssd/sssd.conf<br>
> > for CentOS 6.3 clients?<br>
> > <br>
> > <br>
> > Any ideas about how to work out what is
failing?<br>
> > <br>
> > <br>
> > Chris<br>
> > <br>
> try "!authenticate" (without the quotes), not
"-authenticate" (again,<br>
> no quotes).<br>
That made no difference (though I think you're correct
that -authenticate is wrong).<o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-family:"Calibri","sans-serif";color:#1F497D">Sudo
didn’t work correctly for me until I updated to RHEL 6.6
which had sssd-1.11<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-family:"Calibri","sans-serif";color:#1F497D">Just
saying…<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-family:"Calibri","sans-serif";color:#1F497D">Craig</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
I think 6.3 is the last version where SUDO integration with SSSD
does not work out of box.<br>
You would need to configure SUDO independently from SSSD in the old
way using direct LDAP connection.<br>
AFAIR the configurtion is in the sudo-ldap.conf.<br>
<br>
Find the RHEL 6.3 manual online. I think the doc is correct except
that it mentions ldap.conf instead of sudo-ldap.<br>
Sorry if the names above are not spelled right (may be it is
sudo_ldap or something like), I was writing from the top of my head.<br>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</body>
</html>