[Freeipa-users] Sudo configuration question

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Wed Dec 21 18:40:07 UTC 2011


On 12/21/2011 09:14 AM, Stephen Gallagher wrote:
> On Wed, 2011-12-21 at 09:08 -0900, Erinn Looney-Triggs wrote:
>> On 12/21/2011 04:37 AM, Stephen Gallagher wrote:
>>> On Tue, 2011-12-20 at 12:59 -0900, Erinn Looney-Triggs wrote:
>>>> I have been working through configuring sudo via IPA and ran into the
>>>> following situation.
>>>>
>>>> There is a directive in the documentation to configure
>>>> /etc/sssd/sssd.conf on the clients with something like the following:
>>>>
>>>> ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
>>>>
>>>>
>>>> This is pulled from the docs here for reference:
>>>>
>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
>>>>
>>>> This is fine and causes no problems, however, when I mistakenly left it
>>>> out on a few systems, sudo continued to function, so I am wondering what
>>>> it is that this directive does? Does this get sssd into the loop to
>>>> cache sudo rules for offline use?
>>>>
>>>> Any ideas?
>>> Sorry for the confusion in the other responses to this thread. The short
>>> answer is this: SUDO can use LDAP rules (as you clearly know). It does
>>> this with its own internal LDAP lookup (it doesn't currently go through
>>> SSSD to accomplish this).
>>>
>>> However, SUDO rules can specify netgroups as part of their restrictions
>>> on who can do what (usually these are used to limit functions to certain
>>> hosts). In order to do this, SSSD needs to be configured to look up
>>> netgroups properly so that SUDO can use the 'getnetgrent()' glibc
>>> command to locate the netgroups.
>>>
>>> The doc you are looking at is actually a bit out of date. It's no longer
>>> necessary to provide that option, because if it's unspecified, we set it
>>> automatically to cn=ng,cn=compat,dc=example,dc=com (using the
>>> appropriate base, of course).
>>>
>>> Jan's comments about upstream work were that we recently made changes to
>>> avoid needing to use the compat tree for netgroup lookups and can
>>> instead use FreeIPA's native, custom schema for netgroups. That's not
>>> terribly relevant to you, but it's a useful piece of information.
>>>
>>> So, in short, you don't need to set it, the doc is outdated.
>>>
>>
>> Ok thanks, that makes sense. One final question here, is there a way
>> to verify that sssd is in fact setting this properly? Not that I doubt
>> you of course, it is just a matter of so many versions of sssd in so
>> many places that it would be good to verify that it works
>> automagically on RHEL 5, 6, and whatever else, say Ubuntu etc.
>>
>> -Erinn
>>
>
> You can set 'debug_level = 6' in [domain/<DOMAINNAME>] of sssd.conf and
> restart. If you look in the sssd_<DOMAINNAME>.log, you should see a line
> setting the ldap_netgroup_search_base option.

Great, thank you so much for your time. I really appreciate it.

-Erinn

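The verification Stephen describes (set debug_level = 6 in the [domain/<DOMAINNAME>] section, restart, then look for ldap_netgroup_search_base in sssd_<DOMAINNAME>.log) is easy to script. The script below is an added example; it is not part of this thread and not SSSD's own tooling. The sssd.conf fragment and the log lines it works on are constructed samples in the style of sssd_<DOMAIN>.log, and the exact wording of the log line that reports the option is an assumption: SSSD versions phrase it differently, so adjust the pattern to what your own log prints.

```shell
#!/bin/sh
# Added example, not from the thread or from SSSD: turn the "debug_level = 6,
# restart, read sssd_<DOMAIN>.log" advice into two small checks.

# Print CONF with "debug_level = LEVEL" in the [domain/DOMAIN] section.
# Any existing debug_level line in that section is dropped so the new one
# is the only one; every other section is passed through unchanged.
set_domain_debug_level() {
    conf=$1; domain=$2; level=$3
    awk -v want="[domain/$domain]" -v level="$level" '
        /^\[/ {
            in_sect = ($0 == want)
            print
            if (in_sect) print "debug_level = " level
            next
        }
        in_sect && /^[ \t]*debug_level[ \t]*=/ { next }   # old value, drop it
        { print }
    ' "$conf"
}

# Print the netgroup search base that SSSD reports in LOG.
# Assumption: the option shows up on a line containing "ldap_netgroup_search_base"
# followed by the DN; wording differs across SSSD versions, so adjust this to
# what your own log prints. A line with no "cn=" value after the option name
# (e.g. "has no value") is ignored; the last matching line wins.
netgroup_base_from_log() {
    awk '
        /ldap_netgroup_search_base/ {
            s = substr($0, index($0, "ldap_netgroup_search_base"))
            i = index(s, "cn=")
            if (i == 0) next
            s = substr(s, i)
            sub(/[] "].*$/, "", s)     # cut at a closing bracket, space or quote
            v = s
        }
        END { if (v != "") print v }
    ' "$1"
}

# Exit 0 when LOG reports the compat-tree base the documentation expects,
# i.e. cn=ng,cn=compat,<BASEDN>; exit 1 otherwise.
check_compat_netgroup_base() {
    [ "$(netgroup_base_from_log "$1")" = "cn=ng,cn=compat,$2" ]
}

# Constructed sample input so the script runs offline: a minimal sssd.conf
# and a few log lines in the style of sssd_<DOMAIN>.log (not real captures).
write_samples() {
    cat > "$1/sssd.conf" <<'EOF'
[sssd]
debug_level = 2
domains = example.com
services = nss, pam

[nss]

[domain/example.com]
debug_level = 1
id_provider = ipa
ipa_domain = example.com
ipa_server = ipa.example.com

[pam]
EOF
    cat > "$1/sssd_example.com.log" <<'EOF'
(Wed Dec 21 10:12:01 2011) [sssd[be[example.com]]] [dp_get_options] (6): Option ldap_netgroup_search_base has no value
(Wed Dec 21 10:12:01 2011) [sssd[be[example.com]]] [ipa_get_id_options] (6): Option ldap_netgroup_search_base set to cn=ng,cn=compat,dc=example,dc=com
(Wed Dec 21 10:12:01 2011) [sssd[be[example.com]]] [sdap_parse_search_base] (6): Search base added: [NETGROUP][cn=ng,cn=compat,dc=example,dc=com][SUBTREE]
EOF
}

# Walk-through on the constructed files. A real run would rewrite
# /etc/sssd/sssd.conf, restart sssd and read /var/log/sssd/sssd_<DOMAIN>.log.
dir=$(mktemp -d)
write_samples "$dir"
set_domain_debug_level "$dir/sssd.conf" example.com 6
netgroup_base_from_log "$dir/sssd_example.com.log"
check_compat_netgroup_base "$dir/sssd_example.com.log" dc=example,dc=com && echo "compat netgroup base OK"
rm -rf "$dir"
```

A base under cn=compat is the layout the documentation expects, and on a client where netgroup lookups work `getent netgroup <name>` should then answer from SSSD. As Stephen notes, newer SSSD releases can use FreeIPA's native netgroup schema instead of the compat tree, so a mismatch reported by check_compat_netgroup_base on such a version is worth reading against the actual log line rather than treated as a failure by itself. Remember to turn debug_level back down afterwards; level 6 logs are verbose.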