[Freeipa-users] Setting up sudo clients

Dmitri Pal dpal at redhat.com
Wed Jun 6 19:23:24 UTC 2012


On 06/06/2012 01:59 PM, Joe Linoff wrote:
> Hi Folks:
>
> I am trying to configure sudo clients using FreeIPA 2.1.3 on CentOS
> 6.2 but I am running into a problem that I do not know how to
> debug. I used the instructions provided here:
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html.
>
> The server installation went fine and I even did a sudo client
> installation on the server which worked well. Unfortunately, when I
> did the same client setup on another host in the network I got the
> message: <user> not in sudoers files when I tried to execute a command.
>
> Here is the output from /var/log/secure on the client. I didn't see
> anything strange on the server. The user name is bigbob.
>
> Jun  6 10:38:35 docs unix_chkpwd[8737]: password check failed for user (bigbob)
> Jun  6 10:38:35 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost=  user=bigbob
> Jun  6 10:38:36 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
> Jun  6 10:38:36 docs sudo:   bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/ls
> Jun  6 10:44:09 docs unix_chkpwd[8767]: password check failed for user (bigbob)
> Jun  6 10:44:09 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost=  user=bigbob
> Jun  6 10:44:10 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
> Jun  6 10:44:10 docs sudo:   bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/pwd
>

Looks like the sudo utility is not going over LDAP and tries to find the
user in the local file.
Can you bind to the LDAP server? Is the firewall port open?


> The command "/bin/pwd" is in the sudo commands and in the sudo command
> group.
>
> Any help would be greatly appreciated.
>
> Here are the setup steps that I performed on the client. The domain is
> foo.example.com.
>
> # CITATION:
> # http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html
>
> # ================================================================
> # Update /etc/nsswitch.conf (append: overwriting the file would drop
> # the existing passwd/group/... lookup entries)
> # ================================================================
> cat >> /etc/nsswitch.conf <<EOF
>
> # ================================================================
> # FreeIPA sudo support
> # ================================================================
> sudoers:  files ldap
> sudoers_debug: 1
> EOF
>
> # ================================================================
> # Insert this just after the ipa_server line and restart sssd:
> # ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com
> # ================================================================
> cat /etc/sssd/sssd.conf | \
> awk '{ print $0; if ($1 == "ipa_server") { printf("ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com\n") } }' > /tmp/x
> cp /tmp/x /etc/sssd/sssd.conf
> rm -f /tmp/x
> service sssd restart
>
> # ================================================================
> # Create the /etc/nslcd.conf file
> # ================================================================
> ls /etc/nslcd.conf
> cat > /etc/nslcd.conf <<EOF
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=example,dc=com
> bindpw pwd/sudo
>
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
>
> bind_timelimit 5
> timelimit 15
>
> uri ldap://cuthbert.foo.example.com
> sudoers_base ou=SUDOers,dc=foo,dc=example,dc=com
> EOF
>
> # ================================================================
> # Set the NIS domain name (even though NIS is not used)
> # ================================================================
> nisdomainname foo.example.com
>
>
> Thank you,
>
> Joe
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


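The quoted /var/log/secure lines and the two questions in the reply (can the client bind to LDAP, is the port open) lend themselves to a small client-side triage script. The one below is an added example, not code from this thread or from the FreeIPA, SSSD or sudo projects. It assumes the client was set up as in the quoted steps (nslcd.conf with binddn and sudoers_base, nsswitch.conf carrying `sudoers: files ldap`), that `ldapsearch` (openldap-clients) and `nc` are installed, and that the bind password for the `uid=sudo` system account is known; the host, DN and base values are the ones from the quoted nslcd.conf, the password is a placeholder, and the sample log and config files it writes are constructed from the quoted material.

```shell
#!/bin/sh
# Added example: client-side triage helper for "user NOT in sudoers" with
# sudo rules kept in FreeIPA.  Not code from the thread or from the
# FreeIPA/SSSD/sudo projects.  Assumptions: nslcd.conf/nsswitch.conf as in
# the quoted setup, ldapsearch and nc available, bind password is a
# placeholder (PLACEHOLDER_BIND_PASSWORD).

# sudo_log_verdict FILE
# Classifies /var/log/secure lines.  The quoted log shows pam_unix failing,
# pam_sss accepting the password, then "user NOT in sudoers": that is an
# authorization (sudoers lookup) failure, not a bad password, so the fix
# lies in the sudoers source (nsswitch/nslcd/LDAP), not in PAM.
sudo_log_verdict() {
    awk '
        /pam_sss\(sudo:auth\): authentication success/  { auth_ok = 1 }
        /pam_unix\(sudo:auth\): authentication failure/ { unix_fail = 1 }
        /sudo:.*user NOT in sudoers/                    { denied = 1 }
        END {
            if (denied && auth_ok)          print "authorization-denied"
            else if (!auth_ok && unix_fail) print "authentication-failed"
            else if (auth_ok)               print "no-denial-logged"
            else                            print "no-sudo-events"
        }' "$1"
}

# sudo_config_check NSSWITCH_FILE NSLCD_FILE
# Verifies the two settings without which sudo never asks LDAP at all:
# "ldap" among the sudoers sources, and a sudoers_base for nslcd.
# Returns 1 if either is missing.
sudo_config_check() {
    nss="$1"; nslcd="$2"; rc=0
    sources=$(awk '$1 == "sudoers:" { $1 = ""; print substr($0, 2) }' "$nss")
    case " $sources " in
        *" ldap "*) echo "nsswitch: sudoers -> $sources" ;;
        *) echo "nsswitch: sudoers has no ldap source (got '$sources')"; rc=1 ;;
    esac
    if grep -q '^sudoers_base ' "$nslcd"; then
        echo "nslcd: $(grep '^sudoers_base ' "$nslcd")"
    else
        echo "nslcd: sudoers_base missing"; rc=1
    fi
    return $rc
}

# sudo_ldap_probe HOST BINDDN BINDPW BASE
# Answers the reply's two questions: is port 389 reachable (firewall), and
# can the sudo service account bind over STARTTLS and read sudoRole entries
# under sudoers_base?  A clean bind with an empty result means the rules are
# not where sudo is looking (check sudoers_base).
sudo_ldap_probe() {
    host="$1"; binddn="$2"; bindpw="$3"; base="$4"
    if command -v nc >/dev/null 2>&1; then
        if nc -z -w 3 "$host" 389; then
            echo "port 389 on $host: open"
        else
            echo "port 389 on $host: unreachable (firewall?)"; return 1
        fi
    fi
    # LDAPTLS_CACERT is the OpenLDAP client override for the CA file,
    # matching tls_cacertfile in the quoted nslcd.conf.
    LDAPTLS_CACERT=/etc/ipa/ca.crt ldapsearch -x -ZZ -H "ldap://$host" \
        -D "$binddn" -w "$bindpw" -b "$base" \
        '(objectClass=sudoRole)' cn sudoUser sudoHost sudoCommand
}

# write_samples DIR: constructed inputs (log lines are the quoted ones, the
# config fragments mirror the quoted setup) so the checks run offline.
write_samples() {
    dir="$1"
    cat > "$dir/secure" <<'EOF'
Jun  6 10:44:09 docs unix_chkpwd[8767]: password check failed for user (bigbob)
Jun  6 10:44:09 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost=  user=bigbob
Jun  6 10:44:10 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun  6 10:44:10 docs sudo:   bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/pwd
EOF
    printf 'passwd:   files sss\nsudoers:  files ldap\n' > "$dir/nsswitch.conf"
    printf 'passwd:   files sss\nsudoers:  files\n' > "$dir/nsswitch-noldap.conf"
    cat > "$dir/nslcd.conf" <<'EOF'
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=example,dc=com
uri ldap://cuthbert.foo.example.com
sudoers_base ou=SUDOers,dc=foo,dc=example,dc=com
EOF
}

# Offline demo on the constructed samples; the live probe is shown commented
# out because it needs the real server and bind password.
demo=$(mktemp -d)
write_samples "$demo"
echo "verdict: $(sudo_log_verdict "$demo/secure")"
sudo_config_check "$demo/nsswitch.conf" "$demo/nslcd.conf"
sudo_config_check "$demo/nsswitch-noldap.conf" "$demo/nslcd.conf" || echo "(sudo would never consult LDAP with that nsswitch.conf)"
# sudo_ldap_probe cuthbert.foo.example.com \
#   uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=example,dc=com \
#   PLACEHOLDER_BIND_PASSWORD ou=SUDOers,dc=foo,dc=example,dc=com
rm -rf "$demo"
```

Run it on the affected client with the real files (`sudo_log_verdict /var/log/secure`, `sudo_config_check /etc/nsswitch.conf /etc/nslcd.conf`) and then the live probe; "authorization-denied" together with a bind that returns no sudoRole entries points at the lookup path (port, bind credentials, sudoers_base) rather than at the user's password or the PAM stack.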


