[Freeipa-users] Sudo not working

Pavel Březina pbrezina at redhat.com
Thu Nov 1 09:12:24 UTC 2012


On 10/31/2012 07:20 PM, Rob Crittenden wrote:
> Bret Wortman wrote:
>> F17.
>
> I think you want /etc/ldap.conf then. The easiest way to be sure the
> right file is being used is to add sudoers_debug 1 to the file. This
> will present a lot of extra output so you'll know the file is being read.
>
> rob

Hi,
I think the easiest way to determine the config file is:
# sudo -V | grep ldap.conf
ldap.conf path: /etc/ldap.conf

(sudo must be executed under the root account)

>
>>
>> On Wed, Oct 31, 2012 at 2:04 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>>     Bret Wortman wrote:
>>
>>         I had enabled debugging of sudo but am not clear on where that
>>         debugging
>>         is going. It's not stdout, and I'm not seeing anything in
>>         /var/log/messages.
>>
>>         I'll try switching to SSS and see what that gets me.
>>
>>
>>     What distro is this? If it is RHEL 6.3 then put the configuration
>>     into /etc/sudo-ldap.conf instead of /etc/nslcd. The docs are
>>     incorrect (we are working on getting them fixed).
>>
>>     rob
>>
>>
>>
>>         On Wed, Oct 31, 2012 at 1:33 PM, Stephen Gallagher
>>         <sgallagh at redhat.com> wrote:
>>
>>              On Wed 31 Oct 2012 11:53:15 AM EDT, Bret Wortman wrote:
>>
>>                  I'm pretty certain there's a painfully simple solution
>>         to this that
>>                  I'm not seeing, but my current configuration isn't
>>         picking up the
>>                  freeipa sudoer rule that I've set.
>>
>>                  /etc/nsswitch.conf specifies:
>>                    sudoers:    files ldap
>>
>>                  /etc/nslcd.conf contains:
>>
>>                  binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
>>
>>                  bindpw password
>>
>>                  ssl start_tls
>>                  tls_cacertfile /etc/ipa/ca.crt
>>                  tls_checkpeer yes
>>
>>                  bind_timelimit 5
>>                  timelimit 15
>>
>>                  uri ldap://fs1.wedgeofli.me
>>
>>                  sudoers_base ou=SUDOers,dc=wedgeofli,dc=me
>>
>>
>>                  The sssd_DOMAIN.log file contains this when I try to
>> sudo:
>>
>>
>>              <snip>
>>
>>              The SSSD logs aren't showing anything wrong because they
>> have
>>              nothing to do with the execution of the SUDO rules in this
>>              situation. All the SSSD is doing is verifying the
>>         authentication
>>              (when sudo prompts you for your password).
>>
>>              The problem with the rule is most likely happening inside
>> SUDO
>>              itself. When you specify 'sudoers: files, ldap' in
>>         nsswitch.conf,
>>              it's telling SUDO to use its own internal LDAP driver to
>>         look up the
>>              rules. So you need to check sudo logs to see what's
>> happening
>>              (probably you will need to enable debug logging in
>>         /etc/sudo.conf).
>>
>>              Recent versions of SUDO (1.8.6 and later) have support for
>>         setting
>>              'sudoers: files, sss' in nsswitch.conf which DOES use SSSD
>>         (1.9.0
>>              and later) for lookups (and caching) of sudo rules.
>>
>>
>>
>>
>>         --
>>         Bret Wortman
>>         The Damascus Group
>>         Fairfax, VA
>>         http://bretwortman.com/
>>         http://twitter.com/BretWortman
>>
>>
>>
>>
>>
>>
>>         _______________________________________________
>>         Freeipa-users mailing list
>>         Freeipa-users at redhat.com
>>         https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
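The thread boils down to three things that have to line up for sudo's own LDAP driver to find FreeIPA rules: the ldap.conf path that `sudo -V` reports, the `sudoers:` line in nsswitch.conf, and the settings inside that ldap.conf (uri, binddn, sudoers_base, and TLS so the bind password and rule lookups are not sent in the clear). The script below is an added example, not code from the thread or from FreeIPA/sudo; it takes file paths as arguments so it can be pointed at the path `sudo -V | grep ldap.conf` prints, and the sample files it writes are constructed (the DN and host names are placeholders, not the poster's real values).

```shell
#!/bin/sh
# Added example: sanity-check the config pieces the thread says must be present
# for "sudoers: files ldap" to work. Paths are passed in as arguments; the real
# sudo ldap.conf path is whatever `sudo -V | grep ldap.conf` prints (run as root).

# Print the sources listed on the "sudoers:" line of an nsswitch.conf file,
# normalised to single spaces (commas are tolerated), e.g. "files ldap".
sudoers_sources() {
    awk '$1 == "sudoers:" { gsub(/,/, " "); $1 = ""; $0 = $0; $1 = $1; print; exit }' "$1"
}

# Check a sudo ldap.conf for the settings the thread relies on.
# Prints one line per finding; returns 0 when nothing is missing, 1 otherwise.
check_sudo_ldap_conf() {
    conf="$1"
    rc=0
    for key in uri sudoers_base binddn; do
        if ! grep -Eq "^[[:space:]]*$key[[:space:]]" "$conf"; then
            echo "missing: $key"
            rc=1
        fi
    done
    # Without start_tls (or ldaps) the bindpw and every rule lookup cross the
    # wire in clear text.
    if ! grep -Eq '^[[:space:]]*ssl[[:space:]]+(start_tls|on)' "$conf"; then
        echo "warning: ssl is not start_tls or on"
        rc=1
    elif ! grep -Eq '^[[:space:]]*tls_checkpeer[[:space:]]+yes' "$conf"; then
        # TLS without peer verification still allows a spoofed server to
        # hand out bogus sudo rules.
        echo "warning: tls_checkpeer is not yes"
        rc=1
    fi
    return $rc
}

# Constructed sample configs (placeholder values, not the poster's files),
# written to a temp dir so the checks run offline. The ldap.conf deliberately
# lacks sudoers_base to show what a finding looks like.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/nsswitch.conf" <<'EOF'
passwd:     files sss
sudoers:    files ldap
EOF
cat > "$SAMPLE_DIR/ldap.conf" <<'EOF'
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=test
bindpw placeholder-password
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
uri ldap://ipa.example.test
EOF

sudoers_sources "$SAMPLE_DIR/nsswitch.conf"            # prints: files ldap
check_sudo_ldap_conf "$SAMPLE_DIR/ldap.conf" || true   # prints: missing: sudoers_base
```

If `sudoers_sources` prints `files sss` instead of `files ldap`, the ldap.conf checks are irrelevant and SSSD's sudo responder configuration is what to look at instead, as Stephen notes for sudo 1.8.6+ with SSSD 1.9.0+.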



