[Freeipa-users] Sudo not working

Bret Wortman bret.wortman at damascusgrp.com
Thu Nov 1 12:26:50 UTC 2012


To close the loop:

I did the following to clear the credential problem. I suspect that I
hadn't properly run kinit before doing these steps the first time:

-sh-4.2$ kinit
Password for bretw at WEDGEOFLI.ME:
-sh-4.2$ sudo su -
sudo: ldap_sasl_bind_s(): Invalid credentials
[sudo] password for bretw:
bretw is not in the sudoers file.  This incident will be reported.
-sh-4.2$ ldapsearch -x ou=SUDOers,dc=wedgeofli,dc=me
# extended LDIF
#
# LDAPv3
# base <dc=wedgeofli,dc=me> (default) with scope subtree
# filter: ou=SUDOers,dc=wedgeofli,dc=me
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
-sh-4.2$ ldapsearch ou=SUDOers,dc=wedgeofli,dc=me
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
-sh-4.2$ ldapsearch -x ou=SUDOers,dc=wedgeofli,dc=me
# extended LDIF
#
# LDAPv3
# base <dc=wedgeofli,dc=me> (default) with scope subtree
# filter: ou=SUDOers,dc=wedgeofli,dc=me
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
-sh-4.2$ ldapsearch -D uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me -w password ou=SUDOers,dc=wedgeofli,dc=me
ldap_bind: Invalid credentials (49)

-sh-4.2$ ldappasswd -Y GSSAPI -S -h fs1.wedgeofli.me uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
New password:
Re-enter new password:
SASL/GSSAPI authentication started
SASL username: bretw at WEDGEOFLI.ME
SASL SSF: 56
SASL data security layer installed.
-sh-4.2$ ldapsearch -D uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me -w password ou=SUDOers,dc=wedgeofli,dc=me
# extended LDIF
#
# LDAPv3
# base <dc=wedgeofli,dc=me> (default) with scope subtree
# filter: ou=SUDOers,dc=wedgeofli,dc=me
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
-sh-4.2$ sudo su -
[sudo] password for bretw:
[root at fs1 ~]#

On Thu, Nov 1, 2012 at 7:58 AM, Bret Wortman
<bret.wortman at damascusgrp.com> wrote:

> That's got me closer now, as I'm at least getting an error message on
> stdout:
>
> [root at fs1 etc]# more nslcd.conf
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
> bindpw password
>
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
>
> bind_timelimit 5
> timelimit 15
>
> uri ldap://fs1.wedgeofli.me
> sudoers_base ou=SUDOers,dc=wedgeofli,dc=me
> [root at fs1 etc]# sudo su -
> sudo: ldap_sasl_bind_s(): Invalid credentials
> [root at fs1 ~]#
>
> So I'm off to figure out where my credentials are wrong. Thanks again,
> Rob, Stephen & Pavel.
>
>
> Bret
>
> On Wed, Oct 31, 2012 at 2:39 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>> Bret Wortman wrote:
>>
>>> [root at fs1 etc]# more /etc/ldap.conf
>>> sudoers_debug: 1
>>> [root at fs1 etc]# ls -l /etc/ldap.conf
>>> -rw-r--r--. 1 root root 17 Oct 19 14:54 /etc/ldap.conf
>>>
>>> Where should I see the extra output? I've had this set since last Friday
>>> and I'm not seeing any difference.
>>>
>>
>> Move the contents of /etc/nslcd.conf to this file and add ldap to sudoers
>> in /etc/nsswitch.conf.
>>
>> rob
>>
>>
>>> On Wed, Oct 31, 2012 at 2:20 PM, Rob Crittenden <rcritten at redhat.com>
>>> wrote:
>>>
>>>     Bret Wortman wrote:
>>>
>>>         F17.
>>>
>>>
>>>     I think you want /etc/ldap.conf then. The easiest way to be sure the
>>>     right file is being used is to add sudoers_debug 1 to the file. This
>>>     will present a lot of extra output so you'll know the file is being
>>>     read.
>>>
>>>     rob
>>>
>>>
>>>         On Wed, Oct 31, 2012 at 2:04 PM, Rob Crittenden
>>>         <rcritten at redhat.com> wrote:
>>>
>>>              Bret Wortman wrote:
>>>
>>>                  I had enabled debugging of sudo but am not clear on
>>>                  where that debugging is going. It's not stdout, and
>>>                  I'm not seeing anything in /var/log/messages.
>>>
>>>                  I'll try switching to SSS and see what that gets me.
>>>
>>>
>>>              What distro is this? If it is RHEL 6.3 then put the
>>>              configuration into /etc/sudo-ldap.conf instead of
>>>              /etc/nslcd. The docs are incorrect (we are working on
>>>              getting them fixed).
>>>
>>>              rob
>>>
>>>
>>>
>>>                  On Wed, Oct 31, 2012 at 1:33 PM, Stephen Gallagher
>>>                  <sgallagh at redhat.com> wrote:
>>>
>>>                       On Wed 31 Oct 2012 11:53:15 AM EDT, Bret Wortman
>>>                       wrote:
>>>
>>>                           I'm pretty certain there's a painfully simple
>>>                           solution to this that I'm not seeing, but my
>>>                           current configuration isn't picking up the
>>>                           freeipa sudoer rule that I've set.
>>>
>>>                           /etc/nsswitch.conf specifies:
>>>                             sudoers:    files ldap
>>>
>>>                           /etc/nslcd.conf contains:
>>>
>>>                           binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
>>>                           bindpw password
>>>
>>>                           ssl start_tls
>>>                           tls_cacertfile /etc/ipa/ca.crt
>>>                           tls_checkpeer yes
>>>
>>>                           bind_timelimit 5
>>>                           timelimit 15
>>>
>>>                           uri ldap://fs1.wedgeofli.me
>>>
>>>                           sudoers_base ou=SUDOers,dc=wedgeofli,dc=me
>>>
>>>
>>>                           The sssd_DOMAIN.log file contains this when I
>>>                           try to sudo:
>>>
>>>
>>>                       <snip>
>>>
>>>                       The SSSD logs aren't showing anything wrong
>>>                       because they have nothing to do with the execution
>>>                       of the SUDO rules in this situation. All the SSSD
>>>                       is doing is verifying the authentication (when
>>>                       sudo prompts you for your password).
>>>
>>>                       The problem with the rule is most likely happening
>>>                       inside SUDO itself. When you specify 'sudoers:
>>>                       files, ldap' in nsswitch.conf, it's telling SUDO
>>>                       to use its own internal LDAP driver to look up the
>>>                       rules. So you need to check sudo logs to see
>>>                       what's happening (probably you will need to enable
>>>                       debug logging in /etc/sudo.conf).
>>>
>>>                       Recent versions of SUDO (1.8.6 and later) have
>>>                       support for setting 'sudoers: files, sss' in
>>>                       nsswitch.conf which DOES use SSSD (1.9.0 and
>>>                       later) for lookups (and caching) of sudo rules.
>>>
>>>
>>>
>>>
>>>                  --
>>>                  Bret Wortman
>>>                  The Damascus Group
>>>                  Fairfax, VA
>>>         http://bretwortman.com/
>>>         http://twitter.com/BretWortman
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>                  _______________________________________________
>>>                  Freeipa-users mailing list
>>>                  Freeipa-users at redhat.com
>>>                  https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>
>
>
>


-- 
Bret Wortman
The Damascus Group
Fairfax, VA
http://bretwortman.com/
http://twitter.com/BretWortman
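Editor's note, added to this archived thread (not code from any of the
participants): the fix above came down to three things that are easy to
check offline before touching the server: which config file the local sudo
actually reads (the thread shows the right answer differs between Fedora 17
and RHEL 6.3), whether nsswitch.conf routes sudoers lookups to sudo's own
LDAP driver or to SSSD, and whether a file that now carries "bindpw" is
protected. Note that the thread moved the bind password into /etc/ldap.conf,
which was listed as -rw-r--r--, so the sysaccount password became readable
by every local user; and because sudo performs a simple bind with that
password, the ldap:// URI is only acceptable together with "ssl start_tls"
and "tls_checkpeer yes". The script below performs those checks on
constructed copies in a temp directory; the "sudo -V" sample text, the
temp file names and the function names are my own, and nothing here
contacts an IPA server.

```shell
#!/bin/sh
# Added example, not code from the thread: offline sanity checks for a
# sudo LDAP configuration file (the /etc/ldap.conf, /etc/sudo-ldap.conf or
# nslcd.conf-style file discussed above) and for the sudoers: line in
# nsswitch.conf. Every input is a constructed copy in a temp dir.
set -u

# Which file does this sudo binary read? As root, `sudo -V` prints a line
# "ldap.conf path: ...". $1 is that output as text.
sudo_ldap_conf_path() {
    printf '%s\n' "$1" | sed -n 's/^ldap\.conf path:[[:space:]]*//p' | head -n 1
}

# Backends listed on the sudoers: line of an nsswitch.conf ($1).
nsswitch_sudoers_backends() {
    sed -n 's/^[[:space:]]*sudoers:[[:space:]]*//p' "$1" | head -n 1
}

# Value of keyword $2 in sudo ldap config $1 ("key value" or "key: value",
# keyword match is case-insensitive, first occurrence wins).
conf_get() {
    awk -v k="$2" '
        BEGIN { k = tolower(k) }
        /^[[:space:]]*#/ || NF < 2 { next }
        { key = tolower($1); sub(/:$/, "", key) }
        key == k { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Check sudo ldap config $1. Prints findings; returns 1 on a fatal problem.
check_sudo_ldap_conf() {
    f=$1; rc=0
    for k in uri sudoers_base binddn; do
        [ -n "$(conf_get "$f" "$k")" ] || { echo "FAIL: $k missing in $f"; rc=1; }
    done
    if [ -n "$(conf_get "$f" bindpw)" ]; then
        # A simple bind sends bindpw in clear: a plain ldap:// URI needs start_tls.
        case "$(conf_get "$f" uri)" in
            ldaps://*) ;;
            *) [ "$(conf_get "$f" ssl)" = "start_tls" ] ||
                   { echo "FAIL: bindpw with ldap:// URI but no 'ssl start_tls'"; rc=1; } ;;
        esac
        [ "$(conf_get "$f" tls_checkpeer)" = "yes" ] ||
            echo "WARN: tls_checkpeer is not yes; the server certificate is not verified"
        # The file holds a reusable credential: group/other bits must be clear.
        mode=$(ls -ld "$f" | cut -c1-10)
        [ "$(printf '%s' "$mode" | cut -c5-10)" = "------" ] ||
            { echo "FAIL: $f contains bindpw but is $mode (want -rw-------)"; rc=1; }
    fi
    return $rc
}

# --- constructed inputs modelled on the thread -------------------------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
nss=$tmp/nsswitch.conf
conf=$tmp/sudo-ldap.conf
printf 'passwd:     files sss\nsudoers:    files ldap\n' > "$nss"
cat > "$conf" <<'EOF'
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
bindpw password
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
uri ldap://fs1.wedgeofli.me
sudoers_base ou=SUDOers,dc=wedgeofli,dc=me
EOF
# Constructed stand-in for the `sudo -V` output root would see.
sudo_v='Sudo version 1.8.6
ldap.conf path: /etc/sudo-ldap.conf
ldap.secret path: /etc/ldap.secret'

echo "sudo reads:        $(sudo_ldap_conf_path "$sudo_v")"
echo "nsswitch sudoers:  $(nsswitch_sudoers_backends "$nss")"
chmod 644 "$conf"          # the mode the thread's /etc/ldap.conf had
check_sudo_ldap_conf "$conf" || echo "-> fix with: chmod 600 $conf"
chmod 600 "$conf"
check_sudo_ldap_conf "$conf" && echo "OK: $conf passes all checks"
```

Run it as any user; the first check_sudo_ldap_conf call reports the
world-readable bindpw and the second, after chmod 600, passes. On a real
host substitute the path printed by "sudo -V" (run as root) for the temp
file, and /etc/nsswitch.conf for the constructed one. The script does not
verify the bind itself; the ldapsearch -D ... -w ... call shown earlier in
the thread remains the quickest way to confirm the sysaccount password.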