[Freeipa-users] Sudo not working
Dmitri Pal
dpal at redhat.com
Thu Nov 1 15:14:09 UTC 2012
On 11/01/2012 08:26 AM, Bret Wortman wrote:
> To close the loop:
>
> I did the following to clear the credential problem. I suspect that I hadn't properly run kinit before doing these steps the first time:
>
> -sh-4.2$ kinit
> Password for bretw at WEDGEOFLI.ME:
> -sh-4.2$ sudo su -
> sudo: ldap_sasl_bind_s(): Invalid credentials
> [sudo] password for bretw:
> bretw is not in the sudoers file. This incident will be reported.
This seems to suggest that it tries to use the sudoers file instead of LDAP.
> -sh-4.2$ ldapsearch -x ou=SUDOers,dc=wedgeofli,dc=me
> # extended LDIF
> #
> # LDAPv3
> # base <dc=wedgeofli,dc=me> (default) with scope subtree
> # filter: ou=SUDOers,dc=wedgeofli,dc=me
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
If you used kinit you can then use -Y GSSAPI to use the Kerberos credential for the authentication.
> -sh-4.2$ ldapsearch ou=SUDOers,dc=wedgeofli,dc=me
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available:
> -sh-4.2$ ldapsearch -x ou=SUDOers,dc=wedgeofli,dc=me
> # extended LDIF
> #
> # LDAPv3
> # base <dc=wedgeofli,dc=me> (default) with scope subtree
> # filter: ou=SUDOers,dc=wedgeofli,dc=me
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
> -sh-4.2$ ldapsearch -D uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me -w password ou=SUDOers,dc=wedgeofli,dc=me
> ldap_bind: Invalid credentials (49)
>
> -sh-4.2$ ldappasswd -Y GSSAPI -S -h fs1.wedgeofli.me
> uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
> New password:
> Re-enter new password:
> SASL/GSSAPI authentication started
> SASL username: bretw at WEDGEOFLI.ME
> SASL SSF: 56
> SASL data security layer installed.
> -sh-4.2$ ldapsearch -D uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me -w password ou=SUDOers,dc=wedgeofli,dc=me
> # extended LDIF
> #
> # LDAPv3
> # base <dc=wedgeofli,dc=me> (default) with scope subtree
> # filter: ou=SUDOers,dc=wedgeofli,dc=me
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
> -sh-4.2$ sudo su -
> [sudo] password for bretw:
> [root at fs1 ~]#
>
> On Thu, Nov 1, 2012 at 7:58 AM, Bret Wortman <bret.wortman at damascusgrp.com> wrote:
>
> That's got me closer now, as I'm at least getting an error message on stdout:
>
> [root at fs1 etc]# more nslcd.conf
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
> bindpw password
>
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
>
> bind_timelimit 5
> timelimit 15
>
> uri ldap://fs1.wedgeofli.me
> sudoers_base ou=SUDOers,dc=wedgeofli,dc=me
> [root at fs1 etc]# sudo su -
> sudo: ldap_sasl_bind_s(): Invalid credentials
> [root at fs1 ~]#
>
> So I'm off to figure out where my credentials are wrong. Thanks again, Rob, Stephen & Pavel.
>
>
> Bret
>
> On Wed, Oct 31, 2012 at 2:39 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Bret Wortman wrote:
>
> [root at fs1 etc]# more /etc/ldap.conf
> sudoers_debug: 1
> [root at fs1 etc]# ls -l /etc/ldap.conf
> -rw-r--r--. 1 root root 17 Oct 19 14:54 /etc/ldap.conf
>
> Where should I see the extra output? I've had this set since last Friday and I'm not seeing any difference.
>
>
> Move the contents of /etc/nslcd.conf to this file and add ldap to sudoers in /etc/nsswitch.conf.
>
> rob
>
>
> On Wed, Oct 31, 2012 at 2:20 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Bret Wortman wrote:
>
> F17.
>
>
> I think you want /etc/ldap.conf then. The easiest way to be sure the right file is being used is to add sudoers_debug 1 to the file. This will present a lot of extra output so you'll know the file is being read.
>
> rob
>
>
> On Wed, Oct 31, 2012 at 2:04 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Bret Wortman wrote:
>
> I had enabled debugging of sudo but am not clear on where that debugging is going. It's not stdout, and I'm not seeing anything in /var/log/messages.
>
> I'll try switching to SSS and see what that gets me.
>
>
> What distro is this? If it is RHEL 6.3 then put the configuration into /etc/sudo-ldap.conf instead of /etc/nslcd. The docs are incorrect (we are working on getting them fixed).
>
> rob
>
>
>
> On Wed, Oct 31, 2012 at 1:33 PM, Stephen Gallagher <sgallagh at redhat.com> wrote:
>
> On Wed 31 Oct 2012 11:53:15 AM EDT, Bret Wortman wrote:
>
> I'm pretty certain there's a painfully simple solution to this that I'm not seeing, but my current configuration isn't picking up the freeipa sudoer rule that I've set.
>
> /etc/nsswitch.conf specifies:
> sudoers: files ldap
>
> /etc/nslcd.conf contains:
>
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
> bindpw password
>
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
>
> bind_timelimit 5
> timelimit 15
>
> uri ldap://fs1.wedgeofli.me
>
> sudoers_base ou=SUDOers,dc=wedgeofli,dc=me
>
>
> The sssd_DOMAIN.log file contains this when I try to sudo:
>
> <snip>
>
> The SSSD logs aren't showing anything wrong because they have nothing to do with the execution of the SUDO rules in this situation. All the SSSD is doing is verifying the authentication (when sudo prompts you for your password).
>
> The problem with the rule is most likely happening inside SUDO itself. When you specify 'sudoers: files, ldap' in nsswitch.conf, it's telling SUDO to use its own internal LDAP driver to look up the rules. So you need to check sudo logs to see what's happening (probably you will need to enable debug logging in /etc/sudo.conf).
>
> Recent versions of SUDO (1.8.6 and later) have support for setting 'sudoers: files, sss' in nsswitch.conf which DOES use SSSD (1.9.0 and later) for lookups (and caching) of sudo rules.
>
>
>
>
> --
> Bret Wortman
> The Damascus Group
> Fairfax, VA
> http://bretwortman.com/
> http://twitter.com/BretWortman
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
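The working setup in the thread has sudo's own LDAP driver reading its bind DN, bind password and sudoers_base from a config file that was listed as mode 0644, with `sudoers: files ldap` in nsswitch.conf. The script below is an added example, not code from the thread, sudo or FreeIPA: it sanity-checks those pieces offline against constructed copies of the quoted files, assuming POSIX sh with GNU or BSD stat, and takes the file paths as parameters.

```shell
#!/bin/sh
# Added example, not from the thread: offline sanity checks for a sudo-LDAP setup like the
# one above (sudoers line in nsswitch.conf, the keywords sudo's LDAP driver needs, bindpw file mode).
# sudoers_sources NSSWITCH_FILE: print the backends listed on the "sudoers:" line
sudoers_sources() {
    sed -n 's/^[[:space:]]*sudoers:[[:space:]]*//p' "$1" | sed 's/[[:space:],]\{1,\}/ /g; s/ $//'
}

# missing_ldap_keys LDAP_CONF: print any of the keywords sudo's LDAP driver needs that are absent
missing_ldap_keys() {
    for key in uri binddn bindpw sudoers_base; do
        grep -qiE "^[[:space:]]*$key([[:space:]]|:)" "$1" || printf '%s ' "$key"
    done
}

# bindpw_world_readable LDAP_CONF: true when a bindpw line exists and "other" has any mode bit (GNU/BSD stat)
bindpw_world_readable() {
    grep -qiE '^[[:space:]]*bindpw([[:space:]]|:)' "$1" || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case $mode in *0) return 1 ;; *) return 0 ;; esac
}

# audit_sudo_ldap NSSWITCH_FILE LDAP_CONF: print findings, return 0 only when clean
audit_sudo_ldap() {
    rc=0
    case " $(sudoers_sources "$1") " in
        *" ldap "*|*" sss "*) ;;
        *) echo "nsswitch: no ldap/sss on the sudoers line, only the sudoers file is consulted"; rc=1 ;;
    esac
    missing=$(missing_ldap_keys "$2")
    [ -z "$missing" ] || { echo "ldap.conf: missing keywords: $missing"; rc=1; }
    if bindpw_world_readable "$2"; then
        echo "ldap.conf: bindpw is stored in a world-readable file"; rc=1
    fi
    return $rc
}

# demo: constructed sample files reusing the values quoted in the thread
demo() {
    d=$(mktemp -d)
    printf 'passwd: files sss\nsudoers: files ldap\n' > "$d/nsswitch.conf"
    printf '%s\n' 'uri ldap://fs1.wedgeofli.me' \
        'binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me' \
        'bindpw password' 'sudoers_base ou=SUDOers,dc=wedgeofli,dc=me' > "$d/ldap.conf"
    chmod 644 "$d/ldap.conf"   # same mode as the /etc/ldap.conf listed in the thread
    if audit_sudo_ldap "$d/nsswitch.conf" "$d/ldap.conf"; then res=0; else res=1; fi
    rm -rf "$d"; return $res
}
demo || :   # reports: ldap.conf: bindpw is stored in a world-readable file
```

Run it against the real files with `audit_sudo_ldap /etc/nsswitch.conf /etc/ldap.conf` (or /etc/sudo-ldap.conf on the distros Rob mentions); a non-zero exit means at least one finding was printed.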