[Freeipa-users] Managing Sudo through FreeIPA
William Muriithi
william.muriithi at gmail.com
Thu Nov 8 18:15:50 UTC 2012
FYI
Got it working, credit to JR for pointing I need to assign a password
to sudo account on LDAP and use it for binding.
Thanks a lot
William
On 8 November 2012 12:11, William Muriithi <william.muriithi at gmail.com> wrote:
> Steven,
>
> Thanks for the pointers. I remember finding a post on this, but having
> problem finding it now
>>
>> I assume rhel6.3 by the el6 in the rpm....
>>
>> 1) Make sure the host and IPA server are fully patched/updated.
> I am current already
>
>> 2) Edit nsswitch.conf to have "sudoers: files ldap" as the last line, may or may not be there.
>
> Done
>
>> 3) add lines to /etc/sudo-ldap.conf, takes a recent upgrade/patch of 6.3 for that file to "appear" Im not at work so I odnt have a pastable set
> Yes, the file was there already. Wonder if you can paste it now.
> Mine was like this
>
> uri ldap://ipa1-yyz-int.example.loc
>
> sudoers_base ou=SUDOers,dc=example,dc=loc
>
> ssl start_tls
> tls_checkpeer (yes)
> tls_cacertfile /etc/ipa/ca.crt
>
>
>> 4) Add "nisdomainname example.com" to /etc/rc.d/rc.local.
> Done
>> 5) Add or enable the sudo "connection" user in IPA with a password.
> ? Lost me here, mind explaining a bit please if you have a chance?
>> 6) reboot the host
>>
>> If it doesnt work set the debug level in sudo-ldap.conf to 2 and re-try to see the output..restart sssd.
>>
> sh-4.1$ sudo less /var/log/secure
> LDAP Config Summary
> ===================
> uri ldap://ipa1-yyz-int.example.loc
> ldap_version 3
> sudoers_base ou=SUDOers,dc=example,dc=loc
> binddn (anonymous)
> bindpw (anonymous)
> ssl start_tls
> tls_checkpeer (no)
> tls_cacertfile /etc/ipa/ca.crt
> ===================
> sudo: ldap_set_option: debug -> 0
> sudo: ldap_set_option: tls_checkpeer -> 0
> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
> sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
> sudo: ldap_initialize(ld, ldap://ipa1-yyz-int.example.loc)
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_start_tls_s() ok
> sudo: ldap_sasl_bind_s() ok
> sudo: no default options found in ou=SUDOers,dc=example,dc=loc
> sudo: ldap search
> '(|(sudoUser=williamm)(sudoUser=%williamm)(sudoUser=%operations)(sudoUser=ALL))'
> sudo: ldap search 'sudoUser=+*'
> sudo: user_matches=0
> sudo: host_matches=0
> sudo: sudo_ldap_lookup(0)=0x60
> [sudo] password for williamm:
> williamm is not in the sudoers file. This incident will be reported.
>
>
> Thank you again for your help
>
> Regards,
>
> William
>> regards
>> Steven Jones
>> Technical Specialist - Linux RHCE
>> Victoria University, Wellington, NZ
>> 0064 4 463 6272
>>
>>
>>
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of William Muriithi [william.muriithi at gmail.com]
>> Sent: Thursday, 8 November 2012 10:28 a.m.
>> To: freeipa-users at redhat.com
>> Subject: [Freeipa-users] Managing Sudo through FreeIPA
>>
>> Hello
>>
>> I have been trying to setup user access through sudo file managed by
>> FreeIPA and it don't seem to be working. I am not sure how to go
>> about fixing it, but I guess the best place to start is ask what I
>> should expect the IPA installation script should set up and what
>> should be done manually
>>
>> [root at demo2 wmuriithi]# rpm -qa | grep sssd
>> sssd-client-1.8.0-32.el6.x86_64
>> sssd-1.8.0-32.el6.x86_64
>> [root at demo2 wmuriithi]#
>>
>>
>>
>> [root at demo2 wmuriithi]# rpm -qa | grep sudo
>> sudo-1.7.4p5-13.el6_3.x86_64
>>
>> The only errors related to sudo that I can find is on apache error logs
>>
>> [Wed Nov 07 13:16:18 2012] [error] ipa: INFO: admin at EXAMPLE.LOC:
>> sudorule_add_user(u'read_only_viewiers', all=False, raw=False,
>> version=u'2.34', group=(u'operations',)): SUCCESS
>> [Wed Nov 07 13:54:44 2012] [error] ipa: ERROR: release_ipa_ccache:
>> ccache_name (FILE:/var/run/ipa_memcached/krbcc_3988) != KRB5CCNAME
>> environment variable (FILE:/tmp/krb5cc_apache_NB7pph)
>> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: admin at EXAMPLE.LOC:
>> sudorule_find(None, sizelimit=0, pkey_only=True): SUCCESS
>> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: admin at EXAMPLE.LOC:
>> batch: sudorule_show(u'Full_Access', all=True): SUCCESS
>> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: admin at EXAMPLE.LOC:
>> batch: sudorule_show(u'read_only_viewiers', all=True): SUCCESS
>> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: admin at EXAMPLE.LOC:
>> batch: sudorule_show(u'developers', all=True): SUCCESS
>> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: admin at EXAMPLE.LOC:
>> batch: sudorule_show(u'operation', all=True): SUCCESS
>> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: admin at EXAMPLE.LOC:
>> batch(({u'params': [[u'Full_Access'], {u'all': True}], u'method':
>> u'sudorule_show'}, {u'params': [[u'read_only_viewiers'], {u'all':
>> True}], u'method': u'sudorule_show'}, {u'params': [[u'developers'],
>> {u'all': True}], u'method': u'sudorule_show'}, {u'params':
>> [[u'operation'], {u'all': True}], u'method': u'sudorule_show'})):
>> SUCCESS
>> [Wed Nov 07 13:54:50 2012] [error] ipa: INFO: admin at EXAMPLE.LOC:
>> sudorule_show(u'read_only_viewiers', rights=True, all=True): SUCCESS
>>
>>
>> I created the user as below and associated it with a group, which I
>> then allowed to use less for reading file. As you can see below, it
>> seem to does not work.
>>
>> Nov 7 16:05:42 demo2 sudo: pam_sss(sudo:auth): authentication
>> success; logname=williamm uid=0 euid=0 tty=/dev/pts/2 ruser=williamm
>> rhost= user=williamm
>> Nov 7 16:05:43 demo2 sudo: williamm : user NOT in sudoers ; TTY=pts/2
>> ; PWD=/home/wmuriithi ; USER=root ; COMMAND=/usr/bin/less
>> /var/log/secure
>>
>>
>> - My question is, does the client install script take care of sudo
>> configuration or is that done manually? I don't see any sudo related
>> flag on the client installation script.
>>
>> - I have tried configuring sssd for sudo use and it didn't go well.
>> Last time I messed around with LDAP managed sudo, I have to install a
>> LDAP capable sudo package. The ipa-client install did not install
>> this package. Does IPA sudo management work differently?
>>
>> - Where would I check for logs? I checked sssd logs and they are empty.
>>
>> - I am missing the basedn configuration on sssd configuration. From
>> this bug, it should have been setup by installer, oddly though it was
>> not setup and the bug is closed. I attempted to fix it by adding the
>> line below but it make sudo completely unusable. It could not find
>> any valid users apparently
>>
>> https://fedorahosted.org/freeipa/ticket/932
>>
>> ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=loc
>>
>> Nov 7 16:05:42 demo2 sudo: pam_sss(sudo:auth): authentication
>> success; logname=williamm uid=0 euid=0 tty=/dev/pts/2 ruser=williamm
>> rhost= user=williamm
>> Nov 7 16:05:43 demo2 sudo: williamm : user NOT in sudoers ; TTY=pts/2
>> ; PWD=/home/wmuriithi ; USER=root ; COMMAND=/usr/bin/less
>> /var/log/secure
>>
>>
>> Any pointers on why we are going?
>>
>> Thank you a lot in advance.
>>
>> William
>>
>> ----------------------------
>> [root at ipa1-yyz-int wmuriithi]# ipa sudocmd-add --desc='For reading log
>> files' '/usr/bin/less'
>> ----------------------------------
>> Added Sudo Command "/usr/bin/less"
>> ----------------------------------
>> Sudo Command: /usr/bin/less
>> Description: For reading log files
>> [root at ipa1-yyz-int wmuriithi]# ipa sudocmdgroup-add --desc='Read Only
>> Commands' readonly
>> -----------------------------------
>> Added Sudo Command Group "readonly"
>> -----------------------------------
>> Sudo Command Group: readonly
>> Description: Read Only Commands
>> [root at ipa1-yyz-int wmuriithi]# ipa sudocmdgroup-add-member
>> --sudocmds='/usr/bin/less' readonly
>> Sudo Command Group: readonly
>> Description: Read Only Commands
>> Member Sudo commands: /usr/bin/less
>> -------------------------
>> Number of members added 1
>> -------------------------
>> [root at ipa1-yyz-int wmuriithi]# ipa sudorule-add testing_viewiers
>> -----------------------------------
>> Added Sudo Rule "testing_viewiers"
>> -----------------------------------
>> Rule name: testing_viewiers
>> Enabled: TRUE
>> [root at ipa1-yyz-int wmuriithi]# ipa sudorule-add-allow-command
>> --sudocmdgroups=readonly testing_viewiers
>> Rule name: testing_viewiers
>> Enabled: TRUE
>> Sudo Allow Command Groups: readonly
>> -------------------------
>> Number of members added 1
>> -------------------------
>> [root at ipa1-yyz-int wmuriithi]# ipa hostgroup-add demo
>> Description: Demonstration systems
>>>>> Description: Leading and trailing spaces are not allowed
>> Description: Demonstration system
>> ----------------------
>> Added hostgroup "demo"
>> ----------------------
>> Host-group: demo
>> Description: Demonstration system
>> [root at ipa1-yyz-int wmuriithi]# ipa hostgroup-add-member
>> --hosts=demo2.yyz.int.testing.com demo
>> Host-group: demo
>> Description: Demonstration system
>> Member hosts: demo2.yyz.int.testing.com
>> -------------------------
>> Number of members added 1
>> -------------------------
>> [root at ipa1-yyz-int wmuriithi]# ipa sudorule-add-host --hostgroups=demo
>> testing_viewiers
>> Rule name: testing_viewiers
>> Enabled: TRUE
>> Host Groups: demo
>> Sudo Allow Command Groups: readonly
>> -------------------------
>> Number of members added 1
>> -------------------------
>> [root at ipa1-yyz-int wmuriithi]# ipa sudorule-add-user
>> --groups=operations testing_viewiers
>> Rule name: testing_viewiers
>> Enabled: TRUE
>> User Groups: operations
>> Host Groups: demo
>> Sudo Allow Command Groups: readonly
>> -------------------------
>> Number of members added 1
>> -------------------------
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>>
>> ------------------------------
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> End of Freeipa-users Digest, Vol 52, Issue 18
>> *********************************************
More information about the Freeipa-users
mailing list