[Freeipa-users] Managing Sudo through FreeIPA

Dmitri Pal dpal at redhat.com
Thu Nov 8 21:09:42 UTC 2012


On 11/08/2012 01:15 PM, William Muriithi wrote:
> FYI
>
> Got it working, credit to JR for pointing out that I need to assign a password
> to the sudo account in LDAP and use it for binding.

Great to hear!

> Thanks a lot
>
> William
>
> On 8 November 2012 12:11, William Muriithi <william.muriithi at gmail.com> wrote:
>> Steven,
>>
>> Thanks for the pointers. I remember finding a post on this, but I'm having
>> problems finding it now
>>> I assume rhel6.3 by the el6 in the rpm....
>>>
>>> 1) Make sure the host and IPA server are fully patched/updated.
>> I am current already
>>
>>> 2) Edit nsswitch.conf to have "sudoers: files ldap" as the last line, may or may not be there.
>> Done
>>
>>> 3) add lines to /etc/sudo-ldap.conf, takes a recent upgrade/patch of 6.3 for that file to "appear".  I'm not at work so I don't have a pastable set
>> Yes, the file was there already.  Wonder if you can paste it now.
>> Mine was like this
>>
>> uri ldap://ipa1-yyz-int.example.loc
>>
>> sudoers_base ou=SUDOers,dc=example,dc=loc
>>
>> ssl              start_tls
>> # must be a bare yes/no; sudo does not parse "(yes)" and treats it as off
>> tls_checkpeer    yes
>> tls_cacertfile   /etc/ipa/ca.crt
>>
>>
>>> 4) Add "nisdomainname example.com" to /etc/rc.d/rc.local.
>> Done
>>> 5) Add or enable the sudo "connection" user in IPA with a password.
>> ?  Lost me here, mind explaining a bit please if you have a chance?
>>> 6) reboot the host
>>>
>>> If it doesn't work, set the debug level in sudo-ldap.conf to 2 and re-try to see the output, and restart sssd.
>>>
>> sh-4.1$ sudo less /var/log/secure
>> LDAP Config Summary
>> ===================
>> uri              ldap://ipa1-yyz-int.example.loc
>> ldap_version     3
>> sudoers_base     ou=SUDOers,dc=example,dc=loc
>> binddn           (anonymous)
>> bindpw           (anonymous)
>> ssl              start_tls
>> tls_checkpeer    (no)
>> tls_cacertfile   /etc/ipa/ca.crt
>> ===================
>> sudo: ldap_set_option: debug -> 0
>> sudo: ldap_set_option: tls_checkpeer -> 0
>> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
>> sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
>> sudo: ldap_initialize(ld, ldap://ipa1-yyz-int.example.loc)
>> sudo: ldap_set_option: ldap_version -> 3
>> sudo: ldap_start_tls_s() ok
>> sudo: ldap_sasl_bind_s() ok
>> sudo: no default options found in ou=SUDOers,dc=example,dc=loc
>> sudo: ldap search
>> '(|(sudoUser=williamm)(sudoUser=%williamm)(sudoUser=%operations)(sudoUser=ALL))'
>> sudo: ldap search 'sudoUser=+*'
>> sudo: user_matches=0
>> sudo: host_matches=0
>> sudo: sudo_ldap_lookup(0)=0x60
>> [sudo] password for williamm:
>> williamm is not in the sudoers file.  This incident will be reported.
>>
>>
>> Thank you again for your help
>>
>> Regards,
>>
>> William
>>> regards
>>> Steven Jones
>>> Technical Specialist - Linux RHCE
>>> Victoria University, Wellington, NZ
>>> 0064 4 463 6272
>>>
>>>
>>>
>>> ________________________________________
>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of William Muriithi [william.muriithi at gmail.com]
>>> Sent: Thursday, 8 November 2012 10:28 a.m.
>>> To: freeipa-users at redhat.com
>>> Subject: [Freeipa-users] Managing Sudo through FreeIPA
>>>
>>> Hello
>>>
>>> I have been trying to set up user access through a sudo file managed by
>>> FreeIPA and it doesn't seem to be working.  I am not sure how to go
>>> about fixing it, but I guess the best place to start is to ask what I
>>> should expect the IPA installation script to set up and what
>>> should be done manually
>>>
>>> [root at demo2 wmuriithi]# rpm -qa | grep sssd
>>> sssd-client-1.8.0-32.el6.x86_64
>>> sssd-1.8.0-32.el6.x86_64
>>> [root at demo2 wmuriithi]#
>>>
>>>
>>>
>>> [root at demo2 wmuriithi]# rpm -qa | grep sudo
>>> sudo-1.7.4p5-13.el6_3.x86_64
>>>
>>> The only errors related to sudo that I can find is on apache error logs
>>>
>>> [Wed Nov 07 13:16:18 2012] [error] ipa: INFO: admin at EXAMPLE.LOC:
>>> sudorule_add_user(u'read_only_viewiers', all=False, raw=False,
>>> version=u'2.34', group=(u'operations',)): SUCCESS
>>> [Wed Nov 07 13:54:44 2012] [error] ipa: ERROR: release_ipa_ccache:
>>> ccache_name (FILE:/var/run/ipa_memcached/krbcc_3988) != KRB5CCNAME
>>> environment variable (FILE:/tmp/krb5cc_apache_NB7pph)
>>> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: admin at EXAMPLE.LOC:
>>> sudorule_find(None, sizelimit=0, pkey_only=True): SUCCESS
>>> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: admin at EXAMPLE.LOC:
>>> batch: sudorule_show(u'Full_Access', all=True): SUCCESS
>>> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: admin at EXAMPLE.LOC:
>>> batch: sudorule_show(u'read_only_viewiers', all=True): SUCCESS
>>> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: admin at EXAMPLE.LOC:
>>> batch: sudorule_show(u'developers', all=True): SUCCESS
>>> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: admin at EXAMPLE.LOC:
>>> batch: sudorule_show(u'operation', all=True): SUCCESS
>>> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: admin at EXAMPLE.LOC:
>>> batch(({u'params': [[u'Full_Access'], {u'all': True}], u'method':
>>> u'sudorule_show'}, {u'params': [[u'read_only_viewiers'], {u'all':
>>> True}], u'method': u'sudorule_show'}, {u'params': [[u'developers'],
>>> {u'all': True}], u'method': u'sudorule_show'}, {u'params':
>>> [[u'operation'], {u'all': True}], u'method': u'sudorule_show'})):
>>> SUCCESS
>>> [Wed Nov 07 13:54:50 2012] [error] ipa: INFO: admin at EXAMPLE.LOC:
>>> sudorule_show(u'read_only_viewiers', rights=True, all=True): SUCCESS
>>>
>>>
>>> I created the user as below and associated it with a group, which I
>>> then allowed to use less for reading files.  As you can see below, it
>>> does not seem to work.
>>>
>>> Nov  7 16:05:42 demo2 sudo: pam_sss(sudo:auth): authentication
>>> success; logname=williamm uid=0 euid=0 tty=/dev/pts/2 ruser=williamm
>>> rhost= user=williamm
>>> Nov  7 16:05:43 demo2 sudo: williamm : user NOT in sudoers ; TTY=pts/2
>>> ; PWD=/home/wmuriithi ; USER=root ; COMMAND=/usr/bin/less
>>> /var/log/secure
>>>
>>>
>>> - My question is, does the client install script take care of sudo
>>> configuration or is that done manually?  I don't see any sudo related
>>> flag on the client installation script.
>>>
>>> - I have tried configuring sssd for sudo use and it didn't go well.
>>> Last time I messed around with LDAP-managed sudo, I had to install an
>>> LDAP-capable sudo package.  The ipa-client install did not install
>>> this package. Does IPA sudo management work differently?
>>>
>>> - Where would I check for logs?  I checked sssd logs and they are empty.
>>>
>>> - I am missing the basedn configuration in the sssd configuration.  From
>>> this bug, it should have been set up by the installer; oddly though it was
>>> not set up and the bug is closed. I attempted to fix it by adding the
>>> line below but it made sudo completely unusable.  It could not find
>>> any valid users apparently
>>>
>>> https://fedorahosted.org/freeipa/ticket/932
>>>
>>> ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=loc
>>>
>>> Nov  7 16:05:42 demo2 sudo: pam_sss(sudo:auth): authentication
>>> success; logname=williamm uid=0 euid=0 tty=/dev/pts/2 ruser=williamm
>>> rhost= user=williamm
>>> Nov  7 16:05:43 demo2 sudo: williamm : user NOT in sudoers ; TTY=pts/2
>>> ; PWD=/home/wmuriithi ; USER=root ; COMMAND=/usr/bin/less
>>> /var/log/secure
>>>
>>>
>>> Any pointers on why we are going?
>>>
>>> Thank you a lot in advance.
>>>
>>> William
>>>
>>> ----------------------------
>>> [root at ipa1-yyz-int wmuriithi]# ipa sudocmd-add --desc='For reading log
>>> files' '/usr/bin/less'
>>> ----------------------------------
>>> Added Sudo Command "/usr/bin/less"
>>> ----------------------------------
>>>   Sudo Command: /usr/bin/less
>>>   Description: For reading log files
>>> [root at ipa1-yyz-int wmuriithi]# ipa sudocmdgroup-add --desc='Read Only
>>> Commands' readonly
>>> -----------------------------------
>>> Added Sudo Command Group "readonly"
>>> -----------------------------------
>>>   Sudo Command Group: readonly
>>>   Description: Read Only Commands
>>> [root at ipa1-yyz-int wmuriithi]# ipa sudocmdgroup-add-member
>>> --sudocmds='/usr/bin/less' readonly
>>>   Sudo Command Group: readonly
>>>   Description: Read Only Commands
>>>   Member Sudo commands: /usr/bin/less
>>> -------------------------
>>> Number of members added 1
>>> -------------------------
>>> [root at ipa1-yyz-int wmuriithi]# ipa sudorule-add testing_viewiers
>>> -----------------------------------
>>> Added Sudo Rule "testing_viewiers"
>>> -----------------------------------
>>>   Rule name: testing_viewiers
>>>   Enabled: TRUE
>>> [root at ipa1-yyz-int wmuriithi]# ipa sudorule-add-allow-command
>>> --sudocmdgroups=readonly  testing_viewiers
>>>   Rule name: testing_viewiers
>>>   Enabled: TRUE
>>>   Sudo Allow Command Groups: readonly
>>> -------------------------
>>> Number of members added 1
>>> -------------------------
>>> [root at ipa1-yyz-int wmuriithi]# ipa hostgroup-add  demo
>>> Description: Demonstration systems
>>>>>> Description: Leading and trailing spaces are not allowed
>>> Description: Demonstration system
>>> ----------------------
>>> Added hostgroup "demo"
>>> ----------------------
>>>   Host-group: demo
>>>   Description: Demonstration system
>>> [root at ipa1-yyz-int wmuriithi]#  ipa hostgroup-add-member
>>> --hosts=demo2.yyz.int.testing.com demo
>>>   Host-group: demo
>>>   Description: Demonstration system
>>>   Member hosts: demo2.yyz.int.testing.com
>>> -------------------------
>>> Number of members added 1
>>> -------------------------
>>> [root at ipa1-yyz-int wmuriithi]# ipa sudorule-add-host --hostgroups=demo
>>>  testing_viewiers
>>>   Rule name: testing_viewiers
>>>   Enabled: TRUE
>>>   Host Groups: demo
>>>   Sudo Allow Command Groups: readonly
>>> -------------------------
>>> Number of members added 1
>>> -------------------------
>>> [root at ipa1-yyz-int wmuriithi]# ipa sudorule-add-user
>>> --groups=operations testing_viewiers
>>>   Rule name: testing_viewiers
>>>   Enabled: TRUE
>>>   User Groups: operations
>>>   Host Groups: demo
>>>   Sudo Allow Command Groups: readonly
>>> -------------------------
>>> Number of members added 1
>>> -------------------------
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


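Added example, not code from the thread or from the FreeIPA project: a small linter for the /etc/sudo-ldap.conf discussed above. The thread's own debug summary prints "tls_checkpeer (no)" and "binddn (anonymous)" for a file that contained "tls_checkpeer (yes)" and no binddn, so TLS peer verification was actually off and the bind was anonymous, and the fix that made it work was binding as the sudo system account with a password. The script reads the file the way sudo does (one keyword per line, "#" comments, last value wins), reports those conditions, and emits a corrected config. The sample config is constructed to mirror the posted one; the bind DN uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=loc (FreeIPA's usual sudo system account, under the thread's suffix) and the password are assumptions.

```python
"""Lint sudo's LDAP backend configuration (/etc/sudo-ldap.conf on RHEL 6)
for the problems that surfaced in the thread: an anonymous bind, TLS peer
verification that is not really on, and a value sudo fails to parse.

Added example, not code from the FreeIPA project or from the posters.
The sample config is constructed to mirror the one posted in the thread,
including its 'tls_checkpeer (yes)' line; the bind DN and password below
are assumptions.
"""
import re

_LINE_RE = re.compile(r"^\s*([A-Za-z_]+)(?:\s+(.*?))?\s*$")
# Spellings sudo's boolean parser accepts. Anything else, e.g. "(yes)",
# is not a boolean and ends up as off, which is what the thread's
# "LDAP Config Summary" shows: "(yes)" in the file, "(no)" in the summary.
_TRUE = {"yes", "true", "on"}
_FALSE = {"no", "false", "off"}


def parse_sudo_ldap_conf(text):
    """Return {keyword: value} with keywords lower-cased.
    Lines starting with '#' are comments; a repeated keyword keeps its
    last value, as sudo does."""
    conf = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = _LINE_RE.match(raw)
        if m:
            conf[m.group(1).lower()] = (m.group(2) or "").strip()
    return conf


def lint_sudo_ldap_conf(text):
    """Return a list of human-readable findings; an empty list is a pass."""
    conf = parse_sudo_ldap_conf(text)
    findings = []
    uri = conf.get("uri", "")
    ssl = conf.get("ssl", "").lower()
    checkpeer = conf.get("tls_checkpeer")

    if "sudoers_base" not in conf:
        findings.append("sudoers_base missing: sudo has nowhere to search for rules")
    if uri.startswith("ldap://") and ssl != "start_tls" and ssl not in _TRUE:
        findings.append("no TLS: ldap:// uri without 'ssl start_tls'; "
                        "bindpw and rule lookups cross the network in clear")
    if checkpeer is None:
        findings.append("tls_checkpeer unset: set 'tls_checkpeer yes' explicitly "
                        "so the server certificate is verified")
    elif checkpeer.lower() in _FALSE:
        findings.append("tls_checkpeer off: server certificate not verified "
                        "(an impersonated server can hand out forged sudo rules)")
    elif checkpeer.lower() not in _TRUE:
        findings.append("tls_checkpeer %r is not a boolean sudo understands; "
                        "it is treated as off (use 'tls_checkpeer yes')" % checkpeer)
    if checkpeer and checkpeer.lower() in _TRUE and not (
            conf.get("tls_cacertfile") or conf.get("tls_cacert")):
        findings.append("tls_checkpeer yes but no tls_cacertfile: verification "
                        "has no CA to check against")
    if not conf.get("binddn") or not conf.get("bindpw"):
        findings.append("anonymous bind: the bind succeeds but IPA returns no "
                        "sudo rules; set binddn/bindpw to the sudo system account")
    return findings


def hardened_config(text, binddn, bindpw, cacert="/etc/ipa/ca.crt"):
    """Return a corrected copy of the config: TLS on, peer check on,
    authenticated bind. Existing uri and sudoers_base are kept."""
    conf = parse_sudo_ldap_conf(text)
    if conf.get("uri", "").startswith("ldap://"):
        conf["ssl"] = "start_tls"
    conf["tls_checkpeer"] = "yes"
    conf.setdefault("tls_cacertfile", cacert)
    conf["binddn"] = binddn
    conf["bindpw"] = bindpw
    order = ["uri", "sudoers_base", "binddn", "bindpw", "ssl",
             "tls_checkpeer", "tls_cacertfile"]
    keys = order + sorted(k for k in conf if k not in order)
    lines = ["# contains bindpw: keep this file owned by root, mode 0640 or tighter"]
    lines += ["%-16s %s" % (k, conf[k]) for k in keys if k in conf]
    return "\n".join(lines) + "\n"


# Constructed to mirror the config posted in the thread.
THREAD_CONF = """\
uri ldap://ipa1-yyz-int.example.loc

sudoers_base ou=SUDOers,dc=example,dc=loc

ssl              start_tls
tls_checkpeer    (yes)
tls_cacertfile   /etc/ipa/ca.crt
"""

# Assumed: FreeIPA's usual sudo system account under the thread's suffix.
SUDO_BINDDN = "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=loc"

if __name__ == "__main__":
    for finding in lint_sudo_ldap_conf(THREAD_CONF):
        print("-", finding)
    print(hardened_config(THREAD_CONF, SUDO_BINDDN, "change-me"))
```

Against the posted config it reports two findings, the unparsed "(yes)" and the anonymous bind, and the hardened output passes clean. To check a live host, feed it the contents of /etc/sudo-ldap.conf; once bindpw is in that file it is a credential, so it must stay root-owned and not world-readable.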