[Freeipa-users] Sudo works for full access, but not on a per command or host level.

Rich Megginson rmeggins at redhat.com
Wed Oct 17 16:54:16 UTC 2012


On 10/17/2012 10:46 AM, Simo Sorce wrote:
> On Wed, 2012-10-17 at 09:53 -0600, Rich Megginson wrote:
>> On 10/17/2012 07:26 AM, Macklin, Jason wrote:
>>> Okay,
>>>
>>>     Rule name: test4
>>>     Enabled: TRUE
>>>     Command category: all
>>>     Users: asteinfeld
>>>     Hosts: dbduwdu062.dbr.roche.com
>>>     Host Groups: tempsudo
>>>
>>> Client dbduwdu062 is matched in the rule by both the hosts and groups entry.
>>>
>>> /etc/nsswitch.conf has:
>>>
>>> 	Netgroups: files sss
>>>
>>> Getent netgroup tempsudo returns:
>>>
>>> 	[jmacklin at dbduwdu062 Desktop]$ getent netgroup tempsudo
>>> 	tempsudo              (dbduwdu063.dbr.roche.com, -, dbr.roche.com) (dbduwdu062.dbr.roche.com, -, dbr.roche.com)
>>>
>>> To the previous ldapsearch request:
>>>
>>> 	[jmacklin at dbduwdu062 Desktop]$ ldapsearch -Y GSSAPI -H ldap://dbduvdu145.dbr.roche.com "ou=SUDOers,dc=dbr,dc=roche,dc=com"
>>> 	SASL/GSSAPI authentication started
>>> 	ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
>>> 	additional info: Entry permanently locked.
>>>
>>> I am still scratching my head on this one...
>> This means you cannot search using your kerberos ticket because the
>> corresponding entry is locked.  Try using directory manager:
>>
>> ldapsearch -x -D "cn=directory manager" -W -H
>> ldap://dbduvdu145.dbr.roche.com "ou=SUDOers,dc=dbr,dc=roche,dc=com"
>>
> This sounds very wrong.
>
> If the user had a kerberos ticket in the first place it meant it
> successfully authenticated.
>
> If no krb ticket was available GSSAPI would have not started at all.
>
> This look like some odd error in directory server failing to recognize
> valid users ?
Not sure what's going on.  Looking at the code in ipa_lockout.c:
     lockout_duration = slapi_entry_attr_get_uint(policy_entry, "krbPwdLockoutDuration");
     if (lockout_duration == 0) {
         errstr = "Entry permanently locked.\n";
         ret = LDAP_UNWILLING_TO_PERFORM;
         goto done;
     }

This means either krbPwdLockoutDuration does not exist at all, or does 
exist and has a value of 0.

Can you do an ldapsearch of your entry like this:

ldapsearch -xLLL -D "cn=directory manager" -W uid=youruserid \* krbPwdLockoutDuration
?
>
> Simo.
>
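As an added example (not FreeIPA's own code and not from any poster in this thread), the script below reads the LDIF that an `ldapsearch -LLL` for `krbPwdLockoutDuration` prints and applies the same test as the quoted ipa_lockout.c fragment: an absent attribute and an explicit 0 both mean a locked entry never unlocks. The sample LDIF, its DNs and values are constructed; the `cn=kerberos` policy DN layout and the "non-numeric converts to 0" behaviour are assumptions, not something the thread states.

```python
"""Check FreeIPA password-policy entries for the 'permanently locked' condition.

Added example, not FreeIPA code: parses ldapsearch -LLL output and mirrors the
quoted ipa_lockout.c test (lockout_duration == 0  =>  "Entry permanently locked").
"""
import base64

# Constructed sample of what `ldapsearch -xLLL ... krbPwdLockoutDuration` might
# print for three policy entries. DNs, values and the folded description line
# are made up; the cn=kerberos container layout is an assumption.
SAMPLE_LDIF = """\
dn: cn=global_policy,cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test
cn: global_policy
description: lockout expires after ten minutes; failure counter reset
  interval set separately
krbPwdLockoutDuration: 600

dn: cn=tempsudo,cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test
cn: tempsudo
krbPwdLockoutDuration: 0

dn: cn=nopolicy,cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test
cn:: bm9wb2xpY3k=
"""


def parse_ldif(text):
    """Parse LDIF into a list of entries, each {lowercased attr: [values]}.

    Handles folded continuation lines (leading space) and base64 values ('::').
    Comment lines and a leading 'version:' line are ignored.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation: drop one leading space
        else:
            unfolded.append(raw)

    entries, current = [], {}
    for line in unfolded + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, rest = line.split(":", 1)
        if rest.startswith(":"):             # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def lockout_is_permanent(entry):
    """Mirror of the quoted ipa_lockout.c test.

    slapi_entry_attr_get_uint() yields 0 when the attribute is absent, so a
    missing krbPwdLockoutDuration and an explicit 0 are the same case.
    """
    values = entry.get("krbpwdlockoutduration", [])
    if not values:
        return True
    try:
        return int(values[0]) == 0
    except ValueError:
        return True   # assumption: a non-numeric value converts to 0 as well


def report(ldif_text):
    """Return {dn: {"duration": int or None, "permanent": bool}} for each entry."""
    result = {}
    for entry in parse_ldif(ldif_text):
        dn = entry["dn"][0]
        vals = entry.get("krbpwdlockoutduration")
        result[dn] = {
            "duration": int(vals[0]) if vals and vals[0].isdigit() else None,
            "permanent": lockout_is_permanent(entry),
        }
    return result


if __name__ == "__main__":
    # Pipe real output in instead: python3 check_lockout.py < policy.ldif
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for dn, info in report(text).items():
        state = "PERMANENT lock" if info["permanent"] else f'{info["duration"]}s lock'
        print(f"{dn}: {state}")
```

Run against real output of the directory-manager search Rich suggests; any entry reported as a permanent lock explains the "Entry permanently locked" error once the failure counter has been tripped.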
