[Freeipa-users] Sudo works for full access, but not on a per command or host level.
Rich Megginson
rmeggins at redhat.com
Wed Oct 17 16:54:16 UTC 2012
On 10/17/2012 10:46 AM, Simo Sorce wrote:
> On Wed, 2012-10-17 at 09:53 -0600, Rich Megginson wrote:
>> On 10/17/2012 07:26 AM, Macklin, Jason wrote:
>>> Okay,
>>>
>>> Rule name: test4
>>> Enabled: TRUE
>>> Command category: all
>>> Users: asteinfeld
>>> Hosts: dbduwdu062.dbr.roche.com
>>> Host Groups: tempsudo
>>>
>>> Client dbduwdu062 is matched in the rule by both the hosts and groups entry.
>>>
>>> /etc/nsswitch.conf has:
>>>
>>> Netgroups: files sss
>>>
>>> Getent netgroup tempsudo returns:
>>>
>>> [jmacklin at dbduwdu062 Desktop]$ getent netgroup tempsudo
>>> tempsudo (dbduwdu063.dbr.roche.com, -, dbr.roche.com) (dbduwdu062.dbr.roche.com, -, dbr.roche.com)
>>>
>>> To the previous ldapsearch request:
>>>
>>> [jmacklin at dbduwdu062 Desktop]$ ldapsearch -Y GSSAPI -H ldap://dbduvdu145.dbr.roche.com "ou=SUDOers,dc=dbr,dc=roche,dc=com"
>>> SASL/GSSAPI authentication started
>>> ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
>>> additional info: Entry permanently locked.
>>>
>>> I am still scratching my head on this one...
>> This means you cannot search using your kerberos ticket because the
>> corresponding entry is locked. Try using directory manager:
>>
>> ldapsearch -x -D "cn=directory manager" -W -H
>> ldap://dbduvdu145.dbr.roche.com "ou=SUDOers,dc=dbr,dc=roche,dc=com"
>>
> This sounds very wrong.
>
> If the user had a kerberos ticket in the first place it meant it
> successfully authenticated.
>
> If no krb ticket was available GSSAPI would have not started at all.
>
> This looks like some odd error in directory server failing to recognize
> valid users?
Not sure what's going on. Looking at the code in ipa_lockout.c:
    lockout_duration = slapi_entry_attr_get_uint(policy_entry,
                                                 "krbPwdLockoutDuration");
    if (lockout_duration == 0) {
        errstr = "Entry permanently locked.\n";
        ret = LDAP_UNWILLING_TO_PERFORM;
        goto done;
    }
This means either krbPwdLockoutDuration does not exist at all, or does
exist and has a value of 0.
Can you do an ldapsearch of your entry like this:
ldapsearch -xLLL -D "cn=directory manager" -W uid=youruserid \*
krbPwdLockoutDuration
?
>
> Simo.
>
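The following is an added example, not code from the thread or from FreeIPA. It parses the LDIF that `ldapsearch -xLLL` prints and replays the lockout decision quoted above from ipa_lockout.c, so you can see why a policy entry that simply lacks krbPwdLockoutDuration reads as "permanently locked" (slapi_entry_attr_get_uint returns 0 for a missing attribute, exactly as the message says). The sample LDIF, the dc=example,dc=com base, the attribute values, and the checks around the duration==0 branch (failure count against krbMaxPwdFailure, expiry of a finite window measured from krbLastFailedAuth) are this example's own assumptions, not something the thread states.

```python
# Added example (not from the thread or from FreeIPA): parse `ldapsearch -xLLL`
# output and replay the lockout decision quoted from ipa_lockout.c.
import base64
from datetime import datetime, timedelta, timezone

LDAP_SUCCESS = 0
LDAP_UNWILLING_TO_PERFORM = 53

# Time at which the bind is evaluated (assumed; the thread's own timestamp).
NOW = datetime(2012, 10, 17, 16, 54, 16, tzinfo=timezone.utc)

# Constructed sample of what `ldapsearch -xLLL -D "cn=directory manager" -W`
# might return for a user and its password policy. The policy deliberately
# has no krbPwdLockoutDuration; the `::` line exercises ldapsearch's base64
# form and the folded line exercises LDIF continuation. Base DN is assumed.
SAMPLE_LDIF = """\
dn: uid=asteinfeld,cn=users,cn=accounts,dc=example,dc=com
uid: asteinfeld
krbLoginFailedCount: 6
krbLastFailedAuth: 20121017150000Z
krbPwdPolicyReference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,
 dc=com

dn: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
cn:: Z2xvYmFsX3BvbGljeQ==
krbMaxPwdFailure: 6
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attr_lowercase: [values]} dicts.
    Unfolds continuation lines (leading space) and decodes `attr:: base64`."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, cur = [], {}
    for line in unfolded:
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        cur.setdefault(attr.strip().lower(), []).append(value)
    if cur:
        entries.append(cur)
    return entries


def get_uint(entry, attr):
    """Mirror slapi_entry_attr_get_uint(): a missing attribute reads as 0,
    which is why a policy with no krbPwdLockoutDuration locks permanently."""
    values = entry.get(attr.lower())
    return int(values[0]) if values else 0


def parse_gtime(value):
    """LDAP GeneralizedTime (e.g. 20121017150000Z) to an aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def check_lockout(policy, user, now=NOW):
    """Return (ldap_result_code, message) for a bind by `user` under `policy`.
    The duration == 0 branch is the one quoted from ipa_lockout.c above; the
    surrounding checks (failure count against krbMaxPwdFailure, expiry of a
    finite window since krbLastFailedAuth) are this example's assumptions."""
    max_fail = get_uint(policy, "krbMaxPwdFailure")
    failed = get_uint(user, "krbLoginFailedCount")
    if max_fail == 0 or failed < max_fail:
        return LDAP_SUCCESS, "not locked"
    lockout_duration = get_uint(policy, "krbPwdLockoutDuration")
    if lockout_duration == 0:
        return LDAP_UNWILLING_TO_PERFORM, "Entry permanently locked."
    last_failed = user.get("krblastfailedauth")
    if last_failed and now < parse_gtime(last_failed[0]) + timedelta(seconds=lockout_duration):
        return LDAP_UNWILLING_TO_PERFORM, "Too many failed logins."
    return LDAP_SUCCESS, "lockout window expired"


def evaluate(ldif_text, uid, now=NOW):
    """Find the user and the policy it references in an LDIF dump and decide."""
    by_dn = {e["dn"][0].lower(): e for e in parse_ldif(ldif_text)}
    user = next(e for e in by_dn.values() if e.get("uid") == [uid])
    policy = by_dn[user["krbpwdpolicyreference"][0].lower()]
    return check_lockout(policy, user, now)


if __name__ == "__main__":
    print(evaluate(SAMPLE_LDIF, "asteinfeld"))
```

Run it against a real dump by replacing SAMPLE_LDIF with the output of the ldapsearch from the message above (search for both the user and its krbPwdPolicyReference target). If the result is (53, "Entry permanently locked.") while the policy does carry a non-zero krbPwdLockoutDuration, the attribute is being read from a different policy entry than the one you expect.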