[Freeipa-users] Sudo works for full access, but not on a per command or host level.

Rich Megginson rmeggins at redhat.com
Wed Oct 17 19:18:22 UTC 2012


On 10/17/2012 12:49 PM, Macklin, Jason wrote:
> ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D "cn=directory manager" -W -b "dc=dbr,dc=roche,dc=com" uid=asteinfeld \*
<snip>
>
> dn: uid=asteinfeld,cn=users,cn=accounts,dc=dbr,dc=roche,dc=com
...snip...
> krbPrincipalName: asteinfeld at DBR.ROCHE.COM
> krbPasswordExpiration: 20130324201805Z
> krbLastPwdChange: 20120925201805Z
> krbLoginFailedCount: 0
> krbLastSuccessfulAuth: 20121017184614Z
> krbTicketFlags: 128
> krbLastFailedAuth: 20121015143818Z

No krbPwdLockoutDuration attribute - so according to ipalockout_preop() 
this means the "Entry permanently locked".  Not sure why.
>
> [jmacklin at dbduwdu062 Desktop]$ ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D "cn=directory manager" -W -b "dc=dbr,dc=roche,dc=com" uid=jmacklin \*
> Enter LDAP Password:
> dn: uid=jmacklin,cn=users,cn=compat,dc=dbr,dc=roche,dc=com
> objectClass: posixAccount
> objectClass: top
> gecos: Jason Macklin
> cn: Jason Macklin
> uidNumber: 2084
> gidNumber: 2084
> loginShell: /bin/bash
> homeDirectory: /home2/jmacklin
> uid: jmacklin
>
> dn: uid=jmacklin,cn=users,cn=accounts,dc=dbr,dc=roche,dc=com
> displayName: Jason Macklin
> cn: Jason Macklin
> objectClass: top
> objectClass: person
> objectClass: organizationalperson
> objectClass: inetorgperson
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: krbprincipalaux
> objectClass: krbticketpolicyaux
> objectClass: ipaobject
> objectClass: mepOriginEntry
> loginShell: /bin/bash
> sn: Macklin
> gecos: Jason Macklin
> homeDirectory: /home2/jmacklin
> krbPwdPolicyReference: cn=global_policy,cn=DBR.ROCHE.COM,cn=kerberos,dc=dbr,dc
>   =roche,dc=com
> krbPrincipalName: jmacklin at DBR.ROCHE.COM
> givenName: Jason
> uid: jmacklin
> initials: JM
> uidNumber: 2084
> gidNumber: 2084
> ipaUniqueID: 045652b4-8e3c-11e1-831f-005056bb0010
> mepManagedEntry: cn=jmacklin,cn=groups,cn=accounts,dc=dbr,dc=roche,dc=com
> memberOf: cn=admins,cn=groups,cn=accounts,dc=dbr,dc=roche,dc=com
> memberOf: cn=Replication Administrators,cn=privileges,cn=pbac,dc=dbr,dc=roche,
>   dc=com
> memberOf: cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=dbr,dc=roche
>   ,dc=com
> memberOf: cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=dbr,dc=ro
>   che,dc=com
> memberOf: cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=dbr,dc=ro
>   che,dc=com
> memberOf: cn=Host Enrollment,cn=privileges,cn=pbac,dc=dbr,dc=roche,dc=com
> memberOf: cn=Manage host keytab,cn=permissions,cn=pbac,dc=dbr,dc=roche,dc=com
> memberOf: cn=Enroll a host,cn=permissions,cn=pbac,dc=dbr,dc=roche,dc=com
> memberOf: cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=dbr,dc=r
>   oche,dc=com
> memberOf: cn=Unlock user accounts,cn=permissions,cn=pbac,dc=dbr,dc=roche,dc=co
>   m
> memberOf: cn=Manage service keytab,cn=permissions,cn=pbac,dc=dbr,dc=roche,dc=c
>   om
> memberOf: cn=dbr,cn=groups,cn=accounts,dc=dbr,dc=roche,dc=com
> memberOf: ipaUniqueID=23216c12-9934-11e1-bd4c-005056bb0010,cn=sudorules,cn=sud
>   o,dc=dbr,dc=roche,dc=com
> krbLastFailedAuth: 20121017164159Z
> krbPrincipalKey:: MIIC4qADAgEBoQMCAQGiAwIBBaMDAgEBpIICyjCCAsYwbaAgMB6gAwIBAKEX
>   BBVEQlIuUk9DSEUuQ09Nam1hY2tsaW6hSTBHoAMCARKhQAQ+IACOG0H0Ebd8nSSY6zU3Y29ZHtQ9a
>   sC2QJFL/lnbaFO1DYG15WjJYXnJ7k3m0LN0aTyjvz7FN4OWMF4tvvowXaAgMB6gAwIBAKEXBBVEQl
>   IuUk9DSEUuQ09Nam1hY2tsaW6hOTA3oAMCARGhMAQuEAD6UdNSe/mp8qqi4OuT7HOqIs80DFQDRny
>   37aZaD4lYrFsnQiBtpnpMnNSxADBloCAwHqADAgEAoRcEFURCUi5ST0NIRS5DT01qbWFja2xpbqFB
>   MD+gAwIBEKE4BDYYADAQZLDW61U+4aEZT4b+/X/OpiQLHTQlyIUolm9EjVG4wXu+8Mn4lMYMZyR/F
>   Gw6NWeeq1kwXaAgMB6gAwIBAKEXBBVEQlIuUk9DSEUuQ09Nam1hY2tsaW6hOTA3oAMCARehMAQuEA
>   CiWDGd28XkiaDAwpGyK0MqSawLCXs+jKOFAA5BoSpayVTJJqjzAwSEitSu5zBVoCAwHqADAgEAoRc
>   EFURCUi5ST0NIRS5DT01qbWFja2xpbqExMC+gAwIBCKEoBCYIAKL5bzV4nQide/+6/2FE5LxYGULv
>   8Ws/Uu0RXrwAnR8/ZuUh0TBVoCAwHqADAgEAoRcEFURCUi5ST0NIRS5DT01qbWFja2xpbqExMC+gA
>   wIBA6EoBCYIANgV0agxRmfBwY2Cb7gPlm1oWDY5qhZidd8a0KmeIlBG56XLZjAzoTEwL6ADAgEBoS
>   gEJggAo/BQC7g4SWQY0UkU7rvoOAXwobVlAZn8mesgQEznRDr2+bxjME2gGDAWoAMCAQWhDwQNREJ
>   SLlJPQ0hFLkNPTaExMC+gAwIBAaEoBCYIAMDDcwjYU6jLJTnE+Lzs0Ulxgf4FDEnTRXTjfJBqXIJb
>   R5aBPg==
> krbLastPwdChange: 20120809140419Z
> krbPasswordExpiration: 20130205140419Z
> userPassword:: e1NTSEF9a0NXcUxTc1JOQ2tEUVlLVVF4VTdJLzh1TXREVnBWZjlnMWRxa0E9PQ=
>   =
> krbExtraData:: AAJjwyNQa2FkbWluZEBEQlIuUk9DSEUuQ09NAA==
> krbLastSuccessfulAuth: 20121017184444Z
> krbLoginFailedCount: 0
> krbTicketFlags: 128
>
> So with all of that output, I would like to mention the discrepancy with ldap.conf.  Just trying to get any "sudo" working on RHEL 6.3 was problematic until I stumbled upon a post that mentioned creating/editing /etc/sudo-ldap.conf rather than /etc/ldap.conf or /etc/openldap/ldap.conf.  If I remove the /etc/sudo-ldap.conf then I have no sudo capabilities at all.
>
> -----Original Message-----
> From: Rich Megginson [mailto:rmeggins at redhat.com]
> Sent: Wednesday, October 17, 2012 2:06 PM
> To: Macklin, Jason {DASB~Branford}
> Cc: rcritten at redhat.com; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.
>
> On 10/17/2012 11:51 AM, Macklin, Jason wrote:
>> I assume that this iteration was with the correct credentials as it responds with something other than "Invalid Credentials"
>>
>> ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D "cn=directory manager" -W uid=asteinfeld \* krbPwdLockoutDuration ?
>> Enter LDAP Password:
>> No such object (32)
>>
>> Working account returns same thing...
>>
>> ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D "cn=directory manager" -W uid=jmacklin \* krbPwdLockoutDuration ?
>> Enter LDAP Password:
>> No such object (32)
> Sorry, I thought ipa would have configured your /etc/openldap/ldap.conf with your base dn.  Try this:
>
> ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D "cn=directory manager" -W -b "dc=dbr,dc=roche,dc=com" uid=jmacklin \*
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>> Sent: Wednesday, October 17, 2012 1:37 PM
>> To: Macklin, Jason {DASB~Branford}
>> Cc: rmeggins at redhat.com; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.
>>
>> Macklin, Jason wrote:
>>> ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D "cn=directory manager" -W uid=asteinfeld \* krbPwdLockoutDuration ?
>>> Enter LDAP Password:
>>> ldap_bind: Invalid credentials (49)
>>>
>>> I know this user password because I reset it for the purpose of troubleshooting this issue with that account. I also get the same response when I use the admin account of my own account.
>> You use the password of the user you are binding as, in this case the directory manager.
>>
>> rob
>>
>>> -----Original Message-----
>>> From: Rich Megginson [mailto:rmeggins at redhat.com]
>>> Sent: Wednesday, October 17, 2012 1:15 PM
>>> To: Macklin, Jason {DASB~Branford}
>>> Cc: simo at redhat.com; freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.
>>>
>>> On 10/17/2012 11:13 AM, Macklin, Jason wrote:
>>>> None of my users have an LDAP password being requested by running that command (except the admin user).
>>>>
>>>> Does each user account require an ldap account to go along with their login account?  I just get the following over and over no matter which account I switch in the command...
>>>>
>>>> [jmacklin at dbduwdu062 Desktop]$ ldapsearch -xLLL -D "cn=directory manager" -W uid=admin \* krbPwdLockoutDuration ?
>>>> Enter LDAP Password:
>>>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>>> [jmacklin at dbduwdu062 Desktop]$ ldapsearch -xLLL -D "cn=directory manager" -W uid=asteinfeld \* krbPwdLockoutDuration ?
>>>> Enter LDAP Password:
>>>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>>> [jmacklin at dbduwdu062 Desktop]$ ldapsearch -xLLL -D "cn=directory manager" -W uid=jmacklin \* krbPwdLockoutDuration ?
>>>> Enter LDAP Password:
>>>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>> You have to specify which server to talk to using the -H ldap://fqdn.of.host option.
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
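The reply above reasons about lockout from the attributes in the ldapsearch dump (krbLoginFailedCount, krbLastFailedAuth, and the absence of krbPwdLockoutDuration). The following is an added example, not code from the thread or from FreeIPA: it parses ldapsearch -LLL output (LDIF, including folded continuation lines and base64 `::` values, both of which appear in the dump above) and summarises a user's lockout state. The data is constructed, and the lockout model it applies is an assumption for illustration: an account counts as locked when krbLoginFailedCount reaches the policy's krbMaxPwdFailure, a missing or zero krbPwdLockoutDuration means the lock does not expire by itself, and otherwise the lock expires krbPwdLockoutDuration seconds after krbLastFailedAuth. The policy is looked up through the user's krbPwdPolicyReference; the policy attribute names are assumed.

```python
"""Parse ldapsearch -LLL (LDIF) output and summarise a user's Kerberos
lockout state.  Added example with constructed data; the lockout model
applied here is an assumption, not FreeIPA's plugin logic."""
import base64
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the ldapsearch -LLL output: a password
# policy entry plus a user entry that references it.  The policy attribute
# names (krbMaxPwdFailure, krbPwdLockoutDuration) are assumed for this example.
# LDIF folds long values onto continuation lines that start with one space.
PW_B64 = base64.b64encode(b"{SSHA}placeholder-hash").decode()
USER_DN = "uid=alice,cn=users,cn=accounts,dc=example,dc=test"
SAMPLE_LDIF = (
    "dn: cn=global_policy,cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test\n"
    "objectClass: krbpwdpolicy\n"
    "krbMaxPwdFailure: 5\n"
    "krbPwdLockoutDuration: 600\n"
    "\n"
    "dn: " + USER_DN + "\n"
    "objectClass: krbprincipalaux\n"
    "krbPrincipalName: alice@EXAMPLE.TEST\n"
    "krbPwdPolicyReference: cn=global_policy,cn=EXAMPLE.TEST,cn=kerberos,dc=exampl\n"
    " e,dc=test\n"
    "krbLoginFailedCount: 6\n"
    "krbLastFailedAuth: 20121017164159Z\n"
    "userPassword:: " + PW_B64 + "\n"
)


def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attribute name ->
    list of values.  Continuation lines (leading space) are joined to the
    previous line; 'attr:: value' is base64-decoded to bytes."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    return entries


def parse_gen_time(value):
    """LDAP GeneralizedTime as printed by ldapsearch: YYYYmmddHHMMSSZ (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def lockout_state(user, policy, now):
    """Apply the assumed lockout model described in the lead-in."""
    failures = int(user.get("krbloginfailedcount", ["0"])[0])
    max_fail = int(policy.get("krbmaxpwdfailure", ["0"])[0])
    if max_fail == 0 or failures < max_fail:
        return "not locked"
    duration = policy.get("krbpwdlockoutduration")
    if not duration or int(duration[0]) == 0:
        return "locked until an admin unlocks"
    last = user.get("krblastfailedauth")
    if not last:
        return "locked (no krbLastFailedAuth to expire from)"
    until = parse_gen_time(last[0]) + timedelta(seconds=int(duration[0]))
    return "locked" if now < until else "lock expired"


def diagnose(ldif_text, user_dn, now_gentime):
    """Summarise the lockout state of user_dn from an LDIF dump that also
    contains the policy entry named by the user's krbPwdPolicyReference.
    DNs are compared case-insensitively."""
    entries = {e["dn"][0].lower(): e for e in parse_ldif(ldif_text)}
    user = entries[user_dn.lower()]
    policy_ref = user.get("krbpwdpolicyreference", [""])[0].lower()
    policy = entries.get(policy_ref, {})
    return lockout_state(user, policy, parse_gen_time(now_gentime))


if __name__ == "__main__":
    now = datetime.now(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    print(diagnose(SAMPLE_LDIF, USER_DN, now))
```

To use it on a real dump, pipe `ldapsearch -xLLL ... -b "<base dn>" uid=<user>` output plus the referenced policy entry into `diagnose()`; the parser's folding and base64 handling are the parts that usually trip up ad-hoc grep-based checks, since a folded DN or a `::` attribute never matches a one-line pattern.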