[Freeipa-users] Sudo works for full access, but not on a per command or host level.

Rob Crittenden rcritten at redhat.com
Wed Oct 17 19:26:41 UTC 2012


Rich Megginson wrote:
> On 10/17/2012 12:49 PM, Macklin, Jason wrote:
>> ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D "cn=directory
>> manager" -W -b "dc=dbr,dc=roche,dc=com" uid=asteinfeld \*
> <snip>
>>
>> dn: uid=asteinfeld,cn=users,cn=accounts,dc=dbr,dc=roche,dc=com
> ...snip...
>> krbPrincipalName: asteinfeld at DBR.ROCHE.COM
>> krbPasswordExpiration: 20130324201805Z
>> krbLastPwdChange: 20120925201805Z
>> krbLoginFailedCount: 0
>> krbLastSuccessfulAuth: 20121017184614Z
>> krbTicketFlags: 128
>> krbLastFailedAuth: 20121015143818Z
>
> No krbPwdLockoutDuration attribute - so according to ipalockout_preop()
> this means the "Entry permanently locked".  Not sure why.

I don't believe this applies if the attribute doesn't exist. It doesn't 
for any of my test users and it works fine.

>>
>> [jmacklin at dbduwdu062 Desktop]$ ldapsearch -xLLL -H
>> ldap://dbduvdu145.dbr.roche.com -D "cn=directory manager" -W -b
>> "dc=dbr,dc=roche,dc=com" uid=jmacklin \*
>> Enter LDAP Password:
>> dn: uid=jmacklin,cn=users,cn=compat,dc=dbr,dc=roche,dc=com
>> objectClass: posixAccount
>> objectClass: top
>> gecos: Jason Macklin
>> cn: Jason Macklin
>> uidNumber: 2084
>> gidNumber: 2084
>> loginShell: /bin/bash
>> homeDirectory: /home2/jmacklin
>> uid: jmacklin
>>
>> dn: uid=jmacklin,cn=users,cn=accounts,dc=dbr,dc=roche,dc=com
>> displayName: Jason Macklin
>> cn: Jason Macklin
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalperson
>> objectClass: inetorgperson
>> objectClass: inetuser
>> objectClass: posixaccount
>> objectClass: krbprincipalaux
>> objectClass: krbticketpolicyaux
>> objectClass: ipaobject
>> objectClass: mepOriginEntry
>> loginShell: /bin/bash
>> sn: Macklin
>> gecos: Jason Macklin
>> homeDirectory: /home2/jmacklin
>> krbPwdPolicyReference:
>> cn=global_policy,cn=DBR.ROCHE.COM,cn=kerberos,dc=dbr,dc
>>   =roche,dc=com
>> krbPrincipalName: jmacklin at DBR.ROCHE.COM
>> givenName: Jason
>> uid: jmacklin
>> initials: JM
>> uidNumber: 2084
>> gidNumber: 2084
>> ipaUniqueID: 045652b4-8e3c-11e1-831f-005056bb0010
>> mepManagedEntry: cn=jmacklin,cn=groups,cn=accounts,dc=dbr,dc=roche,dc=com
>> memberOf: cn=admins,cn=groups,cn=accounts,dc=dbr,dc=roche,dc=com
>> memberOf: cn=Replication
>> Administrators,cn=privileges,cn=pbac,dc=dbr,dc=roche,
>>   dc=com
>> memberOf: cn=Add Replication
>> Agreements,cn=permissions,cn=pbac,dc=dbr,dc=roche
>>   ,dc=com
>> memberOf: cn=Modify Replication
>> Agreements,cn=permissions,cn=pbac,dc=dbr,dc=ro
>>   che,dc=com
>> memberOf: cn=Remove Replication
>> Agreements,cn=permissions,cn=pbac,dc=dbr,dc=ro
>>   che,dc=com
>> memberOf: cn=Host Enrollment,cn=privileges,cn=pbac,dc=dbr,dc=roche,dc=com
>> memberOf: cn=Manage host
>> keytab,cn=permissions,cn=pbac,dc=dbr,dc=roche,dc=com
>> memberOf: cn=Enroll a host,cn=permissions,cn=pbac,dc=dbr,dc=roche,dc=com
>> memberOf: cn=Add krbPrincipalName to a
>> host,cn=permissions,cn=pbac,dc=dbr,dc=r
>>   oche,dc=com
>> memberOf: cn=Unlock user
>> accounts,cn=permissions,cn=pbac,dc=dbr,dc=roche,dc=co
>>   m
>> memberOf: cn=Manage service
>> keytab,cn=permissions,cn=pbac,dc=dbr,dc=roche,dc=c
>>   om
>> memberOf: cn=dbr,cn=groups,cn=accounts,dc=dbr,dc=roche,dc=com
>> memberOf:
>> ipaUniqueID=23216c12-9934-11e1-bd4c-005056bb0010,cn=sudorules,cn=sud
>>   o,dc=dbr,dc=roche,dc=com
>> krbLastFailedAuth: 20121017164159Z
>> krbPrincipalKey::
>> krbLastPwdChange: 20120809140419Z
>> krbPasswordExpiration: 20130205140419Z
>> userPassword::
>> e1NTSEF9a0NXcUxTc1JOQ2tEUVlLVVF4VTdJLzh1TXREVnBWZjlnMWRxa0E9PQ=
>>   =
>> krbExtraData:: AAJjwyNQa2FkbWluZEBEQlIuUk9DSEUuQ09NAA==
>> krbLastSuccessfulAuth: 20121017184444Z
>> krbLoginFailedCount: 0
>> krbTicketFlags: 128
>>
>> So with all of that output, I would like to mention the discrepancy
>> with ldap.conf.  Just trying to get any "sudo" working on RHEL 6.3 was
>> problematic until I stumbled upon a post that mentioned
>> creating/editing /etc/sudo-ldap.conf rather than /etc/ldap.conf or
>> /etc/openldap/ldap.conf.  If I remove the /etc/sudo-ldap.conf then I
>> have no sudo capabilities at all.
>>
>> -----Original Message-----
>> From: Rich Megginson [mailto:rmeggins at redhat.com]
>> Sent: Wednesday, October 17, 2012 2:06 PM
>> To: Macklin, Jason {DASB~Branford}
>> Cc: rcritten at redhat.com; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Sudo works for full access, but not on a
>> per command or host level.
>>
>> On 10/17/2012 11:51 AM, Macklin, Jason wrote:
>>> I assume that this iteration was with the correct credentials as it
>>> responds with something other than "Invalid Credentials"
>>>
>>> ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D "cn=directory
>>> manager" -W uid=asteinfeld \* krbPwdLockoutDuration ?
>>> Enter LDAP Password:
>>> No such object (32)
>>>
>>> Working account returns same thing...
>>>
>>> ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D "cn=directory
>>> manager" -W uid=jmacklin \* krbPwdLockoutDuration ?
>>> Enter LDAP Password:
>>> No such object (32)
>> Sorry, I thought ipa would have configured your /etc/openldap/ldap.conf
>> with your base dn.  Try this:
>>
>> ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D "cn=directory
>> manager" -W -b "dc=dbr,dc=roche,dc=com" uid=jmacklin \*
>>> -----Original Message-----
>>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>>> Sent: Wednesday, October 17, 2012 1:37 PM
>>> To: Macklin, Jason {DASB~Branford}
>>> Cc: rmeggins at redhat.com; freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Sudo works for full access, but not on a
>>> per command or host level.
>>>
>>> Macklin, Jason wrote:
>>>> ldapsearch -xLLL -H ldap://dbduvdu145.dbr.roche.com -D "cn=directory
>>>> manager" -W uid=asteinfeld \* krbPwdLockoutDuration ?
>>>> Enter LDAP Password:
>>>> ldap_bind: Invalid credentials (49)
>>>>
>>>> I know this user password because I reset it for the purpose of
>>>> troubleshooting this issue with that account. I also get the same
>>>> response when I use the admin account of my own account.
>>> You use the password of the user you are binding as, in this case the
>>> directory manager.
>>>
>>> rob
>>>
>>>> -----Original Message-----
>>>> From: Rich Megginson [mailto:rmeggins at redhat.com]
>>>> Sent: Wednesday, October 17, 2012 1:15 PM
>>>> To: Macklin, Jason {DASB~Branford}
>>>> Cc: simo at redhat.com; freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] Sudo works for full access, but not on
>>>> a per command or host level.
>>>>
>>>> On 10/17/2012 11:13 AM, Macklin, Jason wrote:
>>>>> None of my users have an LDAP password being requested by running
>>>>> that command (except the admin user).
>>>>>
>>>>> Does each user account require an ldap account to go along with
>>>>> their login account?  I just get the following over and over no
>>>>> matter which account I switch in the command...
>>>>>
>>>>> [jmacklin at dbduwdu062 Desktop]$ ldapsearch -xLLL -D "cn=directory
>>>>> manager" -W uid=admin \* krbPwdLockoutDuration ?
>>>>> Enter LDAP Password:
>>>>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>>>> [jmacklin at dbduwdu062 Desktop]$ ldapsearch -xLLL -D "cn=directory
>>>>> manager" -W uid=asteinfeld \* krbPwdLockoutDuration ?
>>>>> Enter LDAP Password:
>>>>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>>>> [jmacklin at dbduwdu062 Desktop]$ ldapsearch -xLLL -D "cn=directory
>>>>> manager" -W uid=jmacklin \* krbPwdLockoutDuration ?
>>>>> Enter LDAP Password:
>>>>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>>> You have to specify which server to talk to using the -H
>>>> ldap://fqdn.of.host option.
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>