[Freeipa-users] Sudo not working

Bret Wortman bret.wortman at damascusgrp.com
Wed Oct 31 18:10:47 UTC 2012


F17.

On Wed, Oct 31, 2012 at 2:04 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Bret Wortman wrote:
>
>> I had enabled debugging of sudo but am not clear on where that debugging
>> is going. It's not stdout, and I'm not seeing anything in
>> /var/log/messages.
>>
>> I'll try switching to SSS and see what that gets me.
>>
>
> What distro is this? If it is RHEL 6.3 then put the configuration into
> /etc/sudo-ldap.conf instead of /etc/nslcd. The docs are incorrect (we are
> working on getting them fixed).
>
> rob
>
>
>>
>> On Wed, Oct 31, 2012 at 1:33 PM, Stephen Gallagher <sgallagh at redhat.com> wrote:
>>
>>     On Wed 31 Oct 2012 11:53:15 AM EDT, Bret Wortman wrote:
>>
>>         I'm pretty certain there's a painfully simple solution to this that
>>         I'm not seeing, but my current configuration isn't picking up the
>>         freeipa sudoer rule that I've set.
>>
>>         /etc/nsswitch.conf specifies:
>>           sudoers:    files ldap
>>
>>         /etc/nslcd.conf contains:
>>
>>         binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
>>
>>         bindpw password
>>
>>         ssl start_tls
>>         tls_cacertfile /etc/ipa/ca.crt
>>         tls_checkpeer yes
>>
>>         bind_timelimit 5
>>         timelimit 15
>>
>>         uri ldap://fs1.wedgeofli.me
>>
>>         sudoers_base ou=SUDOers,dc=wedgeofli,dc=me
>>
>>
>>         The sssd_DOMAIN.log file contains this when I try to sudo:
>>
>>
>>     <snip>
>>
>>     The SSSD logs aren't showing anything wrong because they have
>>     nothing to do with the execution of the SUDO rules in this
>>     situation. All the SSSD is doing is verifying the authentication
>>     (when sudo prompts you for your password).
>>
>>     The problem with the rule is most likely happening inside SUDO
>>     itself. When you specify 'sudoers: files, ldap' in nsswitch.conf,
>>     it's telling SUDO to use its own internal LDAP driver to look up the
>>     rules. So you need to check sudo logs to see what's happening
>>     (probably you will need to enable debug logging in /etc/sudo.conf).
>>
>>     Recent versions of SUDO (1.8.6 and later) have support for setting
>>     'sudoers: files, sss' in nsswitch.conf which DOES use SSSD (1.9.0
>>     and later) for lookups (and caching) of sudo rules.
>>
>>
>>
>>
>> --
>> Bret Wortman
>> The Damascus Group
>> Fairfax, VA
>> http://bretwortman.com/
>> http://twitter.com/BretWortman
>>
>>
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>


-- 
Bret Wortman
The Damascus Group
Fairfax, VA
http://bretwortman.com/
http://twitter.com/BretWortman
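An added check, written for this thread and not taken from any of its participants, for the point Stephen makes above: the `sudoers:` line in nsswitch.conf decides whether sudo's own LDAP driver or SSSD answers rule lookups, so it also decides which log and config file are worth looking at, and the `sss` source needs sudo 1.8.6 or later. The nsswitch.conf contents and the `sudo -V` banner are constructed samples; the "component:file" strings the helper prints are an assumption chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): map the sudoers: line of nsswitch.conf
# to the component that resolves sudo rules, and check whether the installed
# sudo is new enough for the sss source. Inputs are constructed samples.

# Print the sources on the sudoers: line of an nsswitch.conf file ($1),
# space separated, with comments and commas stripped.
sudoers_sources() {
    sed -n 's/#.*//; s/^[[:space:]]*sudoers[[:space:]]*:[[:space:]]*//p' "$1" \
        | tr ',' ' '
}

# First non-"files" source decides who answers the lookup:
#   ldap -> sudo's internal LDAP driver (debug via /etc/sudo.conf; on RHEL the
#           connection settings belong in /etc/sudo-ldap.conf)
#   sss  -> SSSD (sssd_DOMAIN.log is then the relevant log)
# The "component:file" output format is an assumption for this example.
sudo_rule_backend() {
    for src in $(sudoers_sources "$1"); do
        case "$src" in
            ldap) echo "sudo-ldap:/etc/sudo-ldap.conf"; return 0 ;;
            sss)  echo "sssd:sssd_DOMAIN.log"; return 0 ;;
        esac
    done
    echo "files:/etc/sudoers"
}

# Return 0 if dotted version $1 >= $2; a trailing "pN" patch level is ignored.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/p[0-9]+$/, "", a); sub(/p[0-9]+$/, "", b)
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Given the first line of `sudo -V` (e.g. "Sudo version 1.8.6p3"), return 0
# when this sudo can take "sss" as a sudoers source (1.8.6 and later).
sudo_supports_sss() {
    v=$(printf '%s\n' "$1" \
        | sed -n 's/^Sudo version \([0-9][0-9.]*p\{0,1\}[0-9]*\).*/\1/p')
    [ -n "$v" ] && version_ge "$v" 1.8.6
}
```

Run `sudo_rule_backend /etc/nsswitch.conf` and `sudo_supports_sss "$(sudo -V | head -n 1)"` on a host to see which side of the thread's advice applies to it.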