[Freeipa-users] Sudo not working
Rob Crittenden
rcritten at redhat.com
Wed Oct 31 18:20:00 UTC 2012
Bret Wortman wrote:
> F17.
I think you want /etc/ldap.conf then. The easiest way to be sure the
right file is being used is to add sudoers_debug 1 to the file. This
will present a lot of extra output so you'll know the file is being read.
rob
>
> On Wed, Oct 31, 2012 at 2:04 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Bret Wortman wrote:
>
> I had enabled debugging of sudo but am not clear on where that debugging
> is going. It's not stdout, and I'm not seeing anything in /var/log/messages.
>
> I'll try switching to SSS and see what that gets me.
>
>
> What distro is this? If it is RHEL 6.3 then put the configuration into
> /etc/sudo-ldap.conf instead of /etc/nslcd. The docs are incorrect (we are
> working on getting them fixed).
>
> rob
>
>
>
> On Wed, Oct 31, 2012 at 1:33 PM, Stephen Gallagher <sgallagh at redhat.com> wrote:
>
> On Wed 31 Oct 2012 11:53:15 AM EDT, Bret Wortman wrote:
>
> I'm pretty certain there's a painfully simple solution to this that I'm
> not seeing, but my current configuration isn't picking up the freeipa
> sudoer rule that I've set.
>
> /etc/nsswitch.conf specifies:
> sudoers: files ldap
>
> /etc/nslcd.conf contains:
>
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
>
> bindpw password
>
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
>
> bind_timelimit 5
> timelimit 15
>
> uri ldap://fs1.wedgeofli.me
>
> sudoers_base ou=SUDOers,dc=wedgeofli,dc=me
>
>
> The sssd_DOMAIN.log file contains this when I try to sudo:
>
>
> <snip>
>
> The SSSD logs aren't showing anything wrong because they have nothing to
> do with the execution of the SUDO rules in this situation. All the SSSD is
> doing is verifying the authentication (when sudo prompts you for your
> password).
>
> The problem with the rule is most likely happening inside SUDO itself.
> When you specify 'sudoers: files, ldap' in nsswitch.conf, it's telling
> SUDO to use its own internal LDAP driver to look up the rules. So you need
> to check sudo logs to see what's happening (probably you will need to
> enable debug logging in /etc/sudo.conf).
>
> Recent versions of SUDO (1.8.6 and later) have support for setting
> 'sudoers: files, sss' in nsswitch.conf which DOES use SSSD (1.9.0 and
> later) for lookups (and caching) of sudo rules.
>
>
>
>
> --
> Bret Wortman
> The Damascus Group
> Fairfax, VA
> http://bretwortman.com/
> http://twitter.com/BretWortman
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
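A small diagnostic for the situation discussed in this thread, added here as an example and not taken from any of the messages: it reports whether nsswitch.conf routes sudoers lookups to sudo's built-in LDAP driver and whether the file that driver reads (its path is passed in, since the replies above put it at /etc/sudo-ldap.conf on RHEL 6.3 and /etc/ldap.conf on F17) actually holds the uri and sudoers_base settings, which is what goes missing when they are written to nslcd.conf instead.

```shell
#!/bin/sh
# Added example, not from any message in this thread: check whether
# nsswitch.conf hands "sudoers" lookups to sudo's own LDAP driver and
# whether the file that driver reads actually carries the LDAP settings
# (the thread's problem: they were written to nslcd.conf instead).
# Both file paths are passed in, since the sudo LDAP config path differs
# between distributions; nothing here is read from the live system.

# Print the sources on the "sudoers:" line of nsswitch.conf, space separated.
sudoers_sources() {
    sed -n 's/^[[:space:]]*sudoers:[[:space:]]*//p' "$1" | head -n 1 | tr ',\t' '  '
}

# Print the value of one key ("uri", "sudoers_base", ...) from a sudo LDAP
# config file; prints nothing if the key or the file is absent.
ldap_conf_value() {
    # $1 = config file, $2 = key
    grep -E "^[[:space:]]*$2[[:space:]]+" "$1" 2>/dev/null \
        | head -n 1 | sed -E "s/^[[:space:]]*$2[[:space:]]+//"
}

# Returns 0 when nsswitch.conf ($1) lists "ldap" for sudoers and the sudo
# LDAP config ($2) has the keys the driver needs, 1 when a key is missing,
# 2 when ldap is not a sudoers source at all (sudo never opens $2 then).
sudo_ldap_check() {
    nss="$1"; conf="$2"; rc=0
    case " $(sudoers_sources "$nss") " in
        *" ldap "*) ;;
        *) echo "$nss: ldap is not a sudoers source"; return 2 ;;
    esac
    for key in uri sudoers_base; do
        if [ -z "$(ldap_conf_value "$conf" "$key")" ]; then
            echo "$conf: missing '$key' (sudo's LDAP driver reads this file, not nslcd.conf)"
            rc=1
        fi
    done
    # sudoers_debug 1 makes sudo print what it reads, confirming the file is used.
    if [ -z "$(ldap_conf_value "$conf" sudoers_debug)" ]; then
        echo "$conf: add 'sudoers_debug 1' to confirm sudo is reading this file"
    fi
    return $rc
}
```

Run it as `sudo_ldap_check /etc/nsswitch.conf /etc/sudo-ldap.conf` (or /etc/ldap.conf) from a shell that has sourced the file; a non-zero exit names the missing key.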