[Freeipa-users] Sudo not working

Rob Crittenden rcritten at redhat.com
Wed Oct 31 18:39:28 UTC 2012


Bret Wortman wrote:
> [root at fs1 etc]# more /etc/ldap.conf
> sudoers_debug: 1
> [root at fs1 etc]# ls -l /etc/ldap.conf
> -rw-r--r--. 1 root root 17 Oct 19 14:54 /etc/ldap.conf
>
> Where should I see the extra output? I've had this set since last Friday
> and I'm not seeing any difference.

Move the contents of /etc/nslcd.conf to this file and add ldap to 
sudoers in /etc/nsswitch.conf.

rob

>
> On Wed, Oct 31, 2012 at 2:20 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>     Bret Wortman wrote:
>
>         F17.
>
>
>     I think you want /etc/ldap.conf then. The easiest way to be sure the
>     right file is being used is to add sudoers_debug 1 to the file. This
>     will present a lot of extra output so you'll know the file is being
>     read.
>
>     rob
>
>
>         On Wed, Oct 31, 2012 at 2:04 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>              Bret Wortman wrote:
>
>                  I had enabled debugging of sudo but am not clear on where that
>                  debugging is going. It's not stdout, and I'm not seeing anything in
>                  /var/log/messages.
>
>                  I'll try switching to SSS and see what that gets me.
>
>
>              What distro is this? If it is RHEL 6.3 then put the configuration
>              into /etc/sudo-ldap.conf instead of /etc/nslcd. The docs are
>              incorrect (we are working on getting them fixed).
>
>              rob
>
>
>
>                  On Wed, Oct 31, 2012 at 1:33 PM, Stephen Gallagher <sgallagh at redhat.com> wrote:
>
>                       On Wed 31 Oct 2012 11:53:15 AM EDT, Bret Wortman wrote:
>
>                           I'm pretty certain there's a painfully simple solution
>                           to this that I'm not seeing, but my current configuration
>                           isn't picking up the freeipa sudoer rule that I've set.
>
>                           /etc/nsswitch.conf specifies:
>                             sudoers:    files ldap
>
>                           /etc/nslcd.conf contains:
>
>                           binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
>
>
>                           bindpw password
>
>                           ssl start_tls
>                           tls_cacertfile /etc/ipa/ca.crt
>                           tls_checkpeer yes
>
>                           bind_timelimit 5
>                           timelimit 15
>
>                           uri ldap://fs1.wedgeofli.me
>
>                           sudoers_base ou=SUDOers,dc=wedgeofli,dc=me
>
>
>                           The sssd_DOMAIN.log file contains this when I try to sudo:
>
>
>                       <snip>
>
>                       The SSSD logs aren't showing anything wrong because they have
>                       nothing to do with the execution of the SUDO rules in this
>                       situation. All the SSSD is doing is verifying the authentication
>                       (when sudo prompts you for your password).
>
>                       The problem with the rule is most likely happening inside SUDO
>                       itself. When you specify 'sudoers: files, ldap' in nsswitch.conf,
>                       it's telling SUDO to use its own internal LDAP driver to look up
>                       the rules. So you need to check sudo logs to see what's happening
>                       (probably you will need to enable debug logging in /etc/sudo.conf).
>
>                       Recent versions of SUDO (1.8.6 and later) have support for setting
>                       'sudoers: files, sss' in nsswitch.conf which DOES use SSSD (1.9.0
>                       and later) for lookups (and caching) of sudo rules.
>
>
>
>
>                  --
>                  Bret Wortman
>                  The Damascus Group
>                  Fairfax, VA
>         http://bretwortman.com/
>         http://twitter.com/BretWortman
>
>
>
>
>                  _______________________________________________
>                  Freeipa-users mailing list
>                  Freeipa-users at redhat.com
>                  https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>

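The three things this thread turns on (which file sudo's own LDAP driver reads, whether the sudoers line in nsswitch.conf names ldap or sss at all, and what it means to move nslcd.conf contents including a bindpw into a file listed as -rw-r--r--), as an added shell check that is not part of the thread. The sample files, the placeholder domain dc=example,dc=test and the list of required keys are assumptions; the config path is a parameter because it differs between Fedora 17 (/etc/ldap.conf) and RHEL 6.3 (/etc/sudo-ldap.conf) as discussed above.

```shell
#!/bin/sh
# Sanity-check what this thread turns on: the file sudo's LDAP driver reads
# (distro-dependent, hence a parameter), the nsswitch.conf sudoers line, and
# whether a bindpw is landing in a world-readable file like the one listed above.

# Return 0 if the sudoers line in nsswitch.conf ($1) lists ldap or sss;
# without one of them sudo never asks the directory for rules at all.
sudoers_uses_directory() {
    for src in $(sed -n 's/^[[:space:]]*sudoers:[[:space:]]*//p' "$1" | tr ',' ' '); do
        case "$src" in ldap|sss) return 0 ;; esac
    done
    return 1
}

# Print each key the sudo LDAP config ($1) lacks; return 0 only if none are
# missing. The key list is an assumption modelled on the nslcd.conf posted above.
missing_keys() {
    rc=0
    for key in uri sudoers_base ssl tls_cacertfile tls_checkpeer; do
        grep -Eq "^[[:space:]]*$key[[:space:]]+" "$1" ||
            { echo "missing: $key"; rc=1; }
    done
    return $rc
}

# Return 0 if $1 holds a bindpw and others can read it (column 8 of ls -l is
# the other-read bit, as in the -rw-r--r-- listing in the thread).
bindpw_world_readable() {
    grep -Eq '^[[:space:]]*bindpw[[:space:]]+' "$1" || return 1
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Constructed sample files (placeholder domain, not the thread's hosts)
# standing in for /etc/nsswitch.conf and the sudo LDAP config.
TMPD=$(mktemp -d)
printf 'passwd:     files sss\nsudoers:    files ldap\n' > "$TMPD/nsswitch.conf"
cat > "$TMPD/ldap.conf" <<'EOF'
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=test
bindpw CONSTRUCTED-PLACEHOLDER
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
uri ldap://ipa.example.test
sudoers_base ou=SUDOers,dc=example,dc=test
EOF
chmod 644 "$TMPD/ldap.conf"
sudoers_uses_directory "$TMPD/nsswitch.conf" && echo "nsswitch: sudo will query the directory"
missing_keys "$TMPD/ldap.conf" && echo "ldap.conf: all required keys present"
bindpw_world_readable "$TMPD/ldap.conf" && echo "ldap.conf: bindpw is world-readable; chmod 600 it"
```

Point the three functions at the real files once the nslcd.conf contents have been moved; a non-zero return from the last check is the cue to tighten the mode before adding the bindpw.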



More information about the Freeipa-users mailing list