[Freeipa-users] Sudo not working
Rob Crittenden
rcritten at redhat.com
Wed Oct 31 18:39:28 UTC 2012
Bret Wortman wrote:
> [root at fs1 etc]# more /etc/ldap.conf
> sudoers_debug: 1
> [root at fs1 etc]# ls -l /etc/ldap.conf
> -rw-r--r--. 1 root root 17 Oct 19 14:54 /etc/ldap.conf
>
> Where should I see the extra output? I've had this set since last Friday
> and I'm not seeing any difference.
Move the contents of /etc/nslcd.conf to this file and add ldap to
sudoers in /etc/nsswitch.conf.
rob
>
> On Wed, Oct 31, 2012 at 2:20 PM, Rob Crittenden <rcritten at redhat.com
> <mailto:rcritten at redhat.com>> wrote:
>
> Bret Wortman wrote:
>
> F17.
>
>
> I think you want /etc/ldap.conf then. The easiest way to be sure the
> right file is being used is to add sudoers_debug 1 to the file. This
> will present a lot of extra output so you'll know the file is being
> read.
>
> rob
>
>
> On Wed, Oct 31, 2012 at 2:04 PM, Rob Crittenden
> <rcritten at redhat.com <mailto:rcritten at redhat.com>
> <mailto:rcritten at redhat.com <mailto:rcritten at redhat.com>>> wrote:
>
> Bret Wortman wrote:
>
> I had enabled debugging of sudo but am not clear on
> where that
> debugging
> is going. It's not stdout, and I'm not seeing anything in
> /var/log/messages.
>
> I'll try switching to SSS and see what that gets me.
>
>
> What distro is this? If it is RHEL 6.3 then put the
> configuration
> into /etc/sudo-ldap.conf instead of /etc/nslcd. The docs are
> incorrect (we are working on getting them fixed).
>
> rob
>
>
>
> On Wed, Oct 31, 2012 at 1:33 PM, Stephen Gallagher
> <sgallagh at redhat.com <mailto:sgallagh at redhat.com>
> <mailto:sgallagh at redhat.com <mailto:sgallagh at redhat.com>>
> <mailto:sgallagh at redhat.com
> <mailto:sgallagh at redhat.com> <mailto:sgallagh at redhat.com
> <mailto:sgallagh at redhat.com>>>> wrote:
>
> On Wed 31 Oct 2012 11:53:15 AM EDT, Bret Wortman
> wrote:
>
> I'm pretty certain there's a painfully simple
> solution
> to this that
> I'm not seeing, but my current configuration isn't
> picking up the
> freeipa sudoer rule that I've set.
>
> /etc/nsswitch.conf specifies:
> sudoers: files ldap
>
> /etc/nslcd.conf contains:
>
> binddn
> uid=sudo,cn=sysaccounts,cn=______etc,dc=wedgeofli,dc=me
>
>
> bindpw password
>
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
>
> bind_timelimit 5
> timelimit 15
>
> uri ldap://fs1.wedgeofli.me
> <http://fs1.wedgeofli.me> <http://fs1.wedgeofli.me>
> <http://fs1.wedgeofli.me>
> <http://fs1.wedgeofli.me>
>
> sudoers_base ou=SUDOers,dc=wedgeofli,dc=me
>
>
> The sssd_DOMAIN.log file contains this when I
> try to sudo:
>
>
> <snip>
>
> The SSSD logs aren't showing anything wrong
> because they have
> nothing to do with the execution of the SUDO rules
> in this
> situation. All the SSSD is doing is verifying the
> authentication
> (when sudo prompts you for your password).
>
> The problem with the rule is most likely happening
> inside SUDO
> itself. When you specify 'sudoers: files, ldap' in
> nsswitch.conf,
> it's telling SUDO to use its own internal LDAP
> driver to
> look up the
> rules. So you need to check sudo logs to see
> what's happening
> (probably you will need to enable debug logging in
> /etc/sudo.conf).
>
> Recent versions of SUDO (1.8.6 and later) have
> support for
> setting
> 'sudoers: files, sss' in nsswitch.conf which DOES
> use SSSD
> (1.9.0
> and later) for lookups (and caching) of sudo rules.
>
>
>
>
> --
> Bret Wortman
> The Damascus Group
> Fairfax, VA
> http://bretwortman.com/
> http://twitter.com/BretWortman
>
>
>
>
> --
> Bret Wortman
> The Damascus Group
> Fairfax, VA
> http://bretwortman.com/
> http://twitter.com/BretWortman
>
>
>
> ___________________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> <mailto:Freeipa-users at redhat.__com
> <mailto:Freeipa-users at redhat.com>>
> https://www.redhat.com/____mailman/listinfo/freeipa-users
> <https://www.redhat.com/__mailman/listinfo/freeipa-users>
>
>
> <https://www.redhat.com/__mailman/listinfo/freeipa-users
> <https://www.redhat.com/mailman/listinfo/freeipa-users>__>
>
>
>
>
>
> --
> Bret Wortman
> The Damascus Group
> Fairfax, VA
> http://bretwortman.com/
> http://twitter.com/BretWortman
>
>
>
> _________________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> https://www.redhat.com/__mailman/listinfo/freeipa-users
> <https://www.redhat.com/mailman/listinfo/freeipa-users>
>
>
>
>
>
> --
> Bret Wortman
> The Damascus Group
> Fairfax, VA
> http://bretwortman.com/
> http://twitter.com/BretWortman
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
More information about the Freeipa-users
mailing list