[Freeipa-users] Sudo Commands and groups confusion

Sina Owolabi shinacalypse at gmail.com
Wed Jun 12 17:29:57 UTC 2013


Thank you for the reply, Alex, though I'm a little confused as to whether I am
answering the correct email.
I have taken a look at the example sssd.conf you advised, and I'm a little
curious whether the configuration supports having multiple IPA servers. I have a
multi-master setup with two servers. I tried to add both servers to the
ldap uri and to the krb5 section, but the service refused to start.
Also, I have to note that this inability to sudo only seems to affect
physical servers, and not the virtual machines I have applied it against.
Also, unfortunately, this didn't work either. I guess I will try a reboot
first if I can.

sudo debug:

[root at waphost IPA-configs]# su - oowolabi
[oowolabi at waphost ~]$ sudo service httpd status
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: cn=defaults
sudo: no default options found in ou=SUDOers,dc=qrios,dc=com
sudo: ldap search
'(|(sudoUser=oowolabi)(sudoUser=%oowolabi)(sudoUser=%#721800009)(sudoUser=%admins)(sudoUser=%employees)(sudoUser=%qrios)(sudoUser=%#721800000)(sudoUser=%#721800006)(sudoUser=%#721800008)(sudoUser=ALL))'
sudo: searching from base 'ou=SUDOers,dc=qrios,dc=com'
sudo: adding search result
sudo: result now has 0 entries
sudo: ldap search '(sudoUser=+*)'
sudo: searching from base 'ou=SUDOers,dc=qrios,dc=com'
sudo: adding search result
sudo: result now has 0 entries
sudo: sorting remaining 0 entries
sudo: searching LDAP for sudoers entries
sudo: done with LDAP searches
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x40
[sudo] password for oowolabi:
oowolabi is not allowed to run sudo on waphost.  This incident will be
reported.
[oowolabi at waphost ~]$ exit



On Wed, Jun 12, 2013 at 10:10 AM, Alexander Bokovoy <abokovoy at redhat.com>wrote:

> On Wed, 12 Jun 2013, Matt . wrote:
>
>> Hi,
>>
>> A lot of people seem to have problem with Sudo and FreeIPA.
>>
>> How to enable sudo is described here:
>>
>> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>>
>> The problem we are facing, also discussed on IRC, is that the local
>> sudoers file of the client is checked to see whether the logged-in user
>> may sudo. Of course the username is not known there.
>>
> Not sure what exactly is your problem? Could you please rephrase and
> show it with logs again?
>
> If you are using SSSD's sudo integration against IPA server, then here
> is what you need to get it working on Fedora 18/19 and RHEL 6.4:
>
> 1. install libsss_sudo package
>
> 2. Add/change following line to /etc/nsswitch.conf
>
> sudoers: files sss
>
> 3. Make sure your /etc/sssd/sssd.conf looks like this example:
> http://abbra.fedorapeople.org/.paste/sssd.conf.example
> 4. Restart sssd
>
> These are the only actions I needed to get sudo working for IPA users on
> Fedora 19 and RHEL 6.4.
>
> Please note that
>    sudoers: files sss
> gives you the chance to have local users configured in the local sudoers. If you
> don't want them to be able to use sudo, just change the line in
> /etc/nsswitch.conf to
>    sudoers: sss
>
>
> --
> / Alexander Bokovoy
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>



-- 
best regards,

Sina Owolabi
+2348034022578
+2348176469061
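An added worked example (not code from the original post, nor from the FreeIPA or SSSD projects) that pulls together the recipe quoted above and the debug trace in this message. It does two things: it lints a client's nsswitch.conf and sssd.conf against that recipe (libsss_sudo, "sudoers: files sss", sudo listed in SSSD's services) and flags the one thing that most often breaks when a second server is added, namely that sssd.conf(5) expects ipa_server, ldap_uri and krb5_server to be comma-separated lists; and it reads a sudo debug trace of the shape shown above and states what can be concluded from it. Note that the "ldap_set_option" lines and the ou=SUDOers search base in the trace above come from sudo's own LDAP backend, which means nsswitch was still sending sudo to "ldap" rather than to "sss" on that host, so the SSSD sudo configuration was never exercised there. All hostnames, DNs, the sudo_provider choice and the trace text below are constructed assumptions for this example.

```python
# Added example: lint sudo-via-SSSD wiring on a FreeIPA client and read a
# sudo LDAP debug trace. Inputs are constructed samples, not real hosts.
import configparser
import re

# Sample nsswitch.conf; 'sudoers: files ldap' is the setting that yields a
# trace full of ldap_* lines, because sudo then talks to LDAP itself.
NSSWITCH_CONF = """\
passwd:     files sss
group:      files sss
sudoers:    files ldap
"""

# Sample sssd.conf. sssd.conf(5) takes comma-separated server lists; the
# ipa_server line is deliberately wrong (space-separated) to be flagged.
SSSD_CONF = """\
[sssd]
services = nss, pam, sudo
domains = example.test

[domain/example.test]
id_provider = ipa
ipa_server = ipa1.example.test ipa2.example.test
sudo_provider = ldap
ldap_uri = ldap://ipa1.example.test, ldap://ipa2.example.test
ldap_sudo_search_base = ou=sudoers,dc=example,dc=test
ldap_sasl_mech = GSSAPI
krb5_server = ipa1.example.test, ipa2.example.test
"""

# Constructed sudo debug trace in the shape of the one posted above.
SUDO_DEBUG = """\
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=example,dc=test
sudo: ldap search '(|(sudoUser=alice)(sudoUser=%alice)(sudoUser=ALL))'
sudo: searching from base 'ou=SUDOers,dc=example,dc=test'
sudo: result now has 0 entries
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x40
"""

SERVER_KEYS = ("ipa_server", "ldap_uri", "krb5_server")


def nsswitch_sources(text, database):
    """Source list of one nsswitch.conf database, e.g. ['files', 'sss']."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        name, sep, rest = line.partition(":")
        if sep and name.strip() == database:
            return rest.split()
    return []


def split_list(value):
    """Split a comma-separated sssd.conf value into its items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_sudo_wiring(nsswitch_text, sssd_text):
    """Findings against the recipe; an empty list means it matches."""
    findings = []
    sources = nsswitch_sources(nsswitch_text, "sudoers")
    if "sss" not in sources:
        findings.append(f"nsswitch.conf: sudoers sources are {sources}; add 'sss'")
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(sssd_text)
    if "sudo" not in split_list(cfg.get("sssd", "services", fallback="")):
        findings.append("sssd.conf: [sssd] services does not include sudo")
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        for key in SERVER_KEYS:
            if any(" " in item for item in split_list(cfg.get(section, key, fallback=""))):
                findings.append(f"sssd.conf: [{section}] {key} separates servers "
                                "with spaces; use commas")
    return findings


def classify_sudo_debug(trace):
    """Extract the facts that decided the outcome from a sudo debug trace."""
    info = {"backend": "unknown", "base": None, "entries": None,
            "user_matches": None, "host_matches": None}
    for line in trace.splitlines():
        if line.startswith("sudo: ldap_"):
            info["backend"] = "ldap"   # sudo's own LDAP code, not SSSD's sudo responder
        if m := re.search(r"searching from base '([^']+)'", line):
            info["base"] = m.group(1)
        if m := re.search(r"result now has (\d+) entries", line):
            info["entries"] = int(m.group(1))   # count after the last search
        if m := re.search(r"(user|host)_matches=(\d)", line):
            info[m.group(1) + "_matches"] = m.group(2) == "1"
    return info


def explain(info):
    """Turn classifier output into the next things to check."""
    notes = []
    if info["backend"] == "ldap":
        notes.append("sudo queried LDAP directly, so the SSSD sudo setup was not exercised")
    if info["entries"] == 0:
        notes.append(f"no sudoRole under {info['base']} named this user or their groups")
    elif info["user_matches"] and info["host_matches"] is False:
        notes.append("rules exist for the user but none applies to this host (sudoHost)")
    return notes


if __name__ == "__main__":
    for finding in check_sudo_wiring(NSSWITCH_CONF, SSSD_CONF):
        print("config:", finding)
    for note in explain(classify_sudo_debug(SUDO_DEBUG)):
        print("trace:", note)
```

Run against real files by reading /etc/nsswitch.conf and /etc/sssd/sssd.conf into the two checker arguments, and feed the output of a failing "sudo -l" (with sudo debugging enabled as in the trace above) to classify_sudo_debug. A host that passes the config check but still shows ldap_* lines in its trace has not been restarted or is reading a different nsswitch.conf than you think, which is worth ruling out before comparing the physical and virtual machines further.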