[Freeipa-users] Sudo Commands and groups confusion

Sina Owolabi shinacalypse at gmail.com
Wed Jun 12 18:21:30 UTC 2013


I rebooted one of the servers and it worked!
Thanks a lot


On Wed, Jun 12, 2013 at 6:29 PM, Sina Owolabi <shinacalypse at gmail.com> wrote:

> Thank you for the reply Alex, though I'm a little confused that I am
> answering the correct email.
> I have taken a look at the example sssd.conf you advised, and I'm a little
> curious if the configuration supports having multiple IPA servers? I have a
> multi-master setup with two servers. I tried to add both servers to the
> ldap uri and to the krb5 section but the service refused to start.
> Also I have to note that this not being able to sudo only seems to affect
> physical servers, and not the virtual machines I have applied it against.
> Also unfortunately, this didn't work either... I guess I will try a reboot
> first if I can.
>
> sudo debug:
>
> [root at waphost IPA-configs]# su - oowolabi
>
> [oowolabi at waphost ~]$ sudo service httpd status
> sudo: ldap_set_option: debug -> 0
> sudo: ldap_set_option: tls_checkpeer -> 1
> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
> sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_set_option: timelimit -> 15
> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
> sudo: ldap_start_tls_s() ok
> sudo: ldap_sasl_bind_s() ok
> sudo: Looking for cn=defaults: cn=defaults
> sudo: no default options found in ou=SUDOers,dc=qrios,dc=com
> sudo: ldap search '(|(sudoUser=oowolabi)(sudoUser=%oowolabi)(sudoUser=%#721800009)(sudoUser=%admins)(sudoUser=%employees)(sudoUser=%qrios)(sudoUser=%#721800000)(sudoUser=%#721800006)(sudoUser=%#721800008)(sudoUser=ALL))'
> sudo: searching from base 'ou=SUDOers,dc=qrios,dc=com'
> sudo: adding search result
> sudo: result now has 0 entries
> sudo: ldap search '(sudoUser=+*)'
> sudo: searching from base 'ou=SUDOers,dc=qrios,dc=com'
> sudo: adding search result
> sudo: result now has 0 entries
> sudo: sorting remaining 0 entries
> sudo: searching LDAP for sudoers entries
> sudo: done with LDAP searches
> sudo: user_matches=1
> sudo: host_matches=0
> sudo: sudo_ldap_lookup(0)=0x40
> [sudo] password for oowolabi:
> oowolabi is not allowed to run sudo on waphost.  This incident will be reported.
> [oowolabi at waphost ~]$ exit
>
>
>
> On Wed, Jun 12, 2013 at 10:10 AM, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>
>> On Wed, 12 Jun 2013, Matt . wrote:
>>
>>> Hi,
>>>
>>> A lot of people seem to have problem with Sudo and FreeIPA.
>>>
>>> How to enable sudo is described here:
>>>
>>> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>>>
>>> The problem we are facing, also discussed on IRC, is that the local sudoers
>>> file of the client is checked to see if the logged-in user may sudo. Of
>>> course the username is not known there.
>>>
>> Not sure what exactly is your problem? Could you please rephrase and
>> show it with logs again?
>>
>> If you are using SSSD's sudo integration against IPA server, then here
>> is what you need to get it working on Fedora 18/19 and RHEL 6.4:
>>
>> 1. install libsss_sudo package
>>
>> 2. Add/change following line to /etc/nsswitch.conf
>>
>> sudoers: files sss
>>
>> 3. Make sure your /etc/sssd/sssd.conf looks like this example:
>> http://abbra.fedorapeople.org/.paste/sssd.conf.example
>> 4. Restart sssd
>>
>> These are the only actions I needed to get sudo working for IPA users on
>> Fedora 19 and RHEL 6.4.
>>
>> Please note that
>>    sudoers: files sss
>> gives you a chance to have local users configured in local sudoers. If you
>> don't want them to be able to use sudo, just change the line in
>> /etc/nsswitch.conf to
>>    sudoers: sss
>>
>>
>> --
>> / Alexander Bokovoy
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
>
>
> --
> best regards,
>
> Sina Owolabi
> +2348034022578
> +2348176469061
>



-- 
best regards,

Sina Owolabi
+2348034022578
+2348176469061
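The checks below are an added example, not code from this thread or from the FreeIPA/SSSD projects. They turn Alexander's steps 2 and 3 and the quoted sudo debug session into three small shell functions: one reads the `sudoers:` sources from an nsswitch.conf, one confirms the `[sssd]` section of an sssd.conf lists the sudo responder, and one summarises a sudo LDAP debug log using the literal `result now has N entries` and `host_matches=` lines that appear in Sina's session. All input files are constructed here in a temporary directory rather than read from the live /etc paths, and the sssd.conf sample is a minimal stand-in, not the contents of the example file linked in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for the SSSD sudo
# integration steps above, run against constructed sample files.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed sample: what step 2 asks for in /etc/nsswitch.conf.
NSSWITCH_SAMPLE="$SAMPLE_DIR/nsswitch.conf"
cat > "$NSSWITCH_SAMPLE" <<'EOF'
passwd:     files sss
group:      files sss
sudoers:    files sss
EOF

# Constructed sample: an nsswitch.conf where step 2 was never applied.
NSSWITCH_MISSING="$SAMPLE_DIR/nsswitch-missing.conf"
cat > "$NSSWITCH_MISSING" <<'EOF'
passwd:     files sss
sudoers:    files
EOF

# Constructed sample: minimal sssd.conf whose [sssd] section lists sudo.
SSSD_SAMPLE="$SAMPLE_DIR/sssd.conf"
cat > "$SSSD_SAMPLE" <<'EOF'
[sssd]
services = nss, pam, sudo
domains = example.test

[domain/example.test]
id_provider = ipa
EOF

# Constructed sample: the counters from the quoted sudo debug session.
SUDO_DEBUG_SAMPLE="$SAMPLE_DIR/sudo-debug.log"
cat > "$SUDO_DEBUG_SAMPLE" <<'EOF'
sudo: result now has 0 entries
sudo: sorting remaining 0 entries
sudo: user_matches=1
sudo: host_matches=0
EOF

# Constructed sample: rules were returned but none matched this host.
SUDO_DEBUG_HOST="$SAMPLE_DIR/sudo-debug-host.log"
cat > "$SUDO_DEBUG_HOST" <<'EOF'
sudo: result now has 1 entries
sudo: user_matches=1
sudo: host_matches=0
EOF

# nsswitch_sudoers FILE: print the sources configured for "sudoers:".
nsswitch_sudoers() {
    sed -n 's/^[[:space:]]*sudoers:[[:space:]]*//p' "$1" | head -n 1
}

# nsswitch_uses_sss FILE: succeed only if "sss" is among those sources.
nsswitch_uses_sss() {
    for src in $(nsswitch_sudoers "$1"); do
        [ "$src" = "sss" ] && return 0
    done
    return 1
}

# sssd_has_sudo_service FILE: succeed only if [sssd] services includes sudo.
sssd_has_sudo_service() {
    awk '
        /^\[/ { section = $0 }
        section == "[sssd]" && /^[[:space:]]*services[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")
            n = split($0, parts, /[[:space:],]+/)
            for (i = 1; i <= n; i++) if (parts[i] == "sudo") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# sudo_ldap_verdict FILE: summarise a sudo LDAP debug log in one word.
#   no-entries    - the LDAP searches returned nothing for this user
#   host-mismatch - entries came back but host_matches stayed 0
#   ok            - entries came back and the host matched
sudo_ldap_verdict() {
    entries=$(sed -n 's/^sudo: result now has \([0-9]*\) entries$/\1/p' "$1" | tail -n 1)
    host=$(sed -n 's/^sudo: host_matches=//p' "$1" | tail -n 1)
    if [ "${entries:-0}" -eq 0 ]; then
        echo no-entries
    elif [ "${host:-0}" -eq 0 ]; then
        echo host-mismatch
    else
        echo ok
    fi
}

# Stand-alone run: report each check for the samples above.
printf 'sudoers sources: %s\n' "$(nsswitch_sudoers "$NSSWITCH_SAMPLE")"
if nsswitch_uses_sss "$NSSWITCH_MISSING"; then echo "missing sample: sss present"; else echo "missing sample: no sss source"; fi
if sssd_has_sudo_service "$SSSD_SAMPLE"; then echo "sssd.conf: sudo responder listed"; fi
printf 'verdict (thread session): %s\n' "$(sudo_ldap_verdict "$SUDO_DEBUG_SAMPLE")"
printf 'verdict (host sample): %s\n' "$(sudo_ldap_verdict "$SUDO_DEBUG_HOST")"
```

Pointing the functions at the real `/etc/nsswitch.conf` and `/etc/sssd/sssd.conf` is the obvious use; the verdict function distinguishes "nothing came back from the directory", which is what the quoted session shows, from "rules exist but do not apply to this host", which needs a different fix.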