[Freeipa-users] Authenticating sudo with ipa on Centos

Rob Crittenden rcritten at redhat.com
Thu Oct 17 21:16:18 UTC 2013


Andrew Holway wrote:
> Hello,
>
> I have set up IPA on a private network and have hit some bumps
> configuring sudo access for the clients.
> kinit seems to work fine for both client and server, user and root.
> When I load the edited /etc/sssd/sssd.conf and try to change user
> passwords I get "System is offline, password change not possible"
>
> Also posted in the centos mailing list:
> http://lists.centos.org/pipermail/centos/2013-October/137683.html

It is a bit strange that your ipa_domain and ipa_hostname are the same. 
I think the domain should be just local.

I'd run klist -kt /etc/krb5.keytab to see what principals are in there.


>
> Thanks,
> Andrew
>
>
> ## I see the following in my client's /var/log/messages after starting
> sssd on the client.
>
> Oct 17 17:35:46 zabbix sssd: Starting up
> Oct 17 17:35:46 zabbix sssd[be[192-168-0-100.local]]: Starting up
> Oct 17 17:35:46 zabbix sssd[nss]: Starting up
> Oct 17 17:35:46 zabbix [sssd[ldap_child[6659]]]: Error processing
> keytab file [default]: Principal [host/192-168-0-100.local at LOCAL] was
> not found. Unable to create GSSAPI-encrypted LDAP connection.
> Oct 17 17:35:46 zabbix sssd[sudo]: Starting up
> Oct 17 17:35:46 zabbix sssd[ssh]: Starting up
> Oct 17 17:35:46 zabbix sssd[pac]: Starting up
> Oct 17 17:35:46 zabbix [sssd[ldap_child[6659]]]: Error writing to key table
> Oct 17 17:35:46 zabbix sssd[pam]: Starting up
>
> ## And the following when user "andrew" tries to sudo on the client.
>
> Oct 17 17:37:10 zabbix [sssd[ldap_child[6667]]]: Error processing
> keytab file [default]: Principal [host/192-168-0-100.local at LOCAL] was
> not found. Unable to create GSSAPI-encrypted LDAP connection.
> Oct 17 17:37:10 zabbix [sssd[ldap_child[6667]]]: Error writing to key table
>
> ## The user and sudo rules in ipa.
>
> [root at 192-168-0-100 ~]# ipa sudorule-show add_sudo
>    Rule name: add_sudo
>    Enabled: TRUE
>    Host category: all
>    Command category: all
>    RunAs User category: all
>    RunAs Group category: all
>    Users: andrew
> [root at 192-168-0-100 ~]# ipa user-show andrew
>    User login: andrew
>    First name: Andrew
>    Last name: Holway
>    Home directory: /home/andrew
>    Login shell: /bin/bash
>    Email address: andrew at local.com
>    UID: 1876600003
>    GID: 1876600003
>    Account disabled: False
>    Password: True
>    Member of groups: admins, ipausers, trust admins
>    Member of Sudo rule: add_sudo
>    Kerberos keys available: True
>    SSH public key fingerprint:
> 35:08:9D:5E:F7:96:2A:FA:E4:60:76:4E:8A:12:FE:15 (ssh-dss)
>
> ## /etc/sssd/sssd.conf on the client
>
>
> [domain/192-168-0-100.local]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> krb5_realm = LOCAL
> ipa_domain = 192-168-0-100.local
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt
> ipa_hostname = 192-168-0-110.local
> chpass_provider = ipa
> ipa_server = _srv_, 192-168-0-100.local
> dns_discovery_domain = 192-168-0-100.local
>
> sudo_provider = ldap
> ldap_uri = ldap://192-168-0-100.local
> ldap_sudo_search_base = ou=sudoers,dc=local
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/192-168-0-100.local at LOCAL
> ldap_sasl_realm = local
> krb5_server = 192-168-0-100.local
>
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
>
> domains = 192-168-0-100.local
> [nss]
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
>
> ## /etc/nsswitch.conf on client
>
> #
> # An example Name Service Switch config file. This file should be
> # sorted with the most-used services at the beginning.
> #
> # The entry '[NOTFOUND=return]' means that the search for an
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Valid entries include:
> #
> # nisplus Use NIS+ (NIS version 3)
> # nis Use NIS (NIS version 2), also called YP
> # dns Use DNS (Domain Name Service)
> # files Use the local files
> # db Use the local database (.db) files
> # compat Use NIS on compat mode
> # hesiod Use Hesiod for user lookups
> # [NOTFOUND=return] Stop searching if not found so far
> #
>
> # To use db, put the "db" in front of "files" for entries you want to be
> # looked up first in the databases
> #
> # Example:
> #passwd:    db files nisplus nis
> #shadow:    db files nisplus nis
> #group:     db files nisplus nis
>
> passwd:     files sss
> shadow:     files sss
> group:      files sss
>
> #hosts:     db files nisplus nis dns
> hosts:      files dns
>
> # Example - obey only what nisplus tells us...
> #services:   nisplus [NOTFOUND=return] files
> #networks:   nisplus [NOTFOUND=return] files
> #protocols:  nisplus [NOTFOUND=return] files
> #rpc:        nisplus [NOTFOUND=return] files
> #ethers:     nisplus [NOTFOUND=return] files
> #netmasks:   nisplus [NOTFOUND=return] files
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files sss
>
> netgroup:   files sss
>
> publickey:  nisplus
>
> automount:  files
> aliases:    files nisplus
> sudoers: files sss
>
> ## selinux
>
> SELinux status:                 disabled on both client and server
>
> ## /etc/krb5.conf on the client
>
> #File modified by ipa-client-install
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [libdefaults]
>    default_realm = LOCAL
>    dns_lookup_realm = false
>    dns_lookup_kdc = false
>    rdns = false
>    ticket_lifetime = 24h
>    forwardable = yes
>
> [realms]
>    LOCAL = {
>      kdc = 192-168-0-100.local:88
>      master_kdc = 192-168-0-100.local:88
>      admin_server = 192-168-0-100.local:749
>      default_domain = 192-168-0-100.local
>      pkinit_anchors = FILE:/etc/ipa/ca.crt
>    }
>
> [domain_realm]
>    .192-168-0-100.local = LOCAL
>    192-168-0-100.local = LOCAL
>    .local = LOCAL
>    local = LOCAL
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
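As an added diagnostic for the mismatch Rob points at (my script, not code from the thread or from SSSD), this compares the principal SSSD is told to bind with (ldap_sasl_authid) against the client keytab, using the same `klist -kt` listing he suggests. The sssd.conf fragments and the keytab listing are constructed samples; on a real client feed in /etc/sssd/sssd.conf and the output of `klist -kt /etc/krb5.keytab`.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread. Compares the principal SSSD is
# configured to bind with (ldap_sasl_authid) against the client keytab.
# Real use: check_authid "$(cat /etc/sssd/sssd.conf)" "$(klist -kt /etc/krb5.keytab)"

# Constructed sssd.conf fragment mirroring the thread's client config:
# the authid names the *server's* host principal, but this host is the client.
SAMPLE_SSSD_CONF='[domain/192-168-0-100.local]
krb5_realm = LOCAL
ipa_hostname = 192-168-0-110.local
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/192-168-0-100.local@LOCAL'

# Same fragment with the authid corrected to the client's own host principal.
FIXED_SSSD_CONF='[domain/192-168-0-100.local]
krb5_realm = LOCAL
ipa_hostname = 192-168-0-110.local
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/192-168-0-110.local@LOCAL'

# Constructed "klist -kt /etc/krb5.keytab" output for the client (hypothetical).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
   1 10/17/2013 17:30:00 host/192-168-0-110.local@LOCAL
   1 10/17/2013 17:30:00 host/192-168-0-110.local@LOCAL'

# conf_value CONF KEY -> value of the first "KEY = value" line in CONF
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# expected_principal CONF -> host/<ipa_hostname>@<krb5_realm>, the client's own principal
expected_principal() {
    printf 'host/%s@%s\n' "$(conf_value "$1" ipa_hostname)" "$(conf_value "$1" krb5_realm)"
}

# keytab_has KLIST PRINCIPAL -> exit 0 if the principal appears (last field of a row)
keytab_has() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'
}

# check_authid CONF KLIST -> prints ok | unset | missing; exit status 1 only for missing
check_authid() {
    authid=$(conf_value "$1" ldap_sasl_authid)
    [ -n "$authid" ] || { echo unset; return 0; }   # SSSD derives the principal itself
    if keytab_has "$2" "$authid"; then echo ok; return 0; fi
    echo "keytab lacks $authid; client principal would be $(expected_principal "$1")" >&2
    echo missing; return 1
}
```

With the thread's config the check reports "missing" because the keytab holds only the client's own host principal, which is what the "Principal ... was not found" lines in /var/log/messages say.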
