[Freeipa-users] Authenticating sudo with ipa on Centos

Andrew Holway andrew.holway at gmail.com
Fri Oct 18 08:05:27 UTC 2013


> It is a bit strange that your ipa_domain and ipa_hostname are the same. I
> think the domain should be just local.
>
> I'd run klist -kt /etc/krb5.keytab to see what principals are in there.

ipa_hostname = 192-168-0-110.local
ipa_server = _srv_, 192-168-0-100.local

Hi,

I'm a little confused. They are not the same and these values were
created by the "ipa-client-install" utility.

I think there is some extra magic needed so that I get sudo
working with ipa... The redhat docs are a little bit lacking for the
less advanced...

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html

>
>
>>
>> Thanks,
>> Andrew
>>
>>
>> ## I see the following in my clients /var/log/messages after starting
>> sssd on the client.
>>
>> Oct 17 17:35:46 zabbix sssd: Starting up
>> Oct 17 17:35:46 zabbix sssd[be[192-168-0-100.local]]: Starting up
>> Oct 17 17:35:46 zabbix sssd[nss]: Starting up
>> Oct 17 17:35:46 zabbix [sssd[ldap_child[6659]]]: Error processing
>> keytab file [default]: Principal [host/192-168-0-100.local@LOCAL] was
>> not found. Unable to create GSSAPI-encrypted LDAP connection.
>> Oct 17 17:35:46 zabbix sssd[sudo]: Starting up
>> Oct 17 17:35:46 zabbix sssd[ssh]: Starting up
>> Oct 17 17:35:46 zabbix sssd[pac]: Starting up
>> Oct 17 17:35:46 zabbix [sssd[ldap_child[6659]]]: Error writing to key
>> table
>> Oct 17 17:35:46 zabbix sssd[pam]: Starting up
>>
>> ## And the following when user "andrew" tries to sudo on the client.
>>
>> Oct 17 17:37:10 zabbix [sssd[ldap_child[6667]]]: Error processing
>> keytab file [default]: Principal [host/192-168-0-100.local@LOCAL] was
>> not found. Unable to create GSSAPI-encrypted LDAP connection.
>> Oct 17 17:37:10 zabbix [sssd[ldap_child[6667]]]: Error writing to key
>> table
>>
>> ## The user and sudo rules in ipa.
>>
>> [root@192-168-0-100 ~]# ipa sudorule-show add_sudo
>>    Rule name: add_sudo
>>    Enabled: TRUE
>>    Host category: all
>>    Command category: all
>>    RunAs User category: all
>>    RunAs Group category: all
>>    Users: andrew
>> [root@192-168-0-100 ~]# ipa user-show andrew
>>    User login: andrew
>>    First name: Andrew
>>    Last name: Holway
>>    Home directory: /home/andrew
>>    Login shell: /bin/bash
>>    Email address: andrew at local.com
>>    UID: 1876600003
>>    GID: 1876600003
>>    Account disabled: False
>>    Password: True
>>    Member of groups: admins, ipausers, trust admins
>>    Member of Sudo rule: add_sudo
>>    Kerberos keys available: True
>>    SSH public key fingerprint:
>> 35:08:9D:5E:F7:96:2A:FA:E4:60:76:4E:8A:12:FE:15 (ssh-dss)
>>
>> ## /etc/sssd/sssd.conf on the client
>>
>>
>> [domain/192-168-0-100.local]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> krb5_realm = LOCAL
>> ipa_domain = 192-168-0-100.local
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> ipa_hostname = 192-168-0-110.local
>> chpass_provider = ipa
>> ipa_server = _srv_, 192-168-0-100.local
>> dns_discovery_domain = 192-168-0-100.local
>>
>> sudo_provider = ldap
>> ldap_uri = ldap://192-168-0-100.local
>> ldap_sudo_search_base = ou=sudoers,dc=local
>> ldap_sasl_mech = GSSAPI
>> ldap_sasl_authid = host/192-168-0-100.local@LOCAL
>> ldap_sasl_realm = local
>> krb5_server = 192-168-0-100.local
>>
>> [sssd]
>> services = nss, pam, ssh, sudo
>> config_file_version = 2
>>
>> domains = 192-168-0-100.local
>> [nss]
>>
>> [pam]
>>
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>>
>> [pac]
>>
>>
>> ## /etc/nsswitch.conf on client
>>
>> #
>> # An example Name Service Switch config file. This file should be
>> # sorted with the most-used services at the beginning.
>> #
>> # The entry '[NOTFOUND=return]' means that the search for an
>> # entry should stop if the search in the previous entry turned
>> # up nothing. Note that if the search failed due to some other reason
>> # (like no NIS server responding) then the search continues with the
>> # next entry.
>> #
>> # Valid entries include:
>> #
>> # nisplus Use NIS+ (NIS version 3)
>> # nis Use NIS (NIS version 2), also called YP
>> # dns Use DNS (Domain Name Service)
>> # files Use the local files
>> # db Use the local database (.db) files
>> # compat Use NIS on compat mode
>> # hesiod Use Hesiod for user lookups
>> # [NOTFOUND=return] Stop searching if not found so far
>> #
>>
>> # To use db, put the "db" in front of "files" for entries you want to be
>> # looked up first in the databases
>> #
>> # Example:
>> #passwd:    db files nisplus nis
>> #shadow:    db files nisplus nis
>> #group:     db files nisplus nis
>>
>> passwd:     files sss
>> shadow:     files sss
>> group:      files sss
>>
>> #hosts:     db files nisplus nis dns
>> hosts:      files dns
>>
>> # Example - obey only what nisplus tells us...
>> #services:   nisplus [NOTFOUND=return] files
>> #networks:   nisplus [NOTFOUND=return] files
>> #protocols:  nisplus [NOTFOUND=return] files
>> #rpc:        nisplus [NOTFOUND=return] files
>> #ethers:     nisplus [NOTFOUND=return] files
>> #netmasks:   nisplus [NOTFOUND=return] files
>>
>> bootparams: nisplus [NOTFOUND=return] files
>>
>> ethers:     files
>> netmasks:   files
>> networks:   files
>> protocols:  files
>> rpc:        files
>> services:   files sss
>>
>> netgroup:   files sss
>>
>> publickey:  nisplus
>>
>> automount:  files
>> aliases:    files nisplus
>> sudoers: files sss
>>
>> ## selinux
>>
>> SELinux status:                 disabled on both client and server
>>
>> ## /etc/krb5.conf on the client
>>
>> #File modified by ipa-client-install
>>
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> [libdefaults]
>>    default_realm = LOCAL
>>    dns_lookup_realm = false
>>    dns_lookup_kdc = false
>>    rdns = false
>>    ticket_lifetime = 24h
>>    forwardable = yes
>>
>> [realms]
>>    LOCAL = {
>>      kdc = 192-168-0-100.local:88
>>      master_kdc = 192-168-0-100.local:88
>>      admin_server = 192-168-0-100.local:749
>>      default_domain = 192-168-0-100.local
>>      pkinit_anchors = FILE:/etc/ipa/ca.crt
>>    }
>>
>> [domain_realm]
>>    .192-168-0-100.local = LOCAL
>>    192-168-0-100.local = LOCAL
>>    .local = LOCAL
>>    local = LOCAL
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
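The log lines and sssd.conf quoted above show one thing worth checking mechanically: the principal named in `ldap_sasl_authid` (`host/192-168-0-100.local@LOCAL`, the server's name) is the one sssd reports as missing from the keytab, while `ipa_hostname` names the client (`192-168-0-110.local`). The script below is an added example, not code from the original thread or from the SSSD/FreeIPA projects. It parses an sssd.conf, extracts the principals from `klist -kt` output, and reports when the SASL identity is absent from the keytab, does not match `ipa_hostname`, or uses a realm spelled differently from `krb5_realm`. The keytab listing embedded here is constructed for the demonstration (the post contains no `klist` output), and the assumption that sssd's ipa provider defaults the SASL identity to `host/<ipa_hostname>@<realm>` when `ldap_sasl_authid` is unset is marked in the code.

```python
"""Check that the SASL identity in sssd.conf exists in the host keytab and
belongs to this client.  Added example, not from the original post."""
import configparser
import re
import subprocess
from typing import Iterable, List

# Relevant part of the client's sssd.conf from the post
# (the archive renders "@" as " at "; restored here).
SSSD_CONF = """
[domain/192-168-0-100.local]
krb5_realm = LOCAL
ipa_domain = 192-168-0-100.local
ipa_hostname = 192-168-0-110.local
ipa_server = _srv_, 192-168-0-100.local
sudo_provider = ldap
ldap_uri = ldap://192-168-0-100.local
ldap_sudo_search_base = ou=sudoers,dc=local
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/192-168-0-100.local@LOCAL
ldap_sasl_realm = local

[sssd]
services = nss, pam, ssh, sudo
domains = 192-168-0-100.local
"""

# CONSTRUCTED `klist -kt /etc/krb5.keytab` output for a client enrolled as
# 192-168-0-110.local.  Hypothetical: the post does not include this listing.
KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 10/17/13 16:59:03 host/192-168-0-110.local@LOCAL
   1 10/17/13 16:59:03 host/192-168-0-110.local@LOCAL
"""


def keytab_principals(klist_text: str) -> List[str]:
    """Return the distinct principals listed in `klist -kt` output."""
    principals: List[str] = []
    for line in klist_text.splitlines():
        # KVNO, timestamp (date + time), then the principal name.
        m = re.match(r"\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s*$", line)
        if m and m.group(1) not in principals:
            principals.append(m.group(1))
    return principals


def live_principals(keytab: str = "/etc/krb5.keytab") -> List[str]:
    """Run klist against a real keytab (needs root to read /etc/krb5.keytab)."""
    out = subprocess.run(["klist", "-kt", keytab], capture_output=True,
                         text=True, check=True).stdout
    return keytab_principals(out)


def check_sasl_identity(conf_text: str, principals: Iterable[str]) -> List[str]:
    """Return findings for every [domain/...] section; empty means consistent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    have = list(principals)
    findings: List[str] = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        realm = d.get("krb5_realm", "")
        host = d.get("ipa_hostname", "")
        expected = f"host/{host}@{realm}" if host and realm else None
        authid = d.get("ldap_sasl_authid")
        if authid is None:
            # Assumption: with the ipa provider and no explicit authid, sssd
            # uses host/<ipa_hostname>@<realm>; check that one is in the keytab.
            if expected and expected not in have:
                findings.append(f"{section}: derived principal {expected} not in keytab")
            continue
        if authid not in have:
            findings.append(f"{section}: ldap_sasl_authid {authid} not found in keytab")
        if expected and authid != expected:
            findings.append(f"{section}: ldap_sasl_authid {authid} "
                            f"does not match ipa_hostname ({expected})")
        sasl_realm = d.get("ldap_sasl_realm")
        if sasl_realm and realm and sasl_realm != realm:
            # Kerberos realm names are case-sensitive.
            findings.append(f"{section}: ldap_sasl_realm {sasl_realm!r} "
                            f"differs from krb5_realm {realm!r}")
    return findings


if __name__ == "__main__":
    for finding in check_sasl_identity(SSSD_CONF, keytab_principals(KLIST_OUTPUT)):
        print(finding)
```

Against the configuration from the post and the constructed keytab, the check reports three findings: the configured `ldap_sasl_authid` is not in the keytab, it names a different host than `ipa_hostname`, and `ldap_sasl_realm` is spelled `local` while `krb5_realm` is `LOCAL`. To run it against a real client, replace `keytab_principals(KLIST_OUTPUT)` with `live_principals()` and read the actual `/etc/sssd/sssd.conf`.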