[Freeipa-users] Authenticating sudo with ipa on Centos

Rob Crittenden rcritten at redhat.com
Mon Oct 21 17:34:17 UTC 2013


Andrew Holway wrote:
>> It is a bit strange that your ipa_domain and ipa_hostname are the same. I
>> think the domain should be just local.
>>
>> I'd run klist -kt /etc/krb5.keytab to see what principals are in there.
>
> ipa_hostname = 192-168-0-110.local
> ipa_server = _srv_, 192-168-0-100.local
>
> Hi,
>
> I'm a little confused. They are not the same and these values were
> created by the "ipa-client-install" utility.
>
> I think there is some extra magic needed so that I get sudo
> working with ipa...The redhat docs are a little bit lacking for the
> less advanced...
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html

Sure, but first we need to make sssd talk to IPA at all, which it isn't.

Like I said, it looks like your sssd configuration is wrong. You can 
always un-enroll and re-enroll the client in order to reset things.

rob

>
>
>
>
>>
>>
>>>
>>> Thanks,
>>> Andrew
>>>
>>>
>>> ## I see the following in my clients /var/log/messages after starting
>>> sssd on the client.
>>>
>>> Oct 17 17:35:46 zabbix sssd: Starting up
>>> Oct 17 17:35:46 zabbix sssd[be[192-168-0-100.local]]: Starting up
>>> Oct 17 17:35:46 zabbix sssd[nss]: Starting up
>>> Oct 17 17:35:46 zabbix [sssd[ldap_child[6659]]]: Error processing
>>> keytab file [default]: Principal [host/192-168-0-100.local@LOCAL] was
>>> not found. Unable to create GSSAPI-encrypted LDAP connection.
>>> Oct 17 17:35:46 zabbix sssd[sudo]: Starting up
>>> Oct 17 17:35:46 zabbix sssd[ssh]: Starting up
>>> Oct 17 17:35:46 zabbix sssd[pac]: Starting up
>>> Oct 17 17:35:46 zabbix [sssd[ldap_child[6659]]]: Error writing to key
>>> table
>>> Oct 17 17:35:46 zabbix sssd[pam]: Starting up
>>>
>>> ## And the following when user "andrew" tries to sudo on the client.
>>>
>>> Oct 17 17:37:10 zabbix [sssd[ldap_child[6667]]]: Error processing
>>> keytab file [default]: Principal [host/192-168-0-100.local@LOCAL] was
>>> not found. Unable to create GSSAPI-encrypted LDAP connection.
>>> Oct 17 17:37:10 zabbix [sssd[ldap_child[6667]]]: Error writing to key
>>> table
>>>
>>> ## The user and sudo rules in ipa.
>>>
>>> [root@192-168-0-100 ~]# ipa sudorule-show add_sudo
>>>     Rule name: add_sudo
>>>     Enabled: TRUE
>>>     Host category: all
>>>     Command category: all
>>>     RunAs User category: all
>>>     RunAs Group category: all
>>>     Users: andrew
>>> [root@192-168-0-100 ~]# ipa user-show andrew
>>>     User login: andrew
>>>     First name: Andrew
>>>     Last name: Holway
>>>     Home directory: /home/andrew
>>>     Login shell: /bin/bash
>>>     Email address: andrew@local.com
>>>     UID: 1876600003
>>>     GID: 1876600003
>>>     Account disabled: False
>>>     Password: True
>>>     Member of groups: admins, ipausers, trust admins
>>>     Member of Sudo rule: add_sudo
>>>     Kerberos keys available: True
>>>     SSH public key fingerprint:
>>> 35:08:9D:5E:F7:96:2A:FA:E4:60:76:4E:8A:12:FE:15 (ssh-dss)
>>>
>>> ## /etc/sssd/sssd.conf on the client
>>>
>>>
>>> [domain/192-168-0-100.local]
>>>
>>> cache_credentials = True
>>> krb5_store_password_if_offline = True
>>> krb5_realm = LOCAL
>>> ipa_domain = 192-168-0-100.local
>>> id_provider = ipa
>>> auth_provider = ipa
>>> access_provider = ipa
>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>> ipa_hostname = 192-168-0-110.local
>>> chpass_provider = ipa
>>> ipa_server = _srv_, 192-168-0-100.local
>>> dns_discovery_domain = 192-168-0-100.local
>>>
>>> sudo_provider = ldap
>>> ldap_uri = ldap://192-168-0-100.local
>>> ldap_sudo_search_base = ou=sudoers,dc=local
>>> ldap_sasl_mech = GSSAPI
>>> ldap_sasl_authid = host/192-168-0-100.local@LOCAL
>>> ldap_sasl_realm = local
>>> krb5_server = 192-168-0-100.local
>>>
>>> [sssd]
>>> services = nss, pam, ssh, sudo
>>> config_file_version = 2
>>>
>>> domains = 192-168-0-100.local
>>> [nss]
>>>
>>> [pam]
>>>
>>> [sudo]
>>>
>>> [autofs]
>>>
>>> [ssh]
>>>
>>> [pac]
>>>
>>>
>>> ## /etc/nsswitch.conf on client
>>>
>>> #
>>> # An example Name Service Switch config file. This file should be
>>> # sorted with the most-used services at the beginning.
>>> #
>>> # The entry '[NOTFOUND=return]' means that the search for an
>>> # entry should stop if the search in the previous entry turned
>>> # up nothing. Note that if the search failed due to some other reason
>>> # (like no NIS server responding) then the search continues with the
>>> # next entry.
>>> #
>>> # Valid entries include:
>>> #
>>> # nisplus Use NIS+ (NIS version 3)
>>> # nis Use NIS (NIS version 2), also called YP
>>> # dns Use DNS (Domain Name Service)
>>> # files Use the local files
>>> # db Use the local database (.db) files
>>> # compat Use NIS on compat mode
>>> # hesiod Use Hesiod for user lookups
>>> # [NOTFOUND=return] Stop searching if not found so far
>>> #
>>>
>>> # To use db, put the "db" in front of "files" for entries you want to be
>>> # looked up first in the databases
>>> #
>>> # Example:
>>> #passwd:    db files nisplus nis
>>> #shadow:    db files nisplus nis
>>> #group:     db files nisplus nis
>>>
>>> passwd:     files sss
>>> shadow:     files sss
>>> group:      files sss
>>>
>>> #hosts:     db files nisplus nis dns
>>> hosts:      files dns
>>>
>>> # Example - obey only what nisplus tells us...
>>> #services:   nisplus [NOTFOUND=return] files
>>> #networks:   nisplus [NOTFOUND=return] files
>>> #protocols:  nisplus [NOTFOUND=return] files
>>> #rpc:        nisplus [NOTFOUND=return] files
>>> #ethers:     nisplus [NOTFOUND=return] files
>>> #netmasks:   nisplus [NOTFOUND=return] files
>>>
>>> bootparams: nisplus [NOTFOUND=return] files
>>>
>>> ethers:     files
>>> netmasks:   files
>>> networks:   files
>>> protocols:  files
>>> rpc:        files
>>> services:   files sss
>>>
>>> netgroup:   files sss
>>>
>>> publickey:  nisplus
>>>
>>> automount:  files
>>> aliases:    files nisplus
>>> sudoers: files sss
>>>
>>> ## selinux
>>>
>>> SELinux status:                 disabled on both client and server
>>>
>>> ## /etc/krb5.conf on the client
>>>
>>> #File modified by ipa-client-install
>>>
>>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>>
>>> [libdefaults]
>>>     default_realm = LOCAL
>>>     dns_lookup_realm = false
>>>     dns_lookup_kdc = false
>>>     rdns = false
>>>     ticket_lifetime = 24h
>>>     forwardable = yes
>>>
>>> [realms]
>>>     LOCAL = {
>>>       kdc = 192-168-0-100.local:88
>>>       master_kdc = 192-168-0-100.local:88
>>>       admin_server = 192-168-0-100.local:749
>>>       default_domain = 192-168-0-100.local
>>>       pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>     }
>>>
>>> [domain_realm]
>>>     .192-168-0-100.local = LOCAL
>>>     192-168-0-100.local = LOCAL
>>>     .local = LOCAL
>>>     local = LOCAL
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>
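The mismatch behind the quoted ldap_child error is visible in the quoted sssd.conf: ldap_sasl_authid is set to host/192-168-0-100.local@LOCAL, the name of the IPA server, while the client's own ipa_hostname is 192-168-0-110.local, and the log reports exactly that server principal missing from the client keytab. The script below is an added example, not part of this thread or of the sssd/FreeIPA projects; it compares the identity sssd will present in its GSSAPI bind against the principals in a `klist -kt` listing. The keytab listing and both configurations are constructed for the example; the fallback to host/<ipa_hostname>@<krb5_realm> when ldap_sasl_authid is unset is an assumption about the sssd-ipa default, and the "fixed" configuration simply drops the hand-set authid rather than reflecting anything the thread concluded.

```shell
#!/bin/sh
# Added example: check that the SASL identity sssd will use for its GSSAPI
# LDAP bind actually exists in the client keytab. All inputs are constructed.

# Constructed `klist -kt /etc/krb5.keytab` output for a client whose only
# host key is host/192-168-0-110.local@LOCAL (one line per enctype).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 10/17/13 17:30:01 host/192-168-0-110.local@LOCAL
   1 10/17/13 17:30:01 host/192-168-0-110.local@LOCAL
   1 10/17/13 17:30:01 host/192-168-0-110.local@LOCAL'

# The bind-relevant lines from the posted sssd.conf: the authid names the
# IPA server, not this client.
BROKEN_CONF='[domain/192-168-0-100.local]
krb5_realm = LOCAL
id_provider = ipa
ipa_hostname = 192-168-0-110.local
sudo_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/192-168-0-100.local@LOCAL
ldap_sasl_realm = local'

# Assumed repair: no explicit authid, so sssd falls back to its default of
# host/<ipa_hostname>@<krb5_realm>.
FIXED_CONF='[domain/192-168-0-100.local]
krb5_realm = LOCAL
id_provider = ipa
ipa_hostname = 192-168-0-110.local
sudo_provider = ldap
ldap_sasl_mech = GSSAPI'

# Principals in a `klist -kt` listing read from stdin, one per line, deduped.
keytab_principals() {
    awk '$NF ~ /@/ { print $NF }' | sort -u
}

# Value of key $1 in sssd.conf-style text on stdin; empty when unset.
conf_value() {
    awk -F'=' -v k="$1" '
        $1 ~ ("^[ \t]*" k "[ \t]*$") {
            v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit
        }'
}

# Identity sssd presents in the GSSAPI bind: explicit ldap_sasl_authid if set,
# otherwise host/<ipa_hostname>@<krb5_realm> (assumed sssd-ipa default).
expected_authid() {
    conf=$1
    authid=$(printf '%s\n' "$conf" | conf_value ldap_sasl_authid)
    if [ -z "$authid" ]; then
        host=$(printf '%s\n' "$conf" | conf_value ipa_hostname)
        realm=$(printf '%s\n' "$conf" | conf_value krb5_realm)
        authid="host/$host@$realm"
    fi
    printf '%s\n' "$authid"
}

# Return 0 when the expected authid is in the keytab listing, 1 otherwise.
check_authid() {
    conf=$1; klist_out=$2
    authid=$(expected_authid "$conf")
    if printf '%s\n' "$klist_out" | keytab_principals | grep -qxF "$authid"; then
        echo "OK: $authid is present in the keytab"
        return 0
    fi
    echo "MISSING: $authid is not in the keytab. Principals present:"
    printf '%s\n' "$klist_out" | keytab_principals
    return 1
}

# Demo on the constructed inputs. On a real client run instead:
#   check_authid "$(cat /etc/sssd/sssd.conf)" "$(klist -kt /etc/krb5.keytab)"
for c in "$BROKEN_CONF" "$FIXED_CONF"; do
    check_authid "$c" "$SAMPLE_KLIST" || echo "-> ldap_child would fail its GSSAPI bind with this config"
done
```

The check only tells you whether the principal name sssd asks for is in the keytab; it says nothing about whether the key itself is current. If the name matches but the bind still fails, the KVNO in `klist -kt` against the server's copy is the next thing to compare, and re-enrolling the client as suggested above resets both.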
