[Freeipa-users] freeIPA client sudo / sssd setup
Mark Gardner
maleko42 at gmail.com
Tue Apr 8 19:17:21 UTC 2014
I know I'm missing something simple. But I just can't get this ipa client
to accept any sudo rules.
-sh-4.1$ sudo -l
[sudo] password for testadm@domain.com:
User testadm@domain.com is not allowed to run sudo on cypress.
-sh-4.1$ id
uid=11659(testadm@domain.com) gid=11659(testadm@domain.com) groups=11659(testadm@domain.com),160400007(ad_klasadm) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ kinit admin
Password for admin@HOSTED.DOMAIN.COM:
-sh-4.1$ ipa sudorule-show operations
Rule name: operations
Description: KLAS / System Admins
Enabled: TRUE
Command category: all
Users: localadm
User Groups: ad_operations, ad_operations_external, ad_klasadm, ad_klasadm_external
/var/log/sssd/sssd_sudo.log
(Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [testadm] from [DOMAIN.COM]
(Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [testadm@DOMAIN.COM]
(Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [testadm@DOMAIN.COM]
(Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [testadm@DOMAIN.COM] from [DOMAIN.COM]
(Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=testadm@DOMAIN.COM)(sudoUser=#11659)(sudoUser=%ad_klasadm)(sudoUser=+*))(&(dataExpireTimestamp<=1396984126)))]
(Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=testadm@DOMAIN.COM)(sudoUser=#11659)(sudoUser=%ad_klasadm)(sudoUser=+*)))]
(Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [testadm@DOMAIN.COM]
(Tue Apr 8 15:08:46 2014) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
[root@cypress etc]# cat nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files sss
shadow: files sss
group: files sss
sudoers: files sss
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files
aliases: files nisplus
[root@cypress etc]# cd sssd
[root@cypress sssd]# ls
sssd.conf sssd.conf.deleted sssd.conf.sv
[root@cypress sssd]# cat sssd.conf
[domain/hosted.domain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = hosted.domain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = cypress.hosted.domain.com
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa.hosted.domain.com
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level=6
#
# sudo integration
#
sudo_provider = ldap
ldap_uri = ldap://ipa.hosted.domain.com
ldap_sudo_search_base = ou=sudoers,dc=hosted,dc=domain,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/cypress.hosted.domain.com
ldap_sasl_realm = HOSTED.DOMAIN.COM
krb5_server = ipa.hosted.domain.com
[sssd]
services = nss, pam, ssh, pac, sudo
config_file_version = 2
domains = hosted.domain.com
debug_level=6
[nss]
[pam]
[sudo]
debug_level=6
[autofs]
[ssh]
[pac]
[root@cypress sssd]#
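As an added example (not the poster's code and not part of FreeIPA or SSSD), the script below does offline what a reader of this thread would do by hand: it pulls the sudoUser alternatives out of the "Searching sysdb with" filter in sssd_sudo.log, parses the `ipa sudorule-show` output, and reports whether the rule matches on the user side and whether it is scoped to the client host at all. The sample log line and rule text are transcribed from the post above (with the archive's " at " restored to "@"). The field labels "User category", "Host category", "Hosts" and "Host Groups" are assumed to follow the same "Key: value" form as the "Command category" line shown in the post; the post's rule output lists no host fields, which is exactly the condition the host-side check flags.

```python
"""Offline cross-check of an IPA sudo rule against the sudoUser terms SSSD searched for."""
import re

# Constructed sample: the sysdb filter line from the post's sssd_sudo.log,
# rejoined on one line (the list archive wrapped it and rewrote '@' as ' at ').
SAMPLE_LOG = (
    "(Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] "
    "(0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)"
    "(sudoUser=testadm@DOMAIN.COM)(sudoUser=#11659)(sudoUser=%ad_klasadm)"
    "(sudoUser=+*)))]"
)

# Constructed sample: the `ipa sudorule-show operations` output from the post.
SAMPLE_RULE = """\
Rule name: operations
Description: KLAS / System Admins
Enabled: TRUE
Command category: all
Users: localadm
User Groups: ad_operations, ad_operations_external, ad_klasadm,
ad_klasadm_external
"""

# Fields that sudorule-show prints as comma-separated lists (labels assumed).
LIST_FIELDS = ("Users", "User Groups", "Hosts", "Host Groups",
               "Commands", "Command Groups")


def sudo_user_terms(log_text):
    """Collect the sudoUser values SSSD put into its sysdb filter, keyed by kind.

    sudoers syntax: ALL, a user name, #uid, %group, +netgroup.
    """
    terms = {"all": False, "user": set(), "uid": set(),
             "group": set(), "netgroup": set()}
    for value in re.findall(r"\(sudoUser=([^()]+)\)", log_text):
        if value == "ALL":
            terms["all"] = True
        elif value.startswith("#"):
            terms["uid"].add(value[1:])
        elif value.startswith("%"):
            terms["group"].add(value[1:])
        elif value.startswith("+"):
            terms["netgroup"].add(value[1:])
        else:
            terms["user"].add(value)
    return terms


def parse_sudorule_show(text):
    """Parse 'Key: value' lines; a line without ': ' continues the previous value."""
    rule, last_key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ": " in line:
            last_key, value = line.split(": ", 1)
            rule[last_key] = value
        elif last_key is not None:
            rule[last_key] += " " + line  # wrapped continuation line
    for key in LIST_FIELDS:
        if key in rule:
            rule[key] = [v.strip() for v in rule[key].split(",") if v.strip()]
    return rule


def check_rule(rule, terms, fqdn):
    """Explain whether `rule` can grant the identity behind `terms` sudo on `fqdn`."""
    short = fqdn.split(".")[0]
    findings = []
    if rule.get("Enabled", "").upper() != "TRUE":
        findings.append("rule is disabled")

    # User side: the same alternatives the sysdb filter expresses.
    short_users = {u.split("@")[0] for u in terms["user"]}
    matched_users = set(rule.get("Users", [])) & short_users
    matched_groups = set(rule.get("User Groups", [])) & terms["group"]
    user_ok = (rule.get("User category") == "all"
               or bool(matched_users) or bool(matched_groups))
    if not user_ok:
        findings.append("neither the user nor any of its groups is in the rule")

    # Host side: the filter in the log says nothing about it, so it is easy to miss.
    hosts = rule.get("Hosts", [])
    if rule.get("Host category") == "all" or fqdn in hosts or short in hosts:
        host_ok = True
    elif rule.get("Host Groups"):
        host_ok = None  # needs a host group lookup; cannot be decided offline
        findings.append("host scope depends on host group membership")
    else:
        host_ok = False
        findings.append("rule lists no hosts and no host category, "
                        "so it cannot apply to " + fqdn)

    return {"user_ok": user_ok, "host_ok": host_ok,
            "matched_users": matched_users, "matched_groups": matched_groups,
            "findings": findings}


if __name__ == "__main__":
    result = check_rule(parse_sudorule_show(SAMPLE_RULE),
                        sudo_user_terms(SAMPLE_LOG), "cypress.hosted.domain.com")
    for key, value in result.items():
        print(f"{key}: {value}")
```

On real input, feed it the whole of /var/log/sssd/sssd_sudo.log and the rule output for each rule in `ipa sudorule-find`; the `sysdb_search_group_by_gid: No such entry` lines in the log are not interpreted by this script and still have to be read on their own.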