[Freeipa-users] freeIPA client sudo / sssd setup

Mark Gardner maleko42 at gmail.com
Tue Apr 8 19:17:21 UTC 2014


I know I'm missing something simple, but I just can't get this IPA client
to accept any sudo rules.

-sh-4.1$ sudo -l
[sudo] password for testadm at domain.com:
User testadm at domain.com is not allowed to run sudo on cypress.
-sh-4.1$ id
uid=11659(testadm at domain.com) gid=11659(testadm at domain.com)
groups=11659(testadm at domain.com),160400007(ad_klasadm)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-sh-4.1$ kinit admin
Password for admin at HOSTED.DOMAIN.COM:
-sh-4.1$ ipa sudorule-show operations
  Rule name: operations
  Description: KLAS / System Admins
  Enabled: TRUE
  Command category: all
  Users: localadm
  User Groups: ad_operations, ad_operations_external, ad_klasadm,
               ad_klasadm_external

/var/log/sssd/sssd_sudo.log
(Tue Apr  8 15:08:46 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting rules for [testadm] from [DOMAIN.COM]
(Tue Apr  8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [testadm at DOMAIN.COM]
(Tue Apr  8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [testadm at DOMAIN.COM]
(Tue Apr  8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving rules for [testadm at DOMAIN.COM] from [DOMAIN.COM]
(Tue Apr  8 15:08:46 2014) [sssd[sudo]] [sysdb_search_group_by_gid]
(0x0400): No such entry
(Tue Apr  8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
testadm at DOMAIN.COM
)(sudoUser=#11659)(sudoUser=%ad_klasadm)(sudoUser=+*))(&(dataExpireTimestamp<=1396984126)))]
(Tue Apr  8 15:08:46 2014) [sssd[sudo]] [sysdb_search_group_by_gid]
(0x0400): No such entry
(Tue Apr  8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=testadm at DOMAIN.COM
)(sudoUser=#11659)(sudoUser=%ad_klasadm)(sudoUser=+*)))]
(Tue Apr  8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 1 rules for [testadm at DOMAIN.COM]
(Tue Apr  8 15:08:46 2014) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!


[root at cypress etc]# cat nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files sss
shadow:     files sss
group:      files sss
sudoers:    files sss

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files
aliases:    files nisplus

[root at cypress etc]# cd sssd
[root at cypress sssd]# ls
sssd.conf  sssd.conf.deleted  sssd.conf.sv
[root at cypress sssd]# cat sssd.conf
[domain/hosted.domain.com]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = hosted.domain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = cypress.hosted.domain.com
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa.hosted.domain.com
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level=6

#
# sudo integration
#
sudo_provider = ldap
ldap_uri = ldap://ipa.hosted.domain.com
ldap_sudo_search_base = ou=sudoers,dc=hosted,dc=domain,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/cypress.hosted.domain.com
ldap_sasl_realm = HOSTED.DOMAIN.COM
krb5_server = ipa.hosted.domain.com


[sssd]
services = nss, pam, ssh, pac, sudo
config_file_version = 2
domains = hosted.domain.com
debug_level=6

[nss]


[pam]


[sudo]
debug_level=6

[autofs]

[ssh]


[pac]

[root at cypress sssd]#