[Freeipa-users] freeIPA client sudo / sssd setup

Genadi Postrilko genadipost at gmail.com
Tue Apr 8 19:30:47 UTC 2014


Have you installed libsss_sudo?
Try to follow the instructions here:
https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html
and
http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf


2014-04-08 22:17 GMT+03:00 Mark Gardner <maleko42 at gmail.com>:

> I know I'm missing something simple.  But I just can't get this ipa client
> to accept any sudo rules.
>
> -sh-4.1$ sudo -l
> [sudo] password for testadm at domain.com:
> User testadm at domain.com is not allowed to run sudo on cypress.
> -sh-4.1$ id
> uid=11659(testadm at domain.com) gid=11659(testadm at domain.com)
> groups=11659(testadm at domain.com),160400007(ad_klasadm)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> -sh-4.1$ kinit admin
> Password for admin at HOSTED.DOMAIN.COM:
> -sh-4.1$ ipa sudorule-show operations
>   Rule name: operations
>   Description: KLAS / System Admins
>   Enabled: TRUE
>   Command category: all
>   Users: localadm
>   User Groups: ad_operations, ad_operations_external, ad_klasadm,
>                ad_klasadm_external
>
> /var/log/sssd/sssd_sudo.log
> (Tue Apr  8 15:08:46 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
> (0x0200): Requesting rules for [testadm] from [DOMAIN.COM]
> (Tue Apr  8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200):
> Requesting info about [testadm at DOMAIN.COM]
> (Tue Apr  8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400):
> Returning info for user [testadm at DOMAIN.COM]
> (Tue Apr  8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
> Retrieving rules for [testadm at DOMAIN.COM] from [DOMAIN.COM]
> (Tue Apr  8 15:08:46 2014) [sssd[sudo]] [sysdb_search_group_by_gid]
> (0x0400): No such entry
> (Tue Apr  8 15:08:46 2014) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=testadm at DOMAIN.COM)(sudoUser=#11659)(sudoUser=%ad_klasadm)(sudoUser=+*))(&(dataExpireTimestamp<=1396984126)))]
> (Tue Apr  8 15:08:46 2014) [sssd[sudo]] [sysdb_search_group_by_gid]
> (0x0400): No such entry
> (Tue Apr  8 15:08:46 2014) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=testadm at DOMAIN.COM)(sudoUser=#11659)(sudoUser=%ad_klasadm)(sudoUser=+*)))]
> (Tue Apr  8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
> (0x0400): Returning 1 rules for [testadm at DOMAIN.COM]
> (Tue Apr  8 15:08:46 2014) [sssd[sudo]] [client_recv] (0x0200): Client
> disconnected!
>
>
> [root at cypress etc]# cat nsswitch.conf
> #
> # /etc/nsswitch.conf
> #
> # An example Name Service Switch config file. This file should be
> # sorted with the most-used services at the beginning.
> #
> # The entry '[NOTFOUND=return]' means that the search for an
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Valid entries include:
> #
> #       nisplus                 Use NIS+ (NIS version 3)
> #       nis                     Use NIS (NIS version 2), also called YP
> #       dns                     Use DNS (Domain Name Service)
> #       files                   Use the local files
> #       db                      Use the local database (.db) files
> #       compat                  Use NIS on compat mode
> #       hesiod                  Use Hesiod for user lookups
> #       [NOTFOUND=return]       Stop searching if not found so far
> #
>
> # To use db, put the "db" in front of "files" for entries you want to be
> # looked up first in the databases
> #
> # Example:
> #passwd:    db files nisplus nis
> #shadow:    db files nisplus nis
> #group:     db files nisplus nis
>
> passwd:     files sss
> shadow:     files sss
> group:      files sss
> sudoers:    files sss
>
> #hosts:     db files nisplus nis dns
> hosts:      files dns
>
> # Example - obey only what nisplus tells us...
> #services:   nisplus [NOTFOUND=return] files
> #networks:   nisplus [NOTFOUND=return] files
> #protocols:  nisplus [NOTFOUND=return] files
> #rpc:        nisplus [NOTFOUND=return] files
> #ethers:     nisplus [NOTFOUND=return] files
> #netmasks:   nisplus [NOTFOUND=return] files
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files sss
>
> netgroup:   files sss
>
> publickey:  nisplus
>
> automount:  files
> aliases:    files nisplus
>
> [root at cypress etc]# cd sssd
> [root at cypress sssd]# ls
> sssd.conf  sssd.conf.deleted  sssd.conf.sv
> [root at cypress sssd]# cat sssd.conf
> [domain/hosted.domain.com]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = hosted.domain.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = cypress.hosted.domain.com
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, ipa.hosted.domain.com
> ldap_tls_cacert = /etc/ipa/ca.crt
> debug_level=6
>
> #
> # sudo integration
> #
> sudo_provider = ldap
> ldap_uri = ldap://ipa.hosted.domain.com
> ldap_sudo_search_base = ou=sudoers,dc=hosted,dc=domain,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/cypress.hosted.domain.com
> ldap_sasl_realm = HOSTED.DOMAIN.COM
> krb5_server = ipa.hosted.domain.com
>
>
> [sssd]
> services = nss, pam, ssh, pac, sudo
> config_file_version = 2
> domains = hosted.domain.com
> debug_level=6
>
> [nss]
>
>
> [pam]
>
>
> [sudo]
> debug_level=6
>
> [autofs]
>
> [ssh]
>
>
> [pac]
>
> [root at cypress sssd]#
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
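As an added illustration (not code from either poster, and not part of SSSD or FreeIPA), the script below checks the three client-side pieces this thread revolves around: that `[sssd] services` lists `sudo`, that the domain section carries a `sudo_provider` (and a search base when the provider is `ldap`), and that the `sudoers` line in nsswitch.conf includes `sss`. It also pulls the "Returning N rules for [user]" counts and the `sysdb_search_group_by_gid` cache misses out of `sssd_sudo.log`. The sample configs and log lines are constructed, modelled on the ones quoted above with the mail wrapping undone; the section and option names are the ones that appear in the quoted sssd.conf, and the file parsing assumes sssd.conf is plain INI as Python's `configparser` reads it.

```python
import configparser
import re
from typing import Dict, List

# Constructed sample, trimmed from the sssd.conf quoted in the thread.
SSSD_CONF = """\
[domain/hosted.domain.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = hosted.domain.com
ipa_hostname = cypress.hosted.domain.com
ipa_server = _srv_, ipa.hosted.domain.com
sudo_provider = ldap
ldap_uri = ldap://ipa.hosted.domain.com
ldap_sudo_search_base = ou=sudoers,dc=hosted,dc=domain,dc=com
ldap_sasl_mech = GSSAPI
debug_level=6

[sssd]
services = nss, pam, ssh, pac, sudo
config_file_version = 2
domains = hosted.domain.com

[sudo]
debug_level=6
"""

# Constructed sample, the relevant lines of the quoted nsswitch.conf.
NSSWITCH_CONF = """\
passwd:     files sss
shadow:     files sss
group:      files sss
sudoers:    files sss
hosts:      files dns
netgroup:   files sss
"""

# Constructed sample, three of the quoted sssd_sudo.log lines re-joined.
SUDO_LOG = """\
(Tue Apr  8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [testadm at DOMAIN.COM] from [DOMAIN.COM]
(Tue Apr  8 15:08:46 2014) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Tue Apr  8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [testadm at DOMAIN.COM]
"""


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each nsswitch database name to its ordered list of sources."""
    db: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line or ":" not in line:
            continue
        name, sources = line.split(":", 1)
        db[name.strip()] = sources.split()
    return db


def check_sudo_integration(sssd_text: str, nsswitch_text: str) -> List[str]:
    """Return a list of configuration problems; an empty list means all checks passed."""
    problems: List[str] = []
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_text)

    services = [s.strip() for s in cfg.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        problems.append("[sssd] services does not list 'sudo'")

    domains = [d.strip() for d in cfg.get("sssd", "domains", fallback="").split(",") if d.strip()]
    for dom in domains:
        sect = f"domain/{dom}"
        if not cfg.has_section(sect):
            problems.append(f"no [{sect}] section for domain listed in [sssd]")
            continue
        if not cfg.has_option(sect, "sudo_provider"):
            problems.append(f"[{sect}] has no sudo_provider")
        elif cfg.get(sect, "sudo_provider") == "ldap" and not cfg.has_option(sect, "ldap_sudo_search_base"):
            problems.append(f"[{sect}] sudo_provider is ldap but ldap_sudo_search_base is missing")

    if "sss" not in parse_nsswitch(nsswitch_text).get("sudoers", []):
        problems.append("nsswitch.conf: 'sudoers' line does not include 'sss'")
    return problems


RULES_RE = re.compile(
    r"\[sudosrv_get_sudorules_from_cache\] \(0x[0-9a-fA-F]+\): Returning (\d+) rules for \[([^\]]+)\]"
)


def rules_returned(log_text: str) -> Dict[str, int]:
    """Map each user named in a 'Returning N rules' line to the most recent N."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        m = RULES_RE.search(line)
        if m:
            counts[m.group(2)] = int(m.group(1))
    return counts


def group_lookup_misses(log_text: str) -> int:
    """Count sysdb group-by-gid lookups that reported 'No such entry'."""
    return sum(1 for l in log_text.splitlines()
               if "[sysdb_search_group_by_gid]" in l and "No such entry" in l)


if __name__ == "__main__":
    for p in check_sudo_integration(SSSD_CONF, NSSWITCH_CONF) or ["no configuration problems found"]:
        print(p)
    print("rules returned:", rules_returned(SUDO_LOG))
    print("group cache misses:", group_lookup_misses(SUDO_LOG))
```

Run it against the quoted configuration and the checks pass, which matches the thread: the client is wired up, and the log shows the responder answering the request with a single rule. Point the functions at the real `/etc/sssd/sssd.conf`, `/etc/nsswitch.conf` and `/var/log/sssd/sssd_sudo.log` on a client to apply the same checks there.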