[Freeipa-users] sudo with freeIPA
Megan .
nagemnna at gmail.com
Mon Aug 25 10:51:27 UTC 2014
Good Morning,
I'm very new to FreeIPA. I'm running CentOS 6.5 with FreeIPA v3.
I have the FreeIPA server up, but I'm working on getting sudo
configured. Currently I'm having problems getting sudo commands to
work on the client. I'm a bit unclear if I have everything configured
correctly. The only thing that I can figure out might be an issue is
that when I try the sudo command I see a filter search with
objectclass=sudoRule, but when I check the LDAP server it has
objectclass=sudoRole, so there are no results.
Any ideas? Thank you in advance for any advice.
[tuser2 at map1 ~]$ sudo /sbin/iptables -L
Enter RSA PIN+token:
tuser2 is not allowed to run sudo on map1. This incident will be reported.
CLIENT:
yum installed libsss_sudo
I added "nisdomainname dir1.server.example.com" to /etc/rc.d/rc.local
**still not sure what this is for**
Created a sudo user on the LDAP server:
ldappasswd -x -S -W -h dir1.server.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=server,dc=example,dc=com
[root at map1 sssd]# cat /etc/nsswitch.conf
#
passwd: files sss
shadow: files sss
group: files sss
sudoers: files sss
sudoers_debug: 1
#sudoers: files
hosts: files dns
bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: files
automount: files ldap
aliases: files
[root at map1 sssd]#
[root at map1 sssd]# cat sssd.conf
[domain/server.example.com]
debug_level = 5
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = server.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = map1.server.example.com
chpass_provider = ipa
ipa_server = _srv_, dir1.server.example.com
ldap_netgroup_search_base = cn=ng,cn=compat,dc=server,dc=example,dc=com
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_uri = ldap://dir1.server.example.com
ldap_sudo_search_base = ou=sudoers,dc=server,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/dir1.server.example.com
ldap_sasl_realm = server.example.com
krb5_server = dir1.server.example.com
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = server.example.com
[nss]
[pam]
[sudo]
debug_level=5
[autofs]
[ssh]
[pac]
From sssd_sudo.log:
(Mon Aug 25 10:36:31 2014) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*))(&(dataExpireTimestamp<=1408962991)))]
(Mon Aug 25 10:36:31 2014) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*)))]
(Mon Aug 25 10:36:33 2014) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!
[root at dir1 ~]# !ldaps
ldapsearch -h dir1.server.example.com -x -D "cn=Directory Manager" -W
-b "dc=server,dc=example,dc=com" 'objectclass=sudoRole'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=server,dc=example,dc=com> with scope subtree
# filter: objectclass=sudoRole
# requesting: ALL
#
# test, sudoers, server.example.com
dn: cn=test,ou=sudoers,dc=server,dc=example,dc=com
objectClass: sudoRole
sudoUser: megan2
sudoUser: tuser2
sudoHost: map1.server.example.com
sudoCommand: /sbin/iptables -L
sudoCommand: /home/tuser1/test.sh
sudoCommand: test2.sh
cn: test
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root at dir1 ~]# ldapsearch -h dir1.server.example.com -x -D
"cn=Directory Manager" -W -b "dc=server,dc=example,dc=com"
'objectclass=sudoRule'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=server,dc=example,dc=com> with scope subtree
# filter: objectclass=sudoRule
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
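An added example, not part of the original post and not FreeIPA or SSSD code, for checking the client-side settings that decide whether the sudo rule fetch above can work at all. Two facts it relies on: the GSSAPI bind that SSSD performs for `sudo_provider = ldap` uses `ldap_sasl_authid@ldap_sasl_realm`, which has to be a principal present in the client's own keytab (so `host/<ipa_hostname>` with an upper-case realm); and SSSD stores the rules it fetched in its sysdb cache under objectClass=sudoRule, so the `objectClass=sudoRule` filter in sssd_sudo.log is the cache lookup, while the directory entries correctly carry sudoRole. The script copies the sudo-related values from the posted sssd.conf into a constructed file, pairs it with a constructed `klist -k` listing (the realm SERVER.EXAMPLE.COM and the keytab contents are assumptions; the post never shows them), and runs the same checks against a corrected copy. The `ldapsearch` it prints fetches, by hand and with the directory's own object class, what SSSD would fetch for the user shown in the log.

```shell
#!/bin/sh
# Added example, not from the original post or the FreeIPA project: static
# checks on the sudo-related settings of an SSSD client, run against
# constructed copies of the config and of the client's keytab listing.

# Print the value of KEY from the [domain/...] section of an sssd.conf file.
sssd_get() {   # sssd_get KEY FILE
    awk -v k="$1" '
        /^\[/ { insec = ($0 ~ /^\[domain\//); next }
        insec {
            i = index($0, "="); if (i == 0) next
            key = substr($0, 1, i - 1); gsub(/[ \t]/, "", key)
            if (key == k) {
                v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$2"
}

# 0 when ldap_sasl_authid is host/<ipa_hostname>: the GSSAPI bind for the
# sudo rule fetch must use the client's own host principal, not the server's.
authid_matches_host() {   # authid_matches_host CONF
    [ "$(sssd_get ldap_sasl_authid "$1")" = "host/$(sssd_get ipa_hostname "$1")" ]
}

# 0 when ldap_sasl_realm is all upper case (Kerberos realm names are case
# sensitive, and IPA realms are upper case).
realm_is_upper() {   # realm_is_upper CONF
    r=$(sssd_get ldap_sasl_realm "$1")
    [ -n "$r" ] && [ "$r" = "$(printf '%s' "$r" | tr '[:lower:]' '[:upper:]')" ]
}

# 0 when "<ldap_sasl_authid>@<ldap_sasl_realm>" is listed in a `klist -k`
# dump of the client keytab; otherwise the SASL/GSSAPI bind cannot succeed.
authid_in_keytab() {   # authid_in_keytab CONF KLIST_OUT
    p="$(sssd_get ldap_sasl_authid "$1")@$(sssd_get ldap_sasl_realm "$1")"
    awk -v p="$p" '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 } END { exit !found }' "$2"
}

# Print an ldapsearch that fetches the same rules SSSD would for one user.
# The directory class is sudoRole; SSSD stores what it fetched in its sysdb
# cache as sudoRule, which is why sssd_sudo.log shows objectClass=sudoRule.
sudo_rule_query() {   # sudo_rule_query CONF USER UID [GROUP...]
    conf=$1; user=$2; uid=$3; shift 3
    f="(|(sudoUser=ALL)(sudoUser=$user)(sudoUser=#$uid)"
    for g in "$@"; do f="$f(sudoUser=%$g)"; done
    f="$f(sudoUser=+*))"
    printf 'ldapsearch -Y GSSAPI -H %s -b %s "(&(objectClass=sudoRole)%s)"\n' \
        "$(sssd_get ldap_uri "$conf")" "$(sssd_get ldap_sudo_search_base "$conf")" "$f"
}

report() {   # report CONF KLIST_OUT
    printf '%s\n' "$1:"
    authid_matches_host "$1" && echo "  ok:  ldap_sasl_authid is host/<ipa_hostname>" ||
        echo "  BAD: ldap_sasl_authid is not the client's own host principal"
    realm_is_upper "$1" && echo "  ok:  ldap_sasl_realm is upper case" ||
        echo "  BAD: ldap_sasl_realm is not upper case"
    authid_in_keytab "$1" "$2" && echo "  ok:  SASL principal is in the keytab" ||
        echo "  BAD: SASL principal is not in the keytab; the GSSAPI bind will fail"
    echo "  fetch rules by hand: $(sudo_rule_query "$1" tuser2 1079600005 tuser2)"
}

tmp=$(mktemp -d)   # files are left in place so they can be inspected

# Constructed excerpt of the posted client config: the sudo-related values, unchanged.
cat > "$tmp/sssd.conf" <<'EOF'
[domain/server.example.com]
ipa_hostname = map1.server.example.com
sudo_provider = ldap
ldap_uri = ldap://dir1.server.example.com
ldap_sudo_search_base = ou=sudoers,dc=server,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/dir1.server.example.com
ldap_sasl_realm = server.example.com
[sssd]
services = nss, pam, ssh, sudo
EOF

# Constructed `klist -k` output as ipa-client-install leaves it on map1; the
# realm SERVER.EXAMPLE.COM is an assumption, the post never names it.
cat > "$tmp/klist.out" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/map1.server.example.com@SERVER.EXAMPLE.COM
EOF

# Same config with the two values corrected (assumed fix, to be confirmed
# against `klist -k` on the real client).
sed -e 's|^ldap_sasl_authid = .*|ldap_sasl_authid = host/map1.server.example.com|' \
    -e 's|^ldap_sasl_realm = .*|ldap_sasl_realm = SERVER.EXAMPLE.COM|' \
    "$tmp/sssd.conf" > "$tmp/sssd.fixed.conf"

report "$tmp/sssd.conf" "$tmp/klist.out"
report "$tmp/sssd.fixed.conf" "$tmp/klist.out"
```

On a real client, run `klist -k` as root to get the listing instead of the constructed one, and after changing sssd.conf clear the cache (`sss_cache -E`) and restart sssd before retrying `sudo -l`, or the old (empty) cached result is served again. The `nisdomainname` line in rc.local is unrelated to the bind: it sets the NIS domain that sudo's netgroup matching (the `+*` sudoUser and `+name` sudoHost forms) needs, and without it rules that reach the client through netgroups do not match.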