[Freeipa-users] sudo with freeIPA

Martin Kosek mkosek@redhat.com
Mon Aug 25 11:03:28 UTC 2014


On 08/25/2014 12:51 PM, Megan . wrote:
> Good Morning,
> 
> I'm very new to FreeIPA.

Welcome on board!

> I'm running CentOS 6.5 with FreeIPA v3
> 
> I have the FreeIPA server up but I'm working on getting sudo
> configured.  Currently I'm having problems getting sudo commands to
> work on the client.  I'm a bit unclear if I have everything configured
> correctly.  The only thing that I can figure out might be an issue is
> that when I try the sudo command I see a filter search with
> objectclass=sudoRule, but when I check the LDAP server it has
> objectclass=sudoRole, so there are no results.

According to
http://www.sudo.ws/sudoers.ldap.man.html

the objectclass in the schema should really read "sudoRole" (I know, it may be
confusing).

> Any ideas?  Thank you in advance for any advice.

Where do you see the filter?

> 
> [tuser2@map1 ~]$ sudo /sbin/iptables -L
> Enter RSA PIN+token:
> tuser2 is not allowed to run sudo on map1.  This incident will be reported.
> 
> 
> CLIENT:
> 
> yum installed libsss_sudo
> 
> I added "nisdomainname dir1.server.example.com" to /etc/rc.d/rc.local
> 
> **still not sure what this is for **

This is for setting the NIS domain permanently. sudo uses NIS domains when it
uses sudo rules with host groups instead of individual host names.

> Created a sudo user on the LDAP server
> ldappasswd -x -S -W -h dir1.server.example.com -ZZ -D "cn=Directory
> Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=server,dc=example,dc=com
> **
> 
> 
> [root@map1 sssd]# cat /etc/nsswitch.conf
> #
> passwd:     files sss
> shadow:     files sss
> group:      files sss
> sudoers:    files sss
> sudoers_debug: 1
> #sudoers:    files
> hosts:      files dns
> bootparams: files
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files sss
> netgroup:   files sss
> publickey:  files
> automount:  files ldap
> aliases:    files
> [root@map1 sssd]#
> 
> 
> 
> 
> 
> [root@map1 sssd]# cat sssd.conf
> [domain/server.example.com]
> 
> debug_level = 5
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = server.example.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = map1.server.example.com
> chpass_provider = ipa
> ipa_server = _srv_, dir1.server.example.com
> ldap_netgroup_search_base = cn=ng,cn=compat,dc=server,dc=example,dc=com
> ldap_tls_cacert = /etc/ipa/ca.crt
> 
> sudo_provider = ldap
> ldap_uri = ldap://dir1.server.example.com
> ldap_sudo_search_base = ou=sudoers,dc=server,dc=example,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/dir1.server.example.com
> ldap_sasl_realm = server.example.com
> krb5_server = dir1.server.example.com
> 
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> 
> domains = server.example.com
> [nss]
> 
> [pam]
> 
> [sudo]
> debug_level=5
> 
> [autofs]
> 
> [ssh]
> 
> [pac]
> 
> 
> 
> 
> from the sssd_sudo.log
> 
> (Mon Aug 25 10:36:31 2014) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*))(&(dataExpireTimestamp<=1408962991)))]
> (Mon Aug 25 10:36:31 2014) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*)))]
> (Mon Aug 25 10:36:33 2014) [sssd[sudo]] [client_recv] (0x0200): Client
> disconnected!

I do not understand why it searches with the "sudoRule" objectclass. According to
the sssd-ldap man page, ldap_sudorule_object_class should default to "sudoRole".
Jakub or Pavel, any idea?

> [root@dir1 ~]# !ldaps
> ldapsearch -h dir1.server.example.com  -x -D "cn=Directory Manager" -W
>  -b "dc=server,dc=example,dc=com"  'objectclass=sudoRole'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=server,dc=example,dc=com> with scope subtree
> # filter: objectclass=sudoRole
> # requesting: ALL
> #
> 
> # test, sudoers, server.example.com
> dn: cn=test,ou=sudoers,dc=server,dc=example,dc=com
> objectClass: sudoRole
> sudoUser: megan2
> sudoUser: tuser2
> sudoHost: map1.server.example.com
> sudoCommand: /sbin/iptables -L
> sudoCommand: /home/tuser1/test.sh
> sudoCommand: test2.sh
> cn: test
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> [root@dir1 ~]# ldapsearch -h dir1.server.example.com  -x -D
> "cn=Directory Manager" -W  -b "dc=server,dc=example,dc=com"
> 'objectclass=sudoRule'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=server,dc=example,dc=com> with scope subtree
> # filter: objectclass=sudoRule
> # requesting: ALL
> #
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 1
> 

I do not know the root cause, but Pavel or Jakub will be able to provide help.
BTW, FreeIPA 4.0+ enables sudo via SSSD's sudo provider automatically
(https://fedorahosted.org/freeipa/ticket/3358). This functionality will also be
available in RHEL-6.6.

Martin
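The objectClass filter, the sudoRole entry and the host-group/NIS-domain matching discussed in this message, as an added example (editor's code, not part of the thread and not code from FreeIPA, SSSD or sudo). Two points of context for reading it: the two sssd_sudo.log lines quoted above say "Searching sysdb", which is SSSD's local cache rather than the LDAP server, and sudoRule is the object class SSSD's cache uses internally for stored rules; the LDAP-side search is governed by ldap_sudorule_object_class, whose default is sudoRole as the man page says. The script reproduces, in Python, the sudoUser/sudoHost/sudoCommand matching rules of sudoers.ldap(5) and an innetgr(3)-style host-group check, so the quoted rule can be evaluated offline. Everything in it is constructed: the first LDIF entry copies the shape of the ldapsearch output above, while the second rule (admins-on-webservers), the webservers netgroup triple, the domain value server.example.com and the Client class are hypothetical.

```python
# Added example (not code from the thread, FreeIPA, SSSD or sudo): evaluate
# sudoers-LDAP rules (objectClass sudoRole) with the matching rules sudoers.ldap(5)
# describes. All data is constructed; the first rule copies the thread's entry.
from dataclasses import dataclass
from typing import Optional

SAMPLE_LDIF = """\
dn: cn=test,ou=sudoers,dc=server,dc=example,dc=com
objectClass: sudoRole
sudoUser: megan2
sudoUser: tuser2
sudoHost: map1.server.example.com
sudoCommand: /sbin/iptables -L
sudoCommand: /home/tuser1/test.sh
sudoCommand: test2.sh
cn: test

dn: cn=admins-on-webservers,ou=sudoers,dc=server,dc=example,dc=com
objectClass: sudoRole
sudoUser: %admins
sudoHost: +webservers
sudoCommand: ALL
cn: admins-on-webservers
"""

# Constructed (host, user, domain) triples, the form in which the IPA compat tree
# publishes host groups as netgroups; the domain field is compared with the
# client's NIS domain. "" in a triple field is a wildcard. Hypothetical values.
NETGROUPS = {"webservers": [("map1.server.example.com", "", "server.example.com")]}


@dataclass
class Client:
    """Hypothetical view of the invoking user and the host sudo runs on."""
    user: str
    uid: int
    groups: list
    host: str
    nis_domain: Optional[str] = None  # None models an unset NIS domain

def parse_ldif(text):
    """Split LDIF into entries; every attribute maps to its list of values."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(": ")
        cur.setdefault(attr, []).append(value)
    return entries + ([cur] if cur else [])

def search(entries, objectclass):
    """(objectClass=X) filter. Values compare case-insensitively, so sudoRole and
    sudorole are one class, but sudoRule is another name and matches nothing here."""
    wanted = objectclass.lower()
    return [e for e in entries
            if any(v.lower() == wanted for v in e.get("objectClass", []))]

def in_netgroup(name, host, nis_domain):
    """innetgr(3)-style host check: an empty triple field or a None argument
    matches anything; otherwise host and domain must match exactly."""
    return any(h in ("", host) and (d == "" or nis_domain is None or d == nis_domain)
               for h, _user, d in NETGROUPS.get(name, []))

def user_matches(values, c):
    """sudoUser forms: ALL, user name, #uid, %group (user netgroups omitted)."""
    return any(v in ("ALL", c.user)
               or (v.startswith("#") and v[1:] == str(c.uid))
               or (v.startswith("%") and v[1:] in c.groups)
               for v in values)

def host_matches(values, c):
    """sudoHost forms: ALL, FQDN or short host name, +netgroup."""
    return any(v in ("ALL", c.host, c.host.split(".")[0])
               or (v.startswith("+") and in_netgroup(v[1:], c.host, c.nis_domain))
               for v in values)

def command_matches(values, command):
    """sudoCommand is a fully qualified path, optionally followed by the exact
    argument string; a value with no arguments allows any arguments. A relative
    value such as 'test2.sh' can never equal a resolved path, so it never matches."""
    cpath, _, cargs = command.partition(" ")
    for v in values:
        if v == "ALL":
            return True
        path, _, args = v.partition(" ")
        if path.startswith("/") and path == cpath and args in ("", cargs):
            return True
    return False

def allowed(entries, c, command):
    """Return the cn of the first sudoRole that grants `command`, else None."""
    for rule in search(entries, "sudoRole"):
        if (user_matches(rule.get("sudoUser", []), c)
                and host_matches(rule.get("sudoHost", []), c)
                and command_matches(rule.get("sudoCommand", []), command)):
            return rule["cn"][0]
    return None
```

With the constructed data, `search(rules, "sudoRule")` is empty while `search(rules, "sudoRole")` returns both entries, mirroring the two ldapsearch runs above; `allowed(rules, tuser2, "/sbin/iptables -L")` returns "test" for tuser2 on map1, and the same user invoking `/sbin/iptables -F`, or running from another host, gets None. The second rule only grants on a host whose NIS domain equals the domain field of the netgroup triple (or is unset, which innetgr treats as a wildcard), which is the dependency on nisdomainname explained in the reply. The `(sudoUser=+*)` term in the logged cache filter is how SSSD fetches every netgroup-based sudoUser value so that netgroup membership can be evaluated on the client in the same way.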
