[Freeipa-users] sudo with freeIPA
Martin Kosek
mkosek at redhat.com
Mon Aug 25 11:03:28 UTC 2014
On 08/25/2014 12:51 PM, Megan . wrote:
> Good Morning,
>
> I'm very new to freeIPA.
Welcome on board!
> I'm running CentOS 6.5 with freeIPA v3
>
> I have the freeIPA server up but I'm working on getting SUDO
> configured. Currently I'm having problems getting sudo commands to
> work on the client. I'm a bit unclear if I have everything configured
> correctly. The only thing that I can figure out might be an issue is
> when I try the sudo command I see a filter search with
> objectclass=sudoRule but when I check the ldap server it has
> objectclass=sudoRole, so there are no results.
According to
http://www.sudo.ws/sudoers.ldap.man.html
the objectclass in the schema should really read "sudoRole" (I know, it may be
confusing).
> Any ideas? Thank you in advance for any advice.
Where do you see the filter?
>
> [tuser2 at map1 ~]$ sudo /sbin/iptables -L
> Enter RSA PIN+token:
> tuser2 is not allowed to run sudo on map1. This incident will be reported.
>
>
> CLIENT:
>
> yum installed libsss_sudo
>
> I added "nisdomainname dir1.server.example.com" to /etc/rc.d/rc.local
>
> **still not sure what this is for **
This is for setting the NIS domain permanently. sudo uses NIS domains when it
uses sudo rules with host groups instead of individual host names.
> Created a sudo user on ldap server
> ldappasswd -x -S -W -h dir1.server.example.com -ZZ -D "cn=Directory
> Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=server,dc=example,dc=com
> **
>
>
> [root at map1 sssd]# cat /etc/nsswitch.conf
> #
> passwd: files sss
> shadow: files sss
> group: files sss
> sudoers: files sss
> sudoers_debug: 1
> #sudoers: files
> hosts: files dns
> bootparams: files
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files sss
> netgroup: files sss
> publickey: files
> automount: files ldap
> aliases: files
> [root at map1 sssd]#
>
> [root at map1 sssd]# cat sssd.conf
> [domain/server.example.com]
>
> debug_level = 5
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = server.example.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = map1.server.example.com
> chpass_provider = ipa
> ipa_server = _srv_, dir1.server.example.com
> ldap_netgroup_search_base = cn=ng,cn=compat,dc=server,dc=example,dc=com
> ldap_tls_cacert = /etc/ipa/ca.crt
>
> sudo_provider = ldap
> ldap_uri = ldap://dir1.server.example.com
> ldap_sudo_search_base = ou=sudoers,dc=server,dc=example,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/dir1.server.example.com
> ldap_sasl_realm = server.example.com
> krb5_server = dir1.server.example.com
>
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
>
> domains = server.example.com
> [nss]
>
> [pam]
>
> [sudo]
> debug_level=5
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> from the sssd_sudo.log
>
> (Mon Aug 25 10:36:31 2014) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*))(&(dataExpireTimestamp<=1408962991)))]
> (Mon Aug 25 10:36:31 2014) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*)))]
> (Mon Aug 25 10:36:33 2014) [sssd[sudo]] [client_recv] (0x0200): Client
> disconnected!
I do not understand why it searches with "sudorule" objectclass. According to
sssd-ldap man page, ldap_sudorule_object_class should default to "sudoRole".
Jakub or Pavel, any idea?
> [root at dir1 ~]# !ldaps
> ldapsearch -h dir1.server.example.com -x -D "cn=Directory Manager" -W
> -b "dc=server,dc=example,dc=com" 'objectclass=sudoRole'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=server,dc=example,dc=com> with scope subtree
> # filter: objectclass=sudoRole
> # requesting: ALL
> #
>
> # test, sudoers, server.example.com
> dn: cn=test,ou=sudoers,dc=server,dc=example,dc=com
> objectClass: sudoRole
> sudoUser: megan2
> sudoUser: tuser2
> sudoHost: map1.server.example.com
> sudoCommand: /sbin/iptables -L
> sudoCommand: /home/tuser1/test.sh
> sudoCommand: test2.sh
> cn: test
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> [root at dir1 ~]# ldapsearch -h dir1.server.example.com -x -D
> "cn=Directory Manager" -W -b "dc=server,dc=example,dc=com"
> 'objectclass=sudoRule'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=server,dc=example,dc=com> with scope subtree
> # filter: objectclass=sudoRule
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
>
I do not know the root cause, but Pavel or Jakub will be able to provide help.
BTW, FreeIPA 4.0+ enables SUDO via SSSD's sudo provider automatically
(https://fedorahosted.org/freeipa/ticket/3358). This functionality will also be
available in RHEL-6.6.
Martin
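To sanity-check entries like the one returned by the ldapsearch above, here is an added Python example (not from this thread, FreeIPA or SSSD) that parses the LDIF, applies the sudoUser/sudoHost matching forms from the sudoers.ldap manual, and flags sudoCommand values that are not absolute paths. The sample entry is constructed in the shape of the posted one; the %wheel group is an assumption.

```python
# Constructed sample shaped like the ldapsearch output quoted above
# (not copied from the post; assumed group "wheel" added for illustration).
SAMPLE_LDIF = """\
dn: cn=test,ou=sudoers,dc=server,dc=example,dc=com
objectClass: sudoRole
sudoUser: megan2
sudoUser: tuser2
sudoUser: %wheel
sudoHost: map1.server.example.com
sudoCommand: /sbin/iptables -L
sudoCommand: test2.sh
cn: test
"""

def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attr: [values]} dicts."""
    entries, cur = [], {}
    for line in text.splitlines():
        if line.startswith("#"):          # ldapsearch comment lines
            continue
        if not line.strip():              # blank line ends an entry
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries

def rule_matches(rule, user, groups, host):
    """True if this sudoRole applies to user@host. Handles the common sudoUser
    forms ALL, <login> and %<group>; +netgroup entries are not evaluated here."""
    if "sudoRole" not in rule.get("objectClass", []):
        return False                      # wrong objectClass: never matches
    user_ok = any(u == "ALL" or u == user or (u.startswith("%") and u[1:] in groups)
                  for u in rule.get("sudoUser", []))
    host_ok = any(h in ("ALL", host) for h in rule.get("sudoHost", []))
    return user_ok and host_ok

def lint_commands(rule):
    """Return sudoCommand values that are not absolute paths: sudo only matches
    commands given by full path, so a bare 'test2.sh' never grants anything."""
    return [cmd for cmd in rule.get("sudoCommand", [])
            if cmd.split()[0] not in ("ALL", "sudoedit") and not cmd.startswith("/")]
```

Run it against a real `ldapsearch ... 'objectclass=sudoRole'` dump to see which rules would apply to a given user and host before debugging the client side.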