[Freeipa-users] sudo with freeIPA

Alexander Bokovoy abokovoy at redhat.com
Mon Aug 25 11:08:51 UTC 2014


On Mon, 25 Aug 2014, Martin Kosek wrote:
>On 08/25/2014 12:51 PM, Megan . wrote:
>> Good Morning,
>>
>> I'm very new to freeIPA.
>
>Welcome on board!
>
>> I'm running centOS 6.5 with freeIPA v3
>>
>> I have the freeIPA server up but I'm working on getting SUDO
>> configured.  Currently I'm having problems getting sudo commands to
>> work on the client.  I'm a bit unclear if I have everything configured
>> correctly.  The only thing that I can figure out might be an issue is
>> when I try the sudo command I see a filter search with
>> objectclass=sudoRule but when I check the ldap server it has
>> objectclass=sudoRole, so there are no results.
>
>According to
>http://www.sudo.ws/sudoers.ldap.man.html
>
>the objectclass in the schema should really read "sudoRole" (I know, may be
>confusing).
>
>> Any ideas?  Thank you in advance for any advice.
>
>Where do you see the filter?
>
>>
>> [tuser2 at map1 ~]$ sudo /sbin/iptables -L
>> Enter RSA PIN+token:
>> tuser2 is not allowed to run sudo on map1.  This incident will be reported.
>>
>>
>> CLIENT:
>>
>> yum installed libsss_sudo
>>
>> I added "nisdomainname dir1.server.example.com" to /etc/rc.d/rc.local
>>
>> **still not sure what this is for **
>
>This is for setting the NIS domain permanently. sudo uses NIS domains when it
>uses sudo rules with host groups instead of individual host names.
>
>> Created a sudo user on ldap server
>> ldappasswd -x -S -W -h dir1.server.example.com -ZZ -D "cn=Directory
>> Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=server,dc=example,dc=com
>> **
>>
>>
>> [root at map1 sssd]# cat /etc/nsswitch.conf
>> #
>> passwd:     files sss
>> shadow:     files sss
>> group:      files sss
>> sudoers:    files sss
>> sudoers_debug: 1
>> #sudoers:    files
>> hosts:      files dns
>> bootparams: files
>> ethers:     files
>> netmasks:   files
>> networks:   files
>> protocols:  files
>> rpc:        files
>> services:   files sss
>> netgroup:   files sss
>> publickey:  files
>> automount:  files ldap
>> aliases:    files
>> [root at map1 sssd]#
>>
>>
>>
>>
>>
>> [root at map1 sssd]# cat sssd.conf
>> [domain/server.example.com]
>>
>> debug_level = 5
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = server.example.com
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = map1.server.example.com
>> chpass_provider = ipa
>> ipa_server = _srv_, dir1.server.example.com
>> ldap_netgroup_search_base = cn=ng,cn=compat,dc=server,dc=example,dc=com
>> ldap_tls_cacert = /etc/ipa/ca.crt
>>
>> sudo_provider = ldap
>> ldap_uri = ldap://dir1.server.example.com
>> ldap_sudo_search_base = ou=sudoers,dc=server,dc=example,dc=com
>> ldap_sasl_mech = GSSAPI
>> ldap_sasl_authid = host/dir1.server.example.com
>> ldap_sasl_realm = server.example.com
>> krb5_server = dir1.server.example.com
>>
>> [sssd]
>> services = nss, pam, ssh, sudo
>> config_file_version = 2
>>
>> domains = server.example.com
>> [nss]
>>
>> [pam]
>>
>> [sudo]
>> debug_level=5
>>
>> [autofs]
>>
>> [ssh]
>>
>> [pac]
>>
>>
>>
>>
>> from the sssd_sudo.log
>>
>> (Mon Aug 25 10:36:31 2014) [sssd[sudo]]
>> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*))(&(dataExpireTimestamp<=1408962991)))]
>> (Mon Aug 25 10:36:31 2014) [sssd[sudo]]
>> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*)))]
>> (Mon Aug 25 10:36:33 2014) [sssd[sudo]] [client_recv] (0x0200): Client
>> disconnected!
>
>I do not understand why it searches with "sudorule" objectclass. According to
>sssd-ldap man page, ldap_sudorule_object_class should default to "sudoRole".
>Jakub or Pavel, any idea?
It is a search against SSSD's local cache, where the object class is
sudoRule. A correct entry for the search against the LDAP server should be in
sss_<domain>.log.

-- 
/ Alexander Bokovoy
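Added example (not from this thread, and not SSSD or FreeIPA code): a small Python check that pulls together the three things this exchange hinges on, using constructed copies of the thread's sssd.conf, nsswitch.conf and log lines. It confirms the sudo responder is enabled and which provider serves sudo rules (sssd.conf(5) documents sudo_provider falling back to id_provider), reads which sources nsswitch lists for the sudoers database, and classifies each logged search by where it went: an SSSD sysdb cache lookup (objectClass=sudoRule, the sssd_sudo.log line that caused the confusion above) versus a search sent to the LDAP server (objectClass=sudoRole). The third sample log line uses an assumed sss_<domain>.log format rather than one quoted in the thread.

```python
"""Sanity-check the pieces a sudo-via-SSSD setup needs, using constructed
copies of the files and log lines discussed in this thread."""
import configparser
import re

# Constructed sample: a trimmed sssd.conf in the shape shown in the thread.
SSSD_CONF = """\
[domain/server.example.com]
debug_level = 5
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = map1.server.example.com
ipa_server = _srv_, dir1.server.example.com
sudo_provider = ldap
ldap_uri = ldap://dir1.server.example.com
ldap_sudo_search_base = ou=sudoers,dc=server,dc=example,dc=com

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = server.example.com

[sudo]
debug_level=5
"""

# Constructed sample: the relevant nsswitch.conf lines (comment line included
# on purpose, to show it is ignored).
NSSWITCH = """\
passwd:     files sss
sudoers:    files sss
#sudoers:    files
netgroup:   files sss
"""

# Constructed sample log lines. The first two follow the sssd_sudo.log format
# quoted in the thread (a sysdb cache lookup, objectClass=sudoRule). The third
# is an ASSUMED sss_<domain>.log line for the search sent to the LDAP server
# (objectClass=sudoRole); its exact wording is not taken from the thread.
SUDO_LOG = """\
(Mon Aug 25 10:36:31 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=tuser2)(sudoUser=+*)))]
(Mon Aug 25 10:36:33 2014) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Mon Aug 25 10:36:31 2014) [sssd[server.example.com]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=sudoRole)(|(sudoUser=ALL)(sudoUser=tuser2)))][ou=sudoers,dc=server,dc=example,dc=com]
"""

OBJCLASS_RE = re.compile(r"objectClass=(\w+)")


def check_sssd_conf(text):
    """Return a list of problems; an empty list means the sudo-related
    settings look sane."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems = []
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        problems.append("sudo responder not listed in [sssd] services")
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    for dom in domains:
        sect = "domain/" + dom
        if not cp.has_section(sect):
            problems.append("no [%s] section for domain %s" % (sect, dom))
            continue
        # sssd.conf(5): sudo_provider defaults to the value of id_provider.
        provider = cp.get(sect, "sudo_provider",
                          fallback=cp.get(sect, "id_provider", fallback="none"))
        if provider == "none":
            problems.append("sudo_provider is 'none' in [%s]" % sect)
    return problems


def check_nsswitch(text):
    """Return the sources configured for the sudoers database, ignoring
    comment lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, sources = line.partition(":")
        if db.strip() == "sudoers":
            return sources.split()
    return []


def classify_searches(log_text):
    """For each log line carrying an LDAP-style filter, report where the search
    went ('sysdb' for the local cache, 'ldap' otherwise) and which objectClass
    the filter names. This is how to tell the cache lookup from the server
    search when reading the two logs side by side."""
    out = []
    for line in log_text.splitlines():
        m = OBJCLASS_RE.search(line)
        if not m:
            continue
        target = "sysdb" if "Searching sysdb" in line else "ldap"
        out.append((target, m.group(1)))
    return out


def summarize():
    """Collect all three checks in one dict."""
    return {
        "sssd_conf_problems": check_sssd_conf(SSSD_CONF),
        "sudoers_sources": check_nsswitch(NSSWITCH),
        "searches": classify_searches(SUDO_LOG),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(key, value)
```

Run against real files by reading /etc/sssd/sssd.conf, /etc/nsswitch.conf and the two logs into the three functions; a `sudoRule` filter that only ever appears next to "Searching sysdb" is the cache, and the objectClass to compare against the server's schema is the one in the sss_<domain>.log search.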
