[Freeipa-users] Freeipa-users Digest, Vol 74, Issue 70

Trevor T Kates (Services - 6) trevor.t.kates at dom.com
Mon Sep 15 15:10:01 UTC 2014


> Message: 1
> Date: Mon, 15 Sep 2014 13:06:33 +0200
> From: Daniel Kopecek <dkopecek at redhat.com>
> To: Jakub Hrozek <jhrozek at redhat.com>
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] FreeIPA, SSSD, sudo and Local Users
> Message-ID: <20140915130633.77047a43 at dhcp-2-122.brq.redhat.com>
> Content-Type: text/plain; charset=US-ASCII
> 
> Hello,
> 
> On Thu, 11 Sep 2014 16:12:40 +0200
> Jakub Hrozek <jhrozek at redhat.com> wrote:
> 
> > On Wed, Sep 10, 2014 at 09:58:27PM +0000, Trevor T Kates (Services -
> > 6) wrote:
> > > Hi all:
> > >
> > > I'm using FreeIPA 3.0 under CentOS 6.5 and I'm trying to solve a
> > > bit of a quirky problem. From what I've read thus far, sudo under
> > > SSSD can't provide sudo rules for local users that are not part of
> > > the directory. To get around this, I've been using the
> > > sudo-ldap.conf file to provide sudo with direct access to the
> > > directory. This, however, can't make use of service discovery, so
> > > if the first server in the ldap_uri list is taken down, sudo delays
> > > for the length of the timeout set. My idea for getting around this
> > > has been to use sudo in SSSD for users that are in the directory
> > > and let sudo-ldap take care of local users with a line in
> > > nsswitch.conf like this:
> > >
> > > sudoers: files sss ldap
> >
> > I think this is more of a sudo question and I'm not too familiar with
> > the sudo code to answer this question well. I added the sudo Fedora
> > maintainer to CC, maybe he has some ideas?
> >
> > >
> > > My problem now seems to be that the ldap query is still run even if
> > > a successful hit is made to sssd. Changing the line in
> > > nsswitch.conf to:
> > >
> > > sudoers: files sss [success=return] ldap
> 
> Yes, the "sudoers:" line is parsed by sudo and sudo does support the
> [SUCCESS=return] option. However, this applies only to queries for sudo
> rules.
> 
> Is the LDAP query you're talking about a query for sudo rules or for
> users/groups? Sources for the user and groups dbs are not handled by
> sudo. Sudo just uses the usual glibc calls and they may result in
> queries to ldap and sss too.

The LDAP query in question is a query for sudo rules. This can be seen
when setting sudoers_debug in /etc/sudo-ldap.conf and running sudo -l.
The query is run against sss and then ldap even when [SUCCESS=return] is
present between sss and ldap in /etc/nsswitch.conf. The users/groups dbs
are set to be handled by files/sss in /etc/nsswitch.conf.

> Dan K.

Thanks,

Trevor T. Kates

> > I don't think [success=return] will work here. Despite sudoers being
> > configured in nsswitch.conf, it's not actually a NSS map handled by
> > glibc. sudo itself parses the file.
> >
> > >
> > > doesn't seem to actually work.
> > >
> > > Does anyone have pointers on how I can resolve this particular
> > > problem?
> > >
> > > Thanks!
> > >
> > >
> > > Trevor T. Kates
> > > --
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go To http://freeipa.org for more info on the project
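To make the behaviour discussed in this thread concrete, here is a small Python model of how sudo walks the sources on its own "sudoers:" line. It is an added illustration, not code from the thread, from sudo or from SSSD: the resolvers and the rule data are constructed stand-ins, and the return actions follow what sudoers(5) documents (the thread confirms [SUCCESS=return]; [NOTFOUND=return] is the companion action). "Found" is simplified to "the source returned at least one rule for the user". With the plain `files sss ldap` line a directory user is looked up in both sss and ldap and gets every rule twice, which is the duplicate query the reporter observed; with `[SUCCESS=return]` after sss the walk stops there, while a purely local user still falls through to ldap.

```python
import re

# Constructed sample data (not real hosts or rules). "localadmin" exists only
# in the local passwd file, so SSSD cannot serve its sudo rules even though
# the rule itself lives in LDAP; that is the situation the thread describes.
DIRECTORY_USERS = {"ipauser"}
LDAP_SUDO_RULES = {
    "ipauser": ["ipauser ALL=(ALL) ALL"],
    "localadmin": ["localadmin ALL=(root) /usr/bin/systemctl"],
}
FILES_SUDO_RULES = {"root": ["root ALL=(ALL) ALL"]}

# Bracketed actions sudo accepts on its sudoers line (case-insensitive).
ACTION_RE = re.compile(r"^\[(success|notfound)=(return|continue)\]$", re.IGNORECASE)


def parse_sudoers_line(nsswitch_text):
    """Parse the 'sudoers:' entry of an nsswitch.conf body.

    Returns a list of (source, actions) pairs. A bracketed action such as
    [SUCCESS=return] is attached to the source that precedes it, which is how
    sudo applies it. If no sudoers line exists, sudo uses 'files' only.
    """
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.lower().startswith("sudoers:"):
            continue
        entries = []
        for tok in line.split(":", 1)[1].split():
            m = ACTION_RE.match(tok)
            if m is None:
                entries.append((tok.lower(), {}))
            elif not entries:
                raise ValueError("action %r precedes any source" % tok)
            else:
                entries[-1][1][m.group(1).lower()] = m.group(2).lower()
        return entries
    return [("files", {})]


def files_resolver(user):
    # Local /etc/sudoers stand-in.
    return list(FILES_SUDO_RULES.get(user, []))


def sss_resolver(user):
    # SSSD only returns rules for users it knows from the directory.
    if user not in DIRECTORY_USERS:
        return []
    return list(LDAP_SUDO_RULES.get(user, []))


def ldap_resolver(user):
    # sudo-ldap queries the directory directly and does not care whether
    # the user is local or comes from the directory.
    return list(LDAP_SUDO_RULES.get(user, []))


RESOLVERS = {"files": files_resolver, "sss": sss_resolver, "ldap": ldap_resolver}


def lookup_sudo_rules(nsswitch_text, user, resolvers=RESOLVERS):
    """Walk the configured sources in order and collect matching rules.

    Returns (rules, trace); trace lists the sources actually queried, so the
    effect of a return action can be observed.
    """
    rules, trace = [], []
    for source, actions in parse_sudoers_line(nsswitch_text):
        if source not in resolvers:
            raise ValueError("unknown sudoers source: %s" % source)
        found = resolvers[source](user)
        trace.append(source)
        rules.extend(found)
        if found and actions.get("success") == "return":
            break
        if not found and actions.get("notfound") == "return":
            break
    return rules, trace


# Constructed nsswitch.conf bodies: the two variants from the thread.
NSSWITCH_PLAIN = "passwd: files sss\nsudoers: files sss ldap\n"
NSSWITCH_RETURN = "passwd: files sss\nsudoers: files sss [SUCCESS=return] ldap\n"

if __name__ == "__main__":
    for cfg_name, cfg in (("plain", NSSWITCH_PLAIN), ("return", NSSWITCH_RETURN)):
        for user in ("ipauser", "localadmin"):
            rules, trace = lookup_sudo_rules(cfg, user)
            print("%-6s %-10s queried=%-15s rules=%s"
                  % (cfg_name, user, ",".join(trace), rules))
```

Running it prints, for the plain line, `queried=files,sss,ldap` for both users, and for the `[SUCCESS=return]` line `queried=files,sss` for the directory user but `queried=files,sss,ldap` for the local one. If a real sudo -l trace (sudoers_debug in /etc/sudo-ldap.conf) still shows the ldap query after a successful sss hit, the installed sudo is not honouring the action the way this model does, which is the point worth confirming against the sudo version in use.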


