[Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

Chamambo Martin chamambom at afri-com.net
Wed Apr 8 08:00:50 UTC 2015


I have these logs and can't seem to make sense of them.


I have created the hostgroup mailservers and have added the sudo rule that
allows the users to execute sudo vim anyfile

(Wed Apr  8 09:58:45 2015) [sssd[be[ai.co.zw]]] [fo_resolve_service_send]
(0x0100): Trying to resolve service 'IPA'
(Wed Apr  8 09:58:45 2015) [sssd[be[ai.co.zw]]] [be_resolve_server_process]
(0x0200): Found address for server cyclops.ai.co.zw: [41.57.64.54] TTL 300
(Wed Apr  8 09:58:45 2015) [sssd[be[ai.co.zw]]] [ipa_resolve_callback]
(0x0400): Constructed uri 'ldap://cyclops.ai.co.zw'
(Wed Apr  8 09:58:45 2015) [sssd[be[ai.co.zw]]] [write_pipe_handler]
(0x0400): All data has been sent!
(Wed Apr  8 09:58:47 2015) [sssd[be[ai.co.zw]]] [read_pipe_handler]
(0x0400): EOF received, client finished
(Wed Apr  8 09:58:47 2015) [sssd[be[ai.co.zw]]] [fo_set_port_status]
(0x0100): Marking port 0 of server 'cyclops.ai.co.zw' as 'working'
(Wed Apr  8 09:58:47 2015) [sssd[be[ai.co.zw]]] [set_server_common_status]
(0x0100): Marking server 'cyclops.ai.co.zw' as 'working'
(Wed Apr  8 09:58:47 2015) [sssd[be[ai.co.zw]]] [fo_set_port_status]
(0x0400): Marking port 0 of duplicate server 'cyclops.ai.co.zw' as 'working'
(Wed Apr  8 09:58:47 2015) [sssd[be[ai.co.zw]]] [switch_creds] (0x0200):
Switch user to [1468200000][1468200000].
(Wed Apr  8 09:58:47 2015) [sssd[be[ai.co.zw]]] [switch_creds] (0x0200):
Switch user to [0][0].
(Wed Apr  8 09:58:47 2015) [sssd[be[ai.co.zw]]]
[safe_remove_old_ccache_file] (0x0400): New and old ccache file are the
same, none will be deleted.
(Wed Apr  8 09:58:47 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback]
(0x0100): Backend returned: (0, 0, <NULL>) [Success]
(Wed Apr  8 09:58:47 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback]
(0x0100): Sending result [0][ai.co.zw]
(Wed Apr  8 09:58:47 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback]
(0x0100): Sent result [0][ai.co.zw]
(Wed Apr  8 09:58:47 2015) [sssd[be[ai.co.zw]]] [child_sig_handler]
(0x0100): child [1794] finished successfully.
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [be_req_set_domain]
(0x0400): Changing request domain from [ai.co.zw] to [ai.co.zw]
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [be_pam_handler] (0x0100):
Got request with the following data
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100):
command: PAM_ACCT_MGMT
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100):
domain: ai.co.zw
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100):
user: admin
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100):
service: sudo
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100):
tty: /dev/pts/1
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100):
ruser: admin
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100):
rhost: 
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100):
authtok type: 0
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100):
newauthtok type: 0
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100):
priv: 0
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100):
cli_pid: 1793
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_access_send] (0x0400):
Performing access check for user [admin]
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_account_expired_rhds]
(0x0400): Performing RHDS access check for user [admin]
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_step]
(0x0400): calling ldap_search_ext with
[(&(objectClass=ipaHost)(fqdn=ironhide.ai.co.zw))][cn=accounts,dc=ai,dc=co,dc=zw].
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_done]
(0x0400): Search result: Success(0), no errmsg set
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_has_deref_support]
(0x0400): The server supports deref method OpenLDAP
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_x_deref_search_send]
(0x0400): Dereferencing entry
[fqdn=ironhide.ai.co.zw,cn=computers,cn=accounts,dc=ai,dc=co,dc=zw] using
OpenLDAP deref
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_step]
(0x0400): calling ldap_search_ext with [no filter][fqdn=ironhide.ai.co.zw,cn=computers,cn=accounts,dc=ai,dc=co,dc=zw].
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_x_deref_parse_entry]
(0x0400): Got deref control
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_x_deref_parse_entry]
(0x0400): All deref results from a single control parsed
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_done]
(0x0400): Search result: Success(0), no errmsg set
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [ipa_hostgroup_info_done]
(0x0200): Dereferenced host group: mailservers
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [ipa_hbac_service_info_next]
(0x0400): Sending request for next search base:
[cn=hbac,dc=ai,dc=co,dc=zw][2][(objectClass=ipaHBACService)]
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_step]
(0x0400): calling ldap_search_ext with
[(objectClass=ipaHBACService)][cn=hbac,dc=ai,dc=co,dc=zw].
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_done]
(0x0400): Search result: Success(0), no errmsg set
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]]
[ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search
base: [cn=hbac,dc=ai,dc=co,dc=zw][2][(objectClass=ipaHBACServiceGroup)]
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_step]
(0x0400): calling ldap_search_ext with
[(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=ai,dc=co,dc=zw].
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_done]
(0x0400): Search result: Success(0), no errmsg set
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [ipa_hbac_rule_info_next]
(0x0400): Sending request for next search base:
[cn=hbac,dc=ai,dc=co,dc=zw][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=ironhide.ai.co.zw,cn=computers,cn=accounts,dc=ai,dc=co,dc=zw)(memberHost=cn=mailservers,cn=hostgroups,cn=accounts,dc=ai,dc=co,dc=zw)(memberHost=ipaUniqueID=bacaa788-dac0-11e4-93fe-525400143fc1,cn=sudorules,cn=sudo,dc=ai,dc=co,dc=zw)(memberHost=cn=mailservers,cn=ng,cn=alt,dc=ai,dc=co,dc=zw)))]
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_step]
(0x0400): calling ldap_search_ext with
[(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=ironhide.ai.co.zw,cn=computers,cn=accounts,dc=ai,dc=co,dc=zw)(memberHost=cn=mailservers,cn=hostgroups,cn=accounts,dc=ai,dc=co,dc=zw)(memberHost=ipaUniqueID=bacaa788-dac0-11e4-93fe-525400143fc1,cn=sudorules,cn=sudo,dc=ai,dc=co,dc=zw)(memberHost=cn=mailservers,cn=ng,cn=alt,dc=ai,dc=co,dc=zw)))][cn=hbac,dc=ai,dc=co,dc=zw].
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_done]
(0x0400): Search result: Success(0), no errmsg set
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [hbac_get_category]
(0x0200): Category is set to 'all'.
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [hbac_get_category]
(0x0200): Category is set to 'all'.
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [hbac_get_category]
(0x0200): Category is set to 'all'.
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [hbac_shost_attrs_to_rule]
(0x0400): Processing source hosts for rule [allow_all]
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [ipa_hbac_evaluate_rules]
(0x0080): Access granted by HBAC rule [allow_all]
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback]
(0x0100): Backend returned: (0, 0, <NULL>) [Success]
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [ipa_get_selinux_send]
(0x0400): Retrieving SELinux user mapping
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_step]
(0x0400): calling ldap_search_ext with
[(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=ai,dc=co,dc=zw].
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_done]
(0x0400): Search result: Success(0), no errmsg set
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [ipa_selinux_get_maps_next]
(0x0400): Trying to fetch SELinux maps with following parameters:
[2][(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=ai,dc=co,dc=zw]
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_step]
(0x0400): calling ldap_search_ext with
[(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=ai,dc=co,dc=zw].
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_done]
(0x0400): Search result: Success(0), no errmsg set
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [ipa_selinux_get_maps_done]
(0x0400): No SELinux user maps found!
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback]
(0x0100): Backend returned: (0, 0, Success) [Success]
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback]
(0x0100): Sending result [0][ai.co.zw]
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback]
(0x0100): Sent result [0][ai.co.zw]


-----Original Message-----
From: freeipa-users-bounces at redhat.com
[mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jakub Hrozek
Sent: Wednesday, April 08, 2015 9:40 AM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

On Wed, Apr 08, 2015 at 09:25:33AM +0200, Chamambo Martin wrote:
> Good day
> 
> I am running FreeIPA, version: 4.1.0 and everything is working well 
> except SUDO configuration.
> 
> I have 3 questions
> 
> 	1: I have configured the bare minimum sudo configuration without
> hostgroups and netgroups, just sudo commands and sudo command groups
> that have been added as sudo rules ..... this should work, right?
> 	2: I have CentOS 6.6 and Red Hat 6.6 clients using the
> sssd service, is that enough for sudo to work if the configs are as
> below?

Didn't you start exactly the same thread yesterday? :-)

Can you provide the sudo responder logs as we asked yesterday?

> 
> 
> cat /etc/nsswitch.conf
> 
> sudoers: files sss
> 
> cat /etc/sssd/sssd.conf
> 
> [domain/ai.co.zw]
> 
> debug_level=6
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ai.co.zw
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ironhide.ai.co.zw
> chpass_provider = ipa
> ipa_server = _srv_, cyclops.ai.co.zw
> ldap_tls_cacert = /etc/ipa/ca.crt
> 
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
> 
> 
> domains = ai.co.zw
> [nss]
> homedir_substring = /home
> 
> [pam]
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
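The domain backend log posted above records the HBAC access check that PAM runs for the service 'sudo' (granted here by the allow_all rule); it does not show the sudo rule lookup itself, which the sudo responder writes to its own log (sssd_sudo.log), so the backend log alone cannot explain why a rule is not applied. As an added example, not code from the thread or from SSSD, here is a POSIX shell/awk script that pulls the per-request command, user, service and HBAC verdict out of such a log; the sample lines are constructed from the post, and the log path in the usage comment and the exact wording of the denial message are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the backend PAM access-control
# requests in an SSSD domain log. The posted log only shows the HBAC check for
# the PAM service 'sudo'; whether the sudo rule itself was fetched is logged by
# the sudo responder (sssd_sudo.log), which is the log that was asked for.
# Usage: hbac_summary /var/log/sssd/sssd_ai.co.zw.log   (path assumed; or pipe the log in)
hbac_summary() {
    awk '
        # be_pam_handler opens a new backend request: reset the fields.
        /\[be_pam_handler]/ { cmd = ""; user = ""; svc = "" }
        /\[pam_print_data]/ {
            if ($0 ~ /command:/) cmd = $NF
            if ($0 ~ / user:/)   user = $NF   # " user:" does not match "ruser:"
            if ($0 ~ /service:/) svc = $NF
        }
        # Verdict lines from ipa_hbac_evaluate_rules. The denial text is the
        # message SSSD emits when no rule matches (assumed; not in the post).
        /Access granted by HBAC rule/ {
            rule = $0
            sub(/.*Access granted by HBAC rule \[/, "", rule)
            sub(/].*$/, "", rule)
            printf "%s user=%s service=%s result=granted rule=%s\n", cmd, user, svc, rule
        }
        /Access denied by HBAC rules/ {
            printf "%s user=%s service=%s result=denied\n", cmd, user, svc
        }
    ' "$@"
}

# Constructed sample: the admin request is copied from the post (one line per
# record, as SSSD writes it); the denied alice request is made up.
sample_log() {
    cat <<'EOF'
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): user: admin
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): service: sudo
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): ruser: admin
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_all]
(Wed Apr  8 10:02:11 2015) [sssd[be[ai.co.zw]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Apr  8 10:02:11 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Wed Apr  8 10:02:11 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): user: alice
(Wed Apr  8 10:02:11 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): service: sudo
(Wed Apr  8 10:02:11 2015) [sssd[be[ai.co.zw]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
EOF
}

sample_log | hbac_summary
```

A granted line for service=sudo only means HBAC let the PAM session proceed; to see whether the hostgroup-based sudo rule reached the client, set debug_level in the [sudo] section of sssd.conf and read sssd_sudo.log.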



