[Freeipa-users] Configuring SUDO on centos and RHEL 5 clients

Chamambo Martin chamambom at afri-com.net
Thu Apr 9 07:33:25 UTC 2015


Good day 

I have managed to follow this guide
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html#idp21135920
and I have configured my sssd.conf file as follows


PLEASE NOTE THAT THE SAME USER IS WORKING ON RHEL 6 AND CENTOS 6 CLIENTS, so
sudo is working on the other clients but not on this CentOS 5 machine.



[root at pinnochio db]# cat /etc/sssd/sssd.conf 
[sssd]
config_file_version = 2

services = nss, pam

domains = ai.co.zw
[nss]

[sudo]

[pam]


[domain/ai.co.zw]
debug_level = 6
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ai.co.zw
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, cyclops.ai.co.zw
ldap_tls_cacert = /etc/ipa/ca.crt

sudo_provider = ldap
ldap_uri = ldap://cyclops.ai.co.zw
ldap_sudo_search_base = ou=sudoers,dc=cyclops,dc=ai,dc=co,dc=zw

ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/pinnochio.ai.co.zw
ldap_sasl_realm = AI.CO.ZW
krb5_server = cyclops.ai.co.zw

[root at pinnochio db]#



And I'm still getting

[admin at pinnochio ~]$ sudo -l
[sudo] password for admin: 
Sorry, user admin may not run sudo on pinnochio.
[admin at pinnochio ~]$

Error messages below when debug_level is set to 6

(Thu Apr  9 09:32:01 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6):
calling ldap_search_ext with
[(&(uid=admin)(objectclass=posixAccount))][cn=accounts,dc=ai,dc=co,dc=zw].
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6):
Search result: Success(0), (null)
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_save_user] (6):
Storing info for user admin
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6):
calling ldap_search_ext with
[(&(objectclass=posixGroup)(cn=*))][cn=admins,cn=groups,cn=accounts,dc=ai,dc
=co,dc=zw].
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6):
Search result: Success(0), (null)
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6):
calling ldap_search_ext with
[(&(objectclass=posixGroup)(cn=*))][cn=Replication
Administrators,cn=privileges,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6):
Search result: Success(0), (null)
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search]
(2): Search for group cn=Replication
Administrators,cn=privileges,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results.
Skipping
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6):
calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Add
Replication Agreements,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6):
Search result: Success(0), (null)
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search]
(2): Search for group cn=Add Replication
Agreements,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results.
Skipping
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6):
calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Modify
Replication Agreements,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6):
Search result: Success(0), (null)
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search]
(2): Search for group cn=Modify Replication
Agreements,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results.
Skipping
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6):
calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Remove
Replication Agreements,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6):
Search result: Success(0), (null)
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search]
(2): Search for group cn=Remove Replication
Agreements,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results.
Skipping
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6):
calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Modify
DNA Range,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6):
Search result: Success(0), (null)
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search]
(2): Search for group cn=Modify DNA
Range,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6):
calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Add
Configuration Sub-Entries,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6):
Search result: Success(0), (null)
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search]
(2): Search for group cn=Add Configuration
Sub-Entries,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results.
Skipping
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6):
calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Modify
PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6):
Search result: Success(0), (null)
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search]
(2): Search for group cn=Modify PassSync Managers
Configuration,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results.
Skipping
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6):
calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Read
PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6):
Search result: Success(0), (null)
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search]
(2): Search for group cn=Read PassSync Managers
Configuration,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results.
Skipping
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6):
calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Read DNA
Range,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6):
Search result: Success(0), (null)
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search]
(2): Search for group cn=Read DNA
Range,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6):
calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Read
LDBM Database Configuration,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6):
Search result: Success(0), (null)
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search]
(2): Search for group cn=Read LDBM Database
Configuration,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results.
Skipping
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6):
calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System:
Read Replication Agreements,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6):
Search result: Success(0), (null)
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search]
(2): Search for group cn=System: Read Replication
Agreements,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results.
Skipping
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6):
calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Host
Enrollment,cn=privileges,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6):
Search result: Success(0), (null)
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search]
(2): Search for group cn=Host
Enrollment,cn=privileges,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results.
Skipping
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6):
calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System:
Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6):
Search result: Success(0), (null)
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search]
(2): Search for group cn=System: Add krbPrincipalName to a
Host,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6):
calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System:
Enroll a Host,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6):
Search result: Success(0), (null)
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search]
(2): Search for group cn=System: Enroll a
Host,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6):
calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System:
Manage Host Certificates,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6):
Search result: Success(0), (null)
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search]
(2): Search for group cn=System: Manage Host
Certificates,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results.
Skipping
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6):
calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System:
Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6):
Search result: Success(0), (null)
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search]
(2): Search for group cn=System: Manage Host Enrollment
Password,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results.
Skipping
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6):
calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System:
Manage Host Keytab,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6):
Search result: Success(0), (null)
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search]
(2): Search for group cn=System: Manage Host
Keytab,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results.
Skipping
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6):
calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=trust
admins,cn=groups,cn=accounts,dc=ai,dc=co,dc=zw].
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6):
Search result: Success(0), (null)
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search]
(2): Search for group cn=trust
admins,cn=groups,cn=accounts,dc=ai,dc=co,dc=zw, returned 0 results. Skipping
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [acctinfo_callback] (4):
Request processed. Returned 0,0,Success
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [be_pam_handler] (4): Got
request with the following data
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4):
command: PAM_AUTHENTICATE
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4):
domain: ai.co.zw
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): user:
admin
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4):
service: sudo
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): tty:
/dev/pts/3
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): ruser:

(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): rhost:

(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4):
authtok type: 1
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4):
authtok size: 10
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4):
newauthtok type: 0
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4):
newauthtok size: 0
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): priv:
0
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4):
cli_pid: 3809
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [check_for_valid_tgt] (3):
TGT is valid.
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [fo_resolve_service_send]
(4): Trying to resolve service 'IPA'
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [get_server_status] (4):
Hostname resolution expired, resetting the server status of
'cyclops.ai.co.zw'
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [set_server_common_status]
(4): Marking server 'cyclops.ai.co.zw' as 'name not resolved'
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]]
[resolv_gethostbyname_files_send] (4): Trying to resolve A record of
'cyclops.ai.co.zw' in files
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [set_server_common_status]
(4): Marking server 'cyclops.ai.co.zw' as 'resolving name'
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]]
[resolv_gethostbyname_files_send] (4): Trying to resolve AAAA record of
'cyclops.ai.co.zw' in files
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [resolv_gethostbyname_next]
(5): No more address families to retry
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]]
[resolv_gethostbyname_dns_query] (4): Trying to resolve A record of
'cyclops.ai.co.zw' in DNS
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [set_server_common_status]
(4): Marking server 'cyclops.ai.co.zw' as 'name resolved'
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [be_resolve_server_done]
(4): Found address for server cyclops.ai.co.zw: [41.57.64.54] TTL 300
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [ipa_resolve_callback] (6):
Constructed uri 'ldap://cyclops.ai.co.zw'
(Thu Apr  9 09:32:02 2015) [sssd[be[ai.co.zw]]] [write_pipe_handler] (6):
All data has been sent!
(Thu Apr  9 09:32:04 2015) [sssd[be[ai.co.zw]]] [read_pipe_handler] (6): EOF
received, client finished
(Thu Apr  9 09:32:04 2015) [sssd[be[ai.co.zw]]] [fo_set_port_status] (4):
Marking port 0 of server 'cyclops.ai.co.zw' as 'working'
(Thu Apr  9 09:32:04 2015) [sssd[be[ai.co.zw]]] [set_server_common_status]
(4): Marking server 'cyclops.ai.co.zw' as 'working'
(Thu Apr  9 09:32:04 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback]
(4): Backend returned: (0, 0, <NULL>) [Success]
(Thu Apr  9 09:32:04 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback]
(4): Sending result [0][ai.co.zw]
(Thu Apr  9 09:32:04 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback]
(4): Sent result [0][ai.co.zw]
(Thu Apr  9 09:32:04 2015) [sssd[be[ai.co.zw]]] [child_sig_handler] (4):
child [3842] finished successfully.
(Thu Apr  9 09:32:04 2015) [sssd[be[ai.co.zw]]] [be_pam_handler] (4): Got
request with the following data
(Thu Apr  9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4):
command: PAM_ACCT_MGMT
(Thu Apr  9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4):
domain: ai.co.zw
(Thu Apr  9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): user:
admin
(Thu Apr  9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4):
service: sudo
(Thu Apr  9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): tty:
/dev/pts/3
(Thu Apr  9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): ruser:

(Thu Apr  9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): rhost:

(Thu Apr  9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4):
authtok type: 0
(Thu Apr  9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4):
authtok size: 0
(Thu Apr  9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4):
newauthtok type: 0
(Thu Apr  9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4):
newauthtok size: 0
(Thu Apr  9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): priv:
0
(Thu Apr  9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4):
cli_pid: 3809
(Thu Apr  9 09:32:04 2015) [sssd[be[ai.co.zw]]] [sdap_access_send] (6):
Performing access check for user [admin]
(Thu Apr  9 09:32:04 2015) [sssd[be[ai.co.zw]]] [sdap_account_expired_rhds]
(6): Performing RHDS access check for user [admin]
(Thu Apr  9 09:32:04 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6):
calling ldap_search_ext with
[(&(objectClass=ipaHost)(fqdn=pinnochio.ai.co.zw))][dc=ai,dc=co,dc=zw].
(Thu Apr  9 09:32:04 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6):
Search result: Success(0), (null)
(Thu Apr  9 09:32:04 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6):
calling ldap_search_ext with
[(null)][cn=mailservers,cn=hostgroups,cn=accounts,dc=ai,dc=co,dc=zw].
(Thu Apr  9 09:32:05 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6):
Search result: Success(0), (null)
(Thu Apr  9 09:32:05 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6):
calling ldap_search_ext with
[(objectClass=ipaHBACService)][dc=ai,dc=co,dc=zw].
(Thu Apr  9 09:32:05 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6):
Search result: Success(0), (null)
(Thu Apr  9 09:32:05 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6):
calling ldap_search_ext with
[(objectClass=ipaHBACServiceGroup)][dc=ai,dc=co,dc=zw].
(Thu Apr  9 09:32:05 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6):
Search result: Success(0), (null)
(Thu Apr  9 09:32:05 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6):
calling ldap_search_ext with
[(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(member
Host=fqdn=pinnochio.ai.co.zw,cn=computers,cn=accounts,dc=ai,dc=co,dc=zw)(mem
berHost=cn=mailservers,cn=hostgroups,cn=accounts,dc=ai,dc=co,dc=zw)(memberHo
st=ipaUniqueID=bacaa788-dac0-11e4-93fe-525400143fc1,cn=sudorules,cn=sudo,dc=
ai,dc=co,dc=zw)(memberHost=cn=mailservers,cn=ng,cn=alt,dc=ai,dc=co,dc=zw)(me
mberHost=ipaUniqueID=53caae2a-ddf4-11e4-b324-525400143fc1,cn=sudorules,cn=su
do,dc=ai,dc=co,dc=zw)))][dc=ai,dc=co,dc=zw].
(Thu Apr  9 09:32:05 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6):
Search result: Success(0), (null)
(Thu Apr  9 09:32:05 2015) [sssd[be[ai.co.zw]]] [hbac_get_category] (5):
Category is set to 'all'.
(Thu Apr  9 09:32:05 2015) [sssd[be[ai.co.zw]]] [hbac_get_category] (5):
Category is set to 'all'.
(Thu Apr  9 09:32:05 2015) [sssd[be[ai.co.zw]]] [hbac_get_category] (5):
Category is set to 'all'.
(Thu Apr  9 09:32:05 2015) [sssd[be[ai.co.zw]]] [ipa_hbac_evaluate_rules]
(3): Access granted by HBAC rule [allow_all]
(Thu Apr  9 09:32:05 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback]
(4): Backend returned: (0, 0, <NULL>) [Success]
(Thu Apr  9 09:32:05 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback]
(4): Sending result [0][ai.co.zw]
(Thu Apr  9 09:32:05 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback]
(4): Sent result [0][ai.co.zw]





-----Original Message-----
From: freeipa-users-bounces at redhat.com
[mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
Sent: Thursday, April 09, 2015 3:47 AM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Configuring SUDO on centos and RHEL 5 clients

On 04/08/2015 09:04 PM, Martin Chamambo wrote:
> I managed to install my ipa client on centos 5 using this command 
> below
>
>   ipa-client-install --server cyclops.ai.co.zw --domain ai.co.zw
>
>
> and it worked perfectly, I can getent passwd xxxx for users in the
> FreeIPA server, which is good.
>
> I am now trying to configure SUDO on CentOS and there seem to be mixed
> views on how I can get it working, but I have actually embraced the
> following
>
> Use SSSD, don't use nslcd or anything that has pam_ldap or ldapd in 
> the name
>
> and here are my configs
>
> cat /etc/nsswitch
>
> sudoers:  files sss
>
>
> cat /etc/sssd/sssd.conf
>
> [root at pinnochio ~]# cat /etc/sssd/sssd.conf
> [sssd]
> config_file_version = 2
> services = nss, pam
>
>
> domains = ai.co.zw
> [nss]
>
> [sudo]
>
> [pam]
>
>
> [domain/ai.co.zw]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ai.co.zw
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> chpass_provider = ipa
> ipa_server = _srv_, cyclops.ai.co.zw
> ldap_tls_cacert = /etc/ipa/ca.crt
>
>
> I wanted to add the sudo and ssh services on the line services =
> nss, pam and kept getting this error
>
> (Thu Apr  9 02:04:35 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
> (Thu Apr  9 02:04:36 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
> (Thu Apr  9 02:08:27 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
> (Thu Apr  9 02:08:59 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
> (Thu Apr  9 02:09:35 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
> (Thu Apr  9 02:10:05 2015) [sssd] [get_monitor_config] (0): Invalid service ssh
>
>
> I guess there is a different way of configuring SUDO on RHEL 5 or
> CentOS 5
>
>
The sudo and ssh support was added later than the version of SSSD that runs
on CentOS 5.
Also the version of the sudo on 5 does not have integration with SSSD yet.
The recommended approach is to configure sudo using its own LDAP
capabilities as documented in the sudo manuals and man pages for that
version.


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
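As an added example (not code from this thread, from SSSD or from FreeIPA), here is a small Python lint that parses a constructed sssd.conf modelled on the one posted above and reports the sudo-related problems the thread turns on: a [sudo] section with no matching 'sudo' entry in services (or, for an SSSD without a sudo responder like the CentOS 5 one Dmitri describes, a 'sudo' entry the monitor would reject with "Invalid service sudo"), a domain listed in domains with no [domain/...] section, an ldap_sudo_search_base that does not point at the compat tree ou=sudoers,<suffix>, and a plain ldap:// URI with neither GSSAPI nor StartTLS. Assumptions: the directory suffix is derived from ipa_domain the FreeIPA default way (dc=ai,dc=co,dc=zw, which matches the base DNs in the posted log), the rules an LDAP sudo client reads live under ou=sudoers beneath that suffix, and the sssd_has_sudo_responder flag stands in for a real version check. The finding codes and the sample values are all made up for the example.

```python
import configparser
import io

# Constructed sample modelled on the sssd.conf posted in the thread (with the
# [domain/...] header present); every value here is illustrative only.
POSTED_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = ai.co.zw

[nss]

[sudo]

[pam]

[domain/ai.co.zw]
debug_level = 6
ipa_domain = ai.co.zw
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_server = _srv_, cyclops.ai.co.zw
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_uri = ldap://cyclops.ai.co.zw
ldap_sudo_search_base = ou=sudoers,dc=cyclops,dc=ai,dc=co,dc=zw
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/pinnochio.ai.co.zw
"""


def domain_to_base_dn(domain):
    """Map a DNS domain to FreeIPA's default suffix: ai.co.zw -> dc=ai,dc=co,dc=zw (assumed)."""
    return ",".join("dc=" + label for label in domain.lower().strip(".").split("."))


def split_list(value):
    """Split an sssd.conf comma-separated list ('nss, pam') into a clean list."""
    return [item.strip() for item in value.split(",") if item.strip()]


def lint_sudo_config(text, sssd_has_sudo_responder=True):
    """Return a list of (code, message) findings for the sudo-related settings.

    sssd_has_sudo_responder=False models the CentOS 5 SSSD from the thread,
    whose monitor rejects 'sudo' in the services list ("Invalid service sudo").
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_file(io.StringIO(text))
    findings = []

    services = split_list(cp.get("sssd", "services", fallback=""))
    domains = split_list(cp.get("sssd", "domains", fallback=""))

    if "sudo" in services and not sssd_has_sudo_responder:
        findings.append(("unsupported-sudo-service",
                         "services lists 'sudo' but this SSSD has no sudo responder; "
                         "configure sudo's own LDAP support instead"))
    elif "sudo" not in services and sssd_has_sudo_responder and cp.has_section("sudo"):
        findings.append(("sudo-responder-not-started",
                         "[sudo] section exists but 'sudo' is missing from services, "
                         "so the sss sudoers source is never populated"))

    for dom in domains:
        section = "domain/" + dom
        if not cp.has_section(section):
            findings.append(("missing-domain-section",
                             "domains lists %r but there is no [%s] section" % (dom, section)))
            continue
        base_dn = domain_to_base_dn(cp.get(section, "ipa_domain", fallback=dom))
        provider = cp.get(section, "sudo_provider", fallback="")
        search_base = cp.get(section, "ldap_sudo_search_base", fallback="").lower()
        # For sudo_provider = ldap the rules are read as sudoRole entries from the
        # compat tree ou=sudoers,<suffix>; anything else searches a subtree that
        # does not exist and yields zero rules (assumed default FreeIPA layout).
        if provider == "ldap" and search_base and search_base != "ou=sudoers," + base_dn:
            findings.append(("sudo-search-base-mismatch",
                             "ldap_sudo_search_base %r is not the compat tree 'ou=sudoers,%s'"
                             % (search_base, base_dn)))
        uri = cp.get(section, "ldap_uri", fallback="")
        sasl = cp.get(section, "ldap_sasl_mech", fallback="").upper()
        start_tls = cp.get(section, "ldap_id_use_start_tls", fallback="false").lower()
        # GSSAPI negotiates a SASL security layer; without it or StartTLS, a plain
        # ldap:// URI sends the rule lookups in the clear.
        if uri.startswith("ldap://") and sasl != "GSSAPI" and start_tls != "true":
            findings.append(("cleartext-ldap",
                             "ldap_uri is plain ldap:// without GSSAPI or StartTLS; "
                             "sudo rule lookups would travel unprotected"))
    return findings


if __name__ == "__main__":
    for code, message in lint_sudo_config(POSTED_SSSD_CONF):
        print("%s: %s" % (code, message))
```

Run against the constructed sample it reports two findings: the [sudo] section without 'sudo' in services, and the search base ou=sudoers,dc=cyclops,dc=ai,dc=co,dc=zw, whose suffix does not match dc=ai,dc=co,dc=zw; run with sssd_has_sudo_responder=False it also explains why the earlier "Invalid service sudo" appeared once 'sudo' is added to services on such a build.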
