[Freeipa-users] ipa / sudoers on centos 6.3 client

Brendan Kearney bpk678 at gmail.com
Fri Jan 2 15:28:16 UTC 2015


On Fri, 2015-01-02 at 15:19 +0000, Chris Card wrote:
> I have existing machines running CentOS 6.3 which I want to include in
> a freeipa domain.
> 
> The domain controller machine is running Fedora 21 and
> freeipa-server-4.1.1-2 while the latest version of ipa I can find that
> runs on CentOS 6.3 is ipa-client-3.0.0-37.el6.x86_64.
> 
> 
> I have successfully run ipa-client-install on the CentOS 6.3 client
> and set up users who can ssh to the client using ssh-keys.
> 
> 
> The problem is that I can't get sudo rules to work. I know that the
> ipa client software version 3.0.0 doesn't automatically set up all the
> configuration for sssd to control sudo access, but I have set up all
> the configuration necessary manually:
> 
> 
> On the client, /etc/nsswitch.conf has 
> 
> 
>       sudoers files sss   
> 
> 
> /etc/sssd/sssd.conf has
> 
> 
> [domain/default]
> cache_credentials = True
> krb5_realm = <REALM>
> krb5_server = <ipa server>:88
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_tls_cacertdir = /etc/openldap/cacerts
> 
> [domain/<domain>]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = <domain>
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = <ipa server>
> ldap_tls_cacert = /etc/ipa/ca.crt
> sudo_provider = ldap
> ldap_uri = ldap://<ipa server>
> ldap_sudo_search_base = ou=sudoers,<domain base dn>
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/<client fqdn>
> ldap_sasl_realm = <REALM>
> krb5_server = <ipa server>
> debug_level = 9
> 
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> domains = <domain>, default
> debug_level = 9
> 
> [nss]
> debug_level = 9
> 
> [pam]
> debug_level = 9
> 
> [sudo]
> debug_level = 9
> 
> [autofs]
> 
> 
> I have validated the ldap sasl configuration using ldapsearch, so I'm
> sure they are correct.
> 
> 
> The nisdomainname command returns the domain name.
> 
> 
> The sudo rules are:
> # ipa sudorule-find
> --------------------
> 2 Sudo Rules matched
> --------------------
>   Rule name: sudo-host1
>   Enabled: TRUE
>   Command category: all
>   RunAs User category: all
>   User Groups: host1-rw
>   Host Groups: host1
>   Sudo Option: -authenticate
> 
> 
>   Rule name: sudo-host2
>   Enabled: TRUE
>   User Groups: host2-rw
>   Host Groups: host2
>   Sudo Option: -authenticate
> ----------------------------
> Number of entries returned 2
> ----------------------------
> 
> 
> When a user in user group host1-rw sshs to a client in host group
> host1 and runs "sudo su -" the user gets prompted for a password even
> though the sudo option -authenticate is set.
> I'm not convinced that sudo is even attempting to use sssd, but I'm
> not sure how to confirm this.
> 
> 
> I have seen some references to /etc/sudo-ldap.conf in online
> discussions of similar issues. This file exists on my client, but
> everything is commented out. Do I need to put the ldap client
> configuration in /etc/sudo-ldap.conf as well as /etc/sssd/sssd.conf
> for CentOS 6.3 clients?
> 
> 
> Any ideas about how to work out what is failing?
> 
> 
> Chris
> 
Try "!authenticate" (without the quotes), not "-authenticate" (again,
no quotes).
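A small checker for the three things this thread turns on: whether the nsswitch `sudoers` line actually hands lookups to `sss`, whether the `sudo` responder is listed in `[sssd] services`, and whether the IPA sudo options use the `!` negation that sudoers understands rather than a leading `-`. This is an added example, not code from either poster; the config text inside it is a constructed stand-in for the files in the thread, with invented placeholder values.

```python
"""Lint the pieces that must line up for sudo-via-sssd on an IPA client."""
import configparser
import re

# Constructed sample mirroring the poster's files (all values are placeholders).
NSSWITCH = """passwd:     files sss
sudoers:    files sss
"""

SSSD_CONF = """[domain/example.test]
id_provider = ipa
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=example,dc=test
[sssd]
services = nss, pam, ssh, sudo
domains = example.test, default
"""

# Sudo options as `ipa sudorule-find` showed them, one rule per key (constructed).
RULE_OPTIONS = {"sudo-host1": ["-authenticate"], "sudo-host2": ["!authenticate"]}


def nsswitch_sources(text, database):
    """Return the lookup sources listed for one nsswitch database, e.g. 'sudoers'."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        name, _, sources = line.partition(":")
        if line and name.strip() == database:
            return sources.split()
    return []


def sssd_sudo_checks(text):
    """Report when the sudo responder is not started at all (absent from services)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    return [] if "sudo" in services else ["[sssd] services does not include sudo"]


def bad_negations(options):
    """sudoers negates boolean flags with '!'; a leading '-' is not a negation."""
    return [o for o in options if re.fullmatch(r"-[a-z_]+", o)]


def lint(nsswitch=NSSWITCH, sssd=SSSD_CONF, rules=RULE_OPTIONS):
    """Collect every finding across the three checks; an empty list means all clear."""
    findings = []
    if "sss" not in nsswitch_sources(nsswitch, "sudoers"):
        findings.append("nsswitch.conf: sudoers line does not list sss")
    findings += sssd_sudo_checks(sssd)
    for name, opts in rules.items():
        findings += [f"{name}: option '{o}' should be '!{o[1:]}'" for o in bad_negations(opts)]
    return findings
```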
