[Freeipa-users] ipa / sudoers on centos 6.3 client

Chris Card ctcard at hotmail.com
Fri Jan 2 15:45:03 UTC 2015



> Subject: Re: [Freeipa-users] ipa / sudoers on centos 6.3 client
> From: bpk678 at gmail.com
> To: ctcard at hotmail.com
> CC: freeipa-users at redhat.com
> Date: Fri, 2 Jan 2015 10:28:16 -0500
> 
> On Fri, 2015-01-02 at 15:19 +0000, Chris Card wrote:
> > I have existing machines running CentOS 6.3 which I want to include in
> > a freeipa domain.
> > 
> > The domain controller machine is running Fedora 21 and
> > freeipa-server-4.1.1-2 while the latest version of ipa I can find that
> > runs on CentOS 6.3 is ipa-client-3.0.0-37.el6.x86_64.
> > 
> > 
> > I have successfully run ipa-client-install on the CentOS 6.3 client
> > and set up users who can ssh to the client using ssh-keys.
> > 
> > 
> > The problem is that I can't get sudo rules to work. I know that the
> > ipa client software version 3.0.0 doesn't automatically set up all the
> > configuration for sssd to control sudo access, but I have set up all
> > the configuration necessary manually:
> > 
> > 
> > On the client, /etc/nsswitch.conf has 
> > 
> > 
> >       sudoers files sss   
> > 
> > 
> > /etc/sssd/sssd.conf has
> > 
> > 
> > [domain/default]
> > 
> > 
> > cache_credentials = True
> > krb5_realm = <REALM>
> > krb5_server = <ipa server>:88
> > id_provider = ldap
> > auth_provider = ldap
> > chpass_provider = ldap
> > ldap_tls_cacertdir = /etc/openldap/cacerts
> > [domain/<domain>]
> > 
> > 
> > cache_credentials = True
> > krb5_store_password_if_offline = True
> > ipa_domain = <domain>
> > id_provider = ipa
> > auth_provider = ipa
> > access_provider = ipa
> > chpass_provider = ipa
> > ipa_dyndns_update = True
> > ipa_server = <ipa server>
> > ldap_tls_cacert = /etc/ipa/ca.crt
> > sudo_provider = ldap
> > ldap_uri = ldap://<ipa server>
> > ldap_sudo_search_base = ou=sudoers,<domain base dn>
> > ldap_sasl_mech = GSSAPI
> > ldap_sasl_authid = host/<client fqdn>
> > ldap_sasl_realm = <REALM>
> > krb5_server = <ipa server>
> > debug_level = 9
> > [sssd]
> > services = nss, pam, ssh, sudo
> > config_file_version = 2
> > 
> > 
> > domains = <domain>, default
> > debug_level = 9
> > [nss]
> > debug_level = 9
> > 
> > 
> > [pam]
> > debug_level = 9
> > 
> > 
> > [sudo]
> > debug_level = 9
> > [autofs]
> > 
> > 
> > I have validated the ldap sasl configuration using ldapsearch, so I'm
> > sure they are correct.
> > 
> > 
> > The nisdomainname command returns the domain name.
> > 
> > 
> > The sudo rules are:
> > # ipa sudorule-find
> > --------------------
> > 2 Sudo Rules matched
> > --------------------
> >   Rule name: sudo-host1
> >   Enabled: TRUE
> >   Command category: all
> >   RunAs User category: all
> >   User Groups: host1-rw
> >   Host Groups: host1
> >   Sudo Option: -authenticate
> > 
> > 
> >   Rule name: sudo-host2
> >   Enabled: TRUE
> >   User Groups: host2-rw
> >   Host Groups: host2
> >   Sudo Option: -authenticate
> > ----------------------------
> > Number of entries returned 2
> > ----------------------------
> > 
> > 
> > When a user in user group host1-rw sshs to a client in host group
> > host1 and runs "sudo su -" the user gets prompted for a password even
> > though the sudo option -authenticate is set.
> > I'm not convinced that sudo is even attempting to use sssd, but I'm
> > not sure how to confirm this.
> > 
> > 
> > I have seen some references to /etc/sudo-ldap.conf in online
> > discussions of similar issues. This file exists on my client, but
> > everything is commented out. Do I need to put the ldap client
> > configuration in /etc/sudo-ldap.conf as well as /etc/sssd/sssd.conf
> > for CentOS 6.3 clients?
> > 
> > 
> > Any ideas about how to work out what is failing?
> > 
> > 
> > Chris
> > 
> try "!authenticate" (without the quotes), not  "-authenticate" (again,
> no quotes).
That made no difference (though I think you're correct that -authenticate is wrong).
Chris
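A config check for the two things the thread is debugging (whether sudo can reach SSSD at all, and the spelling of the negated sudoOption). This is an added example, not code from the thread or from FreeIPA/SSSD; the realm, domain and base DN values are constructed placeholders.

```python
import configparser

# Constructed sssd.conf sample mirroring the layout posted in the thread
# (placeholder domain values, not a real deployment).
SSSD_CONF = """
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = example.test

[domain/example.test]
id_provider = ipa
sudo_provider = ldap
ldap_uri = ldap://ipa.example.test
ldap_sudo_search_base = ou=sudoers,dc=example,dc=test
ldap_sasl_mech = GSSAPI
"""

# Constructed nsswitch.conf fragment; the 'sudoers' database must list 'sss'
# or sudo never asks SSSD for rules.
NSSWITCH_CONF = "passwd:  files sss\nsudoers: files sss\n"


def check_sudo_config(sssd_text, nsswitch_text):
    """Return a list of findings; an empty list means sudo lookups should reach SSSD."""
    findings = []
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_text)
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        findings.append("[sssd] services does not include sudo, so the sudo responder is not started")
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        provider = cp.get(section, "sudo_provider", fallback=None)
        if provider == "ldap" and not cp.has_option(section, "ldap_sudo_search_base"):
            findings.append(f"{section}: sudo_provider=ldap but ldap_sudo_search_base is not set")
    sudoers_sources = []
    for line in nsswitch_text.splitlines():
        name, _, rest = line.partition(":")
        if name.strip() == "sudoers":
            sudoers_sources = rest.split()
    if "sss" not in sudoers_sources:
        findings.append("nsswitch.conf: the 'sudoers:' line does not list sss")
    return findings


def check_sudo_option(option):
    """Flag a sudoOption that negates a flag with '-' instead of the sudoers '!' syntax."""
    if option.startswith("-"):
        return f"sudoOption {option!r}: sudoers negates a flag as '!{option[1:]}'"
    return None
```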

 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150102/aab444ff/attachment.htm>


More information about the Freeipa-users mailing list