[Freeipa-users] ipa / sudoers on centos 6.3 client

Craig White CWhite at skytouchtechnology.com
Fri Jan 2 17:12:07 UTC 2015


From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Chris Card
Sent: Friday, January 02, 2015 8:45 AM
To: Brendan Kearney
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] ipa / sudoers on centos 6.3 client


> Subject: Re: [Freeipa-users] ipa / sudoers on centos 6.3 client
> From: bpk678 at gmail.com<mailto:bpk678 at gmail.com>
> To: ctcard at hotmail.com<mailto:ctcard at hotmail.com>
> CC: freeipa-users at redhat.com<mailto:freeipa-users at redhat.com>
> Date: Fri, 2 Jan 2015 10:28:16 -0500
>
> On Fri, 2015-01-02 at 15:19 +0000, Chris Card wrote:
> > I have existing machines running CentOS 6.3 which I want to include in
> > a freeipa domain.
> >
> > The domain controller machine is running Fedora 21 and
> > freeipa-server-4.1.1-2 while the latest version of ipa I can find that
> > runs on CentOS 6.3 is ipa-client-3.0.0-37.el6.x86_64.
> >
> >
> > I have successfully run ipa-client-install on the CentOS 6.3 client
> > and set up users who can ssh to the client using ssh-keys.
> >
> >
> > The problem is that I can't get sudo rules to work. I know that the
> > ipa client software version 3.0.0 doesn't automatically set up all the
> > configuration for sssd to control sudo access, but I have set up all
> > the configuration necessary manually:
> >
> >
> > On the client, /etc/nsswitch.conf has
> >
> >
> > sudoers files sss
> >
> >
> > /etc/sssd/sssd.conf has
> >
> >
> > [domain/default]
> >
> >
> > cache_credentials = True
> > krb5_realm = <REALM>
> > krb5_server = <ipa server>:88
> > id_provider = ldap
> > auth_provider = ldap
> > chpass_provider = ldap
> > ldap_tls_cacertdir = /etc/openldap/cacerts
> > [domain/<domain>]
> >
> >
> > cache_credentials = True
> > krb5_store_password_if_offline = True
> > ipa_domain = <domain>
> > id_provider = ipa
> > auth_provider = ipa
> > access_provider = ipa
> > chpass_provider = ipa
> > ipa_dyndns_update = True
> > ipa_server = <ipa server>
> > ldap_tls_cacert = /etc/ipa/ca.crt
> > sudo_provider = ldap
> > ldap_uri = ldap://<ipa server>
> > ldap_sudo_search_base = ou=sudoers,<domain base dn>
> > ldap_sasl_mech = GSSAPI
> > ldap_sasl_authid = host/<client fqdn>
> > ldap_sasl_realm = <REALM>
> > krb5_server = <ipa server>
> > debug_level = 9
> > [sssd]
> > services = nss, pam, ssh, sudo
> > config_file_version = 2
> >
> >
> > domains = <domain>, default
> > debug_level = 9
> > [nss]
> > debug_level = 9
> >
> >
> > [pam]
> > debug_level = 9
> >
> >
> > [sudo]
> > debug_level = 9
> > [autofs]
> >
> >
> > I have validated the ldap sasl configuration using ldapsearch, so I'm
> > sure they are correct.
> >
> >
> > The nisdomainname command returns the domain name.
> >
> >
> > The sudo rules are:
> > # ipa sudorule-find
> > --------------------
> > 2 Sudo Rules matched
> > --------------------
> > Rule name: sudo-host1
> > Enabled: TRUE
> > Command category: all
> > RunAs User category: all
> > User Groups: host1-rw
> > Host Groups: host1
> > Sudo Option: -authenticate
> >
> >
> > Rule name: sudo-host2
> > Enabled: TRUE
> > User Groups: host2-rw
> > Host Groups: host2
> > Sudo Option: -authenticate
> > ----------------------------
> > Number of entries returned 2
> > ----------------------------
> >
> >
> > When a user in user group host1-rw sshs to a client in host group
> > host1 and runs "sudo su -" the user gets prompted for a password even
> > though the sudo option -authenticate is set.
> > I'm not convinced that sudo is even attempting to use sssd, but I'm
> > not sure how to confirm this.
> >
> >
> > I have seen some references to /etc/sudo-ldap.conf in online
> > discussions of similar issues. This file exists on my client, but
> > everything is commented out. Do I need to put the ldap client
> > configuration in /etc/sudo-ldap.conf as well as /etc/sssd/sssd.conf
> > for CentOS 6.3 clients?
> >
> >
> > Any ideas about how to work out what is failing?
> >
> >
> > Chris
> >
> try "!authenticate" (without the quotes), not "-authenticate" (again,
> no quotes).
That made no difference (though I think you're correct that -authenticate is wrong).
Sudo didn't work correctly for me until I updated to RHEL 6.6, which had sssd-1.11.
Just saying...
Craig
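As an added example (not code from the thread or from the FreeIPA project), a small Python checker for the client-side wiring Chris describes: it parses an sssd.conf and an nsswitch.conf (constructed samples embedded below, with a stand-in domain name) and reports whether the sudo responder, the `sudoers` nsswitch source and a per-domain `sudo_provider` are in place, plus Brendan's point that sudo options are negated with `!`, not `-`.

```python
import configparser
# Constructed sample shaped like the client's sssd.conf in the thread
# (stand-in domain name); not the poster's real file.
SSSD_CONF = """\
[domain/default]
id_provider = ldap
[domain/example.test]
id_provider = ipa
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=example,dc=test
[sssd]
services = nss, pam, ssh, sudo
domains = example.test, default
"""
# Constructed nsswitch.conf fragment; sudo consults the "sudoers" line.
NSSWITCH = "passwd: files sss\nsudoers: files sss\n"

def parse_sssd(text):  # sssd.conf is INI-style: {section: {key: value}}
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def nss_sources(text, database):  # e.g. ['files', 'sss'] for "sudoers"
    for line in text.splitlines():
        name, _, rest = line.partition(":")
        if name.strip() == database:
            return rest.split()
    return []

def check_sudo_wiring(sssd_text, nsswitch_text):
    """Return the gaps that would stop sudo from ever asking sssd for rules."""
    conf = parse_sssd(sssd_text)
    sssd = conf.get("sssd", {})
    split = lambda v: [x.strip() for x in v.split(",") if x.strip()]
    problems = []
    if "sudo" not in split(sssd.get("services", "")):
        problems.append("sudo responder missing from [sssd] services")
    if "sss" not in nss_sources(nsswitch_text, "sudoers"):
        problems.append("nsswitch.conf sudoers line does not list sss")
    for d in split(sssd.get("domains", "")):
        # sssd would fall back to id_provider here; better to state it explicitly
        if "sudo_provider" not in conf.get("domain/" + d, {}):
            problems.append("domain %r has no sudo_provider" % d)
    return problems

def check_sudo_option(option):
    """Flag a rule option written with '-'; sudoers negates flags with '!'."""
    if option.startswith("-"):
        return "option %r uses '-'; sudoers negation is '!%s'" % (option, option[1:])
    return None
```

Run against the sample it flags only the leftover `default` domain; a sudoers line without `sss` (or written without the colon) is reported as missing.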