[Freeipa-users] ipa / sudoers on centos 6.3 client

Dmitri Pal dpal at redhat.com
Fri Jan 2 19:14:57 UTC 2015


On 01/02/2015 12:12 PM, Craig White wrote:
>
> *From:*freeipa-users-bounces at redhat.com 
> [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Chris Card
> *Sent:* Friday, January 02, 2015 8:45 AM
> *To:* Brendan Kearney
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] ipa / sudoers on centos 6.3 client
>
> > Subject: Re: [Freeipa-users] ipa / sudoers on centos 6.3 client
> > From: bpk678 at gmail.com <mailto:bpk678 at gmail.com>
> > To: ctcard at hotmail.com <mailto:ctcard at hotmail.com>
> > CC: freeipa-users at redhat.com <mailto:freeipa-users at redhat.com>
> > Date: Fri, 2 Jan 2015 10:28:16 -0500
> >
> > On Fri, 2015-01-02 at 15:19 +0000, Chris Card wrote:
> > > I have existing machines running CentOS 6.3 which I want to include in
> > > a freeipa domain.
> > >
> > > The domain controller machine is running Fedora 21 and
> > > freeipa-server-4.1.1-2 while the latest version of ipa I can find that
> > > runs on CentOS 6.3 is ipa-client-3.0.0-37.el6.x86_64.
> > >
> > >
> > > I have successfully run ipa-client-install on the CentOS 6.3 client
> > > and set up users who can ssh to the client using ssh-keys.
> > >
> > >
> > > The problem is that I can't get sudo rules to work. I know that the
> > > ipa client software version 3.0.0 doesn't automatically set up all the
> > > configuration for sssd to control sudo access, but I have set up all
> > > the configuration necessary manually:
> > >
> > >
> > > On the client, /etc/nsswitch.conf has
> > >
> > >
> > > sudoers files sss
> > >
> > >
> > > /etc/sssd/sssd.conf has
> > >
> > >
> > > [domain/default]
> > >
> > >
> > > cache_credentials = True
> > > krb5_realm = <REALM>
> > > krb5_server = <ipa server>:88
> > > id_provider = ldap
> > > auth_provider = ldap
> > > chpass_provider = ldap
> > > ldap_tls_cacertdir = /etc/openldap/cacerts
> > > [domain/<domain>]
> > >
> > >
> > > cache_credentials = True
> > > krb5_store_password_if_offline = True
> > > ipa_domain = <domain>
> > > id_provider = ipa
> > > auth_provider = ipa
> > > access_provider = ipa
> > > chpass_provider = ipa
> > > ipa_dyndns_update = True
> > > ipa_server = <ipa server>
> > > ldap_tls_cacert = /etc/ipa/ca.crt
> > > sudo_provider = ldap
> > > ldap_uri = ldap://<ipa server>
> > > ldap_sudo_search_base = ou=sudoers,<domain base dn>
> > > ldap_sasl_mech = GSSAPI
> > > ldap_sasl_authid = host/<client fqdn>
> > > ldap_sasl_realm = <REALM>
> > > krb5_server = <ipa server>
> > > debug_level = 9
> > > [sssd]
> > > services = nss, pam, ssh, sudo
> > > config_file_version = 2
> > >
> > >
> > > domains = <domain>, default
> > > debug_level = 9
> > > [nss]
> > > debug_level = 9
> > >
> > >
> > > [pam]
> > > debug_level = 9
> > >
> > >
> > > [sudo]
> > > debug_level = 9
> > > [autofs]
> > >
> > >
> > > I have validated the ldap sasl configuration using ldapsearch, so I'm
> > > sure they are correct.
> > >
> > >
> > > The nisdomainname command returns the domain name.
> > >
> > >
> > > The sudo rules are:
> > > # ipa sudorule-find
> > > --------------------
> > > 2 Sudo Rules matched
> > > --------------------
> > > Rule name: sudo-host1
> > > Enabled: TRUE
> > > Command category: all
> > > RunAs User category: all
> > > User Groups: host1-rw
> > > Host Groups: host1
> > > Sudo Option: -authenticate
> > >
> > >
> > > Rule name: sudo-host2
> > > Enabled: TRUE
> > > User Groups: host2-rw
> > > Host Groups: host2
> > > Sudo Option: -authenticate
> > > ----------------------------
> > > Number of entries returned 2
> > > ----------------------------
> > >
> > >
> > > When a user in user group host1-rw sshs to a client in host group
> > > host1 and runs "sudo su -" the user gets prompted for a password even
> > > though the sudo option -authenticate is set.
> > > I'm not convinced that sudo is even attempting to use sssd, but I'm
> > > not sure how to confirm this.
> > >
> > >
> > > I have seen some references to /etc/sudo-ldap.conf in online
> > > discussions of similar issues. This file exists on my client, but
> > > everything is commented out. Do I need to put the ldap client
> > > configuration in /etc/sudo-ldap.conf as well as /etc/sssd/sssd.conf
> > > for CentOS 6.3 clients?
> > >
> > >
> > > Any ideas about how to work out what is failing?
> > >
> > >
> > > Chris
> > >
> > try "!authenticate" (without the quotes), not "-authenticate" (again,
> > no quotes).
> That made no difference (though I think you're correct that 
> -authenticate is wrong).
>
> Sudo didn't work correctly for me until I updated to RHEL 6.6 which 
> had sssd-1.11
>
> Just saying...
>
> Craig
>
>
>

I think 6.3 is the last version where SUDO integration with SSSD does 
not work out of box.
You would need to configure SUDO independently from SSSD in the old way 
using direct LDAP connection.
AFAIR the configuration is in the sudo-ldap.conf.

Find the RHEL 6.3 manual online. I think the doc is correct except that 
it mentions ldap.conf instead of sudo-ldap.
Sorry if the names above are not spelled right (maybe it is sudo_ldap 
or something like that), I was writing from the top of my head.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
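For reference, this is what the "old way" Dmitri describes looks like on a RHEL/CentOS 6 client: sudo reads its LDAP settings from /etc/sudo-ldap.conf (sudoers.ldap(5) format) and queries the IPA compat tree directly, bypassing sssd. This is an added example written for this archive page, not a file from the thread or from the FreeIPA project. The hostname ipaserver.example.com, the base DN dc=example,dc=com, the dedicated read-only bind account under cn=sysaccounts,cn=etc and the placeholder password are assumptions; substitute the values from your own deployment. The sudoers_base matches the ldap_sudo_search_base Chris used in sssd.conf.

```conf
# /etc/sudo-ldap.conf  (sudoers.ldap(5) format; directive names are case-insensitive)

# LDAP server: the IPA server. STARTTLS, verified against the IPA CA that
# ipa-client-install already placed at /etc/ipa/ca.crt.
uri ldap://ipaserver.example.com
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes

# Read-only bind identity. A dedicated system account (assumed here) exists
# only so that sudo can read the compat tree; it holds no other privileges.
# Because the password is stored in clear text, keep this file owned by root
# with mode 0600.
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw <placeholder-password>

# Where IPA publishes its sudo rules in sudoers.ldap format (the compat tree),
# the same subtree as ldap_sudo_search_base in sssd.conf.
sudoers_base ou=sudoers,dc=example,dc=com

# Fail fast instead of leaving sudo hanging when the server is unreachable.
bind_timelimit 5
timelimit 15

# Temporary: log the LDAP queries sudo issues, which answers the question
# "is sudo consulting LDAP at all?". Set back to 0 once the rules resolve.
sudoers_debug 2
```

With this file in place, /etc/nsswitch.conf needs `sudoers: files ldap` rather than `sss`, and the sudo service can be dropped from the sssd `services` list. Two points from the thread still apply: the compat tree expresses host membership through netgroups, which is why `nisdomainname` must return the domain, and the rule option must be `!authenticate` for sudo to recognise it. Run `sudo -l` as the affected user afterwards; with sudoers_debug set, the query and the matched entries are printed, so a missing match is visible immediately.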
