[Freeipa-users] sudo rules question on ubuntu 16.0.1

Justin Stephenson jstephen at redhat.com
Fri Aug 12 19:53:32 UTC 2016


In the CentOS/RHEL 7 version of sssd, a NIS netgroup is created 
automatically in the IPA compat tree under 'cn=ng,cn=compat,$suffix' 
because sudo has no understanding of hostgroups.

You should be able to query this on a client with

       # getent netgroup office

This should return a nisNetgroupTriple for each host in the hostgroup:

       (ipa-client-1.example.com,-,example.com)
       (ipa-client-2.example.com,-,example.com)

I would check this in your environment between working and non-working 
systems.

I believe in later versions of sssd they added IPA sudo schema support 
to eliminate the need for the compat tree so this could be related to 
the issue if newer ubuntu clients are not working but CentOS is working.

What version of sssd are you running?

Kind regards,

Justin Stephenson
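The check described above (compare `getent netgroup` output between working and non-working clients, then see whether the local host actually matches a triple) as an added Python example; this is not code from the thread, from sssd or from sudo. It parses the getent line into triples and evaluates them the way sudo's netgr_matches() hands them to innetgr(3): the field semantics (empty field is a wildcard, a value the caller does not supply is skipped, `-` is compared literally and so never equals a real user or host) are my reading of glibc and an assumption here, and the sample line is constructed to mirror the triples quoted in the mail.

```python
"""Check an IPA compat netgroup the way sudo's netgr_matches()/innetgr(3) would."""
import re
import socket
import subprocess
from typing import List, Optional, Tuple

Triple = Tuple[str, str, str]
TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")

# Constructed sample, shaped like the 'getent netgroup office' output quoted in the mail.
SAMPLE_GETENT = ("office (ipa-client-1.example.com,-,example.com) "
                 "(ipa-client-2.example.com,-,example.com)")

def parse_netgroup(getent_line: str) -> Tuple[str, List[Triple]]:
    """Split one 'getent netgroup NAME' line into (NAME, [(host, user, domain), ...])."""
    name, _, rest = getent_line.strip().partition(" ")
    triples = [tuple(f.strip() for f in m.groups()) for m in TRIPLE_RE.finditer(rest)]
    return name, triples

def field_matches(pattern: str, value: Optional[str], fold_case: bool) -> bool:
    """innetgr(3)-style comparison of one triple field (assumption: models glibc).
    Empty pattern = wildcard; value None = caller did not supply it, so it is not compared;
    '-' (NIS 'no valid value') is compared literally, so it never equals a real name."""
    if pattern == "" or value is None:
        return True
    return pattern.lower() == value.lower() if fold_case else pattern == value

def host_in_netgroup(triples: List[Triple], host: str,
                     user: Optional[str] = None, domain: Optional[str] = None) -> bool:
    """True if some triple admits (host, user, domain); host/domain compare case-insensitively."""
    return any(field_matches(h, host, True) and field_matches(u, user, False)
               and field_matches(d, domain, True) for h, u, d in triples)

def check_local_host(netgroup: str) -> bool:
    """Query NSS on this client (needs sssd) and test the local FQDN against the netgroup."""
    proc = subprocess.run(["getent", "netgroup", netgroup],
                          capture_output=True, text=True, check=False)
    if proc.returncode != 0 or not proc.stdout.strip():
        return False  # NSS does not know the netgroup: compat tree or nsswitch.conf problem
    _, triples = parse_netgroup(proc.stdout.splitlines()[0])
    return host_in_netgroup(triples, socket.getfqdn())

if __name__ == "__main__":
    import sys
    ng = sys.argv[1] if len(sys.argv) > 1 else "office"
    print(f"{socket.getfqdn()} in netgroup {ng}: {check_local_host(ng)}")
```

Passing the invoking user, as the failing debug trace above shows sudo doing against a `-` user field, makes the same triples stop matching, which the sample reproduces.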

On 08/12/2016 02:35 PM, Jeff Goddard wrote:
> I made the edit as suggested - removing nis and just leaving sss - 
> restarted sssd and then re-tried. I also tried with files sss. Still 
> getting the same result.
>
> Thanks,
>
> Jeff
>
> On Fri, Aug 12, 2016 at 2:27 PM, Justin Stephenson 
> <jstephen at redhat.com> wrote:
>
>     This looks suspicious
>
>         Aug 12 08:45:00 sudo[31732] val[0]=+office
>         Aug 12 08:45:00 sudo[31732] -> addr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:195
>         Aug 12 08:45:00 sudo[31732] -> addr_matches_if @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:56
>         Aug 12 08:45:00 sudo[31732] <- addr_matches_if @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:66 := false
>         Aug 12 08:45:00 sudo[31732] IP address +office matches local host: false @ addr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:206
>         Aug 12 08:45:00 sudo[31732] <- addr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:207 := false
>         Aug 12 08:45:00 sudo[31732] -> netgr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1015
>         Aug 12 08:45:00 sudo[31732] -> sudo_getdomainname @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:953
>         Aug 12 08:45:00 sudo[31732] <- sudo_getdomainname @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:992 := (null)
>         Aug 12 08:45:00 sudo[31732] netgroup office matches (docker-dev-01.internal.emerlyn.com|docker-dev-01.internal.emerlyn.com, jgoddard, ): false @ netgr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1041
>         Aug 12 08:45:00 sudo[31732] <- netgr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1044 := false
>         Aug 12 08:45:00 sudo[31732] -> hostname_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:819
>         Aug 12 08:45:00 sudo[31732] host docker-dev-01.internal.emerlyn.com matches sudoers pattern +office: false @ hostname_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:829
>         Aug 12 08:45:00 sudo[31732] <- hostname_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:830 := false
>         Aug 12 08:45:00 sudo[31732] sssd/ldap sudoHost '+office' ... not
>         Aug 12 08:45:00 sudo[31732] <- sudo_sss_check_host @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/sssd.c:687 := false
>
>     It doesn't seem to find this host as part of the hostgroup; I
>     suspect the problem is because of this entry in nsswitch:
>
>          netgroup:       nis sss
>
>     Could you try just 'sss' or 'files sss'?
>
>     A successful hostgroup match should look something like this instead:
>
>             Aug 12 14:20:32 sudo[25075] val[0]=+nonproduction
>             Aug 12 14:20:32 sudo[25075] -> addr_matches @ ./match_addr.c:190
>             Aug 12 14:20:32 sudo[25075] -> addr_matches_if @ ./match_addr.c:62
>             Aug 12 14:20:32 sudo[25075] <- addr_matches_if @ ./match_addr.c:100 := false
>             Aug 12 14:20:32 sudo[25075] <- addr_matches @ ./match_addr.c:200 := false
>             Aug 12 14:20:32 sudo[25075] -> sudo_sss_ipa_hostname_matches @ ./sssd.c:558
>             Aug 12 14:20:32 sudo[25075] -> hostname_matches @ ./match.c:740
>             Aug 12 14:20:32 sudo[25075] <- hostname_matches @ ./match.c:751 := false
>             Aug 12 14:20:32 sudo[25075] -> netgr_matches @ ./match.c:856
>             Aug 12 14:20:32 sudo[25075] (rhel7-ipa-client.example.com, *, example.com) found in netgroup nonproduction
>             Aug 12 14:20:32 sudo[25075] <- netgr_matches @ ./match.c:909 := true
>             Aug 12 14:20:32 sudo[25075] IPA hostname (rhel7-ipa-client.example.com) matches +nonproduction => true
>             Aug 12 14:20:32 sudo[25075] <- sudo_sss_ipa_hostname_matches @ ./sssd.c:569 := true
>             Aug 12 14:20:32 sudo[25075] sssd/ldap sudoHost '+nonproduction' ... MATCH!
>             Aug 12 14:20:32 sudo[25075] <- sudo_sss_check_host @ ./sssd.c:614 := true
>
>     Kind regards,
>     Justin Stephenson
>
