[Freeipa-users] SUDO and group lookup in AD trust

Jakub Hrozek jhrozek at redhat.com
Thu Aug 25 08:32:53 UTC 2016


yes.

On Thu, Aug 25, 2016 at 10:05:36AM +0200, Troels Hansen wrote:
> Hmm, seems waiting for RHEL 7.3 and SSSD 1.14 will solve this problem....
> 
> https://fedorahosted.org/sssd/ticket/2919
> 
> Am I correct?
> 
> ----- On Aug 25, 2016, at 9:24 AM, Troels Hansen th at casalogic.dk wrote:
> 
> > Hmm, sometimes the man page actually helps....
> > 
> > It seems setting "default_domain_suffix" to allow users to log in, without the
> > domain part changes use_fully_qualified_names default to true, without the
> > option of setting it false.....
> > 
> > So, we have two options:
> > - Have users always use their full login including domain
> > - Setting default_domain_suffix to help the users and efficiently break SUDO?
> > 
> > Can this be true?
> > 
> > 
> > ----- On Aug 25, 2016, at 8:42 AM, Troels Hansen th at casalogic.dk wrote:
> > 
> >> Yes and no....
> >> 
> >> Have tried setting it to both true and false, but doesn't make a huge
> >> difference.
> >> 
> >> Current result with "use_fully_qualified_names = false"
> >> 
> >> LDAP search from sssd_sudo.log shows SSSD finding a sudo rule...
> >> 
> >> (Thu Aug 25 08:15:27 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
> >> (0x0200): Searching sysdb with
> >> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=drextrha at net.dr.dk)(sudoUser=#1349938498)
> >> .......
> >> (sudoUser=%domain_users)(sudoUser=+*)))]
> >> (Thu Aug 25 08:15:27 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting
> >> rules with higher-wins logic
> >> (Thu Aug 25 08:15:27 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
> >> (0x0400): Returning 1 rules for [drextrha at net.dr.dk]
> >> 
> >> SSSD cache shows the sudo rule:
> >> 
> >> # ldbsearch -H /var/lib/sss/db/cache_linux.dr.dk.ldb -b cn=sysdb
> >> '(objectClass=sudoRule)'
> >> asq: Unable to register control with rootdse!
> >> # record 1
> >> dn: name=guffe,cn=sudorules,cn=custom,cn=linux.dr.dk,cn=sysdb
> >> cn: guffe
> >> dataExpireTimestamp: 1472110940
> >> entryUSN: 325878
> >> name: guffe
> >> objectClass: sudoRule
> >> originalDN: cn=guffe,ou=sudoers,dc=linux,dc=dr,dc=dk
> >> sudoCommand: /usr/bin/cat /var/log/messages
> >> sudoHost: ALL
> >> sudoRunAsGroup: ALL
> >> sudoRunAsUser: ALL
> >> sudoUser: %domain_users
> >> distinguishedName: name=guffe,cn=sudorules,cn=custom,cn=linux.dr.dk,cn=sysdb
> >> 
> >> But still sudo debug log says:
> >> 
> >> Aug 25 08:29:55 sudo[2392] -> user_in_group @ ./pwutil.c:940
> >> Aug 25 08:29:55 sudo[2392] -> sudo_get_grlist @ ./pwutil.c:877
> >> Aug 25 08:29:55 sudo[2392] -> rbfind @ ./redblack.c:273
> >> Aug 25 08:29:55 sudo[2392] <- rbfind @ ./redblack.c:277 := 0x7f877f45d1d0
> >> Aug 25 08:29:55 sudo[2392] <- sudo_get_grlist @ ./pwutil.c:930 := 0x7f877f45d348
> >> Aug 25 08:29:55 sudo[2392] -> sudo_getgrnam @ ./pwutil.c:719
> >> Aug 25 08:29:55 sudo[2392] -> rbfind @ ./redblack.c:273
> >> Aug 25 08:29:55 sudo[2392] <- rbfind @ ./redblack.c:280 := (nil)
> >> Aug 25 08:29:55 sudo[2392] -> make_gritem @ ./pwutil.c:474
> >> Aug 25 08:29:55 sudo[2392] <- make_gritem @ ./pwutil.c:524 := 0x7f877f44ef20
> >> Aug 25 08:29:55 sudo[2392] -> rbinsert @ ./redblack.c:181
> >> Aug 25 08:29:55 sudo[2392] <- rbinsert @ ./redblack.c:261 := (nil)
> >> Aug 25 08:29:55 sudo[2392] <- sudo_getgrnam @ ./pwutil.c:745 := 0x7f877f44ef38
> >> Aug 25 08:29:55 sudo[2392] -> sudo_grlist_delref @ ./pwutil.c:816
> >> Aug 25 08:29:55 sudo[2392] -> sudo_grlist_delref_item @ ./pwutil.c:805
> >> Aug 25 08:29:55 sudo[2392] <- sudo_grlist_delref_item @ ./pwutil.c:810
> >> Aug 25 08:29:55 sudo[2392] <- sudo_grlist_delref @ ./pwutil.c:818
> >> Aug 25 08:29:55 sudo[2392] <- user_in_group @ ./pwutil.c:1010 := false
> >> 
> >> 
> >> I'm quite lost on how to debug further on this.....
> >> 
> >> ----- On Aug 24, 2016, at 9:50 AM, Jakub Hrozek jhrozek at redhat.com wrote:
> >> 
> >>> On Tue, Aug 23, 2016 at 03:17:48PM +0200, Troels Hansen wrote:
> >>>> Running RHEL 7.2:
> >>>> 
> >>>> ipa-client-4.2.0-15.el7_2.18
> >>>> sssd-ipa-1.13.0-40.el7_2.12.x86_64
> >>>> ipa-server-4.2.0-15.el7_2.18.x86_64
> >>>> 
> >>>> I have a sudo rule where I try to give sudo access based on a AD group.
> >>>> 
> >>>> # groups drextrha at net.dr.dk
> >>>> drextrha at net.dr.dk : drextrha at net.dr.dk ............... domain_users at linux.dr.dk
> >>>> 
> >>>> I'm member of the group domain_users via AD.
> >>>> 
> >>>> SUDO rule in LDAP:
> >>>> 
> >>>> # guffe, sudoers, linux.dr.dk
> >>>> dn: cn=guffe,ou=sudoers,dc=linux,dc=dr,dc=dk
> >>>> sudoUser: %domain_users
> >>>> sudoRunAsGroup: ALL
> >>>> objectClass: sudoRole
> >>>> objectClass: top
> >>>> sudoCommand: /usr/bin/cat /var/log/messages
> >>>> sudoRunAsUser: ALL
> >>>> sudoHost: ALL
> >>>> cn: guffe
> >>> 
> >>> domain_users != domain_users at linux.dr.dk
> >>> 
> >>> I'm also curious why sssd qualifies the IPA group name (domain_users is
> >>> an IPA group name right?)
> >>> 
> >>> do you set use_fully_qualified_names=true by chance in the config file?
> >>> 
> >>> --
> >>> Manage your subscription for the Freeipa-users mailing list:
> >>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>> Go to http://freeipa.org for more info on the project
> >> 
> >> --
> >> Best regards
> >> 
> >> Troels Hansen
> >> 
> >> Systems consultant
> >> 
> >> Casalogic A/S
> >> 
> >> 
> >> T (+45) 70 20 10 63
> >> 
> >> M (+45) 22 43 71 57
> >> 
> >> Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and
> >> much more.
> >> 
> > 
> 
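As an added illustration of the group-name mismatch Jakub points out (a simplified model written for this page, not code from sudo, SSSD or the thread): the `groups` line and the "guffe" rule from the thread are used as constructed sample data, and the `unqualified()` view is an assumption about what an unqualified NSS group list would look like.

```python
# Added example (not code from sudo, SSSD or the thread): a minimal model of
# how sudo evaluates a sudoUser value against the identity NSS returns.
from dataclasses import dataclass, field

# Constructed from the `groups` output quoted in the thread (domain part kept).
GROUPS_LINE = "drextrha@net.dr.dk : drextrha@net.dr.dk domain_users@linux.dr.dk"
RULE_SUDO_USERS = ["%domain_users"]  # sudoUser of the "guffe" rule in the thread

@dataclass
class Identity:
    name: str
    uid: int
    groups: set = field(default_factory=set)

def parse_groups_output(line: str, uid: int = -1) -> Identity:
    """Parse the `groups <user>` format: 'user : group1 group2 ...'."""
    user, _, rest = line.partition(" : ")
    return Identity(name=user.strip(), uid=uid, groups=set(rest.split()))

def unqualified(ident: Identity, domain: str) -> Identity:
    """Strip '@domain' from every group name (assumed unqualified NSS view)."""
    suffix = "@" + domain
    groups = {g[:-len(suffix)] if g.endswith(suffix) else g for g in ident.groups}
    return Identity(ident.name, ident.uid, groups)

def sudo_user_matches(spec: str, ident: Identity) -> bool:
    """Evaluate one sudoUser value: ALL, a user name, #uid, %group or +netgroup."""
    if spec == "ALL":
        return True
    if spec.startswith("#"):
        return ident.uid == int(spec[1:])
    if spec.startswith("%"):
        # Modelled on sudo's user_in_group(): the rule's group must name a group
        # in the user's NSS list, so "%domain_users" != "domain_users@linux.dr.dk".
        return spec[1:] in ident.groups
    if spec.startswith("+"):
        return False  # netgroup lookup is out of scope for this example
    return spec == ident.name

def rule_applies(sudo_users: list, ident: Identity) -> bool:
    return any(sudo_user_matches(s, ident) for s in sudo_users)

def diagnose() -> dict:
    """Evaluate the thread's rule against qualified and unqualified group views."""
    ident = parse_groups_output(GROUPS_LINE)
    return {
        "qualified_groups": rule_applies(RULE_SUDO_USERS, ident),
        "unqualified_groups": rule_applies(RULE_SUDO_USERS, unqualified(ident, "linux.dr.dk")),
        "qualified_rule": rule_applies(["%domain_users@linux.dr.dk"], ident),
    }
```

Running `diagnose()` shows the rule only applying once either the group list is unqualified or the rule itself carries the domain suffix, which is the mismatch the debug log's `user_in_group := false` reflects.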