[Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

Tomas Simecek simecek.tomas at gmail.com
Thu Jul 14 09:26:39 UTC 2016


Hi Lukas,
we have Active Directory group "UnixAdmins".
We have IPA external group ad_admins_external
<https://svlxxipap.linuxdomain.cz/ipa/ui/#ad_admins_external>, which has
Windows "UnixAdmins" group as a member.
We have local IPA group grpunixadmins
<https://svlxxipap.linuxdomain.cz/ipa/ui/#grpunixadmins>, which has
ad_admins_external group as a member.
So from that perspective user simecek.tomas@sd-stc.cz is a member of
grpunixadmins <https://svlxxipap.linuxdomain.cz/ipa/ui/#grpunixadmins>.
That setup works for ssh logins and for sudo on Centos 7.0.

It is as per installation document
https://www.freeipa.org/page/Active_Directory_trust_setup

Correct me if I am wrong, but if it works on Client 1, it should also work
on Client 2.

T.

2016-07-14 10:38 GMT+02:00 Lukas Slebodnik <lslebodn at redhat.com>:

> On (14/07/16 10:09), Tomas Simecek wrote:
> >Thanks all of you guys,
> >I have updated to:
> >sssd-krb5-common-1.13.3-22.el6_8.4.x86_64
> >sssd-1.13.3-22.el6_8.4.x86_64
> >sssd-ldap-1.13.3-22.el6_8.4.x86_64
> >sssd-client-1.13.3-22.el6_8.4.x86_64
> >sssd-ad-1.13.3-22.el6_8.4.x86_64
> >sssd-proxy-1.13.3-22.el6_8.4.x86_64
> >libsss_idmap-1.13.3-22.el6_8.4.x86_64
> >sssd-common-1.13.3-22.el6_8.4.x86_64
> >sssd-ipa-1.13.3-22.el6_8.4.x86_64
> >python-sssdconfig-1.13.3-22.el6_8.4.noarch
> >sssd-krb5-1.13.3-22.el6_8.4.x86_64
> >sssd-common-pac-1.13.3-22.el6_8.4.x86_64
> >(there does not seem to be libsss_sudo in Centos as suggested by Danila).
> >and restarted sssd.
> >
> >There are two rules enabled. One HBAC as I presented earlier:
> >  Rule name: Unixari na test servery
> >  Enabled: TRUE
> >  User Groups: grpunixadmins
> >  Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
> >  Services: login, sshd, sudo, sudo-i, su, su-l
> >
> >and one sudo rule:
> >Rule name: Pokusne
> >  Enabled: TRUE
> >  Command category: all
> >  User Groups: grpunixadmins
> >  Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
> >
> >Default "all-access" rules are disabled.
> >
> >When I try to sudo as AD user (member of grpunixadmins) on Centos 6.6, I
> >still get:
> >
> >[simecek.tomas@sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf
> >[sudo] password for simecek.tomas@sd-stc.cz:
> >simecek.tomas@sd-stc.cz is not in the sudoers file.  This incident will be reported.
> >
> >It works fine on Centos 7 (spcss-2t-www.linuxdomain.cz).
> >
> >sssd.conf:
> >[domain/linuxdomain.cz]
> >cache_credentials = True
> >krb5_store_password_if_offline = True
> >ipa_domain = linuxdomain.cz
> >id_provider = ipa
> >krb5_realm = LINUXDOMAIN.CZ
> >auth_provider = ipa
> >access_provider = ipa
> >ipa_hostname = zp-cml-test.linuxdomain.cz
> >chpass_provider = ipa
> >ipa_server = svlxxipap.linuxdomain.cz
> >ldap_tls_cacert = /etc/ipa/ca.crt
> >override_shell = /bin/bash
> >sudo_provider = ipa
> >ldap_uri = ldap://svlxxipap.linuxdomain.cz
> >ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
> >ldap_sasl_mech = GSSAPI
> >#ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz@LINUXDOMAIN.CZ
> >ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
> >ldap_sasl_realm = LINUXDOMAIN.CZ
> >krb5_server = svlxxipap.linuxdomain.cz
> >debug_level = 0x3ff0
> >[sssd]
> >services = nss, sudo, pam, ssh
> >config_file_version = 2
> >domains = linuxdomain.cz
> >[nss]
> >homedir_substring = /home
> >[pam]
> >[sudo]
> >debug_level = 0x3ff0
> >[autofs]
> >[ssh]
> >[pac]
> >[ifp]
> >
> >
> >sssd_sudo.log from the moment I tried sudo:
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.tomas@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users@sd-stc.cz)(sudoUser=%unixadmins@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg@sd-stc.cz)(sudoUser=%account@sd-stc.cz)(sudoUser=%wifiadmins@sd-stc.cz)(sudoUser=+*))(&(dataExpireTimestamp<=1468482821)))]
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=simecek.tomas@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users@sd-stc.cz)(sudoUser=%unixadmins@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg@sd-stc.cz)(sudoUser=%account@sd-stc.cz)(sudoUser=%wifiadmins@sd-stc.cz)(sudoUser=+*)))]
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [simecek.tomas@sd-stc.cz]
> >(Thu Jul 14 09:53:47 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
> >(Thu Jul 14 09:53:47 2016) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x260b690][17]
> >(Thu Jul 14 09:53:51 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
> >(Thu Jul 14 09:53:51 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas@sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas@sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [simecek.tomas@sd-stc.cz]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [simecek.tomas@sd-stc.cz]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [simecek.tomas@sd-stc.cz] from [sd-stc.cz]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.tomas@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users@sd-stc.cz)(sudoUser=%unixadmins@sd-stc.cz)(sudoUser=%wifiadmins@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg@sd-stc.cz)(sudoUser=+*))(&(dataExpireTimestamp<=1468482835)))]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@sd-stc.cz]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas@sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas@sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [simecek.tomas] from [sd-stc.cz]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [simecek.tomas@sd-stc.cz]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [simecek.tomas@sd-stc.cz]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [simecek.tomas@sd-stc.cz] from [sd-stc.cz]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.tomas@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users@sd-stc.cz)(sudoUser=%unixadmins@sd-stc.cz)(sudoUser=%wifiadmins@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg@sd-stc.cz)(sudoUser=+*))(&(dataExpireTimestamp<=1468482835)))]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=simecek.tomas@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users@sd-stc.cz)(sudoUser=%unixadmins@sd-stc.cz)(sudoUser=%wifiadmins@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg@sd-stc.cz)(sudoUser=+*)))]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [simecek.tomas@sd-stc.cz]
> Your user does not have any valid sudo rules.
> It might be caused by wrong group membership.
> Are you sure that user simecek.tomas@sd-stc.cz is a member of group
> grpunixadmins?
>
> BTW this is described in sudo troubleshooting wiki
>
> https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>
> LS
>
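Added example, not code from the thread, from SSSD or from FreeIPA: a small Python triage script for an sssd_sudo.log excerpt like the one quoted above. The sudoUser terms in the "Searching sysdb with" filter are the identities the sudo responder resolved for the user (login name, "#<uid>", "%<group>" for each group, "+*" for netgroups), so the filter is the quickest place to see which groups SSSD believes the user is in on that client; "Returning N rules" is what the cache handed back. The script strips mail quoting, rejoins lines the mail client wrapped, pulls out those two facts and classifies the failure as either "group-missing" (the group a rule names is not in the identity set) or "no-cached-rule" (the group is there but the sysdb cache has no matching rule for this host), which is the split the troubleshooting wiki Lukas links walks through. The sample log is constructed from the lines quoted in the thread with "@" where the list archive prints " at "; function names and the verdict strings are this example's own.

```python
"""Triage an sssd_sudo.log excerpt (added example, not SSSD code).

Names and the sample log below are this example's own; the sample is
constructed from the lines quoted in the thread, with "@" where the
list archive printed " at ".
"""
import re
from typing import Dict, List

# Constructed sample: quoted and mail-wrapped exactly as it arrives from the archive.
SAMPLE_LOG = r"""
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
> >Retrieving rules for [simecek.tomas@sd-stc.cz] from [sd-stc.cz]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
> >(0x0400): No such entry
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache]
> >(0x0200): Searching sysdb with
> >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=
> simecek.tomas@sd-stc.cz
> >)(sudoUser=#988604700)(sudoUser=%domain\20users@sd-stc.cz)(sudoUser=%
> >unixadmins@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=+*)))]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
> >(0x0400): Returning 0 rules for [simecek.tomas@sd-stc.cz]
"""

QUOTE_RE = re.compile(r"^(?:>\s?)+")
ENTRY_RE = re.compile(r"^\((?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) ")
SEARCH_RE = re.compile(
    r"\[sudosrv_get_sudorules_query_cache\]\s*\(0x[0-9a-fA-F]+\):\s*"
    r"Searching sysdb with\s*\[(.*)\]$")
RESULT_RE = re.compile(
    r"\[sudosrv_get_sudorules_from_cache\]\s*\(0x[0-9a-fA-F]+\):\s*"
    r"Returning\s*(\d+)\s*rules for\s*\[(.*)\]$")
SUDOUSER_RE = re.compile(r"\(sudoUser=([^()]*)\)")


def rejoin_wrapped(text: str) -> List[str]:
    """Strip mail quoting and glue wrapped continuation lines back onto their entry.

    A new entry starts with the "(Thu Jul 14 ...)" timestamp; anything else is a
    fragment the mail client wrapped. Fragments are joined without a separator so
    LDAP filters come back byte-exact; the regexes above tolerate the lost spaces
    in the prose parts.
    """
    entries: List[str] = []
    for raw in text.splitlines():
        line = QUOTE_RE.sub("", raw).rstrip()
        if not line:
            continue
        if ENTRY_RE.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += line
    return entries


def ldap_unescape(value: str) -> str:
    """Decode RFC 4515 hex escapes, e.g. 'domain\\20users' -> 'domain users'."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_sudo_log(text: str) -> Dict[str, object]:
    """Extract the identities the sudo responder searched for and the rule count it returned.

    sudoUser terms in the sysdb filter are built from the user as sssd resolved them:
    the login name, '#<uid>', '%<group>' for every group, and '+*' for netgroups.
    """
    report: Dict[str, object] = {
        "user": None, "uid": None, "users": set(), "groups": set(),
        "netgroups": False, "rule_count": None,
    }
    for entry in rejoin_wrapped(text):
        m = SEARCH_RE.search(entry)
        if m:
            for term in SUDOUSER_RE.findall(m.group(1)):
                term = ldap_unescape(term)
                if term == "ALL":
                    continue
                if term == "+*":
                    report["netgroups"] = True
                elif term.startswith("#"):
                    report["uid"] = int(term[1:])
                elif term.startswith("%"):
                    report["groups"].add(term[1:])
                else:
                    report["users"].add(term)
            continue
        m = RESULT_RE.search(entry)
        if m and not m.group(2).startswith("<default options>"):
            report["user"] = m.group(2)
            report["rule_count"] = int(m.group(1))
    return report


def diagnose(report: Dict[str, object], expected_group: str) -> str:
    """Say which half of the problem the log points at (verdict names are this example's own)."""
    if report["rule_count"] is None:
        return "no-result"        # no "Returning N rules for [user]" line in the excerpt
    if report["rule_count"] > 0:
        return "ok"
    if expected_group not in report["groups"]:
        return "group-missing"    # sssd did not put the user in the group the rule names
    return "no-cached-rule"       # membership resolved; no matching rule in the sysdb cache for this host


if __name__ == "__main__":
    rep = parse_sudo_log(SAMPLE_LOG)
    print("user:", rep["user"], "uid:", rep["uid"])
    print("groups seen by sssd:", sorted(rep["groups"]))
    print("rules returned:", rep["rule_count"])
    print("verdict for grpunixadmins:", diagnose(rep, "grpunixadmins"))
```

Run it as-is against the embedded sample, or replace SAMPLE_LOG with the contents of /var/log/sssd/sssd_sudo.log from a client with debug_level raised as in the thread. On the quoted excerpt the group the rule names does appear in the filter, so the verdict is "no-cached-rule": the next thing to confirm is whether the rule reached the client's cache at all.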
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160714/b33c7794/attachment.htm>

