[Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

Tomas Simecek simecek.tomas at gmail.com
Thu Jul 14 10:02:59 UTC 2016


Hi Rob,
thanks, but this is not the case.
Firstly, for initial test purposes I am not limiting sudo to specific
commands; in the rule it is set to "any".
Secondly, it fails even in non-symlink cases:

[root at zp-cml-test ~]# which service
/sbin/service
[root at zp-cml-test ~]# ll /sbin/service
-rwxr-xr-x. 1 root root 1694 Oct 16  2014 /sbin/service
[root at zp-cml-test ~]# logout
[simecek.tomas at sd-stc.cz@zp-cml-test ~]$ sudo service sshd restart
[sudo] password for simecek.tomas at sd-stc.cz:
simecek.tomas at sd-stc.cz is not in the sudoers file.  This incident will be
reported.

Thanks anyway, let me know if something else comes to your mind.

Tomas

2016-07-14 11:51 GMT+02:00 Rob Verduijn <rob.verduijn at gmail.com>:

> hi,
>
> just a long shot here..
>
> I've been battling sudo for a couple days now and found that my issue was
> one related to symlinks
> on centos7 'which cat' says /bin/cat
> but on centos /bin is a symlink to /usr/bin and sudo knows a symlink when
> it sees one and to prevent abuse it requires the 'real' path for the sudo
> rule : <user> ALL=(ALL) /usr/bin/cat
> on centos6 which cat also says /bin/cat but since /bin is not a symlink it
> requires the sudo rule to be <user> ALL=(ALL) /bin/cat
> so for the sudo to work on both centos6 and centos7 you would require 2
> sudo rules.
>
> Ignore me if this is irrelevant.
>
> Just my 2 cents
> Rob
>
> 2016-07-14 10:38 GMT+02:00 Lukas Slebodnik <lslebodn at redhat.com>:
>
>> On (14/07/16 10:09), Tomas Simecek wrote:
>> >Thanks all of you guys,
>> >I have updated to:
>> >sssd-krb5-common-1.13.3-22.el6_8.4.x86_64
>> >sssd-1.13.3-22.el6_8.4.x86_64
>> >sssd-ldap-1.13.3-22.el6_8.4.x86_64
>> >sssd-client-1.13.3-22.el6_8.4.x86_64
>> >sssd-ad-1.13.3-22.el6_8.4.x86_64
>> >sssd-proxy-1.13.3-22.el6_8.4.x86_64
>> >libsss_idmap-1.13.3-22.el6_8.4.x86_64
>> >sssd-common-1.13.3-22.el6_8.4.x86_64
>> >sssd-ipa-1.13.3-22.el6_8.4.x86_64
>> >python-sssdconfig-1.13.3-22.el6_8.4.noarch
>> >sssd-krb5-1.13.3-22.el6_8.4.x86_64
>> >sssd-common-pac-1.13.3-22.el6_8.4.x86_64
>> >(there does not seem to be libsss_sudo in Centos as suggested by Danila).
>> >and restarted sssd.
>> >
>> >There are two rules enabled. One HBAC as I presented earlier:
>> >  Rule name: Unixari na test servery
>> >  Enabled: TRUE
>> >  User Groups: grpunixadmins
>> >  Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
>> >  Services: login, sshd, sudo, sudo-i, su, su-l
>> >
>> >and one sudo rule:
>> >Rule name: Pokusne
>> >  Enabled: TRUE
>> >  Command category: all
>> >  User Groups: grpunixadmins
>> >  Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
>> >
>> >Default "all-access" rules are disabled.
>> >
>> >When I try to sudo as AD user (member of grpunixadmins) on Centos 6.6, I
>> >still get:
>> >
>> >[simecek.tomas at sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf
>> >[sudo] password for simecek.tomas at sd-stc.cz:
>> >simecek.tomas at sd-stc.cz is not in the sudoers file.  This incident will
>> be
>> >reported.
>> >
>> >It works fine on Centos 7 (spcss-2t-www.linuxdomain.cz).
>> >
>> >sssd.conf:
>> >[domain/linuxdomain.cz]
>> >cache_credentials = True
>> >krb5_store_password_if_offline = True
>> >ipa_domain = linuxdomain.cz
>> >id_provider = ipa
>> >krb5_realm = LINUXDOMAIN.CZ
>> >auth_provider = ipa
>> >access_provider = ipa
>> >ipa_hostname = zp-cml-test.linuxdomain.cz
>> >chpass_provider = ipa
>> >ipa_server = svlxxipap.linuxdomain.cz
>> >ldap_tls_cacert = /etc/ipa/ca.crt
>> >override_shell = /bin/bash
>> >sudo_provider = ipa
>> >ldap_uri = ldap://svlxxipap.linuxdomain.cz
>> >ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
>> >ldap_sasl_mech = GSSAPI
>> >#ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz at LINUXDOMAIN.CZ
>> >ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
>> >ldap_sasl_realm = LINUXDOMAIN.CZ
>> >krb5_server = svlxxipap.linuxdomain.cz
>> >debug_level = 0x3ff0
>> >[sssd]
>> >services = nss, sudo, pam, ssh
>> >config_file_version = 2
>> >domains = linuxdomain.cz
>> >[nss]
>> >homedir_substring = /home
>> >[pam]
>> >[sudo]
>> >debug_level = 0x3ff0
>> >[autofs]
>> >[ssh]
>> >[pac]
>> >[ifp]
>> >
>> >
>> >sssd_sudo.log from the moment I tried sudo:
>> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
>> >(0x0400): No such entry
>> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]]
>> [sudosrv_get_sudorules_query_cache]
>> >(0x0200): Searching sysdb with
>> >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
>> >simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\
>> >20users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz
>> >)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=%
>> >account at sd-stc.cz)(sudoUser=%wifiadmins at sd-stc.cz
>> >)(sudoUser=+*))(&(dataExpireTimestamp<=1468482821)))]
>> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000):
>> About
>> >to get sudo rules from cache
>> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
>> >(0x0400): No such entry
>> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]]
>> [sudosrv_get_sudorules_query_cache]
>> >(0x0200): Searching sysdb with
>> >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=
>> simecek.tomas at sd-stc.cz
>> >)(sudoUser=#988604700)(sudoUser=%domain\20users at sd-stc.cz)(sudoUser=%
>> >unixadmins at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%
>> mfcr_mfg at sd-stc.cz
>> >)(sudoUser=%account at sd-stc.cz)(sudoUser=%wifiadmins at sd-stc.cz
>> >)(sudoUser=+*)))]
>> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]]
>> [sudosrv_get_sudorules_from_cache]
>> >(0x0400): Returning 0 rules for [simecek.tomas at sd-stc.cz]
>> >(Thu Jul 14 09:53:47 2016) [sssd[sudo]] [client_recv] (0x0200): Client
>> >disconnected!
>> >(Thu Jul 14 09:53:47 2016) [sssd[sudo]] [client_destructor] (0x2000):
>> >Terminated client [0x260b690][17]
>> >(Thu Jul 14 09:53:51 2016) [sssd[sudo]] [sbus_message_handler] (0x2000):
>> >Received SBUS method org.freedesktop.sssd.service.ping on path
>> >/org/freedesktop/sssd/service
>> >(Thu Jul 14 09:53:51 2016) [sssd[sudo]] [sbus_get_sender_id_send]
>> (0x2000):
>> >Not a sysbus message, quit
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [accept_fd_handler] (0x0400):
>> >Client connected!
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
>> >Received client version [1].
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
>> >Offered version [1].
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using
>> >protocol version [1]
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains]
>> >(0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain '
>> >sd-stc.cz', user is simecek.tomas
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains]
>> >(0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain '
>> >sd-stc.cz', user is simecek.tomas
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
>> >(0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz
>> ]
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000):
>> >Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas]
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200):
>> >Requesting info about [simecek.tomas at sd-stc.cz]
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400):
>> >Returning info for user [simecek.tomas at sd-stc.cz]
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
>> >Retrieving default options for [simecek.tomas at sd-stc.cz] from [sd-stc.cz
>> ]
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
>> >(0x0400): No such entry
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]]
>> [sudosrv_get_sudorules_query_cache]
>> >(0x0200): Searching sysdb with
>> >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
>> >simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\
>> >20users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%
>> >wifiadmins at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%
>> mfcr_mfg at sd-stc.cz
>> >)(sudoUser=+*))(&(dataExpireTimestamp<=1468482835)))]
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000):
>> About
>> >to get sudo rules from cache
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]]
>> [sudosrv_get_sudorules_query_cache]
>> >(0x0200): Searching sysdb with
>> [(&(objectClass=sudoRule)(|(name=defaults)))]
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]]
>> [sudosrv_get_sudorules_from_cache]
>> >(0x0400): Returning 0 rules for [<default options>@sd-stc.cz]
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using
>> >protocol version [1]
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains]
>> >(0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain '
>> >sd-stc.cz', user is simecek.tomas
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains]
>> >(0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain '
>> >sd-stc.cz', user is simecek.tomas
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
>> >(0x0200): Requesting rules for [simecek.tomas] from [sd-stc.cz]
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000):
>> >Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas]
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200):
>> >Requesting info about [simecek.tomas at sd-stc.cz]
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400):
>> >Returning info for user [simecek.tomas at sd-stc.cz]
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
>> >Retrieving rules for [simecek.tomas at sd-stc.cz] from [sd-stc.cz]
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
>> >(0x0400): No such entry
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]]
>> [sudosrv_get_sudorules_query_cache]
>> >(0x0200): Searching sysdb with
>> >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
>> >simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\
>> >20users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%
>> >wifiadmins at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%
>> mfcr_mfg at sd-stc.cz
>> >)(sudoUser=+*))(&(dataExpireTimestamp<=1468482835)))]
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000):
>> About
>> >to get sudo rules from cache
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
>> >(0x0400): No such entry
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]]
>> [sudosrv_get_sudorules_query_cache]
>> >(0x0200): Searching sysdb with
>> >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=
>> simecek.tomas at sd-stc.cz
>> >)(sudoUser=#988604700)(sudoUser=%domain\20users at sd-stc.cz)(sudoUser=%
>> >unixadmins at sd-stc.cz)(sudoUser=%wifiadmins at sd-stc.cz
>> >)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=+*)))]
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]]
>> [sudosrv_get_sudorules_from_cache]
>> >(0x0400): Returning 0 rules for [simecek.tomas at sd-stc.cz]
>> Your user does not have any valid sudo rules.
>> It might be caused by wrong group membership.
>> Are you sure that user simecek.tomas at sd-stc.cz is a member of group
>> grpunixadmins?
>>
>> BTW this is described in sudo troubleshooting wiki
>>
>> https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>>
>> LS
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>
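The sssd_sudo.log excerpt quoted above carries the two facts a troubleshooter needs: the sudoUser filter lists every identity (user, uid, %group, +netgroup) that sssd matched rules against, and the "Returning N rules" line says how many cached rules matched. Comparing the two by eye across wrapped mail lines is error-prone, so here is an added Python example (not code from the thread or from sssd) that parses those lines and reports whether the expected group is present in the filter. The log lines embedded in SAMPLE_LOG are constructed to mirror the format quoted above (address scrubbing undone, lines unwrapped); parse_sudo_log and diagnose are names chosen for this example.

```python
"""Read sssd_sudo.log debug lines and separate two failure causes that both
end in "is not in the sudoers file": sssd does not see the user in the group
the rule targets, or it does but no matching rule sits in its local cache."""
import re

# Constructed sample in the format of the thread's sssd_sudo.log excerpt.
SAMPLE_LOG = """\
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@sd-stc.cz]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=simecek.tomas@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\\20users@sd-stc.cz)(sudoUser=%unixadmins@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=+*)))]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [simecek.tomas@sd-stc.cz]
"""

FILTER_RE = re.compile(r"Searching sysdb with \[(.*)\]\s*$")
SUDOUSER_RE = re.compile(r"\(sudoUser=([^)]*)\)")
RETURN_RE = re.compile(r"Returning (\d+) rules for \[([^\]]+)\]")
LDAP_ESC_RE = re.compile(r"\\([0-9a-fA-F]{2})")  # RFC 4515 escapes, e.g. \20 for a space


def ldap_unescape(value):
    """Turn LDAP filter escapes such as 'domain\\20users' back into plain text."""
    return LDAP_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), value)


def parse_sudo_log(text):
    """Return one dict per cache query: identities searched and rules returned.

    sudoUser values follow sudoers syntax: a bare name is a user, '#N' a uid,
    '%name' a group and '+name' a netgroup. 'ALL' is dropped as it is not an
    identity of the user.
    """
    queries = []
    for line in text.splitlines():
        m = FILTER_RE.search(line)
        if m:
            ids = [ldap_unescape(v) for v in SUDOUSER_RE.findall(m.group(1))]
            queries.append({
                "for": None,
                "users": [i for i in ids if i[:1] not in "%#+" and i != "ALL"],
                "uid": next((i[1:] for i in ids if i.startswith("#")), None),
                "groups": [i[1:] for i in ids if i.startswith("%")],
                "netgroups": [i[1:] for i in ids if i.startswith("+")],
                "rules": None,
            })
            continue
        m = RETURN_RE.search(line)
        if m and queries:
            queries[-1]["rules"] = int(m.group(1))
            queries[-1]["for"] = m.group(2)
    return queries


def diagnose(queries, expected_group):
    """Explain each per-user query in terms of the group the sudo rule targets."""
    findings = []
    for q in queries:
        # The defaults lookup ("<default options>@domain") carries no membership info.
        if q["for"] is None or q["for"].startswith("<default options>"):
            continue
        if expected_group not in q["groups"]:
            findings.append(
                f"{q['for']}: %{expected_group} is absent from the sudoUser filter, "
                f"so sssd does not consider the user a member of that group; "
                f"verify group membership first")
        elif q["rules"] == 0:
            findings.append(
                f"{q['for']}: filter includes %{expected_group} but the cache "
                f"returned 0 rules; membership is not the blocker, the rule is "
                f"missing from the local sudo cache (check the rule's hosts and "
                f"that sssd fetched it)")
        else:
            findings.append(f"{q['for']}: {q['rules']} rule(s) matched")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_sudo_log(SAMPLE_LOG), "grpunixadmins"):
        print(finding)
```

Run against a real sssd_sudo.log (debug_level 0x3ff0 in the [sudo] section, as in the configuration quoted above) after reproducing the failing sudo call. In the thread's own excerpt the filter already contains %grpunixadmins, so the parser would report the second case: the membership sssd computed does include the group, and what is missing is a cached rule matching it.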