<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 11/01/2012 08:26 AM, Bret Wortman wrote:
<blockquote
cite="mid:CACWq_Zmdq-1wV7VTA9O0HWL-kqrnEjca63LzaH_HiaQJRw=gfQ@mail.gmail.com"
type="cite">To close the loop:
<div><br>
</div>
<div>I did the following to clear the credential problem. I
suspect that I hadn't properly run kinit before doing these
steps the first time:</div>
<div><br>
</div>
<div>
<div><font face="courier new, monospace">-sh-4.2$ kinit</font></div>
<div><font face="courier new, monospace">Password for bretw@WEDGEOFLI.ME: </font></div>
<div><font face="courier new, monospace">-sh-4.2$ sudo su -</font></div>
<div><font face="courier new, monospace">sudo:
ldap_sasl_bind_s(): Invalid credentials</font></div>
<div><font face="courier new, monospace">[sudo] password for
bretw: </font></div>
<div><font face="courier new, monospace">bretw is not in the
sudoers file. This incident will be reported.</font></div>
</div>
</blockquote>
<br>
This seems to suggest that it tries to use the sudoers file instead of
LDAP.<br>
<br>
<blockquote
cite="mid:CACWq_Zmdq-1wV7VTA9O0HWL-kqrnEjca63LzaH_HiaQJRw=gfQ@mail.gmail.com"
type="cite">
<div>
<div><font face="courier new, monospace">-sh-4.2$ ldapsearch -x
ou=SUDOers,dc=wedgeofli,dc=me</font></div>
<div><font face="courier new, monospace"># extended LDIF</font></div>
<div><font face="courier new, monospace">#</font></div>
<div><font face="courier new, monospace"># LDAPv3</font></div>
<div><font face="courier new, monospace"># base
<dc=wedgeofli,dc=me> (default) with scope subtree</font></div>
<div><font face="courier new, monospace"># filter:
ou=SUDOers,dc=wedgeofli,dc=me</font></div>
<div><font face="courier new, monospace"># requesting: ALL</font></div>
<div><font face="courier new, monospace">#</font></div>
<div>
<font face="courier new, monospace"><br>
</font></div>
<div><font face="courier new, monospace"># search result</font></div>
<div><font face="courier new, monospace">search: 2</font></div>
<div><font face="courier new, monospace">result: 0 Success</font></div>
<div><font face="courier new, monospace"><br>
</font></div>
<div><font face="courier new, monospace"># numResponses: 1</font></div>
</div>
</blockquote>
<br>
If you used kinit, you can then use -Y GSSAPI to use the Kerberos
credential for authentication.<br>
<br>
<blockquote
cite="mid:CACWq_Zmdq-1wV7VTA9O0HWL-kqrnEjca63LzaH_HiaQJRw=gfQ@mail.gmail.com"
type="cite">
<div>
<div><font face="courier new, monospace">-sh-4.2$ ldapsearch
ou=SUDOers,dc=wedgeofli,dc=me</font></div>
<div><font face="courier new, monospace">SASL/EXTERNAL
authentication started</font></div>
<div><font face="courier new, monospace">ldap_sasl_interactive_bind_s:
Unknown authentication method (-6)</font></div>
<div><font face="courier new, monospace"><span
class="Apple-tab-span" style="white-space:pre"> </span>additional
info: SASL(-4): no mechanism available: </font></div>
<div><font face="courier new, monospace">-sh-4.2$ ldapsearch -x
ou=SUDOers,dc=wedgeofli,dc=me</font></div>
<div><font face="courier new, monospace"># extended LDIF</font></div>
<div><font face="courier new, monospace">#</font></div>
<div><font face="courier new, monospace"># LDAPv3</font></div>
<div><font face="courier new, monospace"># base
<dc=wedgeofli,dc=me> (default) with scope subtree</font></div>
<div><font face="courier new, monospace"># filter:
ou=SUDOers,dc=wedgeofli,dc=me</font></div>
<div><font face="courier new, monospace"># requesting: ALL</font></div>
<div><font face="courier new, monospace">#</font></div>
<div><font face="courier new, monospace"><br>
</font></div>
<div><font face="courier new, monospace"># search result</font></div>
<div><font face="courier new, monospace">search: 2</font></div>
<div><font face="courier new, monospace">result: 0 Success</font></div>
<div><font face="courier new, monospace"><br>
</font></div>
<div><font face="courier new, monospace"># numResponses: 1</font></div>
<div><span style="font-family:'courier new',monospace">-sh-4.2$
ldapsearch -D
uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me -w
password ou=SUDOers,dc=wedgeofli,dc=me</span></div>
<div><font face="courier new, monospace">ldap_bind: Invalid
credentials (49)</font></div>
</div>
<div><br>
</div>
<div>
<div><font face="courier new, monospace">-sh-4.2$ ldappasswd -Y
GSSAPI -S -h fs1.wedgeofli.me
uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me</font></div>
<div>
<font face="courier new, monospace">New password: </font></div>
<div><font face="courier new, monospace">Re-enter new password: </font></div>
<div><font face="courier new, monospace">SASL/GSSAPI
authentication started</font></div>
<div><font face="courier new, monospace">SASL username: bretw@WEDGEOFLI.ME</font></div>
<div><font face="courier new, monospace">SASL SSF: 56</font></div>
<div><font face="courier new, monospace">SASL data security
layer installed.</font></div>
<div><font face="courier new, monospace">-sh-4.2$ ldapsearch -D
uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me -w
password ou=SUDOers,dc=wedgeofli,dc=me</font></div>
<div><font face="courier new, monospace"># extended LDIF</font></div>
<div><font face="courier new, monospace">#</font></div>
<div><font face="courier new, monospace"># LDAPv3</font></div>
<div><font face="courier new, monospace"># base
<dc=wedgeofli,dc=me> (default) with scope subtree</font></div>
<div><font face="courier new, monospace"># filter:
ou=SUDOers,dc=wedgeofli,dc=me</font></div>
<div><font face="courier new, monospace"># requesting: ALL</font></div>
<div><font face="courier new, monospace">#</font></div>
<div>
<font face="courier new, monospace"><br>
</font></div>
<div><font face="courier new, monospace"># search result</font></div>
<div><font face="courier new, monospace">search: 2</font></div>
<div><font face="courier new, monospace">result: 0 Success</font></div>
<div><font face="courier new, monospace"><br>
</font></div>
<div><font face="courier new, monospace"># numResponses: 1</font></div>
<div><font face="courier new, monospace">-sh-4.2$ sudo su -</font></div>
<div><font face="courier new, monospace">[sudo] password for
bretw: </font></div>
<div><font face="courier new, monospace">[root@fs1 ~]#</font></div>
<div><br>
<div class="gmail_quote">On Thu, Nov 1, 2012 at 7:58 AM, Bret
Wortman <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:bret.wortman@damascusgrp.com"
target="_blank">bret.wortman@damascusgrp.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">That's
got me closer now, as I'm at least getting an error
message on stdout:
<div><br>
</div>
<div>
<div><font face="courier new, monospace">[root@fs1 etc]#
more nslcd.conf </font></div>
<div><font face="courier new, monospace">binddn
uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me</font></div>
<div class="im">
<div><font face="courier new, monospace">bindpw
password</font></div>
<div><font face="courier new, monospace"><br>
</font></div>
<div><font face="courier new, monospace">ssl start_tls</font></div>
<div><font face="courier new, monospace">tls_cacertfile
/etc/ipa/ca.crt</font></div>
<div><font face="courier new, monospace">tls_checkpeer
yes</font></div>
<div><font face="courier new, monospace"><br>
</font></div>
<div><font face="courier new, monospace">bind_timelimit
5</font></div>
<div><font face="courier new, monospace">timelimit 15</font></div>
<div><font face="courier new, monospace"><br>
</font></div>
<div><font face="courier new, monospace">uri ldap://fs1.wedgeofli.me</font></div>
</div>
<div><font face="courier new, monospace">sudoers_base
ou=SUDOers,dc=wedgeofli,dc=me</font></div>
<div><font face="courier new, monospace">[root@fs1 etc]#
sudo su -</font></div>
<div><font face="courier new, monospace">sudo:
ldap_sasl_bind_s(): Invalid credentials</font></div>
<div><font face="courier new, monospace">[root@fs1 ~]#</font></div>
<div><br>
</div>
<div>So I'm off to figure out where my credentials are
wrong. Thanks again, Rob, Stephen & Pavel.</div>
<span class="HOEnZb"><font color="#888888">
<div><br>
</div>
<div><br>
</div>
<div>Bret</div>
</font></span>
<div>
<div class="h5"><br>
<div class="gmail_quote">On Wed, Oct 31, 2012 at
2:39 PM, Rob Crittenden <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:rcritten@redhat.com"
target="_blank">rcritten@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0
0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div>Bret Wortman wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
[root@fs1 etc]# more /etc/ldap.conf<br>
sudoers_debug: 1<br>
[root@fs1 etc]# ls -l /etc/ldap.conf<br>
-rw-r--r--. 1 root root 17 Oct 19 14:54
/etc/ldap.conf<br>
<br>
Where should I see the extra output? I've
had this set since last Friday<br>
and I'm not seeing any difference.<br>
</blockquote>
<br>
</div>
Move the contents of /etc/nslcd.conf to this
file and add ldap to sudoers in
/etc/nsswitch.conf.<br>
<br>
rob<br>
<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<br>
<div>
On Wed, Oct 31, 2012 at 2:20 PM, Rob
Crittenden <<a moz-do-not-send="true"
href="mailto:rcritten@redhat.com"
target="_blank">rcritten@redhat.com</a>><br>
</div>
<div>
wrote:<br>
<br>
Bret Wortman wrote:<br>
<br>
F17.<br>
<br>
<br>
I think you want /etc/ldap.conf then.
The easiest way to be sure the<br>
right file is being used is to add
sudoers_debug 1 to the file. This<br>
will present a lot of extra output so
you'll know the file is being<br>
read.<br>
<br>
rob<br>
<br>
<br>
On Wed, Oct 31, 2012 at 2:04 PM, Rob
Crittenden<br>
<<a moz-do-not-send="true"
href="mailto:rcritten@redhat.com"
target="_blank">rcritten@redhat.com</a>><br>
</div>
<div>
<div>
wrote:<br>
<br>
Bret Wortman wrote:<br>
<br>
I had enabled debugging
of sudo but am not clear on<br>
where that<br>
debugging<br>
is going. It's not
stdout, and I'm not seeing anything in<br>
/var/log/messages.<br>
<br>
I'll try switching to SSS
and see what that gets me.<br>
<br>
<br>
What distro is this? If it is
RHEL 6.3 then put the<br>
configuration<br>
into /etc/sudo-ldap.conf
instead of /etc/nslcd. The docs are<br>
incorrect (we are working on
getting them fixed).<br>
<br>
rob<br>
<br>
<br>
<br>
On Wed, Oct 31, 2012 at
1:33 PM, Stephen Gallagher<br>
<<a
moz-do-not-send="true"
href="mailto:sgallagh@redhat.com"
target="_blank">sgallagh@redhat.com</a>><br>
wrote:<br>
<br>
On Wed 31 Oct 2012
11:53:15 AM EDT, Bret Wortman<br>
wrote:<br>
<br>
I'm pretty
certain there's a painfully simple<br>
solution<br>
to this that<br>
I'm not seeing,
but my current configuration isn't<br>
picking up the<br>
freeipa sudoer
rule that I've set.<br>
<br>
/etc/nsswitch.conf specifies:<br>
sudoers:
files ldap<br>
<br>
/etc/nslcd.conf
contains:<br>
<br>
binddn<br>
</div>
</div>
uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
<div>
<div><br>
<br>
<br>
bindpw password<br>
<br>
ssl start_tls<br>
tls_cacertfile
/etc/ipa/ca.crt<br>
tls_checkpeer
yes<br>
<br>
bind_timelimit 5<br>
timelimit 15<br>
<br>
uri ldap://fs1.wedgeofli.me<br>
<br>
sudoers_base
ou=SUDOers,dc=wedgeofli,dc=me<br>
<br>
<br>
The
sssd_DOMAIN.log file contains this when I<br>
try to sudo:<br>
<br>
<br>
<snip><br>
<br>
The SSSD logs aren't
showing anything wrong<br>
because they have<br>
nothing to do with
the execution of the SUDO rules<br>
in this<br>
situation. All the
SSSD is doing is verifying the<br>
authentication<br>
(when sudo prompts
you for your password).<br>
<br>
The problem with the
rule is most likely happening<br>
inside SUDO<br>
itself. When you
specify 'sudoers: files, ldap' in<br>
nsswitch.conf,<br>
it's telling SUDO to
use its own internal LDAP<br>
driver to<br>
look up the<br>
rules. So you need
to check sudo logs to see<br>
what's happening<br>
(probably you will
need to enable debug logging in<br>
/etc/sudo.conf).<br>
<br>
Recent versions of
SUDO (1.8.6 and later) have<br>
support for<br>
setting<br>
'sudoers: files,
sss' in nsswitch.conf which DOES<br>
use SSSD<br>
(1.9.0<br>
and later) for
lookups (and caching) of sudo rules.<br>
<br>
<br>
<br>
<br>
--<br>
Bret Wortman<br>
The Damascus Group<br>
Fairfax, VA<br>
<a moz-do-not-send="true"
href="http://bretwortman.com/"
target="_blank">http://bretwortman.com/</a><br>
<a moz-do-not-send="true"
href="http://twitter.com/BretWortman"
target="_blank">http://twitter.com/BretWortman</a><br>
<br>
<br>
<br>
<br>
</div>
</div>
___________________________________________________
<div><br>
Freeipa-users mailing list<br>
<a moz-do-not-send="true"
href="mailto:Freeipa-users@redhat.com"
target="_blank">Freeipa-users@redhat.com</a><br>
</div>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
<div><br>
</div>
</blockquote>
<br>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
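<p>The replies above describe two pieces of wiring that have to agree before sudo can read rules from FreeIPA's LDAP tree: the <code>sudoers:</code> line in nsswitch.conf (ldap selects sudo's own LDAP driver, sss selects SSSD) and the keys sudo reads from its own LDAP config file (binddn, bindpw, ssl start_tls, tls_checkpeer, uri, sudoers_base). The POSIX shell script below is an added example, not code from this thread, from FreeIPA or from sudo. It parses constructed copies of those two files and reports the mistakes seen in the thread: a sudoers line that never reaches LDAP, a plaintext ldap:// uri without start_tls, an unverified server certificate, and a file carrying bindpw while world readable (the thread's <code>ls -l /etc/ldap.conf</code> showed mode 0644). The sample config is a constructed copy of the posted nslcd.conf with its placeholder password; file paths are arguments, so it touches nothing under /etc.</p>

```shell
#!/bin/sh
# Added example (not from the thread): static check of the sudo LDAP backend
# wiring. All paths are arguments; the sample files are constructed copies
# of the thread's nsswitch.conf line and nslcd.conf.

# sudo_backends FILE: print the sources on the "sudoers:" line of an
# nsswitch.conf-style file, space separated (e.g. "files ldap").
# Prints nothing when the line is absent, i.e. only /etc/sudoers is used.
sudo_backends() {
    awk '
        { sub(/#.*/, ""); gsub(/,/, " ") }
        $1 == "sudoers:" {
            s = ""
            for (i = 2; i <= NF; i++) s = (s == "") ? $i : s " " $i
            print s; exit
        }' "$1"
}

# ldapconf_get FILE KEY: print the value of KEY from a sudo-ldap.conf /
# ldap.conf-style file ("key value" or "key: value"; key match is
# case-insensitive, first hit wins, comments and blank lines ignored).
ldapconf_get() {
    awk -v k="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            name = tolower($1); sub(/:$/, "", name)
            if (name == tolower(k)) {
                $1 = ""; sub(/^[[:space:]]+/, ""); print; exit
            }
        }' "$1"
}

# world_readable FILE: exit 0 when the "other" read bit is set. The ten
# character mode string that starts each ls -l line is portable, unlike
# the stat(1) option syntax.
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# check_sudo_ldap NSSWITCH LDAPCONF: exit 0 when sudo is wired to read rules
# from LDAP over a verified TLS channel, 1 otherwise; one finding per line.
check_sudo_ldap() {
    nss=$1; ldapconf=$2; rc=0
    case " $(sudo_backends "$nss") " in
        *" ldap "*) ;;
        *" sss "*)
            echo "nsswitch: sudoers uses sss, rules come via SSSD and $ldapconf is not consulted" ;;
        *)
            echo "nsswitch: sudoers line lists neither ldap nor sss, only /etc/sudoers is read"
            rc=1 ;;
    esac
    for k in uri binddn bindpw sudoers_base; do
        [ -n "$(ldapconf_get "$ldapconf" "$k")" ] || { echo "$ldapconf: missing $k"; rc=1; }
    done
    uri=$(ldapconf_get "$ldapconf" uri)
    case "$uri" in
        ldaps://*) ;;
        *) [ "$(ldapconf_get "$ldapconf" ssl)" = "start_tls" ] ||
               { echo "$ldapconf: '$uri' without 'ssl start_tls', bindpw would cross the wire in clear"; rc=1; } ;;
    esac
    [ "$(ldapconf_get "$ldapconf" tls_checkpeer)" = "yes" ] ||
        { echo "$ldapconf: tls_checkpeer is not yes, the server certificate is not verified"; rc=1; }
    if [ -n "$(ldapconf_get "$ldapconf" bindpw)" ] && world_readable "$ldapconf"; then
        echo "$ldapconf: contains bindpw but is world readable"; rc=1
    fi
    return $rc
}

# write_sample_configs DIR: constructed copies of the files from the thread.
write_sample_configs() {
    printf 'passwd:   files sss\nsudoers:  files ldap\n' > "$1/nsswitch.conf"
    cat > "$1/sudo-ldap.conf" <<'EOF'
# constructed sample, mirrors the nslcd.conf posted in the thread
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
bindpw password

ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes

bind_timelimit 5
timelimit 15

uri ldap://fs1.wedgeofli.me
sudoers_base ou=SUDOers,dc=wedgeofli,dc=me
EOF
    chmod 600 "$1/sudo-ldap.conf"
}

# Stand-alone run: the sample as posted, then the two mistakes from the thread.
demo() {
    d=$(mktemp -d) || return 1
    write_sample_configs "$d"
    echo "== sample as posted (mode 0600)"
    check_sudo_ldap "$d/nsswitch.conf" "$d/sudo-ldap.conf" && echo "OK"
    echo "== sudoers: files only"
    printf 'sudoers: files\n' > "$d/nsswitch-files.conf"
    check_sudo_ldap "$d/nsswitch-files.conf" "$d/sudo-ldap.conf" || echo "problems found"
    echo "== config file readable by everyone (mode 0644)"
    chmod 644 "$d/sudo-ldap.conf"
    check_sudo_ldap "$d/nsswitch.conf" "$d/sudo-ldap.conf" || echo "problems found"
    rm -rf "$d"
}
demo
```

<p>Run it as <code>sh check-sudo-ldap.sh</code>; to point it at a live host, call <code>check_sudo_ldap /etc/nsswitch.conf /etc/sudo-ldap.conf</code> (or /etc/ldap.conf, whichever file your sudo build reads, which <code>sudoers_debug 1</code> will confirm as Rob suggests). The check is deliberately offline: it says nothing about whether the bind DN and password are accepted by the directory, which is what <code>ldapsearch -D ... -w ...</code> or <code>-Y GSSAPI</code> answers.</p>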
</body>
</html>