To close the loop:<div><br></div><div>I did the following to clear the credential problem. I suspect that I hadn't properly run kinit before doing these steps the first time:</div><div><br></div><div><div><font face="courier new, monospace">-sh-4.2$ kinit</font></div>
<div><font face="courier new, monospace">Password for <a href="mailto:bretw@WEDGEOFLI.ME">bretw@WEDGEOFLI.ME</a>: </font></div><div><font face="courier new, monospace">-sh-4.2$ sudo su -</font></div><div><font face="courier new, monospace">sudo: ldap_sasl_bind_s(): Invalid credentials</font></div>
<div><font face="courier new, monospace">[sudo] password for bretw: </font></div><div><font face="courier new, monospace">bretw is not in the sudoers file. This incident will be reported.</font></div><div><font face="courier new, monospace">-sh-4.2$ ldapsearch -x ou=SUDOers,dc=wedgeofli,dc=me</font></div>
<div><font face="courier new, monospace"># extended LDIF</font></div><div><font face="courier new, monospace">#</font></div><div><font face="courier new, monospace"># LDAPv3</font></div><div><font face="courier new, monospace"># base <dc=wedgeofli,dc=me> (default) with scope subtree</font></div>
<div><font face="courier new, monospace"># filter: ou=SUDOers,dc=wedgeofli,dc=me</font></div><div><font face="courier new, monospace"># requesting: ALL</font></div><div><font face="courier new, monospace">#</font></div><div>
<font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"># search result</font></div><div><font face="courier new, monospace">search: 2</font></div><div><font face="courier new, monospace">result: 0 Success</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"># numResponses: 1</font></div><div><font face="courier new, monospace">-sh-4.2$ ldapsearch ou=SUDOers,dc=wedgeofli,dc=me</font></div>
<div><font face="courier new, monospace">SASL/EXTERNAL authentication started</font></div><div><font face="courier new, monospace">ldap_sasl_interactive_bind_s: Unknown authentication method (-6)</font></div><div><font face="courier new, monospace"><span class="Apple-tab-span" style="white-space:pre"> </span>additional info: SASL(-4): no mechanism available: </font></div>
<div><font face="courier new, monospace">-sh-4.2$ ldapsearch -x ou=SUDOers,dc=wedgeofli,dc=me</font></div><div><font face="courier new, monospace"># extended LDIF</font></div><div><font face="courier new, monospace">#</font></div>
<div><font face="courier new, monospace"># LDAPv3</font></div><div><font face="courier new, monospace"># base <dc=wedgeofli,dc=me> (default) with scope subtree</font></div><div><font face="courier new, monospace"># filter: ou=SUDOers,dc=wedgeofli,dc=me</font></div>
<div><font face="courier new, monospace"># requesting: ALL</font></div><div><font face="courier new, monospace">#</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"># search result</font></div>
<div><font face="courier new, monospace">search: 2</font></div><div><font face="courier new, monospace">result: 0 Success</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"># numResponses: 1</font></div>
<div><span style="font-family:'courier new',monospace">-sh-4.2$ ldapsearch -D uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me -w password ou=SUDOers,dc=wedgeofli,dc=me</span></div><div><font face="courier new, monospace">ldap_bind: Invalid credentials (49)</font></div>
</div><div><br></div><div><div><font face="courier new, monospace">-sh-4.2$ ldappasswd -Y GSSAPI -S -h <a href="http://fs1.wedgeofli.me">fs1.wedgeofli.me</a> uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me</font></div><div>
<font face="courier new, monospace">New password: </font></div><div><font face="courier new, monospace">Re-enter new password: </font></div><div><font face="courier new, monospace">SASL/GSSAPI authentication started</font></div>
<div><font face="courier new, monospace">SASL username: <a href="mailto:bretw@WEDGEOFLI.ME">bretw@WEDGEOFLI.ME</a></font></div><div><font face="courier new, monospace">SASL SSF: 56</font></div><div><font face="courier new, monospace">SASL data security layer installed.</font></div>
<div><font face="courier new, monospace">-sh-4.2$ ldapsearch -D uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me -w password ou=SUDOers,dc=wedgeofli,dc=me</font></div><div><font face="courier new, monospace"># extended LDIF</font></div>
<div><font face="courier new, monospace">#</font></div><div><font face="courier new, monospace"># LDAPv3</font></div><div><font face="courier new, monospace"># base <dc=wedgeofli,dc=me> (default) with scope subtree</font></div>
<div><font face="courier new, monospace"># filter: ou=SUDOers,dc=wedgeofli,dc=me</font></div><div><font face="courier new, monospace"># requesting: ALL</font></div><div><font face="courier new, monospace">#</font></div><div>
<font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"># search result</font></div><div><font face="courier new, monospace">search: 2</font></div><div><font face="courier new, monospace">result: 0 Success</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"># numResponses: 1</font></div><div><font face="courier new, monospace">-sh-4.2$ sudo su -</font></div><div><font face="courier new, monospace">[sudo] password for bretw: </font></div>
<div><font face="courier new, monospace">[root@fs1 ~]#</font></div><div><br><div class="gmail_quote">On Thu, Nov 1, 2012 at 7:58 AM, Bret Wortman <span dir="ltr"><<a href="mailto:bret.wortman@damascusgrp.com" target="_blank">bret.wortman@damascusgrp.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">That's got me closer now, as I'm at least getting an error message on stdout:<div><br></div><div><div><font face="courier new, monospace">[root@fs1 etc]# more nslcd.conf </font></div>
<div><font face="courier new, monospace">binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me</font></div><div class="im">
<div><font face="courier new, monospace">bindpw password</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">ssl start_tls</font></div><div><font face="courier new, monospace">tls_cacertfile /etc/ipa/ca.crt</font></div>
<div><font face="courier new, monospace">tls_checkpeer yes</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">bind_timelimit 5</font></div><div><font face="courier new, monospace">timelimit 15</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">uri ldap://<a href="http://fs1.wedgeofli.me" target="_blank">fs1.wedgeofli.me</a></font></div></div><div><font face="courier new, monospace">sudoers_base ou=SUDOers,dc=wedgeofli,dc=me</font></div>
<div><font face="courier new, monospace">[root@fs1 etc]# sudo su -</font></div><div><font face="courier new, monospace">sudo: ldap_sasl_bind_s(): Invalid credentials</font></div><div><font face="courier new, monospace">[root@fs1 ~]#</font></div>
<div><br></div><div>So I'm off to figure out where my credentials are wrong. Thanks again, Rob, Stephen & Pavel.</div><span class="HOEnZb"><font color="#888888"><div><br></div><div><br></div><div>Bret</div></font></span><div>
<div class="h5"><br><div class="gmail_quote">On Wed, Oct 31, 2012 at 2:39 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>Bret Wortman wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
[root@fs1 etc]# more /etc/ldap.conf<br>
sudoers_debug: 1<br>
[root@fs1 etc]# ls -l /etc/ldap.conf<br>
-rw-r--r--. 1 root root 17 Oct 19 14:54 /etc/ldap.conf<br>
<br>
Where should I see the extra output? I've had this set since last Friday<br>
and I'm not seeing any difference.<br>
</blockquote>
<br></div>
Move the contents of /etc/nslcd.conf to this file and add ldap to sudoers in /etc/nsswitch.conf.<br>
<br>
rob<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br><div>
On Wed, Oct 31, 2012 at 2:20 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a><br></div><div>
<mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>>> wrote:<br>
<br>
Bret Wortman wrote:<br>
<br>
F17.<br>
<br>
<br>
I think you want /etc/ldap.conf then. The easiest way to be sure the<br>
right file is being used is to add sudoers_debug 1 to the file. This<br>
will present a lot of extra output so you'll know the file is being<br>
read.<br>
<br>
rob<br>
<br>
<br>
On Wed, Oct 31, 2012 at 2:04 PM, Rob Crittenden<br>
<<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>><br></div><div><div>
<mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>>>> wrote:<br>
<br>
Bret Wortman wrote:<br>
<br>
I had enabled debugging of sudo but am not clear on<br>
where that<br>
debugging<br>
is going. It's not stdout, and I'm not seeing anything in<br>
/var/log/messages.<br>
<br>
I'll try switching to SSS and see what that gets me.<br>
<br>
<br>
What distro is this? If it is RHEL 6.3 then put the<br>
configuration<br>
into /etc/sudo-ldap.conf instead of /etc/nslcd. The docs are<br>
incorrect (we are working on getting them fixed).<br>
<br>
rob<br>
<br>
<br>
<br>
On Wed, Oct 31, 2012 at 1:33 PM, Stephen Gallagher<br>
<<a href="mailto:sgallagh@redhat.com" target="_blank">sgallagh@redhat.com</a> <mailto:<a href="mailto:sgallagh@redhat.com" target="_blank">sgallagh@redhat.com</a>><br>
<mailto:<a href="mailto:sgallagh@redhat.com" target="_blank">sgallagh@redhat.com</a> <mailto:<a href="mailto:sgallagh@redhat.com" target="_blank">sgallagh@redhat.com</a>>><br>
<mailto:<a href="mailto:sgallagh@redhat.com" target="_blank">sgallagh@redhat.com</a><br>
<mailto:<a href="mailto:sgallagh@redhat.com" target="_blank">sgallagh@redhat.com</a>> <mailto:<a href="mailto:sgallagh@redhat.com" target="_blank">sgallagh@redhat.com</a><br>
<mailto:<a href="mailto:sgallagh@redhat.com" target="_blank">sgallagh@redhat.com</a>>>><u></u>> wrote:<br>
<br>
On Wed 31 Oct 2012 11:53:15 AM EDT, Bret Wortman<br>
wrote:<br>
<br>
I'm pretty certain there's a painfully simple<br>
solution<br>
to this that<br>
I'm not seeing, but my current configuration isn't<br>
picking up the<br>
freeipa sudoer rule that I've set.<br>
<br>
/etc/nsswitch.conf specifies:<br>
sudoers: files ldap<br>
<br>
/etc/nslcd.conf contains:<br>
<br>
binddn<br></div></div>
uid=sudo,cn=sysaccounts,cn=___<u></u>___etc,dc=wedgeofli,dc=me<div><div><br>
<br>
<br>
bindpw password<br>
<br>
ssl start_tls<br>
tls_cacertfile /etc/ipa/ca.crt<br>
tls_checkpeer yes<br>
<br>
bind_timelimit 5<br>
timelimit 15<br>
<br>
uri ldap://<a href="http://fs1.wedgeofli.me" target="_blank">fs1.wedgeofli.me</a><br>
<<a href="http://fs1.wedgeofli.me" target="_blank">http://fs1.wedgeofli.me</a>> <<a href="http://fs1.wedgeofli.me" target="_blank">http://fs1.wedgeofli.me</a>><br>
<<a href="http://fs1.wedgeofli.me" target="_blank">http://fs1.wedgeofli.me</a>><br>
<<a href="http://fs1.wedgeofli.me" target="_blank">http://fs1.wedgeofli.me</a>><br>
<br>
sudoers_base ou=SUDOers,dc=wedgeofli,dc=me<br>
<br>
<br>
The sssd_DOMAIN.log file contains this when I<br>
try to sudo:<br>
<br>
<br>
<snip><br>
<br>
The SSSD logs aren't showing anything wrong<br>
because they have<br>
nothing to do with the execution of the SUDO rules<br>
in this<br>
situation. All the SSSD is doing is verifying the<br>
authentication<br>
(when sudo prompts you for your password).<br>
<br>
The problem with the rule is most likely happening<br>
inside SUDO<br>
itself. When you specify 'sudoers: files, ldap' in<br>
nsswitch.conf,<br>
it's telling SUDO to use its own internal LDAP<br>
driver to<br>
look up the<br>
rules. So you need to check sudo logs to see<br>
what's happening<br>
(probably you will need to enable debug logging in<br>
/etc/sudo.conf).<br>
<br>
Recent versions of SUDO (1.8.6 and later) have<br>
support for<br>
setting<br>
'sudoers: files, sss' in nsswitch.conf which DOES<br>
use SSSD<br>
(1.9.0<br>
and later) for lookups (and caching) of sudo rules.<br>
<br>
<br>
<br>
<br>
--<br>
Bret Wortman<br>
The Damascus Group<br>
Fairfax, VA<br>
<a href="http://bretwortman.com/" target="_blank">http://bretwortman.com/</a><br>
<a href="http://twitter.com/BretWortman" target="_blank">http://twitter.com/BretWortman</a><br>
<br>
<br>
<br>
<br>
--<br>
Bret Wortman<br>
The Damascus Group<br>
Fairfax, VA<br>
<a href="http://bretwortman.com/" target="_blank">http://bretwortman.com/</a><br>
<a href="http://twitter.com/BretWortman" target="_blank">http://twitter.com/BretWortman</a><br>
<br>
<br>
<br></div></div>
______________________________<u></u>_____________________<div><br>
Freeipa-users mailing list<br>
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a> <mailto:<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.<u></u>com</a>><br></div>
<mailto:<a href="mailto:Freeipa-users@redhat." target="_blank">Freeipa-users@redhat.</a>_<u></u>_com<br>
<mailto:<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.<u></u>com</a>>><br>
<a href="https://www.redhat.com/____mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/____<u></u>mailman/listinfo/freeipa-users</a><br>
<<a href="https://www.redhat.com/__mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/__<u></u>mailman/listinfo/freeipa-users</a><u></u>><br>
<br>
<br>
<<a href="https://www.redhat.com/__mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/__<u></u>mailman/listinfo/freeipa-users</a><br>
<<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/<u></u>mailman/listinfo/freeipa-users</a><u></u>>__><div><br>
<br>
<br>
<br>
<br>
<br>
--<br>
Bret Wortman<br>
The Damascus Group<br>
Fairfax, VA<br>
<a href="http://bretwortman.com/" target="_blank">http://bretwortman.com/</a><br>
<a href="http://twitter.com/BretWortman" target="_blank">http://twitter.com/BretWortman</a><br>
<br>
<br>
<br>
______________________________<u></u>___________________<br>
Freeipa-users mailing list<br>
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a> <mailto:<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.<u></u>com</a>><br>
<a href="https://www.redhat.com/__mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/__<u></u>mailman/listinfo/freeipa-users</a><br>
<<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/<u></u>mailman/listinfo/freeipa-users</a><u></u>><br>
<br>
<br>
<br>
<br>
<br>
--<br>
Bret Wortman<br>
The Damascus Group<br>
Fairfax, VA<br>
<a href="http://bretwortman.com/" target="_blank">http://bretwortman.com/</a><br>
<a href="http://twitter.com/BretWortman" target="_blank">http://twitter.com/BretWortman</a><br>
<br>
<br>
<br>
______________________________<u></u>_________________<br>
Freeipa-users mailing list<br>
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/<u></u>mailman/listinfo/freeipa-users</a><br>
<br>
</div></blockquote>
<br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div>Bret Wortman</div><div>The Damascus Group</div><div>Fairfax, VA</div><div><a href="http://bretwortman.com/" target="_blank">http://bretwortman.com/</a></div>
<div><a href="http://twitter.com/BretWortman" target="_blank">http://twitter.com/BretWortman</a></div><br>
</div></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div>Bret Wortman</div><div>The Damascus Group</div><div>Fairfax, VA</div><div><a href="http://bretwortman.com/" target="_blank">http://bretwortman.com/</a></div>
<div><a href="http://twitter.com/BretWortman" target="_blank">http://twitter.com/BretWortman</a></div><br>
</div></div>