Do: ipa hbactest --user=thing-sudo --host=vuwunicocatd001.ods.vuw.ac.nz --service=sudo
with the hbac rule on and off.

On Tue, Aug 14, 2012 at 4:47 PM, Steven Jones <[email protected]> wrote:
> Hi,
>
> No it fails even if I specify the host, but it works if I re-enable the
> allowall HBAC rule.
>
> So for some reason HBAC is impacting sudo.
>
> =====
> [thing-sudo@vuwunicocatd001 ~]$ hostname
> vuwunicocatd001.ods.vuw.ac.nz
> [thing-sudo@vuwunicocatd001 ~]$ domainname
> ods.vuw.ac.nz
> [thing-sudo@vuwunicocatd001 ~]$
> [root@vuwunicocatd001 jonesst1]# more /etc/hosts
> # not remove the following line, or various programs
> # that require network functionality will fail.
> 127.0.0.1 localhost.localdomain localhost
> 10.70.1.14 vuwunicocatd001.ods.vuw.ac.nz vuwunicocatd001.vuw.ac.nz visualresourcest.vuw.ac.nz vuwunicocatd001
> [root@vuwunicocatd001 jonesst1]# more /etc/sysconfig/network
> NETWORKING=yes
> HOSTNAME=vuwunicocatd001.ods.vuw.ac.nz
> GATEWAY=10.70.1.1
> NTPSERVERARGS=iburst
> [root@vuwunicocatd001 jonesst1]#
> =====
>
> All looks correct....
>
> =======
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: KodaK [[email protected]]
> Sent: Wednesday, 15 August 2012 9:41 a.m.
> To: Steven Jones
> Cc: [email protected]
> Subject: Re: [Freeipa-users] Unable to get sudo commend to work...
>
> OK, so it works if you allow all hosts, but fails if you specify a
> host. This leads me to believe that the host may not "know" who it
> is.
>
> Run the gamut on local hostname configuration:
>
> Check /etc/hosts, is the host listed with the FQDN first?
> Check "hostname" -- it should report the FQDN.
> Check "domainname" -- it should report the domain.
>
> I have a very similar rule, btw:
>
> [jebalicki@slpidml01 ~]$ ipa sudorule-show tds-web-restart
> ipa: INFO: trying https://slpidml01.unix.magellanhealth.com/ipa/xml
> ipa: INFO: Forwarding 'sudorule_show' to server u'http://slpidml01.unix.magellanhealth.com/ipa/xml'
> Rule name: tds-web-restart
> Enabled: TRUE
> User Groups: admins, tds-webserver-users, unixadmins
> Host Groups: tdswebhosts
> Sudo Allow Commands: /etc/rc.d/init.d/httpd
> [jebalicki@slpidml01 ~]$
>
>
> On Tue, Aug 14, 2012 at 4:13 PM, Steven Jones <[email protected]> wrote:
>> Hi,
>>
>> I am trying to get a sudo-group command to work such that a group of users
>> can reload apache's config....I know the password is fine as I can ssh into
>> the server....
>>
>> [thing-sudo@vuwunicocatd001 ~]$ sudo /sbin/service httpd reload
>> LDAP Config Summary
>> ===================
>> uri ldap://vuwunicoipam001.ods.vuw.ac.nz ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz
>> ldap_version 3
>> sudoers_base ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
>> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=ods,dc=vuw,dc=ac,dc=nz
>> bindpw xxxxxxxxxxxx
>> bind_timelimit 5000000
>> ssl start_tls
>> tls_checkpeer (no)
>> tls_cacertfile /etc/ipa/ca.crt
>> ===================
>> sudo: ldap_set_option: debug -> 0
>> sudo: ldap_set_option: tls_checkpeer -> 0
>> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
>> sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
>> sudo: ldap_initialize(ld, ldap://vuwunicoipam001.ods.vuw.ac.nz ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz)
>> sudo: ldap_set_option: ldap_version -> 3
>> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5000)
>> sudo: ldap_start_tls_s() ok
>> sudo: ldap_sasl_bind_s() ok
>> sudo: no default options found in ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
>> sudo: ldap search
>> '(|(sudoUser=thing-sudo)(sudoUser=%thing-sudo)(sudoUser=%ipausers)(sudoUser=%collectriveaccess-student)(sudoUser=%login04-mysql)(sudoUser=%360-ftp)(sudoUser=%become-mysql-users)(sudoUser=ALL))'
>> sudo: found:cn=sudo-commands-catd-students,ou=sudoers,dc=ods,dc=vuw,dc=ac,dc=nz
>> sudo: ldap sudoHost 'vuwunicocatd001.ods.vuw.ac.nz' ... MATCH!
>> sudo: ldap sudoCommand '/sbin/service httpd reload' ... MATCH!
>> sudo: ldap sudoCommand '/etc/init.d/httpd reload' ... MATCH!
>> sudo: Command allowed
>> sudo: user_matches=1
>> sudo: host_matches=1
>> sudo: sudo_ldap_lookup(0)=0x02
>> [sudo] password for thing-sudo:
>> Sorry, try again.
>> [sudo] password for thing-sudo:
>> Sorry, try again.
>> [sudo] password for thing-sudo:
>> Sorry, try again.
>> sudo: 3 incorrect password attempts
>> [thing-sudo@vuwunicocatd001 ~]$ sudo /sbin/service httpd reload
>> LDAP Config Summary
>> ===================
>> uri ldap://vuwunicoipam001.ods.vuw.ac.nz ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz
>> ldap_version 3
>> sudoers_base ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
>> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=ods,dc=vuw,dc=ac,dc=nz
>> bindpw xxxxxxxxxxxxx
>> bind_timelimit 5000000
>> ssl start_tls
>> tls_checkpeer (no)
>> tls_cacertfile /etc/ipa/ca.crt
>> ===================
>> sudo: ldap_set_option: debug -> 0
>> sudo: ldap_set_option: tls_checkpeer -> 0
>> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
>> sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
>> sudo: ldap_initialize(ld, ldap://vuwunicoipam001.ods.vuw.ac.nz ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz)
>> sudo: ldap_set_option: ldap_version -> 3
>> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5000)
>> sudo: ldap_start_tls_s() ok
>> sudo: ldap_sasl_bind_s() ok
>> sudo: no default options found in ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
>> sudo: ldap search
>> '(|(sudoUser=thing-sudo)(sudoUser=%thing-sudo)(sudoUser=%ipausers)(sudoUser=%collectriveaccess-student)(sudoUser=%login04-mysql)(sudoUser=%360-ftp)(sudoUser=%become-mysql-users)(sudoUser=ALL))'
>> sudo: found:cn=sudo-commands-catd-students,ou=sudoers,dc=ods,dc=vuw,dc=ac,dc=nz
>> sudo: ldap sudoHost 'vuwunicocatd001.ods.vuw.ac.nz' ... MATCH!
>> sudo: ldap sudoCommand '/sbin/service httpd reload' ... MATCH!
>> sudo: ldap sudoCommand '/etc/init.d/httpd reload' ... MATCH!
>> sudo: Command allowed
>> sudo: user_matches=1
>> sudo: host_matches=1
>> sudo: sudo_ldap_lookup(0)=0x02
>> [sudo] password for thing-sudo:
>> Sorry, try again.
>> [sudo] password for thing-sudo:
>>
>> Sorry, try again.
>> [sudo] password for thing-sudo:
>>
>> Sorry, try again.
>> sudo: 3 incorrect password attempts
>> [thing-sudo@vuwunicocatd001 ~]$
>> [thing-sudo@vuwunicocatd001 ~]$
>>
>> ============
>>
>> The secure log says system error, unable to read password,
>>
>> ===============
>> Aug 15 08:49:09 vuwunicocatd001 sudo: pam_unix(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
>> Aug 15 08:49:10 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication success; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
>> Aug 15 08:49:10 vuwunicocatd001 sudo: pam_sss(sudo:account): Access denied for user thing-sudo: 6 (Permission denied)
>> Aug 15 08:49:43 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: [Cannot read password]
>> Aug 15 08:49:43 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
>> Aug 15 08:49:43 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user thing-sudo: 4 (System error)
>> Aug 15 08:49:45 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: [Cannot read password]
>> Aug 15 08:49:45 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
>> Aug 15 08:49:45 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user thing-sudo: 4 (System error)
>> Aug 15 08:49:47 vuwunicocatd001 sudo: thing-sudo : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/thing-sudo ; USER=root ; COMMAND=/sbin/service httpd reload
>> Aug 15 08:55:35 vuwunicocatd001 sudo: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
>> Aug 15 08:55:35 vuwunicocatd001 sudo: PAM adding faulty module: /lib64/security/pam_fprintd.so
>> Aug 15 08:55:44 vuwunicocatd001 sudo: pam_unix(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
>> Aug 15 08:55:44 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication success; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
>> Aug 15 08:55:44 vuwunicocatd001 sudo: pam_sss(sudo:account): Access denied for user thing-sudo: 6 (Permission denied)
>> Aug 15 08:55:46 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: [Cannot read password]
>> Aug 15 08:55:46 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
>> Aug 15 08:55:46 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user thing-sudo: 4 (System error)
>> Aug 15 08:55:52 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: [Cannot read password]
>> Aug 15 08:55:52 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
>> Aug 15 08:55:52 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user thing-sudo: 4 (System error)
>> Aug 15 08:55:54 vuwunicocatd001 sudo: thing-sudo : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/thing-sudo ; USER=root ; COMMAND=/sbin/service httpd reload
>> Aug 15 08:55:57 vuwunicocatd001 sudo: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
>> Aug 15 08:55:57 vuwunicocatd001 sudo: PAM adding faulty module: /lib64/security/pam_fprintd.so
>> Aug 15 08:56:04 vuwunicocatd001 sudo: pam_unix(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
>> Aug 15 08:56:05 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication success; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
>> Aug 15 08:56:05 vuwunicocatd001 sudo: pam_sss(sudo:account): Access denied for user thing-sudo: 6 (Permission denied)
>> Aug 15 08:56:06 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: [Cannot read password]
>> Aug 15 08:56:06 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
>> Aug 15 08:56:06 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user thing-sudo: 4 (System error)
>> Aug 15 08:56:08 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: [Cannot read password]
>> Aug 15 08:56:08 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
>> Aug 15 08:56:08 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user thing-sudo: 4 (System error)
>> Aug 15 08:56:09 vuwunicocatd001 sudo: thing-sudo : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/thing-sudo ; USER=root ; COMMAND=/sbin/service httpd reload
>> [root@vuwunicocatd001 jonesst1]#
>> ================
>>
>> Looks like Bug 814414
>>
>> :(
>>
>> "Rob told me elsewhere that when he re-enabled the allow_all rule it started
>> behaving properly, which seems highly suspect."
>>
>> So let's do that, and yes,
>>
>> =========
>> [thing-sudo@vuwunicocatd001 ~]$
>> [thing-sudo@vuwunicocatd001 ~]$ sudo /sbin/service httpd reload
>> LDAP Config Summary
>> ===================
>> uri ldap://vuwunicoipam001.ods.vuw.ac.nz ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz
>> ldap_version 3
>> sudoers_base ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
>> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=ods,dc=vuw,dc=ac,dc=nz
>> bindpw xxxxxxxxxxx
>> bind_timelimit 5000000
>> ssl start_tls
>> tls_checkpeer (no)
>> tls_cacertfile /etc/ipa/ca.crt
>> ===================
>> sudo: ldap_set_option: debug -> 0
>> sudo: ldap_set_option: tls_checkpeer -> 0
>> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
>> sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
>> sudo: ldap_initialize(ld, ldap://vuwunicoipam001.ods.vuw.ac.nz ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz)
>> sudo: ldap_set_option: ldap_version -> 3
>> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5000)
>> sudo: ldap_start_tls_s() ok
>> sudo: ldap_sasl_bind_s() ok
>> sudo: no default options found in ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
>> sudo: ldap search
>> '(|(sudoUser=thing-sudo)(sudoUser=%thing-sudo)(sudoUser=%ipausers)(sudoUser=%collectriveaccess-student)(sudoUser=%login04-mysql)(sudoUser=%360-ftp)(sudoUser=%become-mysql-users)(sudoUser=ALL))'
>> sudo: found:cn=sudo-commands-catd-students,ou=sudoers,dc=ods,dc=vuw,dc=ac,dc=nz
>> sudo: ldap sudoHost 'vuwunicocatd001.ods.vuw.ac.nz' ... MATCH!
>> sudo: ldap sudoCommand '/sbin/service httpd reload' ... MATCH!
>> sudo: ldap sudoCommand '/etc/init.d/httpd reload' ... MATCH!
>> sudo: Command allowed
>> sudo: user_matches=1
>> sudo: host_matches=1
>> sudo: sudo_ldap_lookup(0)=0x02
>> [sudo] password for thing-sudo:
>> Reloading httpd:
>> [thing-sudo@vuwunicocatd001 ~]$
>> ===================
>>
>> and as we can see that indeed "fixes it".
>>
>> D:
>>
>> If you let me know exactly which logs you want to see I will send them to
>> you.
>>
>> I have "sudoers_debug 3" at present, anything else needs to be set higher
>> to help?
>>
>> What I can see is I made an oops in specifying the wrong host group, but that
>> contains the host anyway....but also I've then bypassed hostgroups and set a
>> specific host....this still fails as above.
>>
>> I am also getting other intermittent failures when I do a sudo su - but it's
>> not consistent.
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
> --
> The government is going to read our mail anyway, might as well make it
> tough for them. GPG Public key ID: B6A1A7C6
>

--
The government is going to read our mail anyway, might as well make it
tough for them. GPG Public key ID: B6A1A7C6
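The thread's diagnostic value lies in two observations: the local-identity checks KodaK lists (FQDN first in /etc/hosts, `hostname` returning the FQDN, `domainname` returning the domain) and the secure-log pattern Steven posted, where `pam_sss(sudo:auth)` succeeds and `pam_sss(sudo:account)` then denies access, which places the denial in the SSSD account phase (HBAC) rather than in the LDAP sudoers lookup that sudo's own debug output already shows matching. The following is an added example, not code from the thread or from FreeIPA; the function names are this example's own, and the sample /etc/hosts content and log lines are constructed from what the thread shows so that it runs offline.

```python
"""Triage helpers for the sudo/HBAC failure pattern discussed in the thread.

1. local_identity_problems(): the three hostname checks from the thread, run
   over captured command output rather than the live host.
2. classify_sudo_failure(): tells an SSSD account-phase (HBAC) denial apart
   from a plain authentication failure by reading /var/log/secure lines.
All names and sample data here are this example's own (constructed), not
FreeIPA's or SSSD's.
"""
import re

# Matches e.g. "sudo: pam_sss(sudo:account): Access denied for user ..."
PAM_RE = re.compile(
    r"sudo: pam_(?P<module>\w+)\((?P<service>\w+):(?P<phase>\w+)\): (?P<msg>.*)"
)

# Constructed from the /etc/hosts Steven posted in the thread.
SAMPLE_HOSTS = """\
# not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
10.70.1.14 vuwunicocatd001.ods.vuw.ac.nz vuwunicocatd001.vuw.ac.nz visualresourcest.vuw.ac.nz vuwunicocatd001
"""

# Constructed from the secure-log excerpt in the thread (one entry per line).
SAMPLE_SECURE_LOG = [
    "Aug 15 08:49:09 vuwunicocatd001 sudo: pam_unix(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo",
    "Aug 15 08:49:10 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication success; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo",
    "Aug 15 08:49:10 vuwunicocatd001 sudo: pam_sss(sudo:account): Access denied for user thing-sudo: 6 (Permission denied)",
    "Aug 15 08:49:43 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: [Cannot read password]",
    "Aug 15 08:49:43 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user thing-sudo: 4 (System error)",
]


def hosts_fqdn_first(hosts_text, fqdn):
    """True if a non-loopback /etc/hosts line lists fqdn as its first name."""
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        if fields[0].startswith("127.") or fields[0] == "::1":
            continue  # loopback entries do not establish the host's identity
        if len(fields) > 1 and fields[1] == fqdn:
            return True
    return False


def local_identity_problems(hostname_out, domainname_out, hosts_text):
    """Apply the thread's three checks; return a list of problems (empty = all good)."""
    problems = []
    fqdn = hostname_out.strip()
    if "." not in fqdn:
        problems.append("hostname is not an FQDN")
    domain = domainname_out.strip()
    if domain in ("", "(none)"):
        problems.append("domainname is unset")
    elif "." in fqdn and not fqdn.endswith("." + domain):
        problems.append("hostname does not end with domainname")
    if not hosts_fqdn_first(hosts_text, fqdn):
        problems.append("/etc/hosts does not list the FQDN first for the host address")
    return problems


def classify_sudo_failure(log_lines):
    """Count the PAM phases seen for sudo and say which layer denied.

    Returns (counts, verdict). An 'Access denied' in the account phase after a
    successful auth phase means the denial came from SSSD's account check
    (HBAC), not from the sudoers lookup.
    """
    seen = {"auth_success": 0, "account_denied": 0, "cannot_read_password": 0}
    for line in log_lines:
        m = PAM_RE.search(line)
        if not m or m.group("service") != "sudo":
            continue
        phase, msg = m.group("phase"), m.group("msg")
        if phase == "auth" and msg.startswith("authentication success"):
            seen["auth_success"] += 1
        elif phase == "account" and msg.startswith("Access denied"):
            seen["account_denied"] += 1
        elif "Cannot read password" in msg:
            seen["cannot_read_password"] += 1
    if seen["account_denied"]:
        verdict = "pam account phase denied (SSSD/HBAC), not sudoers"
    elif seen["auth_success"]:
        verdict = "authentication ok, no account denial seen"
    else:
        verdict = "no successful authentication seen"
    return seen, verdict


if __name__ == "__main__":
    print(local_identity_problems("vuwunicocatd001.ods.vuw.ac.nz", "ods.vuw.ac.nz", SAMPLE_HOSTS))
    print(classify_sudo_failure(SAMPLE_SECURE_LOG))
```

On Steven's captured data the identity checks come back clean and the log classifier reports an account-phase denial, which is consistent with the thread's finding that the HBAC rule, not sudoers, is what blocks the command; `ipa hbactest` with the rule on and off is the server-side confirmation of the same thing.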
