On 10/16/2012 11:09 AM, Macklin, Jason wrote:
> Dmitri,
>
> I will give you everything I've got. If I can provide something else, let me know!
>
> Working User:
>
> Sudo debug output:
>
> [jmacklin@dbduwdu062 log]$ sudo -l
> sudo: ldap_set_option: debug -> 0
> sudo: ldap_set_option: tls_checkpeer -> 1
> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
> sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_set_option: timelimit -> 15
> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
> sudo: ldap_start_tls_s() ok
> sudo: ldap_sasl_bind_s() ok
> sudo: no default options found in ou=SUDOers,dc=dbr,dc=roche,dc=com
> sudo: user_matches=1
> sudo: host_matches=1
> sudo: sudo_ldap_lookup(52)=0x82
> [sudo] password for jmacklin:
> Matching Defaults entries for jmacklin on this host:
>     requiretty, !visiblepw, always_set_home, env_reset,
>     env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
>     env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
>     env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
>     env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
>     env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>
> sudo: ldap search '(|(sudoUser=jmacklin)(sudoUser=%jmacklin)(sudoUser=%dbr)(sudoUser=%admins)(sudoUser=ALL))'
> sudo: ldap search 'sudoUser=+*'
> User jmacklin may run the following commands on this host:
>     (root) ALL
>
> /var/log/secure output:
>
> Oct 16 11:00:03 dbduwdu062 sudo: pam_unix(sudo:auth): authentication failure; logname=jmacklin uid=0 euid=0 tty=/dev/pts/1 ruser=jmacklin rhost= user=jmacklin
> Oct 16 11:00:04 dbduwdu062 sudo: pam_sss(sudo:auth): authentication success; logname=jmacklin uid=0 euid=0 tty=/dev/pts/1 ruser=jmacklin rhost= user=jmacklin
> Oct 16 11:00:04 dbduwdu062 sudo: jmacklin : TTY=pts/1 ; PWD=/var/log ; USER=root ; COMMAND=list
>
> Non-working user:
>
> Sudo debug output:
>
> [asteinfeld@dbduwdu062 ~]$ sudo -l
> sudo: ldap_set_option: debug -> 0
> sudo: ldap_set_option: tls_checkpeer -> 1
> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
> sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_set_option: timelimit -> 15
> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
> sudo: ldap_start_tls_s() ok
> sudo: ldap_sasl_bind_s() ok
> sudo: no default options found in ou=SUDOers,dc=dbr,dc=domain,dc=com
> sudo: user_matches=1
> sudo: host_matches=0
> sudo: sudo_ldap_lookup(52)=0x84
> [sudo] password for asteinfeld:
> Sorry, user asteinfeld may not run sudo on dbduwdu062
>
> /var/log/secure output:
>
> Oct 16 11:05:34 dbduwdu062 sudo: pam_unix(sudo:auth): authentication failure; logname=asteinfeld uid=0 euid=0 tty=/dev/pts/3 ruser=asteinfeld rhost= user=asteinfeld
> Oct 16 11:05:35 dbduwdu062 sudo: pam_sss(sudo:auth): authentication success; logname=asteinfeld uid=0 euid=0 tty=/dev/pts/3 ruser=asteinfeld rhost= user=asteinfeld
> Oct 16 11:05:35 dbduwdu062 sudo: asteinfeld : command not allowed ; TTY=pts/3 ; PWD=/home2/asteinfeld ; USER=root ; COMMAND=list
>
> Cheers.
>
> Jason

Please set sudoers_debug 2
http://www.doxer.org/learn-linux/modify-sudoers_debug-in-ldap-conf-to-debug-sudo-on-linux-and-solaris/

> From: [email protected] [mailto:[email protected]] On Behalf Of Dmitri Pal
> Sent: Tuesday, October 16, 2012 10:33 AM
> To: [email protected]
> Subject: Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.
>
> On 10/16/2012 10:05 AM, Macklin, Jason wrote:
> > When I become the user in question I see the following in the sssd log.
> >
> > [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [test]
> >
> > I think this is a sudo problem before anything else. For a user in which sudo works, host_matches = 1 always returns when debugging is on. For a user that does not work, host_matches always equals 0 (zero).
>
> Is there any way to see a more detailed debug log from sudo then? It should show what it is looking for and what it is getting back from the server.
>
> > I am open to troubleshooting the ldap configuration as I am not convinced that it is referencing the host properly. I enroll the clients using FQDN, but noticed that initially, domainname and nisdomainname would return (none). Fixing these to show the correct domain did not change the behavior of the nodes though.
> >
> > Thanks again!
> >
> > Jason
> >
> > From: [email protected] [mailto:[email protected]] On Behalf Of Dmitri Pal
> > Sent: Monday, October 15, 2012 5:58 PM
> > To: [email protected]
> > Subject: Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.
> >
> > On 10/15/2012 04:46 PM, Dmitri Pal wrote:
> > > On 10/15/2012 04:34 PM, Macklin, Jason wrote:
> > > > Hi,
> > > >
> > > > I apologize up front if this is obvious, but I'm having issues configuring sudo privileges.
> > > >
> > > > I currently have an IPA server running FreeIPA 2.2 with sudo configured for our administrators on all hosts. This works fantastic! As soon as I attempt to configure a more specific sudo rule it does not work. In my troubleshooting, I have noticed that from the same host my admin level privileges work, but with another user account set up to just run one command, it fails. I have turned on sudo debugging and the only thing I can find that looks out of sorts is the following:
> > > >
> > > > sudo: host_matches=0
> > > >
> > > > As soon as I move the user account that is failing into the admin group it starts to work.
> > > >
> > > > I have attempted every iteration of sudo configuration on the server that I can think of. I have set up HBAC and given that a shot as well. At this point I'm completely stumped and would appreciate any help that I can get!
> > >
> > > What does sudo test return?
> >
> > Yes, I meant HBAC. I might have confused you and myself, so let us start over.
> >
> > First we need to make sure that the authentication happens correctly, so if HBAC is set to allow you should see in the SSSD log that access is granted. That will limit the problem to just SUDO. If you have the allow_all HBAC rule and no other rules then we can probably skip this step and move on to trying to solve the actual SUDO part.
> >
> > So with SUDO one of the known issues is the long vs short hostname. Do you by any chance use a short host name for that host?
> > If names are FQDN the next step would be to use ldapsearch from the client and see what LDAP entries the server would return.
> >
> > > > Thank you in advance for your assistance,
> > > > Jason

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
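The thread turns on why the same client reports host_matches=1 for the admins' ALL rule and host_matches=0 for a per-host rule, and on Dmitri's point that sudo's LDAP host matching is sensitive to long vs short hostnames. The script below is an added example, not code from the thread, from FreeIPA or from sudo itself: it models that host check in a simplified form and parses the user_matches/host_matches lines out of `sudo -l` debug output. Its assumptions, which the thread does not state, are that sudo compares a dotted sudoHost value against the long hostname and a bare value against the short one, that the long name is whatever gethostname() returns on the client, that `!` negates, `+name` is a netgroup and ALL matches anything, and that netgroups can be stood in for by a dict. Hostnames and the debug sample are constructed.

```python
"""Simplified model of sudo's LDAP sudoHost matching (added example; not
sudo's own code and not from the mailing-list thread).

Assumptions, not stated in the thread:
  * a sudoHost value containing a dot is compared against the long
    hostname, one without a dot against the short hostname;
  * the long hostname is what gethostname() returns on the client,
    the short hostname is everything before the first dot;
  * a leading '!' negates, '+name' is a netgroup, ALL matches anything;
  * netgroups are looked up in a static dict instead of NIS/LDAP.
Sample debug text below is constructed in the shape of `sudo -l` output.
"""
import fnmatch
import re

DEBUG_RE = re.compile(r"^sudo:\s+(user_matches|host_matches)=(\d+)\s*$", re.M)


def parse_sudo_debug(text):
    """Extract the user_matches / host_matches flags from `sudo -l` debug output."""
    return {key: int(val) for key, val in DEBUG_RE.findall(text)}


def split_host(client_hostname):
    """Long and short forms of the client name, as sudo derives them."""
    lhost = client_hostname.lower()
    shost = lhost.split(".", 1)[0]
    return lhost, shost


def host_value_matches(value, client_hostname, netgroups):
    """Does one sudoHost value (with any leading '!' already removed) match?"""
    lhost, shost = split_host(client_hostname)
    if value == "ALL":
        return True
    if value.startswith("+"):
        members = netgroups.get(value[1:], set())
        return lhost in members or shost in members
    pattern = value.lower()
    # Dotted pattern -> compare with the long name; bare pattern -> short name.
    target = lhost if "." in pattern else shost
    return fnmatch.fnmatchcase(target, pattern)


def host_matches(sudo_hosts, client_hostname, netgroups=None):
    """Evaluate a sudoRole's sudoHost values in order (simplified, assumed):
    the first matching value decides, and a negated match denies."""
    netgroups = netgroups or {}
    for raw in sudo_hosts:
        negated = raw.startswith("!")
        value = raw[1:] if negated else raw
        if host_value_matches(value, client_hostname, netgroups):
            return not negated
    return False


def diagnose(debug_text, sudo_hosts, client_hostname, netgroups=None):
    """Combine what sudo printed with the rule's sudoHost values."""
    flags = parse_sudo_debug(debug_text)
    lhost, shost = split_host(client_hostname)
    if flags.get("user_matches") != 1:
        return "sudoUser did not match; check the user/group values on the rule"
    if flags.get("host_matches") == 1:
        return "rule applies on this host"
    predicted = host_matches(sudo_hosts, client_hostname, netgroups)
    return (f"host_matches=0: client lhost={lhost!r} shost={shost!r}, "
            f"rule sudoHost={sudo_hosts}, model predicts match={predicted}")


# Constructed sample in the shape of the `sudo -l` debug lines in the thread.
SAMPLE_DEBUG_OK = """sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=example,dc=com
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(52)=0x82
"""
SAMPLE_DEBUG_FAIL = SAMPLE_DEBUG_OK.replace("host_matches=1", "host_matches=0")

if __name__ == "__main__":
    print(parse_sudo_debug(SAMPLE_DEBUG_FAIL))
    # Client only knows its short name: an FQDN rule cannot match.
    print(host_matches(["host1.example.com"], "host1"))              # False
    # Client knows its FQDN: both the FQDN rule and a short-name rule match.
    print(host_matches(["host1.example.com"], "host1.example.com"))  # True
    print(host_matches(["host1"], "host1.example.com"))              # True
    print(diagnose(SAMPLE_DEBUG_FAIL, ["host1.example.com"], "host1"))
```

The ALL rule passes on every client regardless of naming, which is why moving the failing account into the admin group "fixes" it; the per-host rule only passes when the client's own idea of its hostname agrees with the sudoHost value. Checking `hostname` on the client against the sudoHost attribute returned by ldapsearch, as suggested above, is the direct way to confirm that.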
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
