On 10/17/2012 10:33 AM, Macklin, Jason wrote:
ldapsearch -Y GSSAPI -H ldap://dbduvdu145.dbr.roche.com
"ou=SUDOers,dc=dbr,dc=roche,dc=com"
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base<> (default) with scope subtree
# filter: ou=SUDOers,dc=dbr,dc=roche,dc=com
# requesting: ALL
#
# search result
search: 4
result: 32 No such object
# numResponses: 1
Different response, but still no success with the non-working account.
Sorry - the ldapsearch command is wrong. Try this:
ldapsearch -Y GSSAPI -H ldap://dbduvdu145.dbr.roche.com -b
"ou=SUDOers,dc=dbr,dc=roche,dc=com"
Cheers,
Jason
-----Original Message-----
From: Dmitri Pal [mailto:[email protected]]
Sent: Wednesday, October 17, 2012 11:56 AM
To: Macklin, Jason {DASB~Branford}
Cc: [email protected]; [email protected]
Subject: Re: [Freeipa-users] Sudo works for full access, but not on a per
command or host level.
On 10/17/2012 09:26 AM, Macklin, Jason wrote:
Okay,
Rule name: test4
Enabled: TRUE
Command category: all
Users: asteinfeld
Hosts: dbduwdu062.dbr.roche.com
Host Groups: tempsudo
Client dbduwdu062 is matched in the rule by both the hosts and groups entry.
/etc/nsswitch.conf has:
Netgroups: files sss
Getent netgroup tempsudo returns:
[jmacklin@dbduwdu062 Desktop]$ getent netgroup tempsudo
tempsudo (dbduwdu063.dbr.roche.com, -, dbr.roche.com)
(dbduwdu062.dbr.roche.com, -, dbr.roche.com)
To the previous ldapsearch request:
[jmacklin@dbduwdu062 Desktop]$ ldapsearch -Y GSSAPI -H
ldap://dbduvdu145.dbr.roche.com "ou=SUDOers,dc=dbr,dc=roche,dc=com"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
additional info: Entry permanently locked.
It seems that you tried the wrong password and the account is now temporarily
locked thus the server is unwilling to perform authentication for this account.
I am still scratching my head on this one...
Cheers,
Jason
If you look closely, the reason that your admin works is because it appears to be
matching a sudo rule who has the "ALL" hosts value set.
When you run the non working user, it is attempting to match the
hostname/hostgroup to the rule and fails to do so.
Try this. Type: getent netgroup hostgroupname<- your host's hostgroup goes
there.
^ that command should return all of the hosts in your hostgroup. If it does
not, then check /etc/nsswitch.conf and make sure that netgroup is set to use
sss.
You will also need to make sure that the output of: domainname or nisdomainname
matches your expected domain.
Let me know how things look after trying that.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
