Hi,

I assume RHEL 6.3 by the el6 in the rpm....

1) Make sure the host and IPA server are fully patched/updated.
2) Edit nsswitch.conf to have "sudoers: files ldap" as the last line; it may or may not be there.
3) Add lines to /etc/sudo-ldap.conf. It takes a recent upgrade/patch of 6.3 for that file to "appear". I'm not at work so I don't have a pastable set.
4) Add "nisdomainname example.com" to /etc/rc.d/rc.local.
5) Add or enable the sudo "connection" user in IPA with a password.
6) Reboot the host.

If it doesn't work, set the debug level in sudo-ldap.conf to 2 and re-try to see the output. Restart sssd.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: [email protected] [[email protected]] on behalf of William Muriithi [[email protected]]
Sent: Thursday, 8 November 2012 10:28 a.m.
To: [email protected]
Subject: [Freeipa-users] Managing Sudo through FreeIPA

Hello

I have been trying to set up user access through a sudo file managed by FreeIPA and it doesn't seem to be working.
I am not sure how to go about fixing it, but I guess the best place to start is to ask what I should expect the IPA installation script to set up and what should be done manually.

[root@demo2 wmuriithi]# rpm -qa | grep sssd
sssd-client-1.8.0-32.el6.x86_64
sssd-1.8.0-32.el6.x86_64
[root@demo2 wmuriithi]#
[root@demo2 wmuriithi]# rpm -qa | grep sudo
sudo-1.7.4p5-13.el6_3.x86_64

The only errors related to sudo that I can find are in the apache error logs:

[Wed Nov 07 13:16:18 2012] [error] ipa: INFO: [email protected]: sudorule_add_user(u'read_only_viewiers', all=False, raw=False, version=u'2.34', group=(u'operations',)): SUCCESS
[Wed Nov 07 13:54:44 2012] [error] ipa: ERROR: release_ipa_ccache: ccache_name (FILE:/var/run/ipa_memcached/krbcc_3988) != KRB5CCNAME environment variable (FILE:/tmp/krb5cc_apache_NB7pph)
[Wed Nov 07 13:54:44 2012] [error] ipa: INFO: [email protected]: sudorule_find(None, sizelimit=0, pkey_only=True): SUCCESS
[Wed Nov 07 13:54:44 2012] [error] ipa: INFO: [email protected]: batch: sudorule_show(u'Full_Access', all=True): SUCCESS
[Wed Nov 07 13:54:44 2012] [error] ipa: INFO: [email protected]: batch: sudorule_show(u'read_only_viewiers', all=True): SUCCESS
[Wed Nov 07 13:54:44 2012] [error] ipa: INFO: [email protected]: batch: sudorule_show(u'developers', all=True): SUCCESS
[Wed Nov 07 13:54:44 2012] [error] ipa: INFO: [email protected]: batch: sudorule_show(u'operation', all=True): SUCCESS
[Wed Nov 07 13:54:44 2012] [error] ipa: INFO: [email protected]: batch(({u'params': [[u'Full_Access'], {u'all': True}], u'method': u'sudorule_show'}, {u'params': [[u'read_only_viewiers'], {u'all': True}], u'method': u'sudorule_show'}, {u'params': [[u'developers'], {u'all': True}], u'method': u'sudorule_show'}, {u'params': [[u'operation'], {u'all': True}], u'method': u'sudorule_show'})): SUCCESS
[Wed Nov 07 13:54:50 2012] [error] ipa: INFO: [email protected]: sudorule_show(u'read_only_viewiers', rights=True, all=True): SUCCESS

I created the user as below and associated it with a group, which I then allowed to use less for reading a file. As you can see below, it does not seem to work.

Nov 7 16:05:42 demo2 sudo: pam_sss(sudo:auth): authentication success; logname=williamm uid=0 euid=0 tty=/dev/pts/2 ruser=williamm rhost= user=williamm
Nov 7 16:05:43 demo2 sudo: williamm : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/wmuriithi ; USER=root ; COMMAND=/usr/bin/less /var/log/secure

- My question is, does the client install script take care of sudo configuration or is that done manually? I don't see any sudo related flag on the client installation script.

- I have tried configuring sssd for sudo use and it didn't go well. Last time I messed around with LDAP managed sudo, I had to install an LDAP capable sudo package. The ipa-client install did not install this package. Does IPA sudo management work differently?

- Where would I check for logs? I checked sssd logs and they are empty.

- I am missing the basedn configuration in the sssd configuration. From this bug, it should have been set up by the installer; oddly though, it was not set up and the bug is closed. I attempted to fix it by adding the line below but it made sudo completely unusable. It could not find any valid users apparently.

https://fedorahosted.org/freeipa/ticket/932

ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=loc

Nov 7 16:05:42 demo2 sudo: pam_sss(sudo:auth): authentication success; logname=williamm uid=0 euid=0 tty=/dev/pts/2 ruser=williamm rhost= user=williamm
Nov 7 16:05:43 demo2 sudo: williamm : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/wmuriithi ; USER=root ; COMMAND=/usr/bin/less /var/log/secure

Any pointers on why we are going? Thank you a lot in advance.

William

----------------------------

[root@ipa1-yyz-int wmuriithi]# ipa sudocmd-add --desc='For reading log files' '/usr/bin/less'
----------------------------------
Added Sudo Command "/usr/bin/less"
----------------------------------
  Sudo Command: /usr/bin/less
  Description: For reading log files
[root@ipa1-yyz-int wmuriithi]# ipa sudocmdgroup-add --desc='Read Only Commands' readonly
-----------------------------------
Added Sudo Command Group "readonly"
-----------------------------------
  Sudo Command Group: readonly
  Description: Read Only Commands
[root@ipa1-yyz-int wmuriithi]# ipa sudocmdgroup-add-member --sudocmds='/usr/bin/less' readonly
  Sudo Command Group: readonly
  Description: Read Only Commands
  Member Sudo commands: /usr/bin/less
-------------------------
Number of members added 1
-------------------------
[root@ipa1-yyz-int wmuriithi]# ipa sudorule-add testing_viewiers
-----------------------------------
Added Sudo Rule "testing_viewiers"
-----------------------------------
  Rule name: testing_viewiers
  Enabled: TRUE
[root@ipa1-yyz-int wmuriithi]# ipa sudorule-add-allow-command --sudocmdgroups=readonly testing_viewiers
  Rule name: testing_viewiers
  Enabled: TRUE
  Sudo Allow Command Groups: readonly
-------------------------
Number of members added 1
-------------------------
[root@ipa1-yyz-int wmuriithi]# ipa hostgroup-add demo
Description: Demonstration systems
>>> Description: Leading and trailing spaces are not allowed
Description: Demonstration system
----------------------
Added hostgroup "demo"
----------------------
  Host-group: demo
  Description: Demonstration system
[root@ipa1-yyz-int wmuriithi]# ipa hostgroup-add-member --hosts=demo2.yyz.int.testing.com demo
  Host-group: demo
  Description: Demonstration system
  Member hosts: demo2.yyz.int.testing.com
-------------------------
Number of members added 1
-------------------------
[root@ipa1-yyz-int wmuriithi]# ipa sudorule-add-host --hostgroups=demo testing_viewiers
  Rule name: testing_viewiers
  Enabled: TRUE
  Host Groups: demo
  Sudo Allow Command Groups: readonly
-------------------------
Number of members added 1
-------------------------
[root@ipa1-yyz-int wmuriithi]# ipa sudorule-add-user --groups=operations testing_viewiers
  Rule name: testing_viewiers
  Enabled: TRUE
  User Groups: operations
  Host Groups: demo
  Sudo Allow Command Groups: readonly
-------------------------
Number of members added 1
-------------------------

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
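An added example in POSIX shell, not code from the thread or from FreeIPA: functions that audit the client-side settings from the reply at the top (the nsswitch sudoers line, the sudo-ldap.conf keys and debug level, and the nisdomainname line in rc.local), run against constructed sample files. The hostname, DNs and password are placeholders; the key names are the ones documented in sudoers.ldap(5).

```shell
#!/bin/sh
# Added example, not from the thread: offline checks for the client-side steps in the
# reply above. Paths are parameters, so the checks run on the constructed samples below.

# 0 when the "sudoers:" line of an nsswitch.conf lists ldap as a source.
nss_has_ldap_sudoers() {
    grep -E '^[[:space:]]*sudoers:' "$1" | grep -qw ldap
}

# 0 when a sudo-ldap.conf has every key sudo needs to bind and search
# (names from sudoers.ldap(5)); otherwise print the missing ones and return 1.
sudo_ldap_conf_check() {
    missing=""
    for key in uri sudoers_base binddn bindpw; do
        grep -Eq "^[[:space:]]*$key[[:space:]]" "$1" || missing="$missing $key"
    done
    [ -z "$missing" ] && return 0
    echo "missing:$missing"
    return 1
}

# Print the sudoers_debug level (0 when unset); a "2" left over from troubleshooting
# echoes bind and search details to every sudo user, so reset it afterwards.
sudo_ldap_debug_level() {
    lvl=$(sed -n 's/^[[:space:]]*sudoers_debug[[:space:]]*\([0-9]*\).*/\1/p' "$1" | tail -n 1)
    echo "${lvl:-0}"
}

# 0 when rc.local sets the NIS domain that netgroup-based host matching needs.
rc_local_sets_nisdomain() {
    grep -Eq '^[[:space:]]*nisdomainname[[:space:]]+[^[:space:]]' "$1"
}

# --- constructed sample files (placeholder hostname, DNs and password) ---
tmp=$(mktemp -d)
printf 'passwd: files sss\nsudoers: files ldap\n' > "$tmp/nsswitch.good"
printf 'passwd: files sss\nsudoers: files\n' > "$tmp/nsswitch.bad"
cat > "$tmp/sudo-ldap.good" <<'EOF'
uri           ldap://ipa1.example.com
sudoers_base  ou=SUDOers,dc=example,dc=com
binddn        uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw        PLACEHOLDER-PASSWORD
sudoers_debug 2
EOF
printf 'uri ldap://ipa1.example.com\nsudoers_base ou=SUDOers,dc=example,dc=com\n' > "$tmp/sudo-ldap.bad"
printf 'touch /var/lock/subsys/local\nnisdomainname example.com\n' > "$tmp/rc.local"
for f in good bad; do  # stand-alone run: report on both sample sets
    nss_has_ldap_sudoers "$tmp/nsswitch.$f" && echo "nsswitch.$f: ldap listed" || echo "nsswitch.$f: ldap missing"
    sudo_ldap_conf_check "$tmp/sudo-ldap.$f" && echo "sudo-ldap.$f: sudoers_debug $(sudo_ldap_debug_level "$tmp/sudo-ldap.$f")"
done
```

Point the functions at the real /etc/nsswitch.conf, /etc/sudo-ldap.conf and /etc/rc.d/rc.local to audit a client; the bindpw line means that file should stay readable by root only.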
