FYI: got it working. Credit to JR for pointing out that I need to assign a password to the sudo account on LDAP and use it for binding.
Thanks a lot

William

On 8 November 2012 12:11, William Muriithi <[email protected]> wrote:
> Steven,
>
> Thanks for the pointers. I remember finding a post on this, but I am having
> a problem finding it now
>>
>> I assume rhel6.3 by the el6 in the rpm....
>>
>> 1) Make sure the host and IPA server are fully patched/updated.
> I am current already
>
>> 2) Edit nsswitch.conf to have "sudoers: files ldap" as the last line, may or
>> may not be there.
>
> Done
>
>> 3) add lines to /etc/sudo-ldap.conf, takes a recent upgrade/patch of 6.3 for
>> that file to "appear". I'm not at work so I don't have a pastable set
> Yes, the file was there already. Wonder if you can paste it now.
> Mine was like this
>
> uri ldap://ipa1-yyz-int.example.loc
>
> sudoers_base ou=SUDOers,dc=example,dc=loc
>
> ssl start_tls
> tls_checkpeer (yes)
> tls_cacertfile /etc/ipa/ca.crt
>
>
>> 4) Add "nisdomainname example.com" to /etc/rc.d/rc.local.
> Done
>> 5) Add or enable the sudo "connection" user in IPA with a password.
> ? Lost me here, mind explaining a bit please if you have a chance?
>> 6) reboot the host
>>
>> If it doesn't work set the debug level in sudo-ldap.conf to 2 and re-try to
>> see the output..restart sssd.
>>
> sh-4.1$ sudo less /var/log/secure
> LDAP Config Summary
> ===================
> uri ldap://ipa1-yyz-int.example.loc
> ldap_version 3
> sudoers_base ou=SUDOers,dc=example,dc=loc
> binddn (anonymous)
> bindpw (anonymous)
> ssl start_tls
> tls_checkpeer (no)
> tls_cacertfile /etc/ipa/ca.crt
> ===================
> sudo: ldap_set_option: debug -> 0
> sudo: ldap_set_option: tls_checkpeer -> 0
> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
> sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
> sudo: ldap_initialize(ld, ldap://ipa1-yyz-int.example.loc)
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_start_tls_s() ok
> sudo: ldap_sasl_bind_s() ok
> sudo: no default options found in ou=SUDOers,dc=example,dc=loc
> sudo: ldap search
> '(|(sudoUser=williamm)(sudoUser=%williamm)(sudoUser=%operations)(sudoUser=ALL))'
> sudo: ldap search 'sudoUser=+*'
> sudo: user_matches=0
> sudo: host_matches=0
> sudo: sudo_ldap_lookup(0)=0x60
> [sudo] password for williamm:
> williamm is not in the sudoers file. This incident will be reported.
>
>
> Thank you again for your help
>
> Regards,
>
> William
>> regards
>> Steven Jones
>> Technical Specialist - Linux RHCE
>> Victoria University, Wellington, NZ
>> 0064 4 463 6272
>>
>>
>>
>> ________________________________________
>> From: [email protected] [[email protected]] on
>> behalf of William Muriithi [[email protected]]
>> Sent: Thursday, 8 November 2012 10:28 a.m.
>> To: [email protected]
>> Subject: [Freeipa-users] Managing Sudo through FreeIPA
>>
>> Hello
>>
>> I have been trying to set up user access through a sudo file managed by
>> FreeIPA and it doesn't seem to be working.
>> I am not sure how to go
>> about fixing it, but I guess the best place to start is to ask what I
>> should expect the IPA installation script to set up and what
>> should be done manually
>>
>> [root@demo2 wmuriithi]# rpm -qa | grep sssd
>> sssd-client-1.8.0-32.el6.x86_64
>> sssd-1.8.0-32.el6.x86_64
>> [root@demo2 wmuriithi]#
>>
>>
>>
>> [root@demo2 wmuriithi]# rpm -qa | grep sudo
>> sudo-1.7.4p5-13.el6_3.x86_64
>>
>> The only errors related to sudo that I can find are in the apache error logs
>>
>> [Wed Nov 07 13:16:18 2012] [error] ipa: INFO: [email protected]:
>> sudorule_add_user(u'read_only_viewiers', all=False, raw=False,
>> version=u'2.34', group=(u'operations',)): SUCCESS
>> [Wed Nov 07 13:54:44 2012] [error] ipa: ERROR: release_ipa_ccache:
>> ccache_name (FILE:/var/run/ipa_memcached/krbcc_3988) != KRB5CCNAME
>> environment variable (FILE:/tmp/krb5cc_apache_NB7pph)
>> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: [email protected]:
>> sudorule_find(None, sizelimit=0, pkey_only=True): SUCCESS
>> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: [email protected]:
>> batch: sudorule_show(u'Full_Access', all=True): SUCCESS
>> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: [email protected]:
>> batch: sudorule_show(u'read_only_viewiers', all=True): SUCCESS
>> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: [email protected]:
>> batch: sudorule_show(u'developers', all=True): SUCCESS
>> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: [email protected]:
>> batch: sudorule_show(u'operation', all=True): SUCCESS
>> [Wed Nov 07 13:54:44 2012] [error] ipa: INFO: [email protected]:
>> batch(({u'params': [[u'Full_Access'], {u'all': True}], u'method':
>> u'sudorule_show'}, {u'params': [[u'read_only_viewiers'], {u'all':
>> True}], u'method': u'sudorule_show'}, {u'params': [[u'developers'],
>> {u'all': True}], u'method': u'sudorule_show'}, {u'params':
>> [[u'operation'], {u'all': True}], u'method': u'sudorule_show'})):
>> SUCCESS
>> [Wed Nov 07 13:54:50 2012] [error] ipa: INFO: [email protected]:
>> sudorule_show(u'read_only_viewiers', rights=True, all=True): SUCCESS
>>
>>
>> I created the user as below and associated it with a group, which I
>> then allowed to use less for reading a file. As you can see below, it
>> does not seem to work.
>>
>> Nov 7 16:05:42 demo2 sudo: pam_sss(sudo:auth): authentication
>> success; logname=williamm uid=0 euid=0 tty=/dev/pts/2 ruser=williamm
>> rhost= user=williamm
>> Nov 7 16:05:43 demo2 sudo: williamm : user NOT in sudoers ; TTY=pts/2
>> ; PWD=/home/wmuriithi ; USER=root ; COMMAND=/usr/bin/less
>> /var/log/secure
>>
>>
>> - My question is, does the client install script take care of sudo
>> configuration or is that done manually? I don't see any sudo related
>> flag on the client installation script.
>>
>> - I have tried configuring sssd for sudo use and it didn't go well.
>> Last time I messed around with LDAP managed sudo, I had to install an
>> LDAP capable sudo package. The ipa-client install did not install
>> this package. Does IPA sudo management work differently?
>>
>> - Where would I check for logs? I checked sssd logs and they are empty.
>>
>> - I am missing the basedn configuration in the sssd configuration. From
>> this bug, it should have been set up by the installer; oddly though it was
>> not set up and the bug is closed. I attempted to fix it by adding the
>> line below but it makes sudo completely unusable. It could not find
>> any valid users apparently
>>
>> https://fedorahosted.org/freeipa/ticket/932
>>
>> ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=loc
>>
>> Nov 7 16:05:42 demo2 sudo: pam_sss(sudo:auth): authentication
>> success; logname=williamm uid=0 euid=0 tty=/dev/pts/2 ruser=williamm
>> rhost= user=williamm
>> Nov 7 16:05:43 demo2 sudo: williamm : user NOT in sudoers ; TTY=pts/2
>> ; PWD=/home/wmuriithi ; USER=root ; COMMAND=/usr/bin/less
>> /var/log/secure
>>
>>
>> Any pointers on where we are going wrong?
>>
>> Thank you a lot in advance.
>>
>> William
>>
>> ----------------------------
>> [root@ipa1-yyz-int wmuriithi]# ipa sudocmd-add --desc='For reading log
>> files' '/usr/bin/less'
>> ----------------------------------
>> Added Sudo Command "/usr/bin/less"
>> ----------------------------------
>> Sudo Command: /usr/bin/less
>> Description: For reading log files
>> [root@ipa1-yyz-int wmuriithi]# ipa sudocmdgroup-add --desc='Read Only
>> Commands' readonly
>> -----------------------------------
>> Added Sudo Command Group "readonly"
>> -----------------------------------
>> Sudo Command Group: readonly
>> Description: Read Only Commands
>> [root@ipa1-yyz-int wmuriithi]# ipa sudocmdgroup-add-member
>> --sudocmds='/usr/bin/less' readonly
>> Sudo Command Group: readonly
>> Description: Read Only Commands
>> Member Sudo commands: /usr/bin/less
>> -------------------------
>> Number of members added 1
>> -------------------------
>> [root@ipa1-yyz-int wmuriithi]# ipa sudorule-add testing_viewiers
>> -----------------------------------
>> Added Sudo Rule "testing_viewiers"
>> -----------------------------------
>> Rule name: testing_viewiers
>> Enabled: TRUE
>> [root@ipa1-yyz-int wmuriithi]# ipa sudorule-add-allow-command
>> --sudocmdgroups=readonly testing_viewiers
>> Rule name: testing_viewiers
>> Enabled: TRUE
>> Sudo Allow Command Groups: readonly
>> -------------------------
>> Number of members added 1
>> -------------------------
>> [root@ipa1-yyz-int wmuriithi]# ipa hostgroup-add demo
>> Description: Demonstration systems
>> >>> Description: Leading and trailing spaces are not allowed
>> Description: Demonstration system
>> ----------------------
>> Added hostgroup "demo"
>> ----------------------
>> Host-group: demo
>> Description: Demonstration system
>> [root@ipa1-yyz-int wmuriithi]# ipa hostgroup-add-member
>> --hosts=demo2.yyz.int.testing.com demo
>> Host-group: demo
>> Description: Demonstration system
>> Member hosts: demo2.yyz.int.testing.com
>> -------------------------
>> Number of members added 1
>> -------------------------
>> [root@ipa1-yyz-int wmuriithi]# ipa sudorule-add-host --hostgroups=demo
>> testing_viewiers
>> Rule name: testing_viewiers
>> Enabled: TRUE
>> Host Groups: demo
>> Sudo Allow Command Groups: readonly
>> -------------------------
>> Number of members added 1
>> -------------------------
>> [root@ipa1-yyz-int wmuriithi]# ipa sudorule-add-user
>> --groups=operations testing_viewiers
>> Rule name: testing_viewiers
>> Enabled: TRUE
>> User Groups: operations
>> Host Groups: demo
>> Sudo Allow Command Groups: readonly
>> -------------------------
>> Number of members added 1
>> -------------------------
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> End of Freeipa-users Digest, Vol 52, Issue 18
>> *********************************************
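The debug output in the thread shows the two client-side mistakes that made every lookup return "user NOT in sudoers": sudo bound anonymously (binddn (anonymous)), so the IPA ou=SUDOers tree returned no rules, and tls_checkpeer was written as "(yes)" in the file, which the Config Summary then reports as "(no)". Steven's step 5 and William's follow-up fix are the same thing: give the sudo connection account in IPA a password and bind with it. The POSIX shell script below is an added example, not code from the thread or from FreeIPA; it checks a client's /etc/sudo-ldap.conf for those problems (plus cleartext ldap:// without STARTTLS and a world-readable file holding bindpw) and renders a corrected file. The bind DN uid=sudo,cn=sysaccounts,cn=etc,... follows the convention used in FreeIPA's documentation and is an assumption here; the password is a placeholder, and creating that account on the IPA server is a separate step not shown.

```shell
#!/bin/sh
# Added example: check and render /etc/sudo-ldap.conf for a FreeIPA client.
# Not from the mailing-list thread and not FreeIPA code.  The sysaccount DN
# is an assumption (FreeIPA documentation convention); the password is fake.
#
# Usage:  . ./sudo_ldap_check.sh; check_sudo_ldap_conf /etc/sudo-ldap.conf

# conf_get FILE KEY -> value of the first "KEY value" directive (case-insensitive)
conf_get() {
    awk -v k="$2" 'tolower($1) == tolower(k) { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# check_sudo_ldap_conf FILE -> prints one finding per line, returns 0 if clean
check_sudo_ldap_conf() {
    f="$1"; rc=0
    uri=$(conf_get "$f" uri)
    ssl=$(conf_get "$f" ssl)
    binddn=$(conf_get "$f" binddn)
    bindpw=$(conf_get "$f" bindpw)
    checkpeer=$(conf_get "$f" tls_checkpeer)
    cacert=$(conf_get "$f" tls_cacertfile)

    # 1. No binddn/bindpw: sudo reports "binddn (anonymous)" and the IPA
    #    SUDOers tree yields no rules, so every user is "not in sudoers".
    if [ -z "$binddn" ] || [ -z "$bindpw" ]; then
        echo "anonymous-bind: set binddn to the IPA sudo system account and bindpw to its password"
        rc=1
    fi

    # 2. ldap:// without STARTTLS would send that bind password in clear.
    case "$uri" in
        ldap://*)
            case "$ssl" in
                start_tls|yes|true|on) ;;
                *) echo "cleartext: uri is ldap:// but ssl is not start_tls"; rc=1 ;;
            esac ;;
    esac

    # 3. tls_checkpeer needs a bare boolean.  A value like "(yes)" (copied
    #    from sudo's own Config Summary format) is not recognised as true,
    #    and the summary then prints "tls_checkpeer (no)".
    case "$checkpeer" in
        yes|true|on|1)
            [ -n "$cacert" ] || { echo "tls_cacertfile: unset, nothing to verify the server certificate against"; rc=1; } ;;
        *) echo "tls_checkpeer: value '${checkpeer:-unset}' is not yes, server certificate is not verified"; rc=1 ;;
    esac

    # 4. A file that carries bindpw must not be readable by "other".
    if [ -n "$bindpw" ]; then
        case "$(ls -ld "$f" | cut -c8-10)" in
            ---) ;;
            *) echo "permissions: $f contains bindpw but is world-readable (chmod 0640, owner root)"; rc=1 ;;
        esac
    fi
    return $rc
}

# render_sudo_ldap_conf IPA_HOST BASE_DN BINDPW -> corrected config on stdout
# (write it to /etc/sudo-ldap.conf with a restrictive mode, then re-check)
render_sudo_ldap_conf() {
    printf '%s\n' \
        "uri ldap://$1" \
        "sudoers_base ou=SUDOers,$2" \
        "binddn uid=sudo,cn=sysaccounts,cn=etc,$2" \
        "bindpw $3" \
        "ssl start_tls" \
        "tls_checkpeer yes" \
        "tls_cacertfile /etc/ipa/ca.crt"
}
```

Run the checker against the file William pasted (uri, sudoers_base, ssl start_tls, tls_checkpeer (yes), tls_cacertfile) and it reports exactly the anonymous bind and the unparsed tls_checkpeer; the rendered file passes once its mode keeps "other" out, and fails again the moment it is chmod 644, because bindpw is a credential that lets anyone on the host read the sudo rule tree as that account.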
