host1-> nisdomainname
my_domain.com
host1-> rpm -q sudo
sudo-1.7.2p1-6.el5_5
Thanks,
-Mark
________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
[email protected] | O / C +1 503 953-1389
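For reference, the client-side comparison that a '+hgroup1' sudoHost entry triggers, as an added Python model that is not code from this thread, from sudo or from glibc: it parses the getent netgroup line quoted above and applies innetgr(3)-style triple matching (assumed: an empty field is a wildcard, '-' never matches, host names compare case-insensitively), including the Linux detail that an unset NIS domain reads back as the literal '(none)', which is why the advice in the thread is to set nisdomainname. The second netgroup line is constructed for contrast and is not from the thread.

```python
import re

# Constructed input: the `getent netgroup hgroup1` line quoted in this thread,
# plus a second, made-up netgroup with empty (wildcard) domain fields for contrast.
GETENT_LINES = [
    "hgroup1 (host1.my_domain.com, -, my_domain.com)",
    "anyhosts (host2.my_domain.com,,) (host3.my_domain.com, -, )",
]

# One (host, user, domain) triple as printed by getent.
TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_getent(lines):
    """Turn `getent netgroup NAME` output into {name: [(host, user, domain), ...]}."""
    groups = {}
    for line in lines:
        name, _, body = line.partition(" ")
        groups[name] = [tuple(f.strip() for f in m) for m in TRIPLE_RE.findall(body)]
    return groups


def field_matches(want, have, fold_case=False):
    """innetgr(3)-style field test (assumed semantics): an empty triple field is a
    wildcard, the NIS convention '-' never matches, otherwise the values must be equal."""
    if have == "":
        return True
    if have == "-":
        return False
    return want.lower() == have.lower() if fold_case else want == have


def in_netgroup(groups, name, host, domain):
    """Host-only innetgr(): does netgroup `name` hold a triple matching (host, *, domain)?
    The user field is ignored, which is what sudo's host check asks for."""
    return any(field_matches(host, h, fold_case=True) and field_matches(domain, d)
               for h, _user, d in groups.get(name, []))


def sudo_host_matches(sudo_host, groups, hostname, nis_domain):
    """Model of one sudoHost evaluation: 'ALL' matches every host, '+name' is a
    netgroup lookup, anything else is a literal host name. On Linux an unset NIS
    domain reads back as the literal '(none)', which never equals the non-empty
    domain field of an IPA hostgroup netgroup, so '+hgroup1' then fails to match."""
    if sudo_host == "ALL":
        return True
    if sudo_host.startswith("+"):
        return in_netgroup(groups, sudo_host[1:], hostname, nis_domain or "(none)")
    return sudo_host.lower() == hostname.lower()


if __name__ == "__main__":
    groups = parse_getent(GETENT_LINES)
    for dom in ("my_domain.com", "", "other.com"):
        ok = sudo_host_matches("+hgroup1", groups, "host1.my_domain.com", dom)
        print(f"nisdomainname={dom or '(none)'}: sudoHost '+hgroup1' ... "
              + ("MATCH!" if ok else "not"))
```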
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Pavel Brezina
Sent: Thursday, July 18, 2013 2:03 AM
To: [email protected]
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
On 07/17/2013 06:39 PM, Tovey, Mark wrote:
>
> Okay, I get it (pardon my obtuseness).
>
> host1-> getent netgroup hgroup1
> hgroup1 (host1.my_domain.com, -, my_domain.com)
>
> So netgroups are working. The host group is defined in IPA and getent
> is able to access that information.
> Thanks,
> -Mark
Hi,
can you also paste the output of the following commands, please?
$ nisdomainname
$ rpm -q sudo
Thanks,
Pavel.
>
>
>
>
> -----Original Message-----
> From: Jakub Hrozek [mailto:[email protected]]
> Sent: Wednesday, July 17, 2013 8:58 AM
> To: Tovey, Mark
> Cc: [email protected]; [email protected]
> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>
> On Wed, Jul 17, 2013 at 03:01:58PM +0000, Tovey, Mark wrote:
>>
>> We have sssd-1.5.1-58.el5 and ipa-client-2.1.3-5.el5_9.2 installed.
>
> OK, these are recent enough to support netgroups and the compat tree should
> be configured automatically.
>
>> Those came out of the 'latest' repository. We do not have any netgroups
>> defined (there is no /etc/netgroup file), so getent does not return anything.
>
> Every hostgroup is automatically translated into a netgroup on the server
> side. You said you have some host groups present, so does "getent netgroup
> <name-of-hostgroup>" return any netgroup data?
>
>> Thanks,
>> -Mark
>>
>
>>
>>
>>
>> -----Original Message-----
>> From: Jakub Hrozek [mailto:[email protected]]
>> Sent: Wednesday, July 17, 2013 1:32 AM
>> To: Tovey, Mark
>> Cc: [email protected]; [email protected]
>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>
>> On Tue, Jul 16, 2013 at 09:13:00PM +0000, Tovey, Mark wrote:
>>>
>>>
>>> We are using sssd. The sssd.conf file is mostly unchanged from how it
>>> was installed by the ipa-client-install script:
>>
>> Hi Mark,
>>
>> you said your client is OEL *5.5* ? The SSSD first appeared in RHEL (and by
>> extension OEL) in 5.6. Are you running the version from EPEL? I'm not sure
>> if netgroups were even supported in that old version..
>>
>> What is the output of "rpm -q sssd" and "rpm -q ipa-client" ?
>>
>> Does getent netgroup <netgroup-name> work?
>>
>>>
>>> [sssd]
>>> config_file_version = 2
>>> services = nss, pam
>>>
>>> domains = my_domain.com
>>> [nss]
>>>
>>> [pam]
>>>
>>> [domain/my_domain.com]
>>> cache_credentials = True
>>> krb5_store_password_if_offline = True
>>> ipa_domain = my_domain.com
>>> id_provider = ipa
>>> auth_provider = ipa
>>> access_provider = ipa
>>> chpass_provider = ipa
>>> ipa_server = _srv_, ipa_server.my_domain.com
>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>> debug_level = 6
>>>
>>>
>>> And the nsswitch.conf file:
>>>
>>> passwd: files sss
>>> shadow: files sss
>>> group: files sss
>>>
>>> hosts: files dns
>>>
>>> bootparams: nisplus [NOTFOUND=return] files
>>>
>>> ethers: files
>>> netmasks: files
>>> networks: files
>>> protocols: files
>>> rpc: files
>>> services: files
>>>
>>> netgroup: files sss
>>>
>>> publickey: nisplus
>>>
>>> automount: files ldap
>>> aliases: files
>>>
>>> sudoers: files ldap
>>>
>>> Thanks,
>>> -Mark
>>>
>>>
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: [email protected]
>>> [mailto:[email protected]] On Behalf Of Dmitri Pal
>>> Sent: Tuesday, July 16, 2013 12:51 PM
>>> To: [email protected]
>>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>>
>>> On 07/16/2013 02:11 PM, Tovey, Mark wrote:
>>>> My environment consists of OEL 5.5 clients with ipa-client-2.1.3 and
>>>> the server is OEL 6.4 with ipa-server-3.0.0. We chose these because we
>>>> were able to find RPM packages for them. We would prefer to go with the
>>>> latest versions, but we did not want to spend the time building
>>>> installation packages just yet. Again, we are just evaluating at this
>>>> point. So far, so good, except for this one point.
>>>> The domain name, host name, and nsswitch.conf files are all properly
>>>> configured. But I do not have any netgroups defined (the getent command
>>>> doesn't return anything and there is no /etc/netgroup file). After you
>>>> asked about that, I started looking into the documentation on netgroups.
>>>> The IPA documentation for sudo states that "Identity Management creates
>>>> two groups, a visible host group and a shadow netgroup. sudo itself only
>>>> supports NIS-style netgroups for group formats." But when I look in the
>>>> Netgroups area, I do not see any netgroups defined. I used Apache
>>>> Directory Studio to look around the Directory Server, and I can see
>>>> "cn=hgroup1,cn=ng,cn=alt,dc=my_domain,dc=com", along with
>>>> "cn=hgroup1,cn=hostgroups,cn=accounts,dc=my_domain,dc=com". This seems to
>>>> reflect what was stated in the documentation.
>>>> But I am still stumped. I cannot get sudo to work with host groups;
>>>> I have to directly add each server to the sudo rule.
>>>> Thanks,
>>>> -Mark
>>>
>>> So it seems that the first thing you need to do is to make sure your
>>> netgroups work.
>>> If domain and host are properly set then it might be the wrong base in your
>>> LDAP search for the netgroups.
>>> Are you using SSSD for netgroups or something else?
>>> Can you please share your sssd.conf and area where it configures netgroups?
>>> Also is sss in the nsswitch.conf for netgroups map?
>>>
>>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Martin Kosek [mailto:[email protected]]
>>>> Sent: Tuesday, July 16, 2013 12:34 AM
>>>> To: Tovey, Mark
>>>> Cc: Steven Jones; James Hogarth; [email protected]; Pavel
>>>> Brezina
>>>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>
>>>> Just checking, did you try troubleshooting hints from JR I found at the
>>>> top of the thread? I did not find any information about that.
>>>>
>>>> ~~~~
>>>> Can you confirm that the output of the following commands:
>>>> 1. $ domainname
>>>> * does it match your domain?
>>>> 2. $ hostname
>>>> * does it match your fqdn?
>>>> 3. $ getent netgroup esolutions-sandbox-hosts
>>>> * does this list your host?
>>>> 4. Does /etc/nsswitch.conf contain the line: "netgroup: files sss"?
>>>>
>>>>
>>>> Another important Sudo Troubleshooting step is to edit:
>>>> /etc/sudo-ldap.conf (or /etc/ldap.conf, depending on what version of
>>>> RHEL/Sudo you're running):
>>>>
>>>> At the top, add the line: sudoers_debug 2
>>>>
>>>> Then try another sudo command. sudo -l for example.
>>>> ~~~~
>>>>
>>>> For example, it would help to know that netgroup list (step 3) works or
>>>> domainname is set correctly (step 1).
>>>>
>>>> Martin
>>>>
>>>>
>>>> On 07/16/2013 06:09 AM, Tovey, Mark wrote:
>>>>>
>>>>>
>>>>> Okay, I stopped sssd on the client and deleted the cache
>>>>> files, removed the sudo rule, started sssd and verified that the
>>>>> rule was gone, stopped sssd and deleted the files again, added the
>>>>> rule back in, restarted sssd, and still it does not work.
>>>>> One note, when I enter the hosts into the sudo rule in place of
>>>>> the host group, the effect is immediate; I do not need to restart
>>>>> sssd. And the opposite is true too: if I put the host group back,
>>>>> the rule immediately stops working. I don't think the issue is
>>>>> cache related; it seems to be something else. The serv_account that we
>>>>> are accessing with the sudo rule is external. I wouldn't expect that to
>>>>> matter, but perhaps it does?
>>>>>
>>>>>
>>>>>
>>>>> I like your idea for the labels; they make sense. Right now
>>>>> we are just evaluating this to see if we want to go this route.
>>>>> So far we like it, but this could be a problem because we have
>>>>> several hundred hosts that we need to manage. Having to enter each one
>>>>> individually will be problematic.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> -Mark
>>>>>
>>>>>
>>>>> *From:*Steven Jones [mailto:[email protected]]
>>>>> *Sent:* Monday, July 15, 2013 4:44 PM
>>>>> *To:* Tovey, Mark; James Hogarth
>>>>> *Cc:* [email protected]
>>>>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>>
>>>>>
>>>>> option b) delete the rule totally and redo it from scratch.
>>>>>
>>>>> I label rules like this,
>>>>>
>>>>> hb-xxxx for a hbac rule
>>>>>
>>>>> su-xxxx for a sudo rule
>>>>>
>>>>> sc-xxxx for a sudo command group
>>>>>
>>>>> ug-xxxx for a user group
>>>>>
>>>>> hg-xxxx for a host groups
>>>>>
>>>>> etc
>>>>>
>>>>> etc
>>>>>
>>>>> It makes the logic easier when you go into the command line, which I
>>>>> find easier to trace with than the gui at times.
>>>>>
>>>>>
>>>>>
>>>>> regards
>>>>>
>>>>> Steven Jones
>>>>>
>>>>> Technical Specialist - Linux RHCE
>>>>>
>>>>> Victoria University, Wellington, NZ
>>>>>
>>>>> 0064 4 463 6272
>>>>>
>>>>> -------------------------------------------------------------------------
>>>>>
>>>>> *From:*Tovey, Mark [[email protected]]
>>>>> *Sent:* Tuesday, 16 July 2013 11:34 a.m.
>>>>> *To:* Steven Jones; James Hogarth
>>>>> *Cc:* [email protected] <mailto:[email protected]>
>>>>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>>
>>>>>
>>>>> That didn't work either. I set up the host group in my sudo
>>>>> rule, stopped sssd, renamed /var/lib/sss/db and created a new db
>>>>> directory, then restarted sssd. New files were created in the db
>>>>> directory, but it still refuses to work unless the hosts are directly
>>>>> specified in the sudo rule.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> -Mark
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> *From:*Steven Jones [mailto:[email protected]]
>>>>> *Sent:* Monday, July 15, 2013 4:15 PM
>>>>> *To:* Tovey, Mark; James Hogarth
>>>>> *Cc:* [email protected] <mailto:[email protected]>
>>>>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>>
>>>>>
>>>>> Hi,
>>>>>
>>>>> This is a known issue I've suffered a long time with. What would
>>>>> be interesting is adding another host to the host group could well
>>>>> work fine, that will really make you bang your head against the wall.
>>>>>
>>>>> 2 possibilities, stop the sssd daemon on the problem host, delete
>>>>> its cache and start it, that might fix it.
>>>>>
>>>>> Otherwise best to,
>>>>>
>>>>> All RH support could come up with is delete the HBAC rule, sudo
>>>>> rule, user group and host group and re-do it, then it will probably work
>>>>> fine.
>>>>>
>>>>>
>>>>> *From:*[email protected]
>>>>> <mailto:[email protected]>
>>>>> [[email protected]] on behalf of Tovey, Mark
>>>>> [[email protected]]
>>>>> *Sent:* Tuesday, 16 July 2013 10:54 a.m.
>>>>> *To:* James Hogarth
>>>>> *Cc:* [email protected] <mailto:[email protected]>
>>>>> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> I checked that and it is set correctly:
>>>>>
>>>>> [user1@host1 ~]$ nisdomainname
>>>>> my_domain.com
>>>>>
>>>>>
>>>>>
>>>>> If I try to run a command with the hosts specified indirectly
>>>>> through a host group, it fails:
>>>>>
>>>>> [user1@host1 ~]$ sudo -i -u serv_account
>>>>> LDAP Config Summary
>>>>> ===================
>>>>> uri ldap://ipa_server.my_domain.com
>>>>> ldap_version 3
>>>>> sudoers_base ou=SUDOers,dc=my_domain,dc=com
>>>>> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
>>>>> bindpw **********
>>>>> bind_timelimit 5000
>>>>> timelimit 15
>>>>> ssl start_tls
>>>>> tls_checkpeer (yes)
>>>>> tls_cacertfile /etc/ipa/ca.crt
>>>>> ===================
>>>>> sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
>>>>> sudo: ldap_set_option: debug -> 0
>>>>> sudo: ldap_set_option: ldap_version -> 3
>>>>> sudo: ldap_set_option: tls_checkpeer -> 1
>>>>> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
>>>>> sudo: ldap_set_option: timelimit -> 15
>>>>> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
>>>>> sudo: ldap_start_tls_s() ok
>>>>> sudo: ldap_sasl_bind_s() ok
>>>>> sudo: no default options found!
>>>>> sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
>>>>> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
>>>>> sudo: ldap sudoHost '+hgroup1' ... not
>>>>> sudo: ldap search 'sudoUser=+*'
>>>>> sudo: user_matches=1
>>>>> sudo: host_matches=0
>>>>> sudo: sudo_ldap_lookup(0)=0x40
>>>>> [sudo] password for user1:
>>>>> Sorry, try again.
>>>>> [sudo] password for user1:
>>>>> sudo: 1 incorrect password attempt
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> But if I remove the host group from the sudo rule and
>>>>> directly add the hosts that were in the host group, it works fine:
>>>>>
>>>>> <snip>
>>>>>
>>>>> sudo: ldap_start_tls_s() ok
>>>>> sudo: ldap_sasl_bind_s() ok
>>>>> sudo: no default options found!
>>>>> sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
>>>>> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
>>>>> sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
>>>>> sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
>>>>> sudo: ldap sudoCommand 'ALL' ... MATCH!
>>>>> sudo: Command allowed
>>>>> sudo: user_matches=1
>>>>> sudo: host_matches=1
>>>>> sudo: sudo_ldap_lookup(0)=0x02
>>>>> [sudo] password for user1:
>>>>> [serv_account@host1 ~]$
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> So something isn't lining up correctly with host groups in
>>>>> sudo rules somewhere. I just haven't been able to track it down.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> -Mark
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> *From:*James Hogarth [mailto:[email protected]]
>>>>> *Sent:* Monday, July 15, 2013 1:11 PM
>>>>> *To:* Tovey, Mark
>>>>> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>> Did anyone find a solution for this? I am having the same
>>>>>> experience.
>>>>>>
>>>>>>
>>>>>>
>>>>> Wow that was a mess...
>>>>>
>>>>> To use hostgroups for sudo ensure nisdomainname is set on the
>>>>> hosts to the IPA domain.
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> [email protected]
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>
>>>>
>>>
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager for IdM portfolio Red Hat Inc.
>>>
>>>
>>> -------------------------------
>>> Looking to carve out IT costs?
>>> www.redhat.com/carveoutcosts/
>>>
>>>
>>>
>
>