On 08/25/2014 12:51 PM, Megan . wrote:
> Good Morning,
>
> I'm very new to FreeIPA.

Welcome on board!

> I'm running CentOS 6.5 with FreeIPA v3
>
> I have the FreeIPA server up but I'm working on getting SUDO
> configured. Currently I'm having problems getting sudo commands to
> work on the client. I'm a bit unclear if I have everything configured
> correctly. The only thing that I can figure out might be an issue is
> that when I try the sudo command I see a filter search with
> objectclass=sudoRule, but when I check the LDAP server it has
> objectclass=sudoRole, so there are no results.

According to http://www.sudo.ws/sudoers.ldap.man.html the objectclass in the schema should really read "sudoRole" (I know, it may be confusing).

> Any ideas? Thank you in advance for any advice.

Where do you see the filter?

> [tuser2@map1 ~]$ sudo /sbin/iptables -L
> Enter RSA PIN+token:
> tuser2 is not allowed to run sudo on map1. This incident will be reported.
>
>
> CLIENT:
>
> yum installed libsss_sudo
>
> I added "nisdomainname dir1.server.example.com" to /etc/rc.d/rc.local
>
> **still not sure what this is for**

This is for setting the NIS domain permanently. sudo uses NIS domains when it uses sudo rules with host groups instead of individual host names.

> Created a sudo user on the LDAP server
> ldappasswd -x -S -W -h dir1.server.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=server,dc=example,dc=com
>
>
> [root@map1 sssd]# cat /etc/nsswitch.conf
> #
> passwd: files sss
> shadow: files sss
> group: files sss
> sudoers: files sss
> sudoers_debug: 1
> #sudoers: files
> hosts: files dns
> bootparams: files
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files sss
> netgroup: files sss
> publickey: files
> automount: files ldap
> aliases: files
> [root@map1 sssd]#
>
>
> [root@map1 sssd]# cat sssd.conf
> [domain/server.example.com]
>
> debug_level = 5
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = server.example.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = map1.server.example.com
> chpass_provider = ipa
> ipa_server = _srv_, dir1.server.example.com
> ldap_netgroup_search_base = cn=ng,cn=compat,dc=server,dc=example,dc=com
> ldap_tls_cacert = /etc/ipa/ca.crt
>
> sudo_provider = ldap
> ldap_uri = ldap://dir1.server.example.com
> ldap_sudo_search_base = ou=sudoers,dc=server,dc=example,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/dir1.server.example.com
> ldap_sasl_realm = server.example.com
> krb5_server = dir1.server.example.com
>
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
>
> domains = server.example.com
> [nss]
>
> [pam]
>
> [sudo]
> debug_level=5
>
> [autofs]
>
> [ssh]
>
> [pac]
>
>
> from the sssd_sudo.log
>
> (Mon Aug 25 10:36:31 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*))(&(dataExpireTimestamp<=1408962991)))]
> (Mon Aug 25 10:36:31 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*)))]
> (Mon Aug 25 10:36:33 2014) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!

I do not understand why it searches with the "sudorule" objectclass. According to the sssd-ldap man page, ldap_sudorule_object_class should default to "sudoRole".

Jakub or Pavel, any idea?

> [root@dir1 ~]# !ldaps
> ldapsearch -h dir1.server.example.com -x -D "cn=Directory Manager" -W -b "dc=server,dc=example,dc=com" 'objectclass=sudoRole'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=server,dc=example,dc=com> with scope subtree
> # filter: objectclass=sudoRole
> # requesting: ALL
> #
>
> # test, sudoers, server.example.com
> dn: cn=test,ou=sudoers,dc=server,dc=example,dc=com
> objectClass: sudoRole
> sudoUser: megan2
> sudoUser: tuser2
> sudoHost: map1.server.example.com
> sudoCommand: /sbin/iptables -L
> sudoCommand: /home/tuser1/test.sh
> sudoCommand: test2.sh
> cn: test
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> [root@dir1 ~]# ldapsearch -h dir1.server.example.com -x -D "cn=Directory Manager" -W -b "dc=server,dc=example,dc=com" 'objectclass=sudoRule'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=server,dc=example,dc=com> with scope subtree
> # filter: objectclass=sudoRule
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1

I do not know the root cause, but Pavel or Jakub will be able to provide help.

BTW, FreeIPA 4.0+ enables SUDO via SSSD's sudo provider automatically (https://fedorahosted.org/freeipa/ticket/3358). This functionality will also be available in RHEL-6.6.

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
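The sudoUser alternatives in the sssd_sudo.log query quoted in the thread (ALL, the user name, #uid, %group, +netgroup) are the forms sudoers.ldap(5) defines for a sudoRole entry, and the same three attributes (sudoUser, sudoHost, sudoCommand) decide whether a rule grants a request. Note that the query in that log is issued by sudosrv_get_sudorules_query_cache against SSSD's local cache (sysdb); the filter sent to the LDAP server, built from ldap_sudorule_object_class, is logged by the domain backend rather than by the sudo responder. As an added illustration for this thread, not sudo's or SSSD's own code, the following Python evaluator parses a constructed LDIF (the cn=test entry from the thread plus a second, invented cn=admins-any-host rule that uses the group, netgroup and ALL forms) and decides whether a request such as tuser2 running /sbin/iptables -L on map1.server.example.com is granted. It deliberately omits '!' negation, shell-style wildcards, the "" (no-arguments) command form, sudoOption, sudoOrder and the cn=defaults entry; those are assumptions of this example, not statements about the thread's setup.

```python
"""Evaluate sudoers-in-LDAP (sudoRole) entries against a sudo request.

Added example for this mailing-list thread; not sudo's or SSSD's code.
Parses a minimal LDIF (constructed below) and applies the sudoUser /
sudoHost / sudoCommand matching forms from sudoers.ldap(5):
  sudoUser:    ALL, <user>, #<uid>, %<group>, +<netgroup>
  sudoHost:    ALL, <hostname>, +<netgroup>
  sudoCommand: ALL, <path> [args]   (args, when given, must match exactly;
                                     a bare path matches any arguments)
Simplifications (assumptions): no '!' negation, no wildcards, no "" form,
no sudoOption / sudoOrder / cn=defaults handling, exact hostname match.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample data: the cn=test rule from the thread, plus an invented
# second rule so that the %group, +netgroup, #uid and ALL paths are exercised.
SAMPLE_LDIF = """\
dn: cn=test,ou=sudoers,dc=server,dc=example,dc=com
objectClass: sudoRole
sudoUser: megan2
sudoUser: tuser2
sudoHost: map1.server.example.com
sudoCommand: /sbin/iptables -L
sudoCommand: /home/tuser1/test.sh
sudoCommand: test2.sh
cn: test

dn: cn=admins-any-host,ou=sudoers,dc=server,dc=example,dc=com
objectClass: sudoRole
sudoUser: %wheel
sudoUser: +ops
sudoUser: #1079600099
sudoHost: ALL
sudoCommand: ALL
cn: admins-any-host
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse minimal LDIF: entries separated by blank lines, 'attr: value'
    lines, attribute names compared case-insensitively (LDAP semantics).
    Only entries carrying the sudoRole objectClass are returned, since that
    is the objectClass the sudoers LDAP schema defines for rules."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return [e for e in entries
            if "sudorole" in [v.lower() for v in e.get("objectclass", [])]]


@dataclass
class SudoRequest:
    """What the client side knows when the user runs sudo."""
    user: str
    uid: int
    groups: List[str]
    host: str
    command: str                      # resolved path of the command
    args: List[str] = field(default_factory=list)
    netgroups: List[str] = field(default_factory=list)       # user's netgroups
    host_netgroups: List[str] = field(default_factory=list)  # host's netgroups


def user_matches(value: str, req: SudoRequest) -> bool:
    """sudoUser forms: ALL, user name, #uid, %group, +netgroup."""
    if value == "ALL":
        return True
    if value.startswith("#"):
        return value[1:].isdigit() and int(value[1:]) == req.uid
    if value.startswith("%"):
        return value[1:] in req.groups
    if value.startswith("+"):
        return value[1:] in req.netgroups
    return value == req.user


def host_matches(value: str, req: SudoRequest) -> bool:
    """sudoHost forms: ALL, host name, +netgroup (netgroup lookups are what
    the NIS domain set on the client is needed for)."""
    if value == "ALL":
        return True
    if value.startswith("+"):
        return value[1:] in req.host_netgroups
    return value == req.host


def command_matches(value: str, req: SudoRequest) -> bool:
    """sudoCommand: ALL, or a path with optional arguments."""
    if value == "ALL":
        return True
    parts = value.split()
    if parts[0] != req.command:
        return False
    return len(parts) == 1 or parts[1:] == req.args


def matching_rules(rules: List[Dict[str, List[str]]], req: SudoRequest) -> List[str]:
    """Return the cn of every rule whose user, host and command all match."""
    hits = []
    for rule in rules:
        if (any(user_matches(v, req) for v in rule.get("sudouser", []))
                and any(host_matches(v, req) for v in rule.get("sudohost", []))
                and any(command_matches(v, req) for v in rule.get("sudocommand", []))):
            hits.append(rule["cn"][0])
    return hits


def is_allowed(rules: List[Dict[str, List[str]]], req: SudoRequest) -> bool:
    return bool(matching_rules(rules, req))


if __name__ == "__main__":
    rules = parse_ldif(SAMPLE_LDIF)
    req = SudoRequest(user="tuser2", uid=1079600005, groups=["tuser2"],
                      host="map1.server.example.com",
                      command="/sbin/iptables", args=["-L"])
    print(matching_rules(rules, req))
```

Running it with the request from the thread (tuser2 on map1.server.example.com, /sbin/iptables -L) returns the cn=test rule; the same user running /sbin/iptables -F, or running the allowed command from another host, matches nothing, which is the "not allowed to run sudo" outcome even when the rule entry itself is found.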
