On Mon, 25 Aug 2014, Martin Kosek wrote:
On 08/25/2014 12:51 PM, Megan . wrote:
Good Morning,
I'm very new to FreeIPA.
Welcome on board!
I'm running CentOS 6.5 with FreeIPA v3.
I have the FreeIPA server up but I'm working on getting SUDO
configured. Currently I'm having problems getting sudo commands to
work on the client. I'm a bit unclear if I have everything configured
correctly. The only thing that I can figure out might be an issue is
that when I try the sudo command I see a filter search with
objectclass=sudoRule, but when I check the LDAP server it has
objectclass=sudoRole, so there are no results.
According to
http://www.sudo.ws/sudoers.ldap.man.html
the objectclass in the schema should really read "sudoRole" (I know, may be
confusing).
Any ideas? Thank you in advance for any advice.
Where do you see the filter?
[tuser2@map1 ~]$ sudo /sbin/iptables -L
Enter RSA PIN+token:
tuser2 is not allowed to run sudo on map1. This incident will be reported.
CLIENT:
yum installed libsss_sudo
I added "nisdomainname dir1.server.example.com" to /etc/rc.d/rc.local
**still not sure what this is for **
This is for setting the NIS domain permanently. sudo uses NIS domains when it
uses sudo rules with host groups instead of individual host names.
Created a sudo user on ldap server
ldappasswd -x -S -W -h dir1.server.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=server,dc=example,dc=com
[root@map1 sssd]# cat /etc/nsswitch.conf
#
passwd: files sss
shadow: files sss
group: files sss
sudoers: files sss
sudoers_debug: 1
#sudoers: files
hosts: files dns
bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: files
automount: files ldap
aliases: files
[root@map1 sssd]#
[root@map1 sssd]# cat sssd.conf
[domain/server.example.com]
debug_level = 5
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = server.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = map1.server.example.com
chpass_provider = ipa
ipa_server = _srv_, dir1.server.example.com
ldap_netgroup_search_base = cn=ng,cn=compat,dc=server,dc=example,dc=com
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_uri = ldap://dir1.server.example.com
ldap_sudo_search_base = ou=sudoers,dc=server,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/dir1.server.example.com
ldap_sasl_realm = server.example.com
krb5_server = dir1.server.example.com
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = server.example.com
[nss]
[pam]
[sudo]
debug_level=5
[autofs]
[ssh]
[pac]
From the sssd_sudo.log:
(Mon Aug 25 10:36:31 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*))(&(dataExpireTimestamp<=1408962991)))]
(Mon Aug 25 10:36:31 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*)))]
(Mon Aug 25 10:36:33 2014) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
I do not understand why it searches with the "sudorule" objectclass. According to
the sssd-ldap man page, ldap_sudorule_object_class should default to "sudoRole".
Jakub or Pavel, any idea?
It is a search against SSSD's local cache, where the object class is
sudoRule. The corresponding entry for the search against the LDAP server should be in
sss_<domain>.log.
--
/ Alexander Bokovoy
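As an added diagnostic for the cache-versus-server distinction Alexander describes (example code written for this note, not from the thread or from SSSD): it parses the LDAP filter out of each "Searching sysdb" line quoted above (rejoined onto single lines) and flags any filter whose objectClass does not match the store it is run against. The expected class per target (sudoRule for SSSD's sysdb cache, sudoRole for the server-side sudoers schema) is taken from the thread and is the only assumption.

```python
import re

# The two "Searching sysdb" entries and the disconnect line, copied from the
# sssd_sudo.log excerpt in the thread (each log entry rejoined onto one line).
SUDO_LOG = [
    "(Mon Aug 25 10:36:31 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*))(&(dataExpireTimestamp<=1408962991)))]",
    "(Mon Aug 25 10:36:31 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*)))]",
    "(Mon Aug 25 10:36:33 2014) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!",
]

# Assumption from the thread: SSSD's cache (sysdb) stores rules as sudoRule,
# while the server-side sudoers schema uses sudoRole.
EXPECTED = {"sysdb": "sudoRule", "ldap": "sudoRole"}

SYSDB_RE = re.compile(r"Searching sysdb with \[(.*)\]$")
ITEM_RE = re.compile(r"([^=<>~]+)(<=|>=|~=|=)(.*)")

def parse_filter(s, i=0):
    """Minimal RFC 4515 filter parser (no escaped parentheses in values).
    Returns (node, next_index): (op, [children]) or ("cmp", attr, op, value)."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] != ")":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, op, value = ITEM_RE.match(s[i:end]).groups()
    return ("cmp", attr, op, value), end + 1

def object_classes(node):
    """Collect every objectClass value used anywhere in the filter tree."""
    if node[0] == "cmp":
        return {node[3]} if node[1].lower() == "objectclass" else set()
    return set().union(*(object_classes(k) for k in node[1]))

def check_search(target, ldap_filter):
    """Return (classes_found, ok); ok means the filter uses exactly the
    object class expected for that target ("sysdb" or "ldap")."""
    tree, _ = parse_filter(ldap_filter)
    found = object_classes(tree)
    return sorted(found), found == {EXPECTED[target]}

def audit_sudo_log(lines):
    """Check each cache search in sssd_sudo.log; sudoRule there is expected."""
    return [check_search("sysdb", m.group(1))
            for m in map(SYSDB_RE.search, lines) if m]
```

Run over the quoted log, both sysdb searches come back as expected; the same filter would only be a problem if it showed up in the server-side search in sss_<domain>.log.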
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project