Dear freeIPA gurus,

in a previous thread (https://www.redhat.com/archives/freeipa-users/2016-July/msg00046.html) you helped me get sudo working for AD users on Centos 7.0 (spcss-2t-www.linuxdomain.cz). The problem was that I did not know sudo needs to be enabled in the HBAC rules. Now it works properly on the Centos 7.0 client. But it does not work on Centos 6.5 (zp-cml-test.linuxdomain.cz) with the same sssd.conf setup. The error message is always:

[[email protected]@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf
[sudo] password for [email protected]:
[email protected] is not allowed to run sudo on zp-cml-test.  This incident will be reported.

Here are my HBAC rules; the second one should apply. It definitely applies on the Centos 7.0 server:

[root@svlxxipap ~]# ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
  Rule name: allow_all
  User category: all
  Host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: FALSE

  Rule name: Unixari na test servery
  Enabled: TRUE
  User Groups: grpunixadmins
  Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
  Services: login, sshd, sudo, sudo-i, su, su-l
----------------------------
Number of entries returned 2
----------------------------

This is my /etc/sssd/sssd.conf. It is the same as on the Centos 7.0 server, just with the proper server name of course:

[root@zp-cml-test sssd]# cat /etc/sssd/sssd.conf
[domain/linuxdomain.cz]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linuxdomain.cz
id_provider = ipa
krb5_realm = LINUXDOMAIN.CZ
auth_provider = ipa
access_provider = ipa
ipa_hostname = zp-cml-test.linuxdomain.cz
chpass_provider = ipa
ipa_server = svlxxipap.linuxdomain.cz
ldap_tls_cacert = /etc/ipa/ca.crt
override_shell = /bin/bash
sudo_provider = ldap
ldap_uri = ldap://svlxxipap.linuxdomain.cz
ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
ldap_sasl_mech = GSSAPI
#ldap_sasl_authid = host/[email protected]
ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
ldap_sasl_realm = LINUXDOMAIN.CZ
krb5_server = svlxxipap.linuxdomain.cz

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
debug_level = 0x3ff0
domains = linuxdomain.cz

[nss]
homedir_substring = /home

[pam]

[sudo]
debug_level = 0x3ff0

[autofs]

[ssh]

[pac]

[ifp]

This is the output from sssd_sudo.log:

(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name '[email protected]' matched expression for domain 'sd-stc.cz', user is simecek.tomas
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name '[email protected]' matched expression for domain 'sd-stc.cz', user is simecek.tomas
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [[email protected]]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [[email protected]]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [[email protected]] from [sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser= [email protected])(sudoUser=#988604700)(sudoUser=%domain [email protected])(sudoUser=%[email protected])(sudoUser=% [email protected])(sudoUser=%[email protected])(sudoUser=%[email protected] )(sudoUser=%grpunixadmins)(sudoUser=+*))(&(dataExpireTimestamp<=1468393118)))]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name '[email protected]' matched expression for domain 'sd-stc.cz', user is simecek.tomas
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name '[email protected]' matched expression for domain 'sd-stc.cz', user is simecek.tomas
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [simecek.tomas] from [sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [[email protected]]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [[email protected]]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [[email protected]] from [sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser= [email protected])(sudoUser=#988604700)(sudoUser=%domain [email protected])(sudoUser=%[email protected])(sudoUser=% [email protected])(sudoUser=%[email protected])(sudoUser=%[email protected] )(sudoUser=%grpunixadmins)(sudoUser=+*))(&(dataExpireTimestamp<=1468393118)))]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)([email protected])(sudoUser=#988604700)(sudoUser=%domain [email protected])(sudoUser=%[email protected])(sudoUser=% [email protected])(sudoUser=%[email protected])(sudoUser=%[email protected] )(sudoUser=%grpunixadmins)(sudoUser=+*)))]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [[email protected]]
(Wed Jul 13 08:58:42 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Wed Jul 13 08:58:42 2016) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x1330300][18]

It looks like it cannot get any rules from the IPA server. Any idea why? It works fine on the Centos 7.0 client.

Thanks
Tomas
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
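The log above shows the two things worth reading off an sssd_sudo.log at this debug level: the identities the sudo responder puts into its sysdb filter (the values a rule's sudoUser attribute must match) and the "Returning N rules" count, which comes from the local cache, not from a live LDAP query. The following helper is an added example for this page, not code from the post, from SSSD or from FreeIPA. It parses those two facts out of a log and prints the ldapsearch that checks, with the client's own host keytab, whether the rule is actually published in the compat tree the post points SSSD at. The sample log lines are constructed in the shape of the post's excerpt; the user aduser@ad.example is hypothetical, while grpunixadmins, the search base and the server name come from the post. The filter assumes the compat tree publishes rules with objectClass sudoRole.

```shell
#!/bin/bash
# sudo_log_check.sh: read an sssd_sudo.log (debug_level 0x3ff0, as in the post)
# and report (a) which sudoUser identities the responder searched for and
# (b) how many rules the cache returned. Added example, not SSSD/FreeIPA code.
#
# Usage: bash sudo_log_check.sh /var/log/sssd/sssd_sudo.log
#        (with no argument the constructed sample below is analysed)

# Constructed sample in the shape of the post's log. aduser@ad.example is a
# hypothetical AD user; the group and filter layout mirror the post.
SAMPLE_LOG='(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=aduser@ad.example)(sudoUser=#988604700)(sudoUser=%grpunixadmins)(sudoUser=+*))(&(dataExpireTimestamp<=1468393118)))]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [aduser@ad.example]'

# Read log text on stdin; print every sudoUser= value from the sysdb filters,
# one per line, de-duplicated. A rule applies only if its sudoUser attribute
# carries one of these exact strings (user, #uid, %group, +netgroup, ALL).
sudo_filter_identities() {
    grep -o 'sudoUser=[^)]*' | sed 's/^sudoUser=//' | sort -u
}

# Read log text on stdin; print the N from the last "Returning N rules for [...]"
# line. 0 here means the sysdb cache holds no matching rule: the responder never
# talks to LDAP itself, so the next place to look is the provider side.
rules_returned() {
    sed -n 's/.*Returning \([0-9][0-9]*\) rules for \[.*/\1/p' | tail -n 1
}

# Print the ldapsearch to run on the client (as root, so kinit -k uses the host
# keytab) to see whether a rule for the group is published at the search base.
# GSSAPI mirrors ldap_sasl_mech = GSSAPI in the post. Arguments:
#   $1 = LDAP URI, $2 = search base, $3 = group name without the leading %
compat_rule_search_cmd() {
    printf "kinit -k && ldapsearch -Y GSSAPI -H '%s' -b '%s' '(&(objectClass=sudoRole)(sudoUser=%%%s))' sudoUser sudoHost sudoCommand sudoOption\n" \
        "$1" "$2" "$3"
}

main() {
    if [ -n "${1:-}" ]; then
        log=$(cat "$1")
    else
        log=$SAMPLE_LOG
    fi
    echo "sudoUser identities the responder searched for:"
    printf '%s\n' "$log" | sudo_filter_identities | sed 's/^/  /'
    echo "rules returned from cache: $(printf '%s\n' "$log" | rules_returned)"
    echo "to confirm the rule exists in the compat tree, run on the client as root:"
    echo "  $(compat_rule_search_cmd ldap://svlxxipap.linuxdomain.cz ou=sudoers,dc=linuxdomain,dc=cz grpunixadmins)"
}

main "$@"
```

If the ldapsearch returns the rule with sudoUser: %grpunixadmins and sudoHost matching the client, but the log still reports 0 rules, the rule is published but has not reached the client's cache: the responder only reads what the sudo provider fetched during its last full or smart refresh, so restart sssd (which triggers a full refresh) and compare the sssd_linuxdomain.cz.log for the provider's own search against the same base. If the ldapsearch returns nothing, the problem is on the server side of ldap_sudo_search_base and sudo itself is not the place to look.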
