[Freeipa-users] Sudo not working

Bret Wortman bret.wortman at damascusgrp.com
Thu Nov 1 11:58:53 UTC 2012


That's got me closer now, as I'm at least getting an error message on
stdout:

[root at fs1 etc]# more nslcd.conf
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
bindpw password

ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes

bind_timelimit 5
timelimit 15

uri ldap://fs1.wedgeofli.me
sudoers_base ou=SUDOers,dc=wedgeofli,dc=me
[root at fs1 etc]# sudo su -
sudo: ldap_sasl_bind_s(): Invalid credentials
[root at fs1 ~]#

So I'm off to figure out where my credentials are wrong. Thanks again, Rob,
Stephen & Pavel.


Bret

On Wed, Oct 31, 2012 at 2:39 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Bret Wortman wrote:
>
>> [root at fs1 etc]# more /etc/ldap.conf
>> sudoers_debug: 1
>> [root at fs1 etc]# ls -l /etc/ldap.conf
>> -rw-r--r--. 1 root root 17 Oct 19 14:54 /etc/ldap.conf
>>
>> Where should I see the extra output? I've had this set since last Friday
>> and I'm not seeing any difference.
>>
>
> Move the contents of /etc/nslcd.conf to this file and add ldap to sudoers
> in /etc/nsswitch.conf.
>
> rob
>
>
>> On Wed, Oct 31, 2012 at 2:20 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>>     Bret Wortman wrote:
>>
>>         F17.
>>
>>
>>     I think you want /etc/ldap.conf then. The easiest way to be sure the
>>     right file is being used is to add sudoers_debug 1 to the file. This
>>     will present a lot of extra output so you'll know the file is being
>>     read.
>>
>>     rob
>>
>>
>>         On Wed, Oct 31, 2012 at 2:04 PM, Rob Crittenden
>>         <rcritten at redhat.com> wrote:
>>
>>              Bret Wortman wrote:
>>
>>                  I had enabled debugging of sudo but am not clear on where that
>>                  debugging is going. It's not stdout, and I'm not seeing anything
>>                  in /var/log/messages.
>>
>>                  I'll try switching to SSS and see what that gets me.
>>
>>
>>              What distro is this? If it is RHEL 6.3 then put the configuration
>>              into /etc/sudo-ldap.conf instead of /etc/nslcd. The docs are
>>              incorrect (we are working on getting them fixed).
>>
>>              rob
>>
>>
>>
>>                  On Wed, Oct 31, 2012 at 1:33 PM, Stephen Gallagher
>>                  <sgallagh at redhat.com> wrote:
>>
>>                       On Wed 31 Oct 2012 11:53:15 AM EDT, Bret Wortman wrote:
>>
>>                           I'm pretty certain there's a painfully simple solution
>>                           to this that I'm not seeing, but my current configuration
>>                           isn't picking up the freeipa sudoer rule that I've set.
>>
>>                           /etc/nsswitch.conf specifies:
>>                             sudoers:    files ldap
>>
>>                           /etc/nslcd.conf contains:
>>
>>                           binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
>>                           bindpw password
>>
>>                           ssl start_tls
>>                           tls_cacertfile /etc/ipa/ca.crt
>>                           tls_checkpeer yes
>>
>>                           bind_timelimit 5
>>                           timelimit 15
>>
>>                           uri ldap://fs1.wedgeofli.me
>>                           sudoers_base ou=SUDOers,dc=wedgeofli,dc=me
>>
>>                           The sssd_DOMAIN.log file contains this when I try to sudo:
>>
>>                       <snip>
>>
>>                       The SSSD logs aren't showing anything wrong because they have
>>                       nothing to do with the execution of the SUDO rules in this
>>                       situation. All the SSSD is doing is verifying the authentication
>>                       (when sudo prompts you for your password).
>>
>>                       The problem with the rule is most likely happening inside SUDO
>>                       itself. When you specify 'sudoers: files, ldap' in nsswitch.conf,
>>                       it's telling SUDO to use its own internal LDAP driver to look up
>>                       the rules. So you need to check sudo logs to see what's happening
>>                       (probably you will need to enable debug logging in /etc/sudo.conf).
>>
>>                       Recent versions of SUDO (1.8.6 and later) have support for setting
>>                       'sudoers: files, sss' in nsswitch.conf which DOES use SSSD (1.9.0
>>                       and later) for lookups (and caching) of sudo rules.
>>
>>
>>                  --
>>                  Bret Wortman
>>                  The Damascus Group
>>                  Fairfax, VA
>>                  http://bretwortman.com/
>>                  http://twitter.com/BretWortman
>>
>>                  _______________________________________________
>>                  Freeipa-users mailing list
>>                  Freeipa-users at redhat.com
>>                  https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>


-- 
Bret Wortman
The Damascus Group
Fairfax, VA
http://bretwortman.com/
http://twitter.com/BretWortman
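Stephen's point above (a 'sudoers: files ldap' line hands rule lookups to sudo's own LDAP driver, not to SSSD) and Rob's advice to put the configuration in /etc/ldap.conf can be checked mechanically. The script below is an added example, not code from the thread or from FreeIPA or sudo: it reads constructed copies of nsswitch.conf and ldap.conf, reports which backend sudo will consult, checks that the directives the sudo-ldap driver needs are present, and warns when a file that holds a bindpw is world-readable (the mode the ls -l output in the thread shows).

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for a sudo-over-LDAP setup.
# Constructed sample files stand in for /etc/nsswitch.conf and /etc/ldap.conf.
set -eu
WORK=$(mktemp -d)
NSS="$WORK/nsswitch.conf"; LDAPCONF="$WORK/ldap.conf"
printf 'passwd:  files sss\nsudoers: files ldap  # as in the thread\n' > "$NSS"
cat > "$LDAPCONF" <<'EOF'
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
bindpw password
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
uri ldap://fs1.wedgeofli.me
sudoers_base ou=SUDOers,dc=wedgeofli,dc=me
EOF
chmod 644 "$LDAPCONF"   # the world-readable mode shown by ls -l in the thread
# Print the sudoers sources listed in an nsswitch.conf, e.g. "files ldap".
sudoers_sources() {
    sed 's/#.*//' "$1" | awk '$1 == "sudoers:" { $1 = ""; print }' |
        tr -s ' \t,' ' ' | sed 's/^ //; s/ $//'
}
# Name the backend sudo consults: "sss" means SSSD (sudo >= 1.8.6, SSSD >= 1.9.0);
# "ldap" means sudo's own LDAP driver, which reads /etc/ldap.conf, not nslcd.conf.
sudo_backend() {
    case " $1 " in
        *" sss "*)  echo sssd ;;
        *" ldap "*) echo sudo-ldap ;;
        *)          echo files ;;
    esac
}
# Succeed only if every directive the sudo-ldap driver needs is present.
required_keys_present() {
    for key in uri sudoers_base binddn bindpw; do
        grep -q "^[[:space:]]*$key[[:space:]]" "$1" || return 1
    done
}
# Succeed only if a config carrying a bindpw is unreadable by "others".
bindpw_mode_ok() {
    grep -q '^[[:space:]]*bindpw[[:space:]]' "$1" || return 0
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}
SRC=$(sudoers_sources "$NSS")
echo "sudoers sources: '$SRC' -> backend: $(sudo_backend "$SRC")"
required_keys_present "$LDAPCONF" && echo "all sudo-ldap directives present"
bindpw_mode_ok "$LDAPCONF" || echo "WARNING: $LDAPCONF holds a bindpw but others can read it"
```

Point NSS and LDAPCONF at the real files to run the same checks on a host; the bindpw warning is the one to act on first, since that file is exactly what the sudo system account's credentials live in.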