[Freeipa-users] Managing Sudo through FreeIPA
William Muriithi
william.muriithi at gmail.com
Wed Nov 7 21:28:52 UTC 2012
Hello
I have been trying to set up user access through a sudo file managed by
FreeIPA and it doesn't seem to be working. I am not sure how to go
about fixing it, but I guess the best place to start is to ask what I
should expect the IPA installation script to set up and what
should be done manually.
[root at demo2 wmuriithi]# rpm -qa | grep sssd
sssd-client-1.8.0-32.el6.x86_64
sssd-1.8.0-32.el6.x86_64
[root at demo2 wmuriithi]#
[root at demo2 wmuriithi]# rpm -qa | grep sudo
sudo-1.7.4p5-13.el6_3.x86_64
The only errors related to sudo that I can find are in the Apache error logs:
[Wed Nov 07 13:16:18 2012] [error] ipa: INFO: admin at EXAMPLE.LOC:
sudorule_add_user(u'read_only_viewiers', all=False, raw=False,
version=u'2.34', group=(u'operations',)): SUCCESS
[Wed Nov 07 13:54:44 2012] [error] ipa: ERROR: release_ipa_ccache:
ccache_name (FILE:/var/run/ipa_memcached/krbcc_3988) != KRB5CCNAME
environment variable (FILE:/tmp/krb5cc_apache_NB7pph)
[Wed Nov 07 13:54:44 2012] [error] ipa: INFO: admin at EXAMPLE.LOC:
sudorule_find(None, sizelimit=0, pkey_only=True): SUCCESS
[Wed Nov 07 13:54:44 2012] [error] ipa: INFO: admin at EXAMPLE.LOC:
batch: sudorule_show(u'Full_Access', all=True): SUCCESS
[Wed Nov 07 13:54:44 2012] [error] ipa: INFO: admin at EXAMPLE.LOC:
batch: sudorule_show(u'read_only_viewiers', all=True): SUCCESS
[Wed Nov 07 13:54:44 2012] [error] ipa: INFO: admin at EXAMPLE.LOC:
batch: sudorule_show(u'developers', all=True): SUCCESS
[Wed Nov 07 13:54:44 2012] [error] ipa: INFO: admin at EXAMPLE.LOC:
batch: sudorule_show(u'operation', all=True): SUCCESS
[Wed Nov 07 13:54:44 2012] [error] ipa: INFO: admin at EXAMPLE.LOC:
batch(({u'params': [[u'Full_Access'], {u'all': True}], u'method':
u'sudorule_show'}, {u'params': [[u'read_only_viewiers'], {u'all':
True}], u'method': u'sudorule_show'}, {u'params': [[u'developers'],
{u'all': True}], u'method': u'sudorule_show'}, {u'params':
[[u'operation'], {u'all': True}], u'method': u'sudorule_show'})):
SUCCESS
[Wed Nov 07 13:54:50 2012] [error] ipa: INFO: admin at EXAMPLE.LOC:
sudorule_show(u'read_only_viewiers', rights=True, all=True): SUCCESS
I created the user as below and associated it with a group, which I
then allowed to use less for reading files. As you can see below, it
does not seem to work.
Nov 7 16:05:42 demo2 sudo: pam_sss(sudo:auth): authentication
success; logname=williamm uid=0 euid=0 tty=/dev/pts/2 ruser=williamm
rhost= user=williamm
Nov 7 16:05:43 demo2 sudo: williamm : user NOT in sudoers ; TTY=pts/2
; PWD=/home/wmuriithi ; USER=root ; COMMAND=/usr/bin/less
/var/log/secure
- My question is, does the client install script take care of sudo
configuration or is that done manually? I don't see any sudo-related
flag on the client installation script.
- I have tried configuring sssd for sudo use and it didn't go well.
Last time I messed around with LDAP-managed sudo, I had to install an
LDAP-capable sudo package. The ipa-client install did not install
this package. Does IPA sudo management work differently?
- Where would I check for logs? I checked sssd logs and they are empty.
- I am missing the basedn configuration in the sssd configuration. From
this bug, it should have been set up by the installer; oddly though it was
not set up and the bug is closed. I attempted to fix it by adding the
line below, but it makes sudo completely unusable. It could not find
any valid users apparently.
https://fedorahosted.org/freeipa/ticket/932
ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=loc
Nov 7 16:05:42 demo2 sudo: pam_sss(sudo:auth): authentication
success; logname=williamm uid=0 euid=0 tty=/dev/pts/2 ruser=williamm
rhost= user=williamm
Nov 7 16:05:43 demo2 sudo: williamm : user NOT in sudoers ; TTY=pts/2
; PWD=/home/wmuriithi ; USER=root ; COMMAND=/usr/bin/less
/var/log/secure
Any pointers on why we are going?
Thank you a lot in advance.
William
----------------------------
[root at ipa1-yyz-int wmuriithi]# ipa sudocmd-add --desc='For reading log
files' '/usr/bin/less'
----------------------------------
Added Sudo Command "/usr/bin/less"
----------------------------------
Sudo Command: /usr/bin/less
Description: For reading log files
[root at ipa1-yyz-int wmuriithi]# ipa sudocmdgroup-add --desc='Read Only
Commands' readonly
-----------------------------------
Added Sudo Command Group "readonly"
-----------------------------------
Sudo Command Group: readonly
Description: Read Only Commands
[root at ipa1-yyz-int wmuriithi]# ipa sudocmdgroup-add-member
--sudocmds='/usr/bin/less' readonly
Sudo Command Group: readonly
Description: Read Only Commands
Member Sudo commands: /usr/bin/less
-------------------------
Number of members added 1
-------------------------
[root at ipa1-yyz-int wmuriithi]# ipa sudorule-add testing_viewiers
-----------------------------------
Added Sudo Rule "testing_viewiers"
-----------------------------------
Rule name: testing_viewiers
Enabled: TRUE
[root at ipa1-yyz-int wmuriithi]# ipa sudorule-add-allow-command
--sudocmdgroups=readonly testing_viewiers
Rule name: testing_viewiers
Enabled: TRUE
Sudo Allow Command Groups: readonly
-------------------------
Number of members added 1
-------------------------
[root at ipa1-yyz-int wmuriithi]# ipa hostgroup-add demo
Description: Demonstration systems
>>> Description: Leading and trailing spaces are not allowed
Description: Demonstration system
----------------------
Added hostgroup "demo"
----------------------
Host-group: demo
Description: Demonstration system
[root at ipa1-yyz-int wmuriithi]# ipa hostgroup-add-member
--hosts=demo2.yyz.int.testing.com demo
Host-group: demo
Description: Demonstration system
Member hosts: demo2.yyz.int.testing.com
-------------------------
Number of members added 1
-------------------------
[root at ipa1-yyz-int wmuriithi]# ipa sudorule-add-host --hostgroups=demo
testing_viewiers
Rule name: testing_viewiers
Enabled: TRUE
Host Groups: demo
Sudo Allow Command Groups: readonly
-------------------------
Number of members added 1
-------------------------
[root at ipa1-yyz-int wmuriithi]# ipa sudorule-add-user
--groups=operations testing_viewiers
Rule name: testing_viewiers
Enabled: TRUE
User Groups: operations
Host Groups: demo
Sudo Allow Command Groups: readonly
-------------------------
Number of members added 1
-------------------------
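Added example, not part of the post or of FreeIPA/SSSD: a small parser for the sudo syslog lines quoted above, written to pull out the pattern the post shows (pam_sss reports "authentication success", then sudo reports "user NOT in sudoers"). That pairing means the password check went through SSSD, so the IPA account itself resolves, while the sudoers policy lookup returned no rule; separating the two stages is the first thing to check before touching search bases. The sample log text is constructed from the post's two lines plus an invented "allowed" line for contrast; the `/var/log/secure` format is syslog-style `Mon D HH:MM:SS host sudo: ...` as shown in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the /var/log/secure excerpt in the post.
# The third line (user "alice") is invented to show an allowed command.
SAMPLE_LOG = """\
Nov 7 16:05:42 demo2 sudo: pam_sss(sudo:auth): authentication success; logname=williamm uid=0 euid=0 tty=/dev/pts/2 ruser=williamm rhost= user=williamm
Nov 7 16:05:43 demo2 sudo: williamm : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/wmuriithi ; USER=root ; COMMAND=/usr/bin/less /var/log/secure
Nov 7 16:07:01 demo2 sudo:   alice : TTY=pts/3 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/messages
"""

_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})"

# PAM stage: SSSD answered the password check (authentication, not authorization).
AUTH_RE = re.compile(
    _TS + r"\s+(?P<host>\S+)\s+sudo:\s+pam_sss\(sudo:auth\):\s+authentication\s+"
    r"(?P<result>\w+);.*?\buser=(?P<user>\S+)"
)

# Policy stage: sudo's decision line. A denial carries a reason before "TTY=".
DECISION_RE = re.compile(
    _TS + r"\s+(?P<host>\S+)\s+sudo:\s+(?P<user>\S+)\s+:\s+"
    r"(?:(?P<reason>[^;]+?)\s+;\s+)?TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>\S+)\s+;\s+"
    r"USER=(?P<runas>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$"
)


@dataclass
class SudoEvent:
    ts: str
    host: str
    user: str
    kind: str                      # "auth", "allowed" or "denied"
    result: Optional[str] = None   # pam result for "auth" events
    reason: Optional[str] = None   # denial reason for "denied" events
    runas: Optional[str] = None    # target user (USER=) for policy events
    cmd: Optional[str] = None      # COMMAND= for policy events


def parse_line(line: str) -> Optional[SudoEvent]:
    """Parse one syslog line written by sudo; return None for anything else."""
    m = AUTH_RE.match(line)
    if m:
        return SudoEvent(m["ts"], m["host"], m["user"], "auth", result=m["result"])
    m = DECISION_RE.match(line)
    if m:
        kind = "denied" if m["reason"] else "allowed"
        return SudoEvent(m["ts"], m["host"], m["user"], kind,
                         reason=m["reason"], runas=m["runas"], cmd=m["cmd"])
    return None


def parse_sudo_log(text: str) -> List[SudoEvent]:
    """Parse every recognised sudo line in a block of syslog text."""
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]


def auth_ok_but_denied(events: List[SudoEvent]) -> List[SudoEvent]:
    """Denials for users who also have a successful pam_sss authentication.

    This is the pattern in the post: SSSD could verify the IPA user's
    password, yet sudo found no applicable rule, which points at the
    sudo rule lookup (sssd sudo integration, nsswitch, search bases)
    rather than at the account itself.
    """
    authed = {ev.user for ev in events if ev.kind == "auth" and ev.result == "success"}
    return [ev for ev in events if ev.kind == "denied" and ev.user in authed]


if __name__ == "__main__":
    for ev in auth_ok_but_denied(parse_sudo_log(SAMPLE_LOG)):
        print(f"{ev.ts} {ev.host}: {ev.user} authenticated via SSSD but was "
              f"denied '{ev.cmd}' as {ev.runas} ({ev.reason})")
```

Feeding the real `/var/log/secure` through `parse_sudo_log` gives the same split: an "auth" event with no matching rule means the host is talking to IPA for passwords but not receiving sudo rules, whereas no "auth" event at all would point at the pam_sss setup instead.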