[Freeipa-users] Sudo works for full access, but not on a per command or host level.

Dmitri Pal dpal at redhat.com
Tue Oct 16 16:09:50 UTC 2012


On 10/16/2012 11:30 AM, Macklin, Jason wrote:
>
> *Working user:*
>
>
> [jmacklin at dbduwdu062 log]$ sudo -l
>
> LDAP Config Summary
>
> ===================
>
> uri              ldap://dbduvdu145.dbr.roche.com
>
> ldap_version     3
>
> sudoers_base     ou=SUDOers,dc=dbr,dc=roche,dc=com
>
> binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=dbr,dc=roche,dc=com
>
> bindpw           Roche454
>
> bind_timelimit   5000
>
> timelimit        15
>
> ssl              start_tls
>
> tls_checkpeer    (yes)
>
> tls_cacertfile   /etc/ipa/ca.crt
>
> ===================
>
> sudo: ldap_set_option: debug -> 0
>
> sudo: ldap_set_option: tls_checkpeer -> 1
>
> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
>
> sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
>
> sudo: ldap_initialize(ld, ldap://dbduvdu145.dbr.roche.com)
>
> sudo: ldap_set_option: ldap_version -> 3
>
> sudo: ldap_set_option: timelimit -> 15
>
> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
>
> sudo: ldap_start_tls_s() ok
>
> sudo: ldap_sasl_bind_s() ok
>
> sudo: no default options found in ou=SUDOers,dc=dbr,dc=roche,dc=com
>
> sudo: ldap sudoHost 'ALL' ... MATCH!
>
> sudo: user_matches=1
>
> sudo: host_matches=1
>
> sudo: sudo_ldap_lookup(52)=0x82
>
> Matching Defaults entries for jmacklin on this host:
>
>     requiretty, !visiblepw, always_set_home, env_reset,
> env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
> env_keep+="MAIL PS1
>
>     PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
> env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
> env_keep+="LC_MONETARY
>
>     LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
> LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>
>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>
>  
>
> sudo: ldap search
> '(|(sudoUser=jmacklin)(sudoUser=%jmacklin)(sudoUser=%dbr)(sudoUser=%admins)(sudoUser=ALL))'
>
> sudo: ldap sudoHost 'ALL' ... MATCH!
>
> sudo: ldap search 'sudoUser=+*'
>
> User jmacklin may run the following commands on this host:
>
>     (root) ALL
>
>  
>
> *Non-working user:*
>
>
> *  Rule name: test4*
>
> *  Enabled: TRUE*
>
> *  Command category: all*
>
> *  Users: asteinfeld*
>
> *  Hosts: dbduwdu062.some.domain.com*
>
>  
>
> LDAP Config Summary
>
> ===================
>
> uri              ldap://dbduvdu145.dbr.roche.com
>
> ldap_version     3
>
> sudoers_base     ou=SUDOers,dc=dbr,dc=roche,dc=com
>
> binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=dbr,dc=roche,dc=com
>
> bindpw           Roche454
>
> bind_timelimit   5000
>
> timelimit        15
>
> ssl              start_tls
>
> tls_checkpeer    (yes)
>
> tls_cacertfile   /etc/ipa/ca.crt
>
> ===================
>
> sudo: ldap_set_option: debug -> 0
>
> sudo: ldap_set_option: tls_checkpeer -> 1
>
> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
>
> sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
>
> sudo: ldap_initialize(ld, ldap://dbduvdu145.dbr.roche.com)
>
> sudo: ldap_set_option: ldap_version -> 3
>
> sudo: ldap_set_option: timelimit -> 15
>
> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
>
> sudo: ldap_start_tls_s() ok
>
> sudo: ldap_sasl_bind_s() ok
>
> sudo: no default options found in ou=SUDOers,dc=dbr,dc=roche,dc=com
>
> sudo: ldap sudoHost 'dbduwdu062.dbr.roche.com' ... not
>

So this is the name the sudo client tries to match and it does not seem
to find any hosts.
Now we need to look at the ou=SUDOers,dc=dbr,dc=roche,dc=com with
ldapsearch and see the SUDO rules that are exposed by the server and
match them visually to the current host.


> sudo: user_matches=1
>
> sudo: host_matches=0
>
> sudo: sudo_ldap_lookup(52)=0x84
>
> [sudo] password for asteinfeld:
>
> Sorry, user asteinfeld may not run sudo on dbduwdu062.
>
>  
>
> Cheers,
>
> Jason
>
> *From:*Dmitri Pal [mailto:dpal at redhat.com]
> *Sent:* Tuesday, October 16, 2012 11:22 AM
> *To:* Macklin, Jason {DASB~Branford}
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] Sudo works for full access, but not on
> a per command or host level.
>
>  
>
> On 10/16/2012 11:09 AM, Macklin, Jason wrote:
>
> Dmitri,
>
>  
>
> I will give you everything I've got.  If I can provide something else,
> let me know!
>
>  
>
> *Working User:*
>
>  
>
> *Sudo debug output:*
>
>  
>
> [jmacklin at dbduwdu062 log]$ sudo -l
>
> sudo: ldap_set_option: debug -> 0
>
> sudo: ldap_set_option: tls_checkpeer -> 1
>
> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
>
> sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
>
> sudo: ldap_set_option: ldap_version -> 3
>
> sudo: ldap_set_option: timelimit -> 15
>
> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
>
> sudo: ldap_start_tls_s() ok
>
> sudo: ldap_sasl_bind_s() ok
>
> sudo: no default options found in ou=SUDOers,dc=dbr,dc=roche,dc=com
>
> sudo: user_matches=1
>
> sudo: host_matches=1
>
> sudo: sudo_ldap_lookup(52)=0x82
>
> [sudo] password for jmacklin:
>
> Matching Defaults entries for jmacklin on this host:
>
>     requiretty, !visiblepw, always_set_home, env_reset,
> env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
> env_keep+="MAIL PS1
>
>     PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
> env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
> env_keep+="LC_MONETARY
>
>     LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
> LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>
>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>
>  
>
> sudo: ldap search
> '(|(sudoUser=jmacklin)(sudoUser=%jmacklin)(sudoUser=%dbr)(sudoUser=%admins)(sudoUser=ALL))'
>
> sudo: ldap search 'sudoUser=+*'
>
> User jmacklin may run the following commands on this host:
>
>     (root) ALL
>
>  
>
> */var/log/secure output:*
>
>  
>
> Oct 16 11:00:03 dbduwdu062 sudo: pam_unix(sudo:auth): authentication
> failure; logname=jmacklin uid=0 euid=0 tty=/dev/pts/1 ruser=jmacklin
> rhost=  user=jmacklin
>
> Oct 16 11:00:04 dbduwdu062 sudo: pam_sss(sudo:auth): authentication
> success; logname=jmacklin uid=0 euid=0 tty=/dev/pts/1 ruser=jmacklin
> rhost= user=jmacklin
>
> Oct 16 11:00:04 dbduwdu062 sudo: jmacklin : TTY=pts/1 ; PWD=/var/log ;
> USER=root ; COMMAND=list
>
>  
>
> *Non-working user:*
>
>
> *Sudo debug output:*
>
>
> [asteinfeld at dbduwdu062 ~]$ sudo -l
>
> sudo: ldap_set_option: debug -> 0
>
> sudo: ldap_set_option: tls_checkpeer -> 1
>
> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
>
> sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
>
> sudo: ldap_set_option: ldap_version -> 3
>
> sudo: ldap_set_option: timelimit -> 15
>
> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
>
> sudo: ldap_start_tls_s() ok
>
> sudo: ldap_sasl_bind_s() ok
>
> sudo: no default options found in ou=SUDOers,dc=dbr,dc=domain,dc=com
>
> sudo: user_matches=1
>
> sudo: host_matches=0
>
> sudo: sudo_ldap_lookup(52)=0x84
>
> [sudo] password for asteinfeld:
>
> Sorry, user asteinfeld may not run sudo on dbduwdu062
>
>  
>
> */var/log/secure output:*
>
>
> Oct 16 11:05:34 dbduwdu062 sudo: pam_unix(sudo:auth): authentication
> failure; logname=asteinfeld uid=0 euid=0 tty=/dev/pts/3
> ruser=asteinfeld rhost=  user=asteinfeld
>
> Oct 16 11:05:35 dbduwdu062 sudo: pam_sss(sudo:auth): authentication
> success; logname=asteinfeld uid=0 euid=0 tty=/dev/pts/3
> ruser=asteinfeld rhost= user=asteinfeld
>
> Oct 16 11:05:35 dbduwdu062 sudo: asteinfeld : command not allowed ;
> TTY=pts/3 ; PWD=/home2/asteinfeld ; USER=root ; COMMAND=list
>
>  
>
> Cheers.
>
> Jason
>
>
>
> Please set sudoers_debug 2
>
> http://www.doxer.org/learn-linux/modify-sudoers_debug-in-ldap-conf-to-debug-sudo-on-linux-and-solaris/
>
>  
>
>  
>
>  
>
> *From:*freeipa-users-bounces at redhat.com
> <mailto:freeipa-users-bounces at redhat.com>
> [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Dmitri Pal
> *Sent:* Tuesday, October 16, 2012 10:33 AM
> *To:* freeipa-users at redhat.com <mailto:freeipa-users at redhat.com>
> *Subject:* Re: [Freeipa-users] Sudo works for full access, but not on
> a per command or host level.
>
>  
>
> On 10/16/2012 10:05 AM, Macklin, Jason wrote:
>
> When I become the user in question I see the following in the sssd log.
>
>  
>
>             [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC
> rule [test]
>
>  
>
> I think this is a sudo problem before anything else.  For a user in
> which sudo works, host_matches = 1 always returns when debugging is
> on.  For a user that does not work host_matches always equals 0 (zero).
>
>  
>
>
> Is there any way to see a more detailed debug log from sudo then? It
> should show what it is looking for and what it is getting back from
> the server.
>
>
>
> I am open to troubleshooting the ldap configuration as I am not
> convinced that it is referencing the host properly.  I enroll the
> clients using FQDN, but noticed that initially, domainname and
> nisdomainname would return (none).  Fixing these to show the correct
> domain did not change the behavior of the nodes though.
>
>  
>
> Thanks again!
>
>  
>
> Jason
>
>  
>
> *From:*freeipa-users-bounces at redhat.com
> <mailto:freeipa-users-bounces at redhat.com>
> [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Dmitri Pal
> *Sent:* Monday, October 15, 2012 5:58 PM
> *To:* freeipa-users at redhat.com <mailto:freeipa-users at redhat.com>
> *Subject:* Re: [Freeipa-users] Sudo works for full access, but not on
> a per command or host level.
>
>  
>
> On 10/15/2012 04:46 PM, Dmitri Pal wrote:
>
> On 10/15/2012 04:34 PM, Macklin, Jason wrote:
>
> Hi,
>
>  
>
> I apologize up front if this is obvious, but I'm having issues
> configuring sudo privileges. 
>
>  
>
> I currently have an IPA server running FreeIPA 2.2 with sudo
> configured for our administrators on all hosts.  This works
> fantastic!  As soon as I attempt to configure a more specific sudo
> rule it does not work.  In my troubleshooting, I have noticed that
> from the same host my admin level privileges work, but with another
> user account setup to just run one command, it fails.  I have turned
> on sudo debugging and the only thing I can find that looks out of
> sorts is the following:
>
>  
>
> sudo: host_matches=0
>
>  
>
> As soon as I move the user account that is failing into the admin
> group it starts to work.
>
>  
>
> I have attempted every iteration of sudo configuration on the server
> that I can think of.  I have setup HBAC and given that a shot as
> well.  At this point I'm completely stumped and would appreciate any
> help that I can get!
>
>
> What does sudo test return?
>
>
> Yes I meant HBAC. I might have confused you and myself so let us start over.
>
> First we need to make sure that the authentication happens correctly
> so if HBAC is set to allow you should see in the SSSD log that access
> is granted. That will limit the problem to just SUDO. If you have the
> allow_all HBAC rule and no other rules then we can probably skip this
> step and move on to trying to solve the actual SUDO part.
>
> So with SUDO one of the known issues is the long vs short hostname. Do
> you by any chance use a short host name for that host?
> If names are FQDN the next step would be to use ldapsearch from the
> client and see what LDAP entries the server would return.
>
>
>
>
>      
>
>     Thank you in advance for your assistance,
>
>     Jason
>
>
>
>
>
>
>     _______________________________________________
>
>     Freeipa-users mailing list
>
>     Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>
>     https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
>
>
>
> -- 
> Thank you,
> Dmitri Pal
>  
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>  
>  
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/ <http://www.redhat.com/carveoutcosts/>
>  
>  
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
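The thread's diagnosis turns on one line of sudo debug output: `sudo: ldap sudoHost '<name>' ... not` followed by `host_matches=0`, with the suggested next step being an ldapsearch of ou=SUDOers and a visual comparison of each rule's sudoHost against the client's hostname (the long-vs-short hostname issue Dmitri mentions). The script below is an added example, not code from the thread or from FreeIPA or sudo; it parses a constructed LDIF dump shaped like what the FreeIPA compat tree returns for sudoRole entries and applies the sudoHost matching that sudo performs for the common cases (`ALL`, exact FQDN or short-name match, `!` negation, `+netgroup` flagged as not checkable offline), then reports which rules would match this client and hints when a non-matching sudoHost names the same short host under a different domain suffix. The entry names, DNs and the `some.domain.com` suffix are placeholders taken from the thread, not real records.

```python
"""Offline check of sudo-ldap sudoHost matching against a client hostname.

Added example (not from the thread). SAMPLE_LDIF is constructed to resemble
an ldapsearch dump of ou=SUDOers; dc=example,dc=com and the rule names are
placeholders.
"""

# Constructed sample: an all-hosts admin rule, a rule pinned to a host under a
# different suffix than the client's FQDN, and a rule using the short name.
SAMPLE_LDIF = """\
dn: cn=admins_all,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: admins_all
sudoUser: %admins
sudoHost: ALL
sudoCommand: ALL

dn: cn=test4,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: test4
sudoUser: asteinfeld
sudoHost: dbduwdu062.some.domain.com
sudoCommand: ALL

dn: cn=short_name,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: short_name
sudoUser: asteinfeld
sudoHost: dbduwdu062
sudoCommand: /usr/bin/systemctl
"""


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attribute: [values]} dicts.
    Handles folded continuation lines (leading space); base64 '::' values
    are not decoded, which is enough for sudoRole attributes."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if raw.startswith(" ") and last_attr:
            current[last_attr][-1] += raw[1:]  # continuation of previous value
            continue
        if not raw.strip():                    # blank line terminates an entry
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    return entries


def host_value_matches(value, fqdn, short):
    """Mirror sudo's sudoHost evaluation for the common cases.
    Returns True/False, or None for '+netgroup' values, which need an NIS or
    SSSD netgroup lookup that an offline check cannot perform."""
    negate = value.startswith("!")
    if negate:
        value = value[1:]
    if value.startswith("+"):
        return None
    hit = value == "ALL" or value.lower() in (fqdn.lower(), short.lower())
    return (not hit) if negate else hit


def diagnose(entries, fqdn):
    """Classify every sudoRole entry for this client.
    Returns {cn: (verdict, hint)} with verdict in {'match', 'no_match', 'unknown'}."""
    short = fqdn.split(".", 1)[0]
    report = {}
    for entry in entries:
        if "sudoRole" not in entry.get("objectClass", []):
            continue
        cn = entry["cn"][0]
        hosts = entry.get("sudoHost", [])
        verdicts = [host_value_matches(v, fqdn, short) for v in hosts]
        if any(v is True for v in verdicts):
            report[cn] = ("match", "")
        elif any(v is None for v in verdicts):
            report[cn] = ("unknown", "netgroup membership not checked offline")
        else:
            # Point at the long-vs-short / wrong-suffix case the thread discusses.
            hints = [
                f"'{v}' names the same short host as '{fqdn}' but a different domain suffix"
                for v in hosts
                if v.lstrip("!").split(".", 1)[0].lower() == short.lower()
            ]
            report[cn] = ("no_match", "; ".join(hints))
    return report


if __name__ == "__main__":
    # The client name from the thread's debug line; on a real client use
    # socket.getfqdn() and feed in the actual ldapsearch output instead.
    client_fqdn = "dbduwdu062.dbr.roche.com"
    for cn, (verdict, hint) in diagnose(parse_ldif(SAMPLE_LDIF), client_fqdn).items():
        print(f"{cn:12s} {verdict:9s} {hint}")
```

On a real client the input would come from something like `ldapsearch -x -ZZ -H ldap://dbduvdu145.dbr.roche.com -b ou=SUDOers,dc=dbr,dc=roche,dc=com '(objectClass=sudoRole)'` run with the same bind identity sudo uses, so that what the script sees is exactly what sudo is allowed to read; the comparison is against the name in the `sudo: ldap sudoHost '...'` debug line, which is what sudo actually tries to match.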


