[Freeipa-users] Sudo works for full access, but not on a per command or host level.

Rich Megginson rmeggins at redhat.com
Wed Oct 17 16:58:42 UTC 2012


On 10/17/2012 10:33 AM, Macklin, Jason wrote:
> ldapsearch -Y GSSAPI -H ldap://dbduvdu145.dbr.roche.com "ou=SUDOers,dc=dbr,dc=roche,dc=com"
> SASL/GSSAPI authentication started
> SASL username: admin at DBR.ROCHE.COM
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base<>  (default) with scope subtree
> # filter: ou=SUDOers,dc=dbr,dc=roche,dc=com
> # requesting: ALL
> #
>
> # search result
> search: 4
> result: 32 No such object
>
> # numResponses: 1
>
> Different response, but still no success with the non-working account.

Sorry - the ldapsearch command is wrong.  Try this:
ldapsearch -Y GSSAPI -H ldap://dbduvdu145.dbr.roche.com -b "ou=SUDOers,dc=dbr,dc=roche,dc=com"

>
> Cheers,
> Jason
>
> -----Original Message-----
> From: Dmitri Pal [mailto:dpal at redhat.com]
> Sent: Wednesday, October 17, 2012 11:56 AM
> To: Macklin, Jason {DASB~Branford}
> Cc: JR.Aquino at citrix.com; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.
>
> On 10/17/2012 09:26 AM, Macklin, Jason wrote:
>> Okay,
>>
>>    Rule name: test4
>>    Enabled: TRUE
>>    Command category: all
>>    Users: asteinfeld
>>    Hosts: dbduwdu062.dbr.roche.com
>>    Host Groups: tempsudo
>>
>> Client dbduwdu062 is matched in the rule by both the hosts and groups entry.
>>
>> /etc/nsswitch.conf has:
>>
>> 	Netgroups: files sss
>>
>> getent netgroup tempsudo returns:
>>
>> 	[jmacklin at dbduwdu062 Desktop]$ getent netgroup tempsudo
>> 	tempsudo              (dbduwdu063.dbr.roche.com, -, dbr.roche.com) (dbduwdu062.dbr.roche.com, -, dbr.roche.com)
>>
>> To the previous ldapsearch request:
>>
>> 	[jmacklin at dbduwdu062 Desktop]$ ldapsearch -Y GSSAPI -H ldap://dbduvdu145.dbr.roche.com "ou=SUDOers,dc=dbr,dc=roche,dc=com"
>> 	SASL/GSSAPI authentication started
>> 	ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
>> 	additional info: Entry permanently locked.
> It seems that you tried the wrong password and the account is now temporarily locked thus the server is unwilling to perform authentication for this account.
>
>> I am still scratching my head on this one...
>>
>> Cheers,
>> Jason
>>
>> If you look closely, the reason that your admin works is because it appears to be matching a sudo rule who has the "ALL" hosts value set.
>>
>> When you run the non working user, it is attempting to match the hostname/hostgroup to the rule and fails to do so.
>>
>> Try this. Type: getent netgroup hostgroupname   <- your host's hostgroup goes there.
>>
>> ^ that command should return all of the hosts in your hostgroup. If it does not, then check /etc/nsswitch.conf and make sure that netgroup is set to use sss.
>>
>> You will also need to make sure that the output of: domainname or nisdomainname matches your expected domain.
>>
>> Let me know how things look after trying that.
>>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio Red Hat Inc.
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
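The host-matching check JR Aquino walks through above (is the client's FQDN in the
hostgroup's netgroup as seen by getent, and does the triple's domain agree with
nisdomainname) can be scripted so it gives a reason instead of just a failed sudo.
The following is an added example written for this archive page; it is not code
from the thread or from FreeIPA/sudo. It parses `getent netgroup` output and applies
the same matching rule sudo's netgroup check uses via innetgr(): the host field must
equal the client FQDN, and the domain field must be empty or equal the NIS domain
(an unset or "(none)" nisdomainname is treated as a wildcard). The sample line is the
one Jason posted; the function and variable names are my own.

```python
import re
import socket
import subprocess
import sys

# One netgroup triple "(host, user, domain)"; any field may be empty or "-".
TRIPLE_RE = re.compile(r"\(\s*([^,()]*?)\s*,\s*([^,()]*?)\s*,\s*([^,()]*?)\s*\)")


def parse_netgroup(line):
    """Parse one `getent netgroup <name>` line into (name, [(host, user, domain), ...]).

    A '-' field (as printed by glibc for an unset member) is normalised to ''.
    """
    name, _, rest = line.strip().partition(" ")
    triples = []
    for host, user, domain in TRIPLE_RE.findall(rest):
        triples.append(tuple("" if f == "-" else f for f in (host, user, domain)))
    return name, triples


def host_rule_would_match(line, fqdn, nisdomain):
    """Return (ok, reason) for whether a sudo rule on this netgroup would match fqdn.

    Mirrors innetgr() semantics: an empty triple domain is a wildcard, and an
    unset NIS domain on the client ("" or "(none)") skips the domain comparison.
    """
    _, triples = parse_netgroup(line)
    fqdn = fqdn.lower()
    want_domain = nisdomain.strip().lower()
    if want_domain == "(none)":
        want_domain = ""  # client has no NIS domain: domain field is not compared
    hosts = [(h.lower(), d.lower()) for h, _, d in triples if h]
    if not hosts:
        return False, ("netgroup resolved to no host entries; check that "
                       "nsswitch.conf has 'netgroup: files sss'")
    for host, domain in hosts:
        if host != fqdn:
            continue
        if domain and want_domain and domain != want_domain:
            return False, ("host %s is in the netgroup but its domain %r does not "
                           "match nisdomainname %r" % (host, domain, nisdomain))
        return True, "host %s matched (netgroup domain %r)" % (host, domain or "<any>")
    return False, "host %s not in netgroup; members: %s" % (
        fqdn, ", ".join(h for h, _ in hosts) or "<none>")


def live_check(netgroup):
    """Run the same commands as in the thread on this host and evaluate the result."""
    out = subprocess.run(["getent", "netgroup", netgroup],
                         capture_output=True, text=True)
    if out.returncode != 0:
        return False, ("getent netgroup %s failed (rc=%d): the netgroup is not "
                       "resolvable through nss" % (netgroup, out.returncode))
    nisdomain = subprocess.run(["nisdomainname"],
                               capture_output=True, text=True).stdout
    return host_rule_would_match(out.stdout, socket.getfqdn(), nisdomain)


if __name__ == "__main__":
    # Usage: python3 netgroup_check.py tempsudo
    ok, reason = live_check(sys.argv[1] if len(sys.argv) > 1 else "tempsudo")
    print(("OK: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

Running it on dbduwdu062 with the output Jason pasted would report a match, so a
remaining failure there points at something other than netgroup resolution (for
example the sudo LDAP lookup of the compat tree itself, which the corrected
ldapsearch with `-b` verifies).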
