[Freeipa-users] Issue IPA: AD Users and IPA Users when using SSS/LDAP with SUDO
Aly Khimji
aly.khimji at gmail.com
Wed Apr 24 16:38:31 UTC 2013
Hey All,
Hoping you can help out; I have provided all the details below. I have broken up
the diagnostics into sudo-ldap for AD/IPA users and sudo-sss for AD/IPA
users.
Quick background. I have a 2003 Domain, with an IPA Trust established and
working. AD users as well as local IPA users are able to log in to
clients, and HBAC with both types of users works as expected. The problem is with
SUDO. The sudo uid has been configured, and I have followed the RedHat IDM
Setup docs for v3. AD users have been nested as required:
AD users -> AD Grp -> IPA Ext Grp -> IPA Posix Grp --> HBAC/SUDO applied to
this group
IPA User -> Same HBAC/SUDO as above
When using sudo-ldap on the client side neither local IPA users nor AD users
are able to use sudo (see below); when using sudo through sssd only the
local IPA user is able to fetch the correct sudo rules.
atest = local IPA user
btest = AD trust user
All platforms are RHEL6.4 fully updated 64bit
Server Pkgs
libipa_hbac-python-1.9.2-82.4.el6_4.x86_64
ipa-python-3.0.0-26.el6_4.2.x86_64
ipa-client-3.0.0-26.el6_4.2.x86_64
ipa-server-3.0.0-26.el6_4.2.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-server-trust-ad-3.0.0-26.el6_4.2.x86_64
libipa_hbac-1.9.2-82.4.el6_4.x86_64
ipa-admintools-3.0.0-26.el6_4.2.x86_64
ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
libsss_idmap-1.9.2-82.4.el6_4.x86_64
sssd-1.9.2-82.4.el6_4.x86_64
libsss_autofs-1.9.2-82.4.el6_4.x86_64
sssd-client-1.9.2-82.4.el6_4.x86_64
sudo-1.8.6p3-7.el6.x86_64
Client Pkgs
ipa-python-3.0.0-25.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.9.2-82.el6.x86_64
ipa-client-3.0.0-25.el6.x86_64
libipa_hbac-1.9.2-82.el6.x86_64
sssd-1.9.2-82.el6.x86_64
libsss_sudo-1.9.2-82.el6.x86_64
sssd-client-1.9.2-82.el6.x86_64
libsss_autofs-1.9.2-82.el6.x86_64
libsss_idmap-1.9.2-82.el6.x86_64
sudo-1.8.6p3-7.el6.x86_6
Diag when using SUDO-> SSS
LOCAL IDM USER
-sh-4.1$ sudo -l
Matching Defaults entries for atest on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User atest may run the following commands on this host:
(root : wheel) /usr/bin/less
-sh-4.1$
AD TRUST USER
-sh-4.1$ sudo -l
[sudo] password for btest at corpnonprd.xxxx.com:
User btest at corpnonprd.xxxx.com is not allowed to run sudo on rhidmclient.
-sh-4.1$
[root at rhidmclient ~]# cat /etc/nsswitch.conf
....
sudoers: files sss
/etc/sssd/sssd.conf (CLIENT)
[domain/nix.corpnonprd.xxxx.com]
debug_level = 5
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = nix.corpnonprd.xxxx.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = rhidmclient.nix.corpnonprd.xxxx.com
chpass_provider = ipa
ipa_server = _srv_, didmsvrua01.nix.corpnonprd.xxxx.com
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_uri = ldap://didmsvrua01.nix.corpnonprd.xxxx.com
ldap_sudo_search_base = ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/rhidmclient.nix.corpnonprd.xxxx.com
ldap_sasl_realm = NIX.CORPNONPRD.XXXX.COM
krb5_server = didmsvrua01.nix.corpnonprd.XXXX.com
subdomains_provider = ipa
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, ssh, sudo, pac
[sudo]
/etc/krb5.conf (CLIENT)
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = NIX.CORPNONPRD.xxxx.COM
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
NIX.CORPNONPRD.xxxx.COM = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
auth_to_local = RULE:[1:$1@$0](^.*@CORPNONPRD.xxxx.COM$)s/@
CORPNONPRD.xxxx.COM/@corpnonprd.xxxx.com/
auth_to_local = DEFAULT
}
[domain_realm]
.nix.corpnonprd.xxxx.com = NIX.CORPNONPRD.xxxx.COM
nix.corpnonprd.xxxx.com = NIX.CORPNONPRD.xxxx.COM
/var/log/sssd output (CLIENT) when triggering $>sudo -l
LOCAL IDM USER
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[be_get_account_info] (0x0100): Got request for [3][1][name=atest]
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[sdap_initgr_nested_search] (0x0040): Search for group
cn=ipausers,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com,
returned 0 results. Skipping
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[sdap_initgr_nested_search] (0x0040): Search for group
ipauniqueid=ca686218-ac49-11e2-b2da-0050569a7aa2,cn=sudorules,cn=sudo,dc=nix,dc=corpnonprd,dc=xxxx,dc=com,
returned 0 results. Skipping
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[sdap_initgr_nested_search] (0x0040): Search for group
ipauniqueid=b4b8650c-ac4a-11e2-8386-0050569a7aa2,cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com,
returned 0 results. Skipping
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[be_pam_handler] (0x0100): Got request with the following data
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): domain: nix.corpnonprd.xxxx.com
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): user: atest
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): service: sudo
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): tty: /dev/pts/3
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): ruser: atest
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): rhost:
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): authtok type: 1
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): authtok size: 11
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): newauthtok type: 0
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): newauthtok size: 0
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): priv: 0
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): cli_pid: 5382
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[check_for_valid_tgt] (0x0080): TGT is valid.
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[be_resolve_server_process] (0x0200): Found address for server
didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[krb5_find_ccache_step] (0x0080): Saved ccache
FILE:/tmp/krb5cc_818800005_KVeSdP if of different type than ccache in
configuration file, reusing the old ccache
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[fo_set_port_status] (0x0100): Marking port 389 of server '
didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[set_server_common_status] (0x0100): Marking server '
didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>)
[Success]
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[be_pam_handler_callback] (0x0100): Sending result [0][
nix.corpnonprd.xxxx.com]
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[be_pam_handler_callback] (0x0100): Sent result [0][nix.corpnonprd.xxxx.com]
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[child_sig_handler] (0x0100): child [5383] finished successfully.
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[be_pam_handler] (0x0100): Got request with the following data
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): domain: nix.corpnonprd.xxxx.com
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): user: atest
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): service: sudo
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): tty: /dev/pts/3
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): ruser: atest
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): rhost:
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): authtok type: 0
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): authtok size: 0
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): newauthtok type: 0
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): newauthtok size: 0
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): priv: 0
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): cli_pid: 5382
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [test_HBAC]
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>)
[Success]
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success)
[Success]
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[be_pam_handler_callback] (0x0100): Sending result [0][
nix.corpnonprd.xxxx.com]
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[be_pam_handler_callback] (0x0100): Sent result [0][nix.corpnonprd.xxxx.com]
AD TRUST USER
(Wed Apr 24 10:57:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[be_get_account_info] (0x0100): Got request for [3][1][name=btest]
(Wed Apr 24 10:57:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup
failed
(Wed Apr 24 10:57:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[be_get_account_info] (0x0100): Got request for [3][1][name=btest]
(Wed Apr 24 10:57:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup
failed
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[be_get_account_info] (0x0100): Got request for [3][1][name=btest]
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup
failed
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[be_pam_handler] (0x0100): Got request with the following data
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): user: btest at CorpNonPrd.xxxx.com
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): service: sudo
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): tty: /dev/pts/3
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): ruser: btest at corpnonprd.xxxx.com
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): rhost:
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): authtok type: 1
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): authtok size: 11
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): newauthtok type: 0
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): newauthtok size: 0
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): priv: 0
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): cli_pid: 5412
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[check_for_valid_tgt] (0x0020): krb5_cc_retrieve_cred failed.
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[be_resolve_server_process] (0x0200): Found address for server
didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[krb5_find_ccache_step] (0x0080): Saved ccache
FILE:/tmp/krb5cc_59401108_CfhZS2 if of different type than ccache in
configuration file, reusing the old ccache
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[fo_set_port_status] (0x0100): Marking port 389 of server '
didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[set_server_common_status] (0x0100): Marking server '
didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>)
[Success]
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[be_pam_handler_callback] (0x0100): Sending result [0][CorpNonPrd.xxxx.com]
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[be_pam_handler_callback] (0x0100): Sent result [0][CorpNonPrd.xxxx.com]
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[child_sig_handler] (0x0100): child [5414] finished successfully.
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[be_get_account_info] (0x0100): Got request for [3][1][name=btest]
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup
failed
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[be_pam_handler] (0x0100): Got request with the following data
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): user: btest at CorpNonPrd.xxxx.com
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): service: sudo
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): tty: /dev/pts/3
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): ruser: btest at corpnonprd.xxxx.com
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): rhost:
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): authtok type: 0
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): authtok size: 0
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): newauthtok type: 0
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): newauthtok size: 0
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): priv: 0
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[pam_print_data] (0x0100): cli_pid: 5412
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [test_HBAC]
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>)
[Success]
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[sss_selinux_extract_user] (0x0040): sysdb_search_user_by_name failed.
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[ipa_selinux_handler] (0x0040): Cannot create op context
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[be_pam_handler_callback] (0x0100): Backend returned: (3, 4, <NULL>)
[Internal Error (System error)]
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[be_pam_handler_callback] (0x0100): Sending result [0][CorpNonPrd.xxxx.com]
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[be_pam_handler_callback] (0x0100): Sent result [0][CorpNonPrd.xxxx.com]
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[be_get_account_info] (0x0100): Got request for [3][1][name=btest]
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup
failed
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[be_get_account_info] (0x0100): Got request for [3][1][name=btest]
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup
failed
* I did note the [Internal Error (System error)] and the 3,95,User lookup
failed, but I don't know the specifics of these calls.
USING SUDO-LDAP
[root at rhidmclient ~]# cat /etc/nsswitch.conf
....
sudoers: files ldap
[root at rhidmclient ~]# cat /etc/sudo-ldap.conf
....
bindn uid=sudo,cn=sysaccounts,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
bindpw xxxx
ssl start_tls
uri ldap://didmsvrua01.nix.corpnonprd.xxxx.com
sudoers_base ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
sudoers_debug 1
tls_cacertfile /etc/ipa/ca.crt
LOCAL IDM USER
-sh-4.1$ sudo -l
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: cn=defaults
sudo: no default options found in
ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
sudo: ldap search
'(|(sudoUser=atest)(sudoUser=%atest)(sudoUser=%#818800005)(sudoUser=ALL))'
sudo: searching from base 'ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com'
sudo: adding search result
sudo: result now has 0 entries
sudo: ldap search '(sudoUser=+*)'
sudo: searching from base 'ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com'
sudo: adding search result
sudo: result now has 0 entries
sudo: sorting remaining 0 entries
sudo: perform search for pwflag 52
sudo: done with LDAP searches
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(52)=0x82
[sudo] password for atest:
Your password will expire in 89 day(s).
sudo: ldap search for command list
sudo: reusing previous result (user atest) with 0 entries
User atest is not allowed to run sudo on rhidmclient.
sudo: removing reusable search result
-sh-4.1$
AD TRUST USER
-sh-4.1$ sudo -l
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: cn=defaults
sudo: no default options found in
ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
sudo: ldap search '(|(sudoUser=btest at corpnonprd.xxxx.com)(sudoUser=%
btest at corpnonprd.xxxx.com)(sudoUser=%#59401108)(sudoUser=%domain
admins at corpnonprd.xxxx.com)(sudoUser=%domain users at corpnonprd.xxxx.com
)(sudoUser=%seca at corpnonprd.xxxx.com
)(sudoUser=%ad_admins)(sudoUser=%#59400512)(sudoUser=%#59400513)(sudoUser=%#59401113)(sudoUser=%#818800006)(sudoUser=ALL))'
sudo: searching from base 'ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com'
sudo: adding search result
sudo: result now has 0 entries
sudo: ldap search '(sudoUser=+*)'
sudo: searching from base 'ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com'
sudo: adding search result
sudo: result now has 0 entries
sudo: sorting remaining 0 entries
sudo: perform search for pwflag 52
sudo: done with LDAP searches
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(52)=0x82
[sudo] password for btest at corpnonprd.xxxx.com:
Your password will expire in 8908 day(s).
sudo: ldap search for command list
sudo: reusing previous result (user btest at corpnonprd.xxxx.com) with 0
entries
User btest at corpnonprd.xxxx.com is not allowed to run sudo on rhidmclient.
sudo: removing reusable search result
-sh-4.1$
hope you guys can provide some support
Thx
Aly
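Added example for readers working through a trace like the one above; it is not code from the post or from the FreeIPA/SSSD projects. It re-joins the mail-wrapped sudo-ldap debug output and sssd backend log lines, splits the sudoUser filter into its principal terms (user, %group, %#gid, +netgroup, ALL), records the entry count of each search and the user_matches/host_matches flags, and pulls the non-zero "Returned ..." and "Backend returned: ..." codes, the granting HBAC rule, and anything logged at the serious/critical/fatal debug bits out of the sssd output. The sample text embedded in the block is constructed to mirror the shape of the post's output; the domain, ids, and DN are placeholders, and the function names and regular expressions are this example's own.

```python
import re

# Constructed sample of sudo-ldap "sudoers_debug 1" output, mail-wrapped like the post's
# filter line (placeholder domain, ids and rule names; not data from the post).
SUDO_LDAP_SAMPLE = """\
sudo: ldap search '(|(sudoUser=btest@example.test)(sudoUser=%
btest@example.test)(sudoUser=%#59401108)(sudoUser=%domain admins@example.test)(sudoUser=%ad_admins)(sudoUser=%#818800006)(sudoUser=ALL))'
sudo: result now has 0 entries
sudo: ldap search '(sudoUser=+*)'
sudo: result now has 0 entries
sudo: user_matches=1
sudo: host_matches=0
"""

# Constructed sssd backend log lines, also mail-wrapped: a line not opening with "("
# continues the previous record.
SSSD_SAMPLE = """\
(Wed Apr 24 10:57:15 2013) [sssd[be[nix.example.test]]]
[acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup
failed
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.example.test]]]
[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [test_HBAC]
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.example.test]]]
[sss_selinux_extract_user] (0x0040): sysdb_search_user_by_name failed.
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.example.test]]]
[be_pam_handler_callback] (0x0100): Backend returned: (3, 4, <NULL>)
[Internal Error (System error)]
"""

SUDO_FILTER_RE = re.compile(r"^sudo: ldap search '(?P<filter>.*)'$")
SUDO_ENTRIES_RE = re.compile(r"^sudo: result now has (?P<n>\d+) entries$")
SUDO_MATCH_RE = re.compile(r"^sudo: (?P<key>user_matches|host_matches)=(?P<val>\d)$")
SUDO_USER_TERM_RE = re.compile(r"\(sudoUser=([^()]*)\)")
SSSD_LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
ACCT_RET_RE = re.compile(r"Returned (?P<code>\d+),(?P<errno>\d+),")
PAM_RET_RE = re.compile(r"Backend returned: \((?P<code>\d+), (?P<errno>\d+), [^)]*\)(?: \[(?P<text>.*)\])?")
HBAC_RE = re.compile(r"Access granted by HBAC rule \[(?P<rule>[^\]]+)\]")
SERIOUS_OR_WORSE = 0x0040  # sssd.conf debug_level bits: 0x0010 fatal, 0x0020 critical, 0x0040 serious


def join_wrapped(text, prefix, sep):
    # Undo mail-client wrapping: a non-empty line not starting with `prefix` continues the previous record.
    records = []
    for raw in filter(None, text.splitlines()):
        if raw.startswith(prefix) or not records:
            records.append(raw)
        else:
            records[-1] += sep + raw
    return records


def classify_sudo_user(term):
    """Map one sudoUser value to the kind of principal sudo is matching on."""
    for prefix, kind in (("%#", "gid"), ("%", "group"), ("+", "netgroup"), ("#", "uid")):
        if term.startswith(prefix):
            return (kind, term[len(prefix):])
    return ("all", term) if term == "ALL" else ("user", term)


def parse_sudo_ldap(text):
    """LDAP searches sudo issued (filter, classified sudoUser terms, entry count) and its match flags."""
    result, current = {"searches": [], "user_matches": None, "host_matches": None}, None
    for line in join_wrapped(text, "sudo: ", ""):
        if m := SUDO_FILTER_RE.match(line):
            terms = [classify_sudo_user(t) for t in SUDO_USER_TERM_RE.findall(m["filter"])]
            current = {"filter": m["filter"], "terms": terms, "entries": None}
            result["searches"].append(current)
        elif (m := SUDO_ENTRIES_RE.match(line)) and current is not None:
            current["entries"] = int(m["n"])
        elif m := SUDO_MATCH_RE.match(line):
            result[m["key"]] = m["val"] == "1"
    return result


def parse_sssd_log(text):
    """sssd backend records: timestamp, domain, function, numeric debug level, message."""
    records = []
    for line in join_wrapped(text, "(", " "):
        if m := SSSD_LINE_RE.match(line):
            records.append({**m.groupdict(), "level": int(m["level"], 16)})
    return records


def summarize_sssd(records):
    """What to check first in a sudo/HBAC trace: failed lookups, non-zero backend results,
    the granting HBAC rule, and anything logged at the serious/critical/fatal bits."""
    s = {"lookup_failures": 0, "backend_errors": [], "hbac_granted": [], "serious": []}
    for rec in records:
        msg = rec["msg"]
        if rec["func"] == "acctinfo_callback" and (m := ACCT_RET_RE.search(msg)) and int(m["code"]):
            s["lookup_failures"] += 1
        if rec["func"] == "be_pam_handler_callback" and (m := PAM_RET_RE.search(msg)) and int(m["code"]):
            s["backend_errors"].append((int(m["code"]), int(m["errno"]), m["text"] or ""))
        if m := HBAC_RE.search(msg):
            s["hbac_granted"].append(m["rule"])
        if rec["level"] <= SERIOUS_OR_WORSE:
            s["serious"].append(rec["func"])
    return s


if __name__ == "__main__":
    sudo = parse_sudo_ldap(SUDO_LDAP_SAMPLE)
    print([(len(x["terms"]), x["entries"]) for x in sudo["searches"]], sudo["user_matches"], sudo["host_matches"])
    print(summarize_sssd(parse_sssd_log(SSSD_SAMPLE)))
```

Run against a pasted transcript, the sudo side tells you which principals (user, groups, gids) the client actually put into the sudoUser filter and whether any rule came back for them, while the sssd side separates the account-lookup failures from the PAM-stage backend errors so the two can be chased independently.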