[Freeipa-users] Issue IPA: AD Users and IPA Users when using SSS/LDAP with SUDO

Dmitri Pal dpal at redhat.com
Wed Apr 24 17:01:41 UTC 2013


On 04/24/2013 12:38 PM, Aly Khimji wrote:
> Hey All,
>
> Hoping you can help out I have provided all details below. I have
> broken up diagnostics into sudo-ldap for AD/IPA users and sudo-sss for
> for AD/IPA users. 
> Quick background. Have a 2003 Domain, with an IPA Trust Established
> and working. AD users and well as local IPA users are able to login
> into clients, HBAC with both type of users work as expected. Problem
> is with SUDO. sudo uid has been configured, and I have  followed the
> RedHat IDM Setup docs for v3. AD users have been nested as required
>
> AD users -> AD Grp -> IPA Ext Grp -> IPA Posix Grp -->HBAC/SUDO
> applied to this group
> IPA User -> Same HBAC/SUDO as above
>
> When using sudo-ldap on the client side neither local IPA users or AD
> users are able to use sudo(see below), when using sudo through sssd
> only the local IPA user is able to fetch the correct sudo rules. 
>
> atest = local IPA user
> btest = AD trust user
>
>
> All platforms are RHEL6.4 fully updated 64bit
>
> Server Pkgs
> libipa_hbac-python-1.9.2-82.4.el6_4.x86_64
> ipa-python-3.0.0-26.el6_4.2.x86_64
> ipa-client-3.0.0-26.el6_4.2.x86_64
> ipa-server-3.0.0-26.el6_4.2.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-server-trust-ad-3.0.0-26.el6_4.2.x86_64
> libipa_hbac-1.9.2-82.4.el6_4.x86_64
> ipa-admintools-3.0.0-26.el6_4.2.x86_64
> ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
>
> libsss_idmap-1.9.2-82.4.el6_4.x86_64
> sssd-1.9.2-82.4.el6_4.x86_64
> libsss_autofs-1.9.2-82.4.el6_4.x86_64
> sssd-client-1.9.2-82.4.el6_4.x86_64
>
> sudo-1.8.6p3-7.el6.x86_64
>
> Client Pkgs
> ipa-python-3.0.0-25.el6.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> libipa_hbac-python-1.9.2-82.el6.x86_64
> ipa-client-3.0.0-25.el6.x86_64
> libipa_hbac-1.9.2-82.el6.x86_64
>
> sssd-1.9.2-82.el6.x86_64
> libsss_sudo-1.9.2-82.el6.x86_64
> sssd-client-1.9.2-82.el6.x86_64
> libsss_autofs-1.9.2-82.el6.x86_64
> libsss_idmap-1.9.2-82.el6.x86_64
>
> sudo-1.8.6p3-7.el6.x86_6
>
>
> Diag when using  SUDO-> SSS
>
> LOCAL IDM USER 
> -sh-4.1$ sudo -l
> Matching Defaults entries for atest on this host:
>     requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
>     DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
> env_keep+="MAIL PS1
>     PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
>     LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
>     LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
>     LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>
> User atest may run the following commands on this host:
>     (root : wheel) /usr/bin/less
> -sh-4.1$
>
>
> AD TRUST USER
> -sh-4.1$ sudo -l
> [sudo] password for btest@corpnonprd.xxxx.com:
> User btest@corpnonprd.xxxx.com is not allowed to run sudo on rhidmclient.
> -sh-4.1$
>
>
> [root at rhidmclient ~]# cat /etc/nsswitch.conf
> ....
> sudoers: files sss
>
>
> /etc/sssd/sssd.conf (CLIENT)
>
> [domain/nix.corpnonprd.xxxx.com]
> debug_level = 5
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = nix.corpnonprd.xxxx.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = rhidmclient.nix.corpnonprd.xxxx.com
> chpass_provider = ipa
> ipa_server = _srv_, didmsvrua01.nix.corpnonprd.xxxx.com
> ldap_tls_cacert = /etc/ipa/ca.crt
>
> sudo_provider = ldap
> ldap_uri = ldap://didmsvrua01.nix.corpnonprd.xxxx.com
> ldap_sudo_search_base = ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/rhidmclient.nix.corpnonprd.xxxx.com
> ldap_sasl_realm = NIX.CORPNONPRD.XXXX.COM
> krb5_server = didmsvrua01.nix.corpnonprd.XXXX.com
>
> subdomains_provider = ipa
>
> [sssd]
> config_file_version = 2
> reconnection_retries = 3
> sbus_timeout = 30
> services = nss, pam, ssh, sudo, pac
>
> [sudo]
>
>
>
> /etc/krb5.conf (CLIENT)
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [libdefaults]
>   default_realm = NIX.CORPNONPRD.xxxx.COM
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = yes
>
> [realms]
>   NIX.CORPNONPRD.xxxx.COM = {
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>   auth_to_local = RULE:[1:$1@$0](^.*@CORPNONPRD.xxxx.COM$)s/@CORPNONPRD.xxxx.COM/@corpnonprd.xxxx.com/
>   auth_to_local = DEFAULT
>   }
>
> [domain_realm]
>   .nix.corpnonprd.xxxx.com = NIX.CORPNONPRD.xxxx.COM
>   nix.corpnonprd.xxxx.com = NIX.CORPNONPRD.xxxx.COM
>
>
> /var/log/sssd output (CLIENT) when triggering $>sudo -l
>
> LOCAL IDM USER
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=atest]
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_initgr_nested_search] (0x0040): Search for group cn=ipausers,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com, returned 0 results. Skipping
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_initgr_nested_search] (0x0040): Search for group ipauniqueid=ca686218-ac49-11e2-b2da-0050569a7aa2,cn=sudorules,cn=sudo,dc=nix,dc=corpnonprd,dc=xxxx,dc=com, returned 0 results. Skipping
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_initgr_nested_search] (0x0040): Search for group ipauniqueid=b4b8650c-ac4a-11e2-8386-0050569a7aa2,cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com, returned 0 results. Skipping
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: nix.corpnonprd.xxxx.com
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: atest
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: sudo
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: /dev/pts/3
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser: atest
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost:
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 1
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 11
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 5382
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [check_for_valid_tgt] (0x0080): TGT is valid.
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x0200): Found address for server didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [krb5_find_ccache_step] (0x0080): Saved ccache FILE:/tmp/krb5cc_818800005_KVeSdP if of different type than ccache in configuration file, reusing the old ccache
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_server_common_status] (0x0100): Marking server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][nix.corpnonprd.xxxx.com]
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][nix.corpnonprd.xxxx.com]
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_sig_handler] (0x0100): child [5383] finished successfully.
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: nix.corpnonprd.xxxx.com
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: atest
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: sudo
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: /dev/pts/3
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser: atest
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost:
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 0
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 0
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 5382
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [test_HBAC]
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][nix.corpnonprd.xxxx.com]
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][nix.corpnonprd.xxxx.com]
>
>
>
> AD TRUST USER
> (Wed Apr 24 10:57:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
> (Wed Apr 24 10:57:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
> (Wed Apr 24 10:57:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
> (Wed Apr 24 10:57:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: btest@CorpNonPrd.xxxx.com
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: sudo
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: /dev/pts/3
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser: btest@corpnonprd.xxxx.com
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost:
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 1
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 11
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 5412
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [check_for_valid_tgt] (0x0020): krb5_cc_retrieve_cred failed.
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x0200): Found address for server didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [krb5_find_ccache_step] (0x0080): Saved ccache FILE:/tmp/krb5cc_59401108_CfhZS2 if of different type than ccache in configuration file, reusing the old ccache
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_server_common_status] (0x0100): Marking server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][CorpNonPrd.xxxx.com]
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][CorpNonPrd.xxxx.com]
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_sig_handler] (0x0100): child [5414] finished successfully.
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: btest@CorpNonPrd.xxxx.com
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: sudo
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: /dev/pts/3
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser: btest@corpnonprd.xxxx.com
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost:
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 0
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 0
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 5412
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [test_HBAC]
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sss_selinux_extract_user] (0x0040): sysdb_search_user_by_name failed.
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_selinux_handler] (0x0040): Cannot create op context
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][CorpNonPrd.xxxx.com]
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][CorpNonPrd.xxxx.com]
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
>
> * I did note the [Internal Error (System error)] & the 3,95,User
> lookup failed, but I don't know specifics of these calls
>
>
>
> USING SUDO-LDAP
>
> [root at rhidmclient ~]# cat /etc/nsswitch.conf
> ....
> sudoers: files ldap
>
> [root at rhidmclient ~]# cat /etc/sudo-ldap.conf
> ....
> bindn uid=sudo,cn=sysaccounts,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
> bindpw xxxx
> ssl start_tls
> uri ldap://didmsvrua01.nix.corpnonprd.xxxx.com
> sudoers_base ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
> sudoers_debug 1
> tls_cacertfile /etc/ipa/ca.crt
>
>
>
> LOCAL IDM USER
> -sh-4.1$ sudo -l
> sudo: ldap_set_option: debug -> 0
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_sasl_bind_s() ok
> sudo: Looking for cn=defaults: cn=defaults
> sudo: no default options found in
> ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
> sudo: ldap search
> '(|(sudoUser=atest)(sudoUser=%atest)(sudoUser=%#818800005)(sudoUser=ALL))'
> sudo: searching from base 'ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com'
> sudo: adding search result
> sudo: result now has 0 entries
> sudo: ldap search '(sudoUser=+*)'
> sudo: searching from base 'ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com'
> sudo: adding search result
> sudo: result now has 0 entries
> sudo: sorting remaining 0 entries
> sudo: perform search for pwflag 52
> sudo: done with LDAP searches
> sudo: user_matches=1
> sudo: host_matches=0
> sudo: sudo_ldap_lookup(52)=0x82
> [sudo] password for atest:
> Your password will expire in 89 day(s).
> sudo: ldap search for command list
> sudo: reusing previous result (user atest) with 0 entries
> User atest is not allowed to run sudo on rhidmclient.
> sudo: removing reusable search result
> -sh-4.1$
>
>
> AD TRUST USER
> -sh-4.1$ sudo -l
> sudo: ldap_set_option: debug -> 0
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_sasl_bind_s() ok
> sudo: Looking for cn=defaults: cn=defaults
> sudo: no default options found in
> ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
> sudo: ldap search '(|(sudoUser=btest@corpnonprd.xxxx.com)(sudoUser=%btest@corpnonprd.xxxx.com)(sudoUser=%#59401108)(sudoUser=%domain admins@corpnonprd.xxxx.com)(sudoUser=%domain users@corpnonprd.xxxx.com)(sudoUser=%seca@corpnonprd.xxxx.com)(sudoUser=%ad_admins)(sudoUser=%#59400512)(sudoUser=%#59400513)(sudoUser=%#59401113)(sudoUser=%#818800006)(sudoUser=ALL))'
> sudo: searching from base 'ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com'
> sudo: adding search result
> sudo: result now has 0 entries
> sudo: ldap search '(sudoUser=+*)'
> sudo: searching from base 'ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com'
> sudo: adding search result
> sudo: result now has 0 entries
> sudo: sorting remaining 0 entries
> sudo: perform search for pwflag 52
> sudo: done with LDAP searches
> sudo: user_matches=1
> sudo: host_matches=0
> sudo: sudo_ldap_lookup(52)=0x82
> [sudo] password for btest@corpnonprd.xxxx.com:
> Your password will expire in 8908 day(s).
> sudo: ldap search for command list
> sudo: reusing previous result (user btest@corpnonprd.xxxx.com) with 0 entries
> User btest@corpnonprd.xxxx.com is not allowed to run sudo on rhidmclient.
> sudo: removing reusable search result
> -sh-4.1$
>
> hope you guys can provide some support
>

I am not sure that sudo-ldap would work for the trust case at all. The
resolution of user to sudo rule via his AD group membership to IPA
groups is tricky and done by SSSD. sudo natively can't resolve it, as part
of the data is not stored in LDAP but taken from the Kerberos ticket
that the user has.

I suspect that sudo does not work for the AD user in the SSSD test above
because the user has never authenticated. The user should authenticate and get
on the box first, either via SSH or via a direct login into the box. In
both cases there will be a Kerberos TGT acquired for this user. The TGT
will come from AD and will have an MS-PAC, a blob of authorization data
that contains the list of the groups the user is a member of. One of the
groups should be a member of the IPA group, so the user would be
resolved to the right sudo rule(s). Right now data about the AD group
membership is missing. Please authenticate with the test user and try again.

> Thx
>
> Aly
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
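The lookup that the sudoers_debug traces above record, as an added example modelled in Python. It is not code from the post, from sudo or from SSSD. It rebuilds the sudoUser filter in the shape the traces show (the user name, %primary group, %#primary gid, %each supplementary group, %#each supplementary gid, and ALL, OR-ed together) and then applies the two checks that decide whether a sudoRole entry applies: whether any sudoUser value names the user, one of the groups the client currently knows for the user, one of those gids, or ALL; and whether a sudoHost value covers this host (ALL, the host's own name, or a +netgroup containing it, which is how the compat tree presents an IPA hostgroup). The rule test_sudo, the hostgroup test_hg, the primary group and gid values, and the netgroup table are constructed for the example. The first identity is btest as seen by a client that does not yet know the AD memberships nested into ad_admins; the second has them, which is the state Dmitri's reply says authentication with a PAC-bearing TGT produces.

```python
"""Model of the sudo-ldap lookup traced above with sudoers_debug 1.
Added example; not code from the post, from sudo or from SSSD. Assumed
names: rule test_sudo, hostgroup test_hg, the gids, the netgroup table."""

from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Identity:
    """What the sudo front end knows about the invoking user when it builds
    the sudoUser filter. The supplementary part is exactly what depends on
    the client having resolved the AD user's nested memberships."""
    name: str
    primary_group: str
    primary_gid: int
    groups: Tuple[str, ...] = ()
    gids: Tuple[int, ...] = ()


@dataclass(frozen=True)
class SudoRole:
    """A sudoRole entry as the IPA compat tree (ou=sudoers,...) exposes it."""
    cn: str
    sudo_user: Tuple[str, ...]     # "name", "%group", "%#gid" or "ALL"
    sudo_host: Tuple[str, ...]     # "ALL", a host name, or "+netgroup"
    sudo_command: Tuple[str, ...]


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value interpolated into a search filter, so a
    user or group name containing ')' or '*' cannot widen the query."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_user_filter(ident: Identity) -> str:
    """Rebuild the first search sudo-ldap issues, in the order the traces
    above show: name, %primary group, %#primary gid, %supplementary groups,
    %#supplementary gids, ALL."""
    parts = [ldap_escape(ident.name),
             "%" + ldap_escape(ident.primary_group),
             "%#" + str(ident.primary_gid)]
    parts += ["%" + ldap_escape(g) for g in ident.groups]
    parts += ["%#" + str(g) for g in ident.gids]
    parts.append("ALL")
    return "(|" + "".join("(sudoUser=%s)" % p for p in parts) + ")"


def user_matches(ident: Identity, rule: SudoRole) -> bool:
    """Server-side view of that filter: does any sudoUser value of the rule
    name this user, one of its groups or gids, or ALL?"""
    for val in rule.sudo_user:
        if val == "ALL":
            return True
        if val.startswith("%#"):
            if int(val[2:]) in (ident.primary_gid,) + ident.gids:
                return True
        elif val.startswith("%"):
            if val[1:] in (ident.primary_group,) + ident.groups:
                return True
        elif val == ident.name:
            return True
    return False


def host_matches(rule: SudoRole, fqdn: str,
                 netgroups: Dict[str, FrozenSet[str]]) -> bool:
    """Second check, applied to each returned entry: sudoHost is ALL, the
    client's own name (short or fully qualified), or a +netgroup that
    contains it. An IPA hostgroup reaches sudo-ldap as such a netgroup."""
    short = fqdn.split(".", 1)[0]
    for val in rule.sudo_host:
        if val == "ALL" or val in (fqdn, short):
            return True
        if val.startswith("+") and fqdn in netgroups.get(val[1:], frozenset()):
            return True
    return False


def lookup(ident: Identity, fqdn: str, rules: List[SudoRole],
           netgroups: Dict[str, FrozenSet[str]]) -> Tuple[List[SudoRole], int, int]:
    """Return (applicable rules, entries the user filter selected, entries
    that also passed the host check). Zero in the second slot is the state
    both traces above report as 'result now has 0 entries': nothing is left
    for the host check to examine."""
    by_user = [r for r in rules if user_matches(ident, r)]
    by_host = [r for r in by_user if host_matches(r, fqdn, netgroups)]
    return by_host, len(by_user), len(by_host)


# Constructed fixtures: the client, one rule granting /usr/bin/less to the
# IPA POSIX group ad_admins on hostgroup test_hg, and btest before and after
# the client knows the AD membership nested into ad_admins.
CLIENT = "rhidmclient.nix.corpnonprd.xxxx.com"
NETGROUPS = {"test_hg": frozenset({CLIENT})}
RULES = [SudoRole("test_sudo", ("%ad_admins",), ("+test_hg",), ("/usr/bin/less",))]
BTEST_NO_GROUPS = Identity("btest@corpnonprd.xxxx.com",
                           "domain users@corpnonprd.xxxx.com", 59400513)
BTEST_RESOLVED = Identity("btest@corpnonprd.xxxx.com",
                          "domain users@corpnonprd.xxxx.com", 59400513,
                          groups=("ad_admins",), gids=(818800006,))


def main() -> None:
    for label, ident in (("before", BTEST_NO_GROUPS), ("after", BTEST_RESOLVED)):
        rules, n_user, n_host = lookup(ident, CLIENT, RULES, NETGROUPS)
        print(label, build_user_filter(ident))
        print("  entries for user: %d, after host check: %d, rules: %s"
              % (n_user, n_host, [r.cn for r in rules]))


if __name__ == "__main__":
    main()
```

Run as is to see the two filters side by side: the "before" filter carries no %ad_admins or %#818800006 component, so the rule cannot be selected no matter what the host check would say; the "after" filter is the shape of the second trace above, where the IPA group does appear. The escaping step is there because the filter is built from names the client learned from the directory; without it a crafted group name could inject its own (sudoUser=...) term.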


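A triage pass over the sssd backend log excerpt above, as an added example that is not part of the post and not SSSD code. It parses the line format the log uses (timestamp, be[domain], function, debug level, message), folds the lines into account-info lookups and PAM requests, and summarises per request what the two runs show: whether the user lookup succeeded, whether check_for_valid_tgt found a TGT at PAM_AUTHENTICATE, the HBAC verdict, every "Backend returned" result, and any line logged at level 0x0040 or more severe. SAMPLE is constructed from the post's lines, trimmed and with the archive's link residue removed.

```python
"""Triage of the sssd backend log excerpt above. Added example; not code from
the post or from SSSD. SAMPLE is constructed from the post's lines."""

import re
from collections import defaultdict
from typing import Dict, List

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)$"
)
# SSSD levels 0x0010 (fatal), 0x0020 (critical), 0x0040 (serious): the ones
# worth surfacing from a debug_level = 5 log.
SEVERE = {"0x0010", "0x0020", "0x0040"}

SAMPLE = [  # (time, function, level, message), constructed from the post
    ("10:56:30", "be_get_account_info", "0x0100", "Got request for [3][1][name=atest]"),
    ("10:56:30", "sdap_initgr_nested_search", "0x0040", "Search for group cn=ipausers,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com, returned 0 results. Skipping"),
    ("10:56:30", "acctinfo_callback", "0x0100", "Request processed. Returned 0,0,Success"),
    ("10:56:30", "be_pam_handler", "0x0100", "Got request with the following data"),
    ("10:56:30", "pam_print_data", "0x0100", "command: PAM_AUTHENTICATE"),
    ("10:56:30", "pam_print_data", "0x0100", "user: atest"),
    ("10:56:30", "check_for_valid_tgt", "0x0080", "TGT is valid."),
    ("10:56:30", "be_pam_handler_callback", "0x0100", "Backend returned: (0, 0, <NULL>) [Success]"),
    ("10:56:30", "be_pam_handler", "0x0100", "Got request with the following data"),
    ("10:56:30", "pam_print_data", "0x0100", "command: PAM_ACCT_MGMT"),
    ("10:56:30", "pam_print_data", "0x0100", "user: atest"),
    ("10:56:30", "ipa_hbac_evaluate_rules", "0x0080", "Access granted by HBAC rule [test_HBAC]"),
    ("10:56:30", "be_pam_handler_callback", "0x0100", "Backend returned: (0, 0, <NULL>) [Success]"),
    ("10:56:30", "be_pam_handler_callback", "0x0100", "Backend returned: (0, 0, Success) [Success]"),
    ("10:57:15", "be_get_account_info", "0x0100", "Got request for [3][1][name=btest]"),
    ("10:57:15", "acctinfo_callback", "0x0100", "Request processed. Returned 3,95,User lookup failed"),
    ("10:57:18", "be_pam_handler", "0x0100", "Got request with the following data"),
    ("10:57:18", "pam_print_data", "0x0100", "command: PAM_AUTHENTICATE"),
    ("10:57:18", "pam_print_data", "0x0100", "user: btest@CorpNonPrd.xxxx.com"),
    ("10:57:18", "check_for_valid_tgt", "0x0020", "krb5_cc_retrieve_cred failed."),
    ("10:57:19", "be_pam_handler_callback", "0x0100", "Backend returned: (0, 0, <NULL>) [Success]"),
    ("10:57:19", "be_get_account_info", "0x0100", "Got request for [3][1][name=btest]"),
    ("10:57:19", "acctinfo_callback", "0x0100", "Request processed. Returned 3,95,User lookup failed"),
    ("10:57:19", "be_pam_handler", "0x0100", "Got request with the following data"),
    ("10:57:19", "pam_print_data", "0x0100", "command: PAM_ACCT_MGMT"),
    ("10:57:19", "pam_print_data", "0x0100", "user: btest@CorpNonPrd.xxxx.com"),
    ("10:57:19", "ipa_hbac_evaluate_rules", "0x0080", "Access granted by HBAC rule [test_HBAC]"),
    ("10:57:19", "be_pam_handler_callback", "0x0100", "Backend returned: (0, 0, <NULL>) [Success]"),
    ("10:57:19", "sss_selinux_extract_user", "0x0040", "sysdb_search_user_by_name failed."),
    ("10:57:19", "ipa_selinux_handler", "0x0040", "Cannot create op context"),
    ("10:57:19", "be_pam_handler_callback", "0x0100", "Backend returned: (3, 4, <NULL>) [Internal Error (System error)]"),
]
SAMPLE_LOG = "\n".join(
    "(Wed Apr 24 %s 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [%s] (%s): %s" % e
    for e in SAMPLE) + "\n"


def parse(text: str) -> List[Dict[str, str]]:
    """One dict per well-formed backend line; anything else is dropped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def triage(text: str) -> Dict:
    """Fold the lines into account lookups (per name) and PAM requests. A
    request opens at be_pam_handler, collects command/user, the ccache check,
    the HBAC verdict, every severe line and every 'Backend returned' result,
    and closes when the next request opens."""
    lookups = defaultdict(lambda: {"ok": 0, "failed": 0})
    requests, other_severe = [], []
    cur, pending = None, None
    for ev in parse(text):
        func, msg, level = ev["func"], ev["msg"], ev["level"]
        if func == "be_get_account_info":
            m = re.search(r"name=([^\]]+)", msg)
            pending = m.group(1) if m else None
        elif func == "acctinfo_callback" and pending:
            lookups[pending]["ok" if msg.endswith("Success") else "failed"] += 1
            pending = None
        elif func == "be_pam_handler":
            cur = {"command": None, "user": None, "tgt": None, "hbac": None,
                   "severe": [], "results": []}
            requests.append(cur)
        elif cur is None:
            if level in SEVERE:
                other_severe.append("%s: %s" % (func, msg))
        elif func == "pam_print_data":
            key, _, val = msg.partition(": ")
            if key in ("command", "user"):
                cur[key] = val
        elif func == "check_for_valid_tgt":
            cur["tgt"] = msg.startswith("TGT is valid")
        elif func == "ipa_hbac_evaluate_rules":
            cur["hbac"] = msg
        elif func == "be_pam_handler_callback" and msg.startswith("Backend returned: "):
            cur["results"].append(msg[len("Backend returned: "):])
        elif level in SEVERE:
            cur["severe"].append("%s: %s" % (func, msg))
    return {"lookups": dict(lookups), "requests": requests, "other_severe": other_severe}


def summarize(report: Dict) -> List[str]:
    """One line per lookup name and per PAM request."""
    out = ["lookup %s: %d ok, %d failed" % (n, c["ok"], c["failed"])
           for n, c in sorted(report["lookups"].items())]
    for r in report["requests"]:
        notes = []
        if r["tgt"] is not None:
            notes.append("tgt " + ("present" if r["tgt"] else "absent"))
        if r["hbac"]:
            notes.append("hbac " + ("granted" if "granted" in r["hbac"] else "denied"))
        if r["severe"]:
            notes.append("%d severe" % len(r["severe"]))
        final = r["results"][-1] if r["results"] else "no result"
        out.append("%s %s -> %s (%s)" % (r["command"], r["user"], final, ", ".join(notes)))
    return out


if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_LOG))))
```

Point it at a real /var/log/sssd/sssd_<domain>.log by replacing SAMPLE_LOG with the file's contents. On the excerpt above the summary makes the asymmetry explicit: every be_get_account_info for btest ends in "User lookup failed", PAM_AUTHENTICATE for btest starts with no usable TGT in the ccache, and the PAM_ACCT_MGMT request that HBAC granted still ends in the Internal Error after the SELinux step could not find the user in the cache.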


