[Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration
Chamambo Martin
chamambom at afri-com.net
Wed Apr 8 11:39:44 UTC 2015
Sudo seems to be configured correctly but somehow it's not working
Even if I do a sudo -l under the admin user
[admin at ironhide tmp]$ sudo -l
[sudo] password for admin:
Matching Defaults entries for admin on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User admin may run the following commands on this host:
(admin, chamambom, kamoyob, kumalop, machangeteb, masaitit, masvivic,
matangiraa, nyahumap, pedzisail, tayengwaj : ALL) /usr/bin/vim,
/usr/bin/less
[admin at ironhide tmp]$
tail -f /var/log/sssd/sssd_sudo.log
[root at ironhide ~]# tail -f /var/log/sssd/sssd_sudo.log
(Wed Apr 8 13:35:27 2015) [sssd[sudo]] [sysdb_domain_init_internal]
(0x0200): DB File for ai.co.zw: /var/lib/sss/db/cache_ai.co.zw.ldb
(Wed Apr 8 13:35:27 2015) [sssd[sudo]] [ldb] (0x0400): asq: Unable to
register control with rootdse!
(Wed Apr 8 13:35:27 2015) [sssd[sudo]] [sss_process_init] (0x0400):
Responder Initialization complete
(Wed Apr 8 13:35:27 2015) [sssd[sudo]] [sudo_process_init] (0x0400): SUDO
Initialization complete
(Wed Apr 8 13:35:27 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400):
Issuing request for [0x40c900:domains at ai.co.zw]
(Wed Apr 8 13:35:27 2015) [sssd[sudo]] [sss_dp_get_domains_msg] (0x0400):
Sending get domains request for [ai.co.zw][forced][]
(Wed Apr 8 13:35:27 2015) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400):
Entering request [0x40c900:domains at ai.co.zw]
(Wed Apr 8 13:35:27 2015) [sssd[sudo]] [dp_id_callback] (0x0100): Got id
ack and version (1) from DP
(Wed Apr 8 13:35:27 2015) [sssd[sudo]] [id_callback] (0x0100): Got id ack
and version (1) from Monitor
(Wed Apr 8 13:35:28 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400):
Deleting request: [0x40c900:domains at ai.co.zw]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [accept_fd_handler] (0x0400): Client
connected!
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Received client version [1].
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Offered version [1].
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'admin' matched without domain, user is admin
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'admin' matched without domain, user is admin
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting default options for [admin] from [<ALL>]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [admin at ai.co.zw]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [admin at ai.co.zw]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving default options for [admin] from [ai.co.zw]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=admin)(sud
oUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust
admins)(sudoUser=%admins)(sudoUser=+*))(&(dataExpireTimestamp<=1428492937)))
]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 0 rules for [<default options>@ai.co.zw]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'admin' matched without domain, user is admin
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'admin' matched without domain, user is admin
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting rules for [admin] from [<ALL>]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [admin at ai.co.zw]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [admin at ai.co.zw]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving rules for [admin] from [ai.co.zw]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=admin)(sud
oUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust
admins)(sudoUser=%admins)(sudoUser=+*))(&(dataExpireTimestamp<=1428492937)))
]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=admin)(sudoUser=#14682000
00)(sudoUser=%admins)(sudoUser=%trust
admins)(sudoUser=%admins)(sudoUser=+*)))]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 1 rules for [admin at ai.co.zw]
(Wed Apr 8 13:35:44 2015) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!
-----Original Message-----
From: freeipa-users-bounces at redhat.com
[mailto:freeipa-users-bounces at redhat.com] On Behalf Of Chamambo Martin
Sent: Wednesday, April 08, 2015 10:49 AM
To: 'Jakub Hrozek'
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration
I have done below and its giving me the correct results and at the moment
LET ME enable debugging in sudo itself and see if that will get me somewhere
[root at ironhide ~]# getent netgroup mailservers
mailservers (ironhide.ai.co.zw,-,ai.co.zw)
(alvin.ai.co.zw,-,ai.co.zw) (madagascar.ai.co.zw,-,ai.co.zw)
(nemo.ai.co.zw,-,ai.co.zw)
[root at ironhide ~]#
-----Original Message-----
From: Jakub Hrozek [mailto:jhrozek at redhat.com]
Sent: Wednesday, April 08, 2015 10:35 AM
To: Chamambo Martin
Cc: freeipa-users at redhat.com; 'Lukas Slebodnik'
Subject: Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration
On Wed, Apr 08, 2015 at 10:17:59AM +0200, Chamambo Martin wrote:
> I have this log after doing a debug_level=6 in the sudo section and
> have attached a txt file for the ldbsearch -H
> /var/lib/sss/db/cache_ai.co.zw.ldb
>
> (Wed Apr 8 10:14:52 2015) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache]
> (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=admi
> n)(sud oUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust
> admins)(sudoUser=%admins)(sudoUser=+*))(&(dataExpireTimestamp<=1428480
> 892)))
> ]
> (Wed Apr 8 10:14:52 2015) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache]
> (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=admin)(sudoUser=#14
> 682000
> 00)(sudoUser=%admins)(sudoUser=%trust
> admins)(sudoUser=%admins)(sudoUser=+*)))]
The above are the cache searches sssd ran.
This is how the sudo rule looks in your cache:
# record 29
dn: name=file-commands,cn=sudorules,cn=custom,cn=ai.co.zw,cn=sysdb
cn: file-commands
dataExpireTimestamp: 1428486013
entryUSN: 28714
name: file-commands
objectClass: sudoRule
originalDN: cn=file-commands,ou=sudoers,dc=ai,dc=co,dc=zw
sudoCommand: /usr/bin/vim
sudoCommand: /usr/bin/less
sudoHost: +mailservers
sudoRunAsGroup: ALL
sudoRunAsUser: admin
sudoRunAsUser: chamambom
sudoRunAsUser: kamoyob
sudoRunAsUser: kumalop
sudoRunAsUser: machangeteb
sudoRunAsUser: masaitit
sudoRunAsUser: masvivic
sudoRunAsUser: matangiraa
sudoRunAsUser: nyahumap
sudoRunAsUser: pedzisail
sudoRunAsUser: tayengwaj
sudoUser: ALL
distinguishedName:
name=file-commands,cn=sudorules,cn=custom,cn=ai.co.zw,cn=sy
sdb
> (Wed Apr 8 10:14:52 2015) [sssd[sudo]]
> [sudosrv_get_sudorules_from_cache]
> (0x0400): Returning 1 rules for [admin at ai.co.zw]
And here we see that the sudo rule was returned from SSSD to sudo. But then
in sudo, it didn't match for some reason. I expect it's because of the
netgroup, can you check if nisdomainname is really set correctly and getent
netgroup mailservers reports the FQDN of your client?
Also, you can enable debugging in sudo itself. See man sudo.conf and search
for the option "Debug". That will show you how exactly sudo matches the
rules.
> (Wed Apr 8 10:15:02 2015) [sssd[sudo]] [client_recv] (0x0200): Client
> disconnected!
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
More information about the Freeipa-users
mailing list