[Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

Chamambo Martin chamambom at afri-com.net
Wed Apr 8 11:39:44 UTC 2015


Sudo seems to be configured correctly, but somehow it's not working.

Even if I do a sudo -l under the admin user:

[admin at ironhide tmp]$ sudo -l
[sudo] password for admin: 
Matching Defaults entries for admin on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User admin may run the following commands on this host:
    (admin, chamambom, kamoyob, kumalop, machangeteb, masaitit, masvivic,
    matangiraa, nyahumap, pedzisail, tayengwaj : ALL) /usr/bin/vim,
    /usr/bin/less
[admin at ironhide tmp]$


tail -f /var/log/sssd/sssd_sudo.log 


[root at ironhide ~]# tail -f /var/log/sssd/sssd_sudo.log 
(Wed Apr  8 13:35:27 2015) [sssd[sudo]] [sysdb_domain_init_internal]
(0x0200): DB File for ai.co.zw: /var/lib/sss/db/cache_ai.co.zw.ldb
(Wed Apr  8 13:35:27 2015) [sssd[sudo]] [ldb] (0x0400): asq: Unable to
register control with rootdse!
(Wed Apr  8 13:35:27 2015) [sssd[sudo]] [sss_process_init] (0x0400):
Responder Initialization complete
(Wed Apr  8 13:35:27 2015) [sssd[sudo]] [sudo_process_init] (0x0400): SUDO
Initialization complete
(Wed Apr  8 13:35:27 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400):
Issuing request for [0x40c900:domains at ai.co.zw]
(Wed Apr  8 13:35:27 2015) [sssd[sudo]] [sss_dp_get_domains_msg] (0x0400):
Sending get domains request for [ai.co.zw][forced][]
(Wed Apr  8 13:35:27 2015) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400):
Entering request [0x40c900:domains at ai.co.zw]
(Wed Apr  8 13:35:27 2015) [sssd[sudo]] [dp_id_callback] (0x0100): Got id
ack and version (1) from DP
(Wed Apr  8 13:35:27 2015) [sssd[sudo]] [id_callback] (0x0100): Got id ack
and version (1) from Monitor
(Wed Apr  8 13:35:28 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400):
Deleting request: [0x40c900:domains at ai.co.zw]
(Wed Apr  8 13:35:37 2015) [sssd[sudo]] [accept_fd_handler] (0x0400): Client
connected!
(Wed Apr  8 13:35:37 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Received client version [1].
(Wed Apr  8 13:35:37 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Offered version [1].
(Wed Apr  8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'admin' matched without domain, user is admin
(Wed Apr  8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Wed Apr  8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'admin' matched without domain, user is admin
(Wed Apr  8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Wed Apr  8 13:35:37 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting default options for [admin] from [<ALL>]
(Wed Apr  8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [admin at ai.co.zw]
(Wed Apr  8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [admin at ai.co.zw]
(Wed Apr  8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving default options for [admin] from [ai.co.zw]
(Wed Apr  8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=admin)(sudoUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*))(&(dataExpireTimestamp<=1428492937)))]
(Wed Apr  8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Wed Apr  8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 0 rules for [<default options>@ai.co.zw]
(Wed Apr  8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'admin' matched without domain, user is admin
(Wed Apr  8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Wed Apr  8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'admin' matched without domain, user is admin
(Wed Apr  8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Wed Apr  8 13:35:37 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting rules for [admin] from [<ALL>]
(Wed Apr  8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [admin at ai.co.zw]
(Wed Apr  8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [admin at ai.co.zw]
(Wed Apr  8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving rules for [admin] from [ai.co.zw]
(Wed Apr  8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=admin)(sudoUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*))(&(dataExpireTimestamp<=1428492937)))]
(Wed Apr  8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=admin)(sudoUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*)))]
(Wed Apr  8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 1 rules for [admin at ai.co.zw]
(Wed Apr  8 13:35:44 2015) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!

-----Original Message-----
From: freeipa-users-bounces at redhat.com
[mailto:freeipa-users-bounces at redhat.com] On Behalf Of Chamambo Martin
Sent: Wednesday, April 08, 2015 10:49 AM
To: 'Jakub Hrozek'
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

I have done the below and it's giving me the correct results. At the moment,
let me enable debugging in sudo itself and see if that will get me somewhere.

[root at ironhide ~]# getent netgroup mailservers 
mailservers           (ironhide.ai.co.zw,-,ai.co.zw)
(alvin.ai.co.zw,-,ai.co.zw) (madagascar.ai.co.zw,-,ai.co.zw)
(nemo.ai.co.zw,-,ai.co.zw)
[root at ironhide ~]# 

-----Original Message-----
From: Jakub Hrozek [mailto:jhrozek at redhat.com]
Sent: Wednesday, April 08, 2015 10:35 AM
To: Chamambo Martin
Cc: freeipa-users at redhat.com; 'Lukas Slebodnik'
Subject: Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

On Wed, Apr 08, 2015 at 10:17:59AM +0200, Chamambo Martin wrote:
> I have this log after doing a debug_level=6 in the sudo section and 
> have attached a txt file for the ldbsearch -H 
> /var/lib/sss/db/cache_ai.co.zw.ldb
> 

> (Wed Apr  8 10:14:52 2015) [sssd[sudo]] 
> [sudosrv_get_sudorules_query_cache]
> (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=admin)(sudoUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*))(&(dataExpireTimestamp<=1428480892)))]
> (Wed Apr  8 10:14:52 2015) [sssd[sudo]] 
> [sudosrv_get_sudorules_query_cache]
> (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=admin)(sudoUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*)))]

The above are the cache searches sssd ran.

This is how the sudo rule looks in your cache:
# record 29
dn: name=file-commands,cn=sudorules,cn=custom,cn=ai.co.zw,cn=sysdb
cn: file-commands
dataExpireTimestamp: 1428486013
entryUSN: 28714
name: file-commands
objectClass: sudoRule
originalDN: cn=file-commands,ou=sudoers,dc=ai,dc=co,dc=zw
sudoCommand: /usr/bin/vim
sudoCommand: /usr/bin/less
sudoHost: +mailservers
sudoRunAsGroup: ALL
sudoRunAsUser: admin
sudoRunAsUser: chamambom
sudoRunAsUser: kamoyob
sudoRunAsUser: kumalop
sudoRunAsUser: machangeteb
sudoRunAsUser: masaitit
sudoRunAsUser: masvivic
sudoRunAsUser: matangiraa
sudoRunAsUser: nyahumap
sudoRunAsUser: pedzisail
sudoRunAsUser: tayengwaj
sudoUser: ALL
distinguishedName: name=file-commands,cn=sudorules,cn=custom,cn=ai.co.zw,cn=sysdb

> (Wed Apr  8 10:14:52 2015) [sssd[sudo]] 
> [sudosrv_get_sudorules_from_cache]
> (0x0400): Returning 1 rules for [admin at ai.co.zw]

And here we see that the sudo rule was returned from SSSD to sudo. But then
in sudo, it didn't match for some reason. I expect it's because of the
netgroup, can you check if nisdomainname is really set correctly and getent
netgroup mailservers reports the FQDN of your client?

Also, you can enable debugging in sudo itself. See man sudo.conf and search
for the option "Debug". That will show you how exactly sudo matches the
rules.


> (Wed Apr  8 10:15:02 2015) [sssd[sudo]] [client_recv] (0x0200): Client 
> disconnected!

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
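
A small checker for the two things Jakub asks about, added here as an example and not part of the thread or of the FreeIPA, SSSD or sudo code bases: it parses a `getent netgroup` line into (host,user,domain) triples and reports whether the client's FQDN and NIS domain would satisfy the `sudoHost: +mailservers` entry shown in the cache record. The embedded getent line is the one posted above, kept inline so the script runs offline. The matching rules it applies (a `-` field matches nothing, an empty field is a wildcard, the user field is ignored for a host-side match, and an unset nisdomainname counts as a mismatch against any triple that names a domain) are this script's own simplified model, chosen to flag the misconfiguration Jakub suspects; they are not a statement about how glibc's innetgr behaves.

```python
"""Would this client satisfy a sudoHost of '+<netgroup>'?

Added example for the freeipa-users thread; not FreeIPA, SSSD or sudo code.
The matching rules below are a simplified model, not glibc's innetgr.
"""
import re
import socket
import subprocess
import sys

# Constructed sample: the `getent netgroup mailservers` line from the thread,
# on one line as getent prints it.
SAMPLE_GETENT = (
    "mailservers           (ironhide.ai.co.zw,-,ai.co.zw) "
    "(alvin.ai.co.zw,-,ai.co.zw) (madagascar.ai.co.zw,-,ai.co.zw) "
    "(nemo.ai.co.zw,-,ai.co.zw)"
)

TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_netgroup(getent_line):
    """Return (name, [(host, user, domain), ...]) from one getent line.

    A '-' field (NIS "no valid value") becomes None and matches nothing;
    an empty field stays '' and is treated as a wildcard.
    """
    name, _, rest = getent_line.strip().partition(" ")
    triples = []
    for raw in TRIPLE_RE.findall(rest):
        fields = [f.strip() for f in raw]
        triples.append(tuple(None if f == "-" else f for f in fields))
    return name, triples


def normalise_nisdomain(value):
    """`nisdomainname` prints '(none)' when nothing is set; treat it as unset."""
    if value is None:
        return None
    value = value.strip()
    return None if value in ("", "(none)") else value


def host_matches(triple, host, nisdomain):
    """Host-side test: the host and domain fields must both agree.

    The user field is ignored because sudo compares it only for sudoUser
    netgroups, so a '-' user does not block a sudoHost match. Assumption of
    this checker: an unset local NIS domain never satisfies a triple domain.
    """
    t_host, _t_user, t_domain = triple
    if t_host is None or (t_host != "" and t_host.lower() != host.lower()):
        return False
    if t_domain is None:
        return False
    if t_domain != "" and (nisdomain is None or t_domain.lower() != nisdomain.lower()):
        return False
    return True


def check_host(getent_line, host, nisdomain):
    """Return (matched, diagnostics) for `host` against one getent line."""
    name, triples = parse_netgroup(getent_line)
    nisdomain = normalise_nisdomain(nisdomain)
    notes = []
    if "." not in host:
        notes.append("host %r is not fully qualified; the %s triples use FQDNs" % (host, name))
    if nisdomain is None:
        domains = sorted({d for _, _, d in triples if d})
        if domains:
            notes.append("nisdomainname is unset but %s triples carry domain(s): %s"
                         % (name, ", ".join(domains)))
    matched = any(host_matches(t, host, nisdomain) for t in triples)
    notes.append("%s %s netgroup %s" % (host, "matches" if matched else "does NOT match", name))
    return matched, notes


def main(netgroup):
    """Live check on this machine; needs getent and nisdomainname in PATH."""
    try:
        line = subprocess.run(["getent", "netgroup", netgroup], capture_output=True,
                              text=True, check=True).stdout
    except (subprocess.CalledProcessError, OSError) as exc:
        print("getent netgroup %s failed: %s" % (netgroup, exc))
        return 2
    nisdomain = subprocess.run(["nisdomainname"], capture_output=True, text=True).stdout
    matched, notes = check_host(line, socket.getfqdn(), nisdomain)
    print("\n".join(notes))
    return 0 if matched else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "mailservers"))
```

Run it on the client as `python3 check_netgroup.py mailservers`; exit status 0 means the FQDN and NIS domain both line up with a triple, and the printed notes say which of the two is off when they do not. It only reproduces the netgroup half of the problem; what sudo itself decided still comes from the `Debug` line in sudo.conf that Jakub points to.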