Hello,
we are using FreeIPA in the current version 4.5 under current CentOS 7. In order to grant access we are using sudo rules in conjunction with host groups. We have found that these rules do not work under Debian 8/9 and Ubuntu 16.04, but with Centos 6/7. Suggestions from the web require a set nisdomainname (nisdomainname example.com), which does not work. In fact, the nisdomainname is not set under CentOS 6, but under Centos 7 it is. What settings under Debian/Ubuntu must be made for sudo rules to work with hostgroups?
Debian 8 Debian 9 Ubuntu 16.04 Centos 6 Centos 7 sssd-Version 1.15.0-3 1.15.0-3 1.15.0-3ubuntu2~ubuntu16.04.1~ppa1 sssd-1.15.3-1.el6.x86_64 sssd-1.15.2-50.el7_4.2.x86_64 sudo-Version 1.8.10p3-1+deb8u4 1.8.19p1-2.1 1.8.16-0ubuntu1.5 sudo-1.8.6p3-29.el6_9.x86_64 sudo-1.8.19p2-11.el7_4.x86_64
Regards,
Michael
Anybody have an idea for me?
Michael
Am 22.09.2017 um 10:50 schrieb Michael Gusek via FreeIPA-users:
Hello,
we are using FreeIPA in the current version 4.5 under current CentOS 7. In order to grant access we are using sudo rules in conjunction with host groups. We have found that these rules do not work under Debian 8/9 and Ubuntu 16.04, but with Centos 6/7. Suggestions from the web require a set nisdomainname (nisdomainname example.com), which does not work. In fact, the nisdomainname is not set under CentOS 6, but under Centos 7 it is. What settings under Debian/Ubuntu must be made for sudo rules to work with hostgroups?
Debian 8 Debian 9 Ubuntu 16.04 Centos 6 Centos 7 sssd-Version 1.15.0-3 1.15.0-3 1.15.0-3ubuntu2~ubuntu16.04.1~ppa1 sssd-1.15.3-1.el6.x86_64 sssd-1.15.2-50.el7_4.2.x86_64 sudo-Version 1.8.10p3-1+deb8u4 1.8.19p1-2.1 1.8.16-0ubuntu1.5 sudo-1.8.6p3-29.el6_9.x86_64 sudo-1.8.19p2-11.el7_4.x86_64
Regards,
Michael
*Michael**Gusek*| System Administrator| Webtrekk GmbH | *t*+49 30 755 415 302| *f *+49 30 755 415 100 | *w *www.webtrekk.com https://www.webtrekk.com/?wt_mc=signature.-.-.-.homepageURL Amtsgericht/Local Court Berlin, HRB 93435 B | Geschäftsführer/CEO Christian Sauer und Wolf Lichtenstein
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Hey Michael.
I have never added Ubuntu or Debian machines to an IPA server. I have gotten RHEL 5/6/7, HPUX 11.31 and Solaris 10/11 machines added and working on my IPA servers. So I can hope to shed some light from my troubles. I have found that the issue lies with how the sudo on the server resolves it's own hostname.
Can you attempted to debug sudo? You should be able to add a debug line sssd.conf in the [sudo] section.
Also have you tried to add a rule and explicitly list the server (not group)? This will help determine if the issue is related to the host and passing comparing with the FQDN or if it's having issues expanding host groups.
I'm sure you already know this, but including just in case:
From the sssd.conf man page from Ubuntu you can have a setting in there - hostid_provider - make sure that is set to ipa. I'm sure this is setup from the installation.
The man page also states: "Note: in order to use netgroups or IPA hostgroups in sudo rules, you also need to correctly set nisdomainname(1) to your NIS domain name (which equals to IPA domain name when using hostgroups)."
You can also set a setting in the sssd.conf to reflect the FQDN correctly ipa_hostname = FQDN. I have had to set this, due to not being able to change hostnames from shortname to FQDN.
Common things I have ran into / fixed - - hosts file is not setup correctly for the host. The host entry for itself has to be setup as 10.0.0.5 ServerFQDN ServerShortname
- Set the server name to the FQDN vs shortname. If unable to set, statically set the hostname with the --hostname option on installation.
- Ensure that the host entry FQDN in IPA is the same as the hosts file/hostname. Otherwise you can set the hostname statically in sssd.conf with
- Set the nisdomain name to IPA domain.
- Added a sudo option into the sudo rule "fqdn", to ensure the fqdn will be used by the hosts.
I would be more interested in what the debugging produces.
-Aaron
On all ubuntu flavours simple solution is to install sudo from its developement page sudo included in system does not work with groups correctly. Up to Ubuntu 16.04
From what i have seen if user is in a group that is in different group sudo on Ubuntu does not recognize the second group ( that group that the users group is member of)
Havent tested host groups but might be same case there.
W dniu 01.10.2017 o 16:58, Aaron Cole via FreeIPA-users pisze:
Hey Michael.
I have never added Ubuntu or Debian machines to an IPA server. I have gotten RHEL 5/6/7, HPUX 11.31 and Solaris 10/11 machines added and working on my IPA servers. So I can hope to shed some light from my troubles. I have found that the issue lies with how the sudo on the server resolves it's own hostname.
Can you attempted to debug sudo? You should be able to add a debug line sssd.conf in the [sudo] section.
Also have you tried to add a rule and explicitly list the server (not group)? This will help determine if the issue is related to the host and passing comparing with the FQDN or if it's having issues expanding host groups.
I'm sure you already know this, but including just in case:
From the sssd.conf man page from Ubuntu you can have a setting in there - hostid_provider - make sure that is set to ipa. I'm sure this is setup from the installation.
The man page also states: "Note: in order to use netgroups or IPA hostgroups in sudo rules, you also need to correctly set nisdomainname(1) to your NIS domain name (which equals to IPA domain name when using hostgroups)."
You can also set a setting in the sssd.conf to reflect the FQDN correctly ipa_hostname = FQDN. I have had to set this, due to not being able to change hostnames from shortname to FQDN.
Common things I have ran into / fixed -
hosts file is not setup correctly for the host. The host entry for itself has to be setup as 10.0.0.5 ServerFQDN ServerShortname
Set the server name to the FQDN vs shortname. If unable to set, statically set the hostname with the --hostname option on installation.
Ensure that the host entry FQDN in IPA is the same as the hosts file/hostname. Otherwise you can set the hostname statically in sssd.conf with
Set the nisdomain name to IPA domain.
Added a sudo option into the sudo rule "fqdn", to ensure the fqdn will be used by the hosts.
I would be more interested in what the debugging produces.
-Aaron _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Hi thanks for your tips support, I follow your tips and also find a RedHat document -> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/htm...
In short words: - follow the instructions - enable logging (sudoers_debug 2) -> got the following result: sudo rule for host group does not match because ldap search for hosts instead of host groups :-(
ipa-lx-test-debian9% sudo -l sudo: LDAP Config Summary sudo: =================== sudo: uri ldaps://ipa-lx-test-01.example.world.com sudo: uri ldap://ipa-prod-01.example.world.com sudo: ldap_version 3 sudo: sudoers_base ou=SUDOers,dc=example,dc=world,dc=com sudo: search_filter (objectClass=sudoRole) sudo: netgroup_base (NONE: will use nsswitch) sudo: netgroup_search_filter (objectClass=nisNetgroup) sudo: binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=world,dc=com sudo: bindpw MySecurePassword sudo: bind_timelimit 5 sudo: timelimit 15 sudo: ssl (no) sudo: tls_checkpeer (yes) sudo: tls_cacertfile /etc/ipa/ca.crt sudo: =================== sudo: ldap_set_option: debug -> 0 sudo: ldap_set_option: tls_checkpeer -> 1 sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt sudo: ldap_initialize(ld, ldaps://ipa-lx-test-01.example.world.com ldap://ipa-prod-01.example.world.com) sudo: ldap_set_option: ldap_version -> 3 sudo: ldap_set_option: timelimit -> 15 sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5) sudo: ldap_sasl_bind_s() ok sudo: Looking for cn=defaults: (&(objectClass=sudoRole)(cn=defaults)) sudo: no default options found in ou=SUDOers,dc=example,dc=world,dc=com sudo: ldap search '(&(objectClass=sudoRole)(|(sudoUser=webtrekk)(sudoUser=%webtrekk)(sudoUser=%#299801104)(sudoUser=%domänen-benutzer)(sudoUser=%mitarbeiter)(sudoUser=%wt-it-warp)(sudoUser=%wt-it)(sudoUser=%ad_users)(sudoUser=%wt-it-warp)(sudoUser=%#299800513)(sudoUser=%#299801109)(sudoUser=%#299801114)(sudoUser=%#299801116)(sudoUser=%#556800008)(sudoUser=%#556800012)(sudoUser=ALL)))' sudo: searching from base 'ou=SUDOers,dc=example,dc=world,dc=com' sudo: adding search result sudo: ldap sudoHost '+centos_group' ... not sudo: ldap sudoHost '+debian_group' ... not sudo: ldap sudoHost '+ubuntu_group' ... not sudo: result now has 0 entries sudo: ldap search '(&(objectClass=sudoRole)(sudoUser=)(sudoUser=+))' sudo: searching from base 'ou=SUDOers,dc=example,dc=world,dc=com' sudo: adding search result sudo: result now has 0 entries sudo: perform search for pwflag 54 sudo: done with LDAP searches sudo: user_matches=true sudo: host_matches=false sudo: sudo_ldap_lookup(54)=0x84 [sudo] Password for user:
If you explicitly define your host into the sudo rule, does it work? Can you post the output with the hostname explicitly defined in the rule, to see if it parses it? That way we can at least see if sudo is comparing it's FQDN to what's in the host rule.
if it does find the host, then it means the issue lies with hostgroup expansion. If it doesn't then the issue lies with how sudo is interpreting the name of server and comparing. We need to first see if sudo is properly comparing it's name to what it should be.
Hi Aaron, I found this information very helpful for debugging a CentOS 7 box that is having the same problem, thank you.
On my box, sudo over SSSD is working, but not with host groups, only with specific hosts listed. So there's some problem with the host expansion as you point out, but I'm unable to find the right log entries. I used the document at https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html to set up the logging.
Do you know any keywords that I can grep for that would narrow down the log lines that are relevant? These log files are really big!
Thanks, Brian
Is the domainname set to the domain name of your IPA domain? I usually set CentOS/RHEL servers hostname as the FQDN and when you install the free-ipa-client it sets the domain name of the server to the freeipa domain name.
The next thing to check is if your hosts file is setup properly. Meaning the entry for your host should be "IP FQDN alias". I have found if FQDN is not the first entry, as it should always be, it can cause issues with sudo.
Did you add anything to the sssd.conf? SSSD usually works pretty good. This article may help also. Let me know the outcome.
https://access.redhat.com/solutions/1281953
Aaron
Thanks Aaron, appreciate the input. Happy Friday!
I read that article and that key-value does not exist. I also set the FQDN before `ipa-client-install` and let it do it's magic. Only sssd.conf changes to add debug configuration (https://gist.github.com/briantopping/671341ea8025f127588a66801932c19f). Output of both `domainname` and `nisdomainname` match `ipa_domain` in sssd.conf. Seemingly relevant package versions are below.
The debug logs seem exhaustive, are there clues in there?
Thanks! Brian
Client: CentOS Linux release 7.4.1708 (Core) ipa-client-4.5.0-21.el7.centos.2.2.x86_64 sssd-ipa-1.15.2-50.el7_4.6.x86_64
Server: CentOS Linux release 7.4.1708 (Core) ipa-server-4.5.0-21.el7.centos.2.2.x86_64 sssd-ipa-1.15.2-50.el7_4.6.x86_64
Debug logs are always long...
Even though you don't have that key, it shows how to do some further testing and debuging for sudo itself.
In that article did you set the sudoers_debug to 3 - to get all info for sudo (you can paste it here)? Did you check the nsswitch.conf for sss in it? Did you run getent netgroup {hostgroup}?
Let me know what you get. Aaron
freeipa-users@lists.fedorahosted.org
-
Aaron Cole -
Bjoern Klimpel -
Brian Topping -
Michael Gusek -
Przemysław Orzechowski