One of my biggest projects is to use ansible to kill OpenLDAP clients on our production servers and install ipa-client and configured. I'm probably 95% there with automating the process (still trying to figure out what pam_ldap crap is floating around after uninstalling those packages and such) but I've got a weird issue that appears to be related to the C6 ipa-client setup.
After installing the ipa-client and configuring, I can login as my ipa user account, but, even though I have SUDO rules in place, I'm getting a 'user is not in sudoers file...etc, etc' on CentOS 6, but /not/ on a CentOS 7 client I have tested on. I've tried two different C6 boxes with the same result. The SSSD/nsswitch/pam.d config files are all identical between the C6 and C7 servers.
The C7 box did not have a previous OpenLDAP client on it, and neither did one of the C6 boxes, so it doesn't appear to be a problem/conflict with remnants of OpenLDAP/PAM causing the problem. Sudoers on all the boxes I'm testing is out-of-the-box vanilla and there are no sudoers.d/ files either.
I'm an IPA newbie, and I gave up on OpenLDAP and PAM (god, what a cockup that is) almost two decades ago, so I'm not as familiar with it as some people might be. Here are the package versions for the IPA clients:
C7: ipa-client-4.5.0-21.el7.centos.1.2.x86_64
C6: ipa-client-3.0.0-51.el6.centos.x86_64
The only other thing I can think of to mention is that in /var/log/secure on the C6 boxes I'm getting a pam_unix.so authentication failure (obviously since my user isn't on that box) prior to sssd authenticating me successfully when trying to sudo su. I do not see that problem on the C7 box.
Any ideas?
Hi Mark,
Not all CentOS releases are created equal. Support for Sudo appeared later in IPA and you’ll probably need to update sssd and ipa-client. The one in 6.8 should work fine. I’ve recently enrolled a few rhel 6.4 servers and noticed the same thing but everything was solved after doing a yum update sssd.
Cheers, Răzvan
On 13 Sep 2017, at 22:04, Mark Haney via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
One of my biggest projects is to use ansible to kill OpenLDAP clients on our production servers and install ipa-client and configured. I'm probably 95% there with automating the process (still trying to figure out what pam_ldap crap is floating around after uninstalling those packages and such) but I've got a weird issue that appears to be related to the C6 ipa-client setup.
After installing the ipa-client and configuring, I can login as my ipa user account, but, even though I have SUDO rules in place, I'm getting a 'user is not in sudoers file...etc, etc' on CentOS 6, but /not/ on a CentOS 7 client I have tested on. I've tried two different C6 boxes with the same result. The SSSD/nsswitch/pam.d config files are all identical between the C6 and C7 servers.
The C7 box did not have a previous OpenLDAP client on it, and neither did one of the C6 boxes, so it doesn't appear to be a problem/conflict with remnants of OpenLDAP/PAM causing the problem. Sudoers on all the boxes I'm testing is out-of-the-box vanilla and there are no sudoers.d/ files either.
I'm an IPA newbie, and I gave up on OpenLDAP and PAM (god, what a cockup that is) almost two decades ago, so I'm not as familiar with it as some people might be. Here are the package versions for the IPA clients:
C7: ipa-client-4.5.0-21.el7.centos.1.2.x86_64
C6: ipa-client-3.0.0-51.el6.centos.x86_64
The only other thing I can think of to mention is that in /var/log/secure on the C6 boxes I'm getting a pam_unix.so authentication failure (obviously since my user isn't on that box) prior to sssd authenticating me successfully when trying to sudo su. I do not see that problem on the C7 box.
Any ideas?
-- Mark Haney Network Engineer at NeoNova 919-460-3330 option 1 mark.haney@neonova.net www.neonova.net _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
On 09/13/2017 03:44 PM, Răzvan Corneliu C.R. VILT via FreeIPA-users wrote:
Hi Mark,
Not all CentOS releases are created equal. Support for Sudo appeared later in IPA and you’ll probably need to update sssd and ipa-client. The one in 6.8 should work fine. I’ve recently enrolled a few rhel 6.4 servers and noticed the same thing but everything was solved after doing a yum update sssd.
Cheers, Răzvan
Unfortunately, sssd is already the 6.9 version:
python-sssdconfig-1.13.3-57.el6_9.noarch sssd-common-1.13.3-57.el6_9.x86_64 sssd-common-pac-1.13.3-57.el6_9.x86_64 sssd-ad-1.13.3-57.el6_9.x86_64 sssd-ldap-1.13.3-57.el6_9.x86_64 sssd-1.13.3-57.el6_9.x86_64 sssd-client-1.13.3-57.el6_9.x86_64 sssd-krb5-common-1.13.3-57.el6_9.x86_64 sssd-ipa-1.13.3-57.el6_9.x86_64 sssd-krb5-1.13.3-57.el6_9.x86_64 sssd-proxy-1.13.3-57.el6_9.x86_64
On ke, 13 syys 2017, Mark Haney via FreeIPA-users wrote:
On 09/13/2017 03:44 PM, Răzvan Corneliu C.R. VILT via FreeIPA-users wrote:
Hi Mark,
Not all CentOS releases are created equal. Support for Sudo appeared later in IPA and you’ll probably need to update sssd and ipa-client. The one in 6.8 should work fine. I’ve recently enrolled a few rhel 6.4 servers and noticed the same thing but everything was solved after doing a yum update sssd.
Cheers, Răzvan
Unfortunately, sssd is already the 6.9 version:
python-sssdconfig-1.13.3-57.el6_9.noarch sssd-common-1.13.3-57.el6_9.x86_64 sssd-common-pac-1.13.3-57.el6_9.x86_64 sssd-ad-1.13.3-57.el6_9.x86_64 sssd-ldap-1.13.3-57.el6_9.x86_64 sssd-1.13.3-57.el6_9.x86_64 sssd-client-1.13.3-57.el6_9.x86_64 sssd-krb5-common-1.13.3-57.el6_9.x86_64 sssd-ipa-1.13.3-57.el6_9.x86_64 sssd-krb5-1.13.3-57.el6_9.x86_64 sssd-proxy-1.13.3-57.el6_9.x86_64
Check sudo version as well.
On Wed, Sep 13, 2017 at 11:05:25PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
On ke, 13 syys 2017, Mark Haney via FreeIPA-users wrote:
On 09/13/2017 03:44 PM, Răzvan Corneliu C.R. VILT via FreeIPA-users wrote:
Hi Mark,
Not all CentOS releases are created equal. Support for Sudo appeared later in IPA and you’ll probably need to update sssd and ipa-client. The one in 6.8 should work fine. I’ve recently enrolled a few rhel 6.4 servers and noticed the same thing but everything was solved after doing a yum update sssd.
Cheers, Răzvan
Unfortunately, sssd is already the 6.9 version:
python-sssdconfig-1.13.3-57.el6_9.noarch sssd-common-1.13.3-57.el6_9.x86_64 sssd-common-pac-1.13.3-57.el6_9.x86_64 sssd-ad-1.13.3-57.el6_9.x86_64 sssd-ldap-1.13.3-57.el6_9.x86_64 sssd-1.13.3-57.el6_9.x86_64 sssd-client-1.13.3-57.el6_9.x86_64 sssd-krb5-common-1.13.3-57.el6_9.x86_64 sssd-ipa-1.13.3-57.el6_9.x86_64 sssd-krb5-1.13.3-57.el6_9.x86_64 sssd-proxy-1.13.3-57.el6_9.x86_64
Check sudo version as well.
And if that doesn't help, follow https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html
Do you use default_domain_suffix with IPA-AD trusts? That's one thing that's known to not work on el6..
Well this is interesting. The latest version of sudo is sudo-1.8.6p3-29.el6_9.x86_64. Mine is sudo-1.8.6-7.el6.x86_64. The issue here is that this box is CentOS 6.4 and I can't fully update it to 6.9. But I can't simply update sudo by itself:
[root@secure nnsops]# yum update sudo Loaded plugins: changelog, fastestmirror Setting up Update Process Loading mirror speeds from cached hostfile * base: mirror.cogentco.com * epel: mirror.nodesdirect.com * extras: mirror.team-cymru.org * updates: centos.vwtonline.net No Packages marked for Update
That's a good call on checking it, but I don't understand why I can't simply yum update sudo. I can download the package and update it, but I'm at a loss as to why I'm not seeing it even when I run just 'yum update'. I swear, I just don't understand how these systems were left not updated for years. This box is currently 6.4.
On Wed, Sep 13, 2017 at 4:25 PM, Jakub Hrozek via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
On Wed, Sep 13, 2017 at 11:05:25PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
On ke, 13 syys 2017, Mark Haney via FreeIPA-users wrote:
On 09/13/2017 03:44 PM, Răzvan Corneliu C.R. VILT via FreeIPA-users
wrote:
Hi Mark,
Not all CentOS releases are created equal. Support for Sudo appeared later in IPA and you’ll probably need to update sssd and ipa-client. The one in 6.8 should work fine. I’ve recently enrolled a few rhel
6.4
servers and noticed the same thing but everything was solved after doing a yum update sssd.
Cheers, Răzvan
Unfortunately, sssd is already the 6.9 version:
python-sssdconfig-1.13.3-57.el6_9.noarch sssd-common-1.13.3-57.el6_9.x86_64 sssd-common-pac-1.13.3-57.el6_9.x86_64 sssd-ad-1.13.3-57.el6_9.x86_64 sssd-ldap-1.13.3-57.el6_9.x86_64 sssd-1.13.3-57.el6_9.x86_64 sssd-client-1.13.3-57.el6_9.x86_64 sssd-krb5-common-1.13.3-57.el6_9.x86_64 sssd-ipa-1.13.3-57.el6_9.x86_64 sssd-krb5-1.13.3-57.el6_9.x86_64 sssd-proxy-1.13.3-57.el6_9.x86_64
Check sudo version as well.
And if that doesn't help, follow https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html
Do you use default_domain_suffix with IPA-AD trusts? That's one thing that's known to not work on el6.. _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
You're probably not using the 6.9 repos. Try to temporarily set your repos to the 6.9 ones instead of using $releasever.
On 14 Sep 2017, at 14:15, Mark Haney via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Well this is interesting. The latest version of sudo is sudo-1.8.6p3-29.el6_9.x86_64. Mine is sudo-1.8.6-7.el6.x86_64. The issue here is that this box is CentOS 6.4 and I can't fully update it to 6.9. But I can't simply update sudo by itself:
[root@secure nnsops]# yum update sudo Loaded plugins: changelog, fastestmirror Setting up Update Process Loading mirror speeds from cached hostfile
- base: mirror.cogentco.com http://mirror.cogentco.com/
- epel: mirror.nodesdirect.com http://mirror.nodesdirect.com/
- extras: mirror.team-cymru.org http://mirror.team-cymru.org/
- updates: centos.vwtonline.net http://centos.vwtonline.net/
No Packages marked for Update
That's a good call on checking it, but I don't understand why I can't simply yum update sudo. I can download the package and update it, but I'm at a loss as to why I'm not seeing it even when I run just 'yum update'. I swear, I just don't understand how these systems were left not updated for years. This box is currently 6.4.
On Wed, Sep 13, 2017 at 4:25 PM, Jakub Hrozek via FreeIPA-users <freeipa-users@lists.fedorahosted.org mailto:freeipa-users@lists.fedorahosted.org> wrote: On Wed, Sep 13, 2017 at 11:05:25PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
On ke, 13 syys 2017, Mark Haney via FreeIPA-users wrote:
On 09/13/2017 03:44 PM, Răzvan Corneliu C.R. VILT via FreeIPA-users wrote:
Hi Mark,
Not all CentOS releases are created equal. Support for Sudo appeared later in IPA and you’ll probably need to update sssd and ipa-client. The one in 6.8 should work fine. I’ve recently enrolled a few rhel 6.4 servers and noticed the same thing but everything was solved after doing a yum update sssd.
Cheers, Răzvan
Unfortunately, sssd is already the 6.9 version:
python-sssdconfig-1.13.3-57.el6_9.noarch sssd-common-1.13.3-57.el6_9.x86_64 sssd-common-pac-1.13.3-57.el6_9.x86_64 sssd-ad-1.13.3-57.el6_9.x86_64 sssd-ldap-1.13.3-57.el6_9.x86_64 sssd-1.13.3-57.el6_9.x86_64 sssd-client-1.13.3-57.el6_9.x86_64 sssd-krb5-common-1.13.3-57.el6_9.x86_64 sssd-ipa-1.13.3-57.el6_9.x86_64 sssd-krb5-1.13.3-57.el6_9.x86_64 sssd-proxy-1.13.3-57.el6_9.x86_64
Check sudo version as well.
And if that doesn't help, follow https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html
Do you use default_domain_suffix with IPA-AD trusts? That's one thing that's known to not work on el6.. _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org mailto:freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org mailto:freeipa-users-leave@lists.fedorahosted.org
--
Mark Haney Network Engineer at NeoNova 919-460-3330 tel:(919)%20460-3330 (opt 1) • mark.haney@neonova.net mailto:mark.haney@neonova.net www.neonova.net https://neonova.net/ https://www.facebook.com/NeoNovaNNS/ https://twitter.com/NeoNova_NNS http://www.linkedin.com/company/neonova-network-services_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Okay, maybe something is very wrong with this server. I can't even set that and have it see updates. I even hardcoded the URL to a repo I KNOW has the updated sudo version. Still says no updates. I am so lost on this. It makes no sense.
So I downloaded the latest version of the sudo rpm and tried to install it with yum. This is what I get:
[root@secure nnsops]# yum install sudo-1.8.6p3-29.el6_9.x86_64.rpm Loaded plugins: changelog, fastestmirror Setting up Install Process Examining sudo-1.8.6p3-29.el6_9.x86_64.rpm: sudo-1.8.6p3-29.el6_9.x86_64 Error: Nothing to do
[root@secure nnsops]# rpm -qa | grep sudo sudo-1.8.6-7.el6.x86_64
This is insane.
On Thu, Sep 14, 2017 at 7:21 AM, Răzvan Vilt razvan.vilt@me.com wrote:
You're probably not using the 6.9 repos. Try to temporarily set your repos to the 6.9 ones instead of using $releasever.
On 14 Sep 2017, at 14:15, Mark Haney via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Well this is interesting. The latest version of sudo is sudo-1.8.6p3-29.el6_9.x86_64. Mine is sudo-1.8.6-7.el6.x86_64. The issue here is that this box is CentOS 6.4 and I can't fully update it to 6.9. But I can't simply update sudo by itself:
[root@secure nnsops]# yum update sudo Loaded plugins: changelog, fastestmirror Setting up Update Process Loading mirror speeds from cached hostfile
- base: mirror.cogentco.com
- epel: mirror.nodesdirect.com
- extras: mirror.team-cymru.org
- updates: centos.vwtonline.net
No Packages marked for Update
That's a good call on checking it, but I don't understand why I can't simply yum update sudo. I can download the package and update it, but I'm at a loss as to why I'm not seeing it even when I run just 'yum update'. I swear, I just don't understand how these systems were left not updated for years. This box is currently 6.4.
On Wed, Sep 13, 2017 at 4:25 PM, Jakub Hrozek via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
On Wed, Sep 13, 2017 at 11:05:25PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
On ke, 13 syys 2017, Mark Haney via FreeIPA-users wrote:
On 09/13/2017 03:44 PM, Răzvan Corneliu C.R. VILT via FreeIPA-users
wrote:
Hi Mark,
Not all CentOS releases are created equal. Support for Sudo appeared later in IPA and you’ll probably need to update sssd and ipa-client. The one in 6.8 should work fine. I’ve recently enrolled a few rhel
6.4
servers and noticed the same thing but everything was solved after doing a yum update sssd.
Cheers, Răzvan
Unfortunately, sssd is already the 6.9 version:
python-sssdconfig-1.13.3-57.el6_9.noarch sssd-common-1.13.3-57.el6_9.x86_64 sssd-common-pac-1.13.3-57.el6_9.x86_64 sssd-ad-1.13.3-57.el6_9.x86_64 sssd-ldap-1.13.3-57.el6_9.x86_64 sssd-1.13.3-57.el6_9.x86_64 sssd-client-1.13.3-57.el6_9.x86_64 sssd-krb5-common-1.13.3-57.el6_9.x86_64 sssd-ipa-1.13.3-57.el6_9.x86_64 sssd-krb5-1.13.3-57.el6_9.x86_64 sssd-proxy-1.13.3-57.el6_9.x86_64
Check sudo version as well.
And if that doesn't help, follow https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html
Do you use default_domain_suffix with IPA-AD trusts? That's one thing that's known to not work on el6.. _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedo rahosted.org
-- [image: photo] Mark Haney Network Engineer at NeoNova 919-460-3330 <(919)%20460-3330> (opt 1) • mark.haney@neonova.net www.neonova.net https://neonova.net/ https://www.facebook.com/NeoNovaNNS/ https://twitter.com/NeoNova_NNS http://www.linkedin.com/company/neonova-network-services _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
On to, 14 syys 2017, Mark Haney via FreeIPA-users wrote:
Well this is interesting. The latest version of sudo is sudo-1.8.6p3-29.el6_9.x86_64. Mine is sudo-1.8.6-7.el6.x86_64. The issue here is that this box is CentOS 6.4 and I can't fully update it to 6.9. But I can't simply update sudo by itself:
[root@secure nnsops]# yum update sudo Loaded plugins: changelog, fastestmirror Setting up Update Process Loading mirror speeds from cached hostfile
- base: mirror.cogentco.com
- epel: mirror.nodesdirect.com
- extras: mirror.team-cymru.org
- updates: centos.vwtonline.net
No Packages marked for Update
That's a good call on checking it, but I don't understand why I can't simply yum update sudo. I can download the package and update it, but I'm at a loss as to why I'm not seeing it even when I run just 'yum update'. I swear, I just don't understand how these systems were left not updated for years. This box is currently 6.4.
This is CentOS. See CentOS updates policy: https://wiki.centos.org/FAQ/General#head-dcca41e9a3d5ac4c6d900a991990fd11930...
Sigh. As I said, I edited the repo to point DIRECTLY to 6.9 and got the same result. Care to explain that with some other policy? Even then, DOWNLOADING the RPM still will not install. Is there a policy for that too?
On Thu, Sep 14, 2017 at 8:57 AM, Alexander Bokovoy abokovoy@redhat.com wrote:
On to, 14 syys 2017, Mark Haney via FreeIPA-users wrote:
Well this is interesting. The latest version of sudo is sudo-1.8.6p3-29.el6_9.x86_64. Mine is sudo-1.8.6-7.el6.x86_64. The issue here is that this box is CentOS 6.4 and I can't fully update it to 6.9. But I can't simply update sudo by itself:
[root@secure nnsops]# yum update sudo Loaded plugins: changelog, fastestmirror Setting up Update Process Loading mirror speeds from cached hostfile
- base: mirror.cogentco.com
- epel: mirror.nodesdirect.com
- extras: mirror.team-cymru.org
- updates: centos.vwtonline.net
No Packages marked for Update
That's a good call on checking it, but I don't understand why I can't simply yum update sudo. I can download the package and update it, but I'm at a loss as to why I'm not seeing it even when I run just 'yum update'. I swear, I just don't understand how these systems were left not updated for years. This box is currently 6.4.
This is CentOS. See CentOS updates policy: https://wiki.centos.org/FAQ/Ge neral#head-dcca41e9a3d5ac4c6d900a991990fd11930867d6
-- / Alexander Bokovoy
On to, 14 syys 2017, Mark Haney via FreeIPA-users wrote:
Sigh. As I said, I edited the repo to point DIRECTLY to 6.9 and got the same result. Care to explain that with some other policy? Even then, DOWNLOADING the RPM still will not install. Is there a policy for that too?
Well, I only pointed out that update repos for older releases stop being updated in CentOS after some time. Why local system does not update when you point directly to a supported release is a different story. Perhaps, you have some yum plugins that prevent that upgrade? Check /etc/yum/* configuration.
On Thu, Sep 14, 2017 at 8:57 AM, Alexander Bokovoy abokovoy@redhat.com wrote:
On to, 14 syys 2017, Mark Haney via FreeIPA-users wrote:
Well this is interesting. The latest version of sudo is sudo-1.8.6p3-29.el6_9.x86_64. Mine is sudo-1.8.6-7.el6.x86_64. The issue here is that this box is CentOS 6.4 and I can't fully update it to 6.9. But I can't simply update sudo by itself:
[root@secure nnsops]# yum update sudo Loaded plugins: changelog, fastestmirror Setting up Update Process Loading mirror speeds from cached hostfile
- base: mirror.cogentco.com
- epel: mirror.nodesdirect.com
- extras: mirror.team-cymru.org
- updates: centos.vwtonline.net
No Packages marked for Update
That's a good call on checking it, but I don't understand why I can't simply yum update sudo. I can download the package and update it, but I'm at a loss as to why I'm not seeing it even when I run just 'yum update'. I swear, I just don't understand how these systems were left not updated for years. This box is currently 6.4.
This is CentOS. See CentOS updates policy: https://wiki.centos.org/FAQ/Ge neral#head-dcca41e9a3d5ac4c6d900a991990fd11930867d6
-- / Alexander Bokovoy
-- [image: photo] Mark Haney Network Engineer at NeoNova 919-460-3330 <(919)%20460-3330> (opt 1) • mark.haney@neonova.net www.neonova.net https://neonova.net/ https://www.facebook.com/NeoNovaNNS/ https://twitter.com/NeoNova_NNS http://www.linkedin.com/company/neonova-network-services
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
On 09/14/2017 09:41 AM, Alexander Bokovoy wrote:
On to, 14 syys 2017, Mark Haney via FreeIPA-users wrote:
Sigh. As I said, I edited the repo to point DIRECTLY to 6.9 and got the same result. Care to explain that with some other policy? Even then, DOWNLOADING the RPM still will not install. Is there a policy for that too?
Well, I only pointed out that update repos for older releases stop being updated in CentOS after some time. Why local system does not update when you point directly to a supported release is a different story. Perhaps, you have some yum plugins that prevent that upgrade? Check /etc/yum/* configuration.
Well, after three days, I finally got sudo updated. And that fixed the problem I was having.
Turns out someone, in their infinite wisdom, had excluded sudo from being updated. No one in their right mind should ever need to exclude that significant a package, so I failed to check for exclusion. I'm really embarrassed for whoever did something that moronic, but that's probably why they are no longer here.
freeipa-users@lists.fedorahosted.org
-
Alexander Bokovoy -
Jakub Hrozek -
Mark Haney -
Răzvan Corneliu C.R. VILT -
Răzvan Vilt