Hi
I am trying to get sudo with sssd to work with the Samba4 provider, but I can't. I have joined the domain using realmd:
realm --client-software=sssd join mmdd.indra.es
After that, I have modified some sssd settings to add the sudo service, enable enumerate (during debugging), etc.:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[sssd]
domains = xxxx.yyyy.es
config_file_version = 2
services = nss, pam, sudo, ssh

[sudo]

[ssh]

[domain/xxxx.yyyy.es]
enumerate = True
ad_domain = xxxx.yyyy.es
krb5_realm = XXXX.YYYY.ES
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
case_sensitive = false
ldap_user_ssh_public_key = sshPublicKey
sudo_provider = ldap
ldap_sudo_search_base = OU=SUDOers,DC=xxxx,DC=yyyy,DC=es
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enabled and restarted sssd and oddjob. Now I see users and groups using getent, and I can log in to the client using SSH.
Then I added the OU=SUDOers tree to Samba4:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
dn: OU=SUDOers,DC=xxxx,DC=yyyy,DC=es
objectClass: organizationalUnit
objectClass: top
ou: SUDOers
name: SUDOers

dn: CN=wheel,OU=SUDOers,DC=xxxx,DC=yyyy,DC=es
objectClass: sudoRole
objectClass: top
cn: wheel
name: wheel
sudoCommand: ALL
sudoHost: ALL
sudoUser: %wheel

dn: CN=root,OU=SUDOers,DC=xxxx,DC=yyyy,DC=es
objectClass: sudoRole
objectClass: top
cn: root
name: root
sudoCommand: ALL
sudoHost: ALL
sudoUser: root

dn: CN=sysadm,OU=SUDOers,DC=xxxx,DC=yyyy,DC=es
objectClass: sudoRole
objectClass: top
cn: sysadm
name: sysadm
sudoCommand: ALL
sudoHost: ALL
sudoUser: %sysadm

dn: CN=defaults,OU=SUDOers,DC=xxxx,DC=yyyy,DC=es
objectClass: sudoRole
objectClass: top
cn: defaults
description: Default sudoOptions go here
distinguishedName: CN=defaults,OU=SUDOers,DC=xxxx,DC=yyyy,DC=es
name: defaults
sudoOption: env_keep+=SSH_AUTH_SOCK
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I have a user that is a member of the sysadm group (I show only relevant information):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
dn: CN=My Full Name,OU=Usuarios,DC=xxxx,DC=yyyy,DC=es
objectClass: posixAccount
sAMAccountName: jasensios
gidNumber: 10004
loginShell: /bin/bash
memberOf: CN=sysadm,OU=Grupos,DC=mmdd,DC=indra,DC=es
msSFU30Name: jasensios
msSFU30NisDomain: xxxx
msSFU30PosixMemberOf: CN=sysadm,OU=Grupos,DC=xxxx,DC=yyyy,DC=es
uid: jasensios
uidNumber: 10000
unixHomeDirectory: /home/jasensios

dn: CN=sysadm,OU=Grupos,DC=xxxx,DC=yyyy,DC=es
objectClass: posixGroup
cn: sysadm
sAMAccountName: sysadm
gidNumber: 10014
member:
memberUid: jasensios
msSFU30Name: sysadm
msSFU30NisDomain: xxxx
msSFU30PosixMember: CN=My Full Name,OU=Usuarios,DC=xxxx,DC=yyyy,DC=es
name: sysadm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
After logging in with the user on the client:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[jasensios@client01 ~]$ id
uid=10000(jasensios) gid=10004(domain users) grupos=10004(domain users),10005(sysadm_pro),10014(sysadm)
[jasensios@client01 ~]$ groups
domain users sysadm
[jasensios@client01 ~]$ getent passwd jasensios
jasensios:*:10000:10004:My Full Name:/home/jasensios:/bin/bash
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
But....
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[jasensios@client01 ~]$ sudo -l
[sudo] password for jasensios:
User jasensios is not allowed to run sudo on client01.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Any advice?
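Since `sudo -l` denies the user even though the directory holds a `%sysadm` rule, it helps to separate "the rules do not grant this user" from "sssd never delivered the rules to sudo". The Python script below is an added example, not code from the original post or from sssd: it replays sudoers-ldap matching of sudoUser/sudoHost over three of the LDIF entries shown above, assuming the group names as the client resolves them (the `id` output) and ignoring netgroups and sudoCommand.

```python
# Constructed sample: three of the sudoRole entries from the post, as LDIF.
SUDOERS_LDIF = """\
dn: CN=root,OU=SUDOers,DC=xxxx,DC=yyyy,DC=es
cn: root
sudoCommand: ALL
sudoHost: ALL
sudoUser: root

dn: CN=sysadm,OU=SUDOers,DC=xxxx,DC=yyyy,DC=es
cn: sysadm
sudoCommand: ALL
sudoHost: ALL
sudoUser: %sysadm

dn: CN=defaults,OU=SUDOers,DC=xxxx,DC=yyyy,DC=es
cn: defaults
sudoOption: env_keep+=SSH_AUTH_SOCK
"""

def parse_ldif(text):
    """Parse a flat LDIF dump into a list of {attribute: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, val = line.partition(": ")
            entry.setdefault(attr, []).append(val)
        entries.append(entry)
    return entries

def user_matches(spec, user, groups):
    """sudoUser value: ALL, a login name, or %group (sudoers-ldap syntax)."""
    if spec == "ALL":
        return True
    if spec.startswith("%"):
        return spec[1:] in groups
    return spec == user

def host_matches(spec, host):
    return spec == "ALL" or spec.lower() == host.lower()

def matching_rules(entries, user, groups, host):
    """cn of every sudoRole whose sudoUser and sudoHost both match `user` on
    `host`; the defaults entry has no sudoUser and so never grants anything."""
    return [e["cn"][0] for e in entries
            if any(user_matches(u, user, groups) for u in e.get("sudoUser", []))
            and any(host_matches(h, host) for h in e.get("sudoHost", []))]
```

If this returns the sysadm rule for jasensios on client01 (as it does with the groups from the `id` output) while sudo still denies, the rule data is fine and the fault lies in delivery: search base, provider choice, or the sssd sudo cache.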
On (25/01/16 14:19), Juan Asensio Sánchez wrote:
> Hi
> I am trying to get sudo with sssd to work with the Samba4 provider, but I can't. I have joined the domain using realmd:
> realm --client-software=sssd join mmdd.indra.es
> After that, I have modified some sssd settings to add the sudo service, enable enumerate (during debugging), etc.:
I would recommend disabling enumeration for the AD provider.
> [sssd]
> domains = xxxx.yyyy.es
> config_file_version = 2
> services = nss, pam, sudo, ssh
>
> [sudo]
>
> [ssh]
>
> [domain/xxxx.yyyy.es]
> enumerate = True
> ad_domain = xxxx.yyyy.es
> krb5_realm = XXXX.YYYY.ES
> realmd_tags = manages-system joined-with-samba
> cache_credentials = True
> id_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = False
> use_fully_qualified_names = False
> fallback_homedir = /home/%u
> access_provider = ad
> case_sensitive = false
> ldap_user_ssh_public_key = sshPublicKey
> sudo_provider = ldap
Which version of sssd do you use? Because sssd >= 1.12.0 has a native AD sudo provider.
Is sudo compiled with sssd support?
sh$ sudo --version | grep sss
https://jhrozek.wordpress.com/2014/07/21/add-sudo-rules-to-active-directory-...
And here is a link to the sudo troubleshooting wiki: https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
LS
Hi
Sorry, I forgot to include versions:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[root@client01 ~]# lsb_release -a
LSB Version:    :core-4.1-amd64:core-4.1-noarch
Distributor ID: RedHatEnterpriseServer
Description:    Red Hat Enterprise Linux Server release 7.2 (Maipo)
Release:        7.2
Codename:       Maipo

[root@client01 ~]# rpm -qa | grep sudo
sudo-1.8.6p7-16.el7.x86_64

[root@client01 ~]# rpm -qa | grep sssd
sssd-client-1.13.0-40.el7_2.1.x86_64
sssd-krb5-common-1.13.0-40.el7_2.1.x86_64
sssd-krb5-1.13.0-40.el7_2.1.x86_64
sssd-common-1.13.0-40.el7_2.1.x86_64
sssd-common-pac-1.13.0-40.el7_2.1.x86_64
sssd-ad-1.13.0-40.el7_2.1.x86_64
sssd-ldap-1.13.0-40.el7_2.1.x86_64
sssd-1.13.0-40.el7_2.1.x86_64
python-sssdconfig-1.13.0-40.el7_2.1.noarch
sssd-ipa-1.13.0-40.el7_2.1.x86_64
sssd-proxy-1.13.0-40.el7_2.1.x86_64

[root@client01 ~]# sudo -V | grep -i version
Sudoers policy plugin version 1.8.6p7
Sudoers file grammar version 42
Sudoers I/O plugin version 1.8.6p7

[root@client01 ~]# sudo -V | grep --color sss
Opciones de configuración: --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --prefix=/usr --sbindir=/usr/sbin --libdir=/usr/lib64 --docdir=/usr/share/doc/sudo-1.8.6p7 --with-logging=syslog --with-logfac=authpriv --with-pam --with-pam-login --with-editor=/bin/vi --with-env-editor --with-ignore-dot --with-tty-tickets --with-ldap --with-ldap-conf-file=/etc/sudo-ldap.conf --with-selinux --with-passprompt=[sudo] password for %p: --with-linux-audit *--with-sssd* --with-gcrypt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I have read these two webpages, without success. I have enabled sssd-sudo debugging according to https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO, but I haven't found any relevant information in the logs (lots of messages, including successful searches, groups without members ¿?, etc.). Among all those messages, how would I filter to get the relevant ones?
Regards and thanks in advance.
On 2016-01-25 14:41 GMT+01:00, Lukas Slebodnik <lslebodn@redhat.com> wrote: