Hi,
I've been following Jakub's useful blog post[1], attempting to get sudo rules into our Active Directory, and usable by sudo via SSSD.
I've managed the schema extension, and built a rule, but whatever I've tried I've not managed to get the rule to apply.
When I run "sudo -l" as the user who should have received a sudo rule, I get the following:
[_johnbadm@sudotest ~]$ sudo -l
[sudo] password for _johnbadm:
Sorry, user _johnbadm may not run sudo on sudotest.
However, there *is* a rule in the SSSD db:
[root@sudotest ~]# ldbsearch -H /var/lib/sss/db/cache_AD.ldb '(objectClass=sudoRule)'
asq: Unable to register control with rootdse!
# record 1
dn: name=lessrule,cn=sudorules,cn=custom,cn=AD,cn=sysdb
cn: lessrule
dataExpireTimestamp: 1475513295
entryUSN: 17309854
name: lessrule
objectClass: sudoRule
originalDN: CN=lessrule,OU=sudoers,DC=example,DC=com
sudoCommand: /usr/bin/less
sudoHost: ALL
sudoHost: *.example.com
sudoRunAsUser: ALL
sudoUser: _johnbadm
distinguishedName: name=lessrule,cn=sudorules,cn=custom,cn=AD,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals
I'm running CentOS 6.8, with SSSD 1.13.3-22.el6.
[root@sudotest ~]# grep sudo /etc/nsswitch.conf
sudoers: files sss
[root@sudotest ~]# grep sudo /etc/sssd/sssd.conf
services = nss, pam, sudo
I turned on debug for the SSSD sudo service, and get:
https://paste.fedoraproject.org/442892/72188147/
Just read the debug again, and had a hunch around case sensitivity...
When I change the sudo rule to have:
sudoUser: _johnbADM
instead of:
sudoUser: _johnbadm
it works. Surely the matching of rules should be case insensitive, shouldn't it? The username form "_johnbADM" presumably works because the AD user's sAMAccountName is the form with the mixed case, which you can see in the SSSD DB:
# record 25
dn: name=_johnbADM,cn=users,cn=AD,cn=sysdb
createTimestamp: 1475573234
fullName: John Beranek ADM
gecos: John Beranek ADM
Thoughts?
John
Forgot my footnote:
[1] https://jhrozek.wordpress.com/2014/07/21/add-sudo-rules-to-active-directory-...
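Until a fixed SSSD is in place, the workaround the thread lands on is to spell sudoUser (and %group) values exactly as the name is cached from AD. The script below is an added example, not code from the thread or from SSSD: it parses LDIF-style output such as ldbsearch prints and reports sudoUser values that match a cached user or group only when case is ignored. The sample records are constructed from the entries quoted above; the group entry, the %linux_admins value and the helper names parse_ldif and check_sudo_users are assumptions made for the example.

```python
import sys

# Constructed sample, modelled on the cache records quoted in the thread;
# the group entry and the %linux_admins value are invented for the example.
SAMPLE_LDIF = """\
# record 1
dn: name=lessrule,cn=sudorules,cn=custom,cn=AD,cn=sysdb
cn: lessrule
name: lessrule
objectClass: sudoRule
originalDN: CN=lessrule,OU=sudoers,DC=example,DC=com
sudoCommand: /usr/bin/less
sudoHost: ALL
sudoRunAsUser: ALL
sudoUser: _johnbadm
sudoUser: %linux_admins

# record 2
dn: name=_johnbADM,cn=users,cn=AD,cn=sysdb
name: _johnbADM
objectClass: user

# record 3
dn: name=Linux_Admins,cn=groups,cn=AD,cn=sysdb
name: Linux_Admins
objectClass: group
"""


def parse_ldif(text):
    """Split LDIF output (as printed by ldbsearch/ldapsearch) into records.

    Each record is a dict mapping the lower-cased attribute name to the
    list of its values; comment lines are dropped and wrapped lines
    (leading space) are joined back onto the previous value.
    """
    records, current, last_attr = [], {}, None
    for line in text.splitlines():
        if not line.strip():                 # blank line terminates a record
            if current:
                records.append(current)
            current, last_attr = {}, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += line[1:]
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        last_attr = attr.strip().lower()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        records.append(current)
    return records


def _classes(rec):
    return {c.lower() for c in rec.get("objectclass", [])}


def check_sudo_users(records):
    """Return (rule, sudoUser value, status, exact value) for every sudoUser
    that names a user or %group.

    status is "exact" when the value matches a cached name byte for byte,
    "case-only" when it matches only case-insensitively (the situation the
    thread hit), and "unknown" when no cached user/group has that name.
    The last element is the value spelled as the cache has it, or None.
    """
    users, groups = {}, {}
    for rec in records:
        name = rec.get("name", [None])[0]
        if not name:
            continue
        if "user" in _classes(rec):
            users[name.lower()] = name
        elif "group" in _classes(rec):
            groups[name.lower()] = name

    findings = []
    for rec in records:
        if "sudorule" not in _classes(rec):
            continue
        rule = (rec.get("cn") or rec.get("name") or ["?"])[0]
        for value in rec.get("sudouser", []):
            # ALL, +netgroup and #uid forms are not name lookups; skip them.
            if not value or value == "ALL" or value[0] in "+#":
                continue
            if value.startswith("%"):
                table, lookup, prefix = groups, value[1:], "%"
            else:
                table, lookup, prefix = users, value, ""
            cached = table.get(lookup.lower())
            if cached is None:
                status = "unknown"
            elif cached == lookup:
                status = "exact"
            else:
                status = "case-only"
            findings.append((rule, value, status, prefix + cached if cached else None))
    return findings


if __name__ == "__main__":
    # Pipe real ldbsearch output in, or run without input to see the sample.
    text = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    for rule, value, status, exact in check_sudo_users(parse_ldif(text)):
        hint = "" if status != "case-only" else "  (cache has %r)" % exact
        print("%s: sudoUser %s -> %s%s" % (rule, value, status, hint))
```

Against a live client, feed it the rule, user and group records together, e.g. ldbsearch -H /var/lib/sss/db/cache_AD.ldb '(|(objectClass=sudoRule)(objectClass=user)(objectClass=group))' piped into the script; any "case-only" line is a rule that sudo -l will silently ignore on the affected SSSD versions.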
On Tue, Oct 04, 2016 at 10:32:51AM +0100, John Beranek wrote:
Hi,
I've been following Jakub's useful blog post[1], attempting to get sudo rules into our Active Directory, and usable by sudo via SSSD.
[snip]
Thoughts?
Yes, sorry about this, it's a known bug: https://fedorahosted.org/sssd/ticket/3203 and we are working on a fix.
On 4 October 2016 at 10:37, Jakub Hrozek jhrozek@redhat.com wrote:
On Tue, Oct 04, 2016 at 10:32:51AM +0100, John Beranek wrote:
Hi,
I've been following Jakub's useful blog post[1], attempting to get sudo rules into our Active Directory, and usable by sudo via SSSD.
[snip]
Thoughts?
Yes, sorry about this, it's a known bug: https://fedorahosted.org/sssd/ticket/3203 and we are working on a fix.
OK, thanks. Just to confirm, groups specified in the sudo rule are also being matched with case sensitivity, not just users.
John
One further question about SSSD and sudo... is it possible to force a cache refresh?
There's no mention of sudo in sss_cache(8), and doing "sss_cache -E" doesn't appear to refresh the rules.
I've made a change to a sudo rule in AD, but it doesn't seem to be very quick to propagate down to the SSSD client...
John
On 4 October 2016 at 10:52, John Beranek john@redux.org.uk wrote:
[snip]
--
John Beranek                      To generalise is to be an idiot.
http://redux.org.uk/                                -- William Blake
Hmm, though it could be my test setup, which seems to fall off the domain commonly (perhaps after an sss_cache -E) with errors like:
Oct 4 12:21:57 how-centos6-tpl [sssd[ldap_child[15261]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
John
On 4 October 2016 at 12:21, John Beranek john@redux.org.uk wrote:
One further question about SSSD and sudo... is it possible to force a cache refresh?
There's no mention of sudo in sss_cache(8), and doing "sss_cache -E" doesn't appear to refresh the rules.
I've made a change to a sudo rule in AD, but it doesn't seem to be very quick to propagate down to the SSSD client...
John
[snip]
On Tue, Oct 04, 2016 at 12:23:38PM +0100, John Beranek wrote:
Hmm, though it could be my test setup, which seems to fall off the domain commonly (perhaps after an sss_cache -E) with errors like:
Oct 4 12:21:57 how-centos6-tpl [sssd[ldap_child[15261]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
I wonder if the domain rotates the keytab? But 6.8 should already support this provided you install adcli on the machine.
Looks like I had a krb5.keytab with both the VM template's hostname and the test VM's hostname. Clearing that out seems to have fixed it.
John
On 4 October 2016 at 12:35, Jakub Hrozek jhrozek@redhat.com wrote:
On Tue, Oct 04, 2016 at 12:23:38PM +0100, John Beranek wrote:
[snip]
I wonder if the domain rotates the keytab? But 6.8 should already support this provided you install adcli on the machine.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
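The cause John found, a krb5.keytab carrying the VM template's host principals next to the clone's, is easy to reproduce on any cloned image and shows up exactly as the ldap_child "Preauthentication failed" line above. The script below is an added example, not from the thread or from SSSD: it parses the text klist -k prints and lists every keytab entry that does not belong to this host. The sample output is constructed (the hostnames follow the ones in the thread) and the helper names parse_klist, principal_host and foreign_entries are assumptions made for the example.

```python
import re
import socket

# Constructed sample of `klist -k` output for a clone that still carries the
# template's keys; hostnames follow the ones that appear in the thread.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/how-centos6-tpl.example.com@EXAMPLE.COM
   2 HOW-CENTOS6-TPL$@EXAMPLE.COM
   3 host/sudotest.example.com@EXAMPLE.COM
   3 SUDOTEST$@EXAMPLE.COM
"""

_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_klist(text):
    """Return [(kvno, principal), ...] from `klist -k` output, skipping the
    header and separator lines."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def principal_host(principal):
    """Host a keytab principal belongs to, lower-cased, or None if it is not
    a host-style principal (service/host@REALM or AD's NAME$@REALM)."""
    name = principal.split("@", 1)[0]
    if "/" in name:
        return name.split("/", 1)[1].lower()
    if name.endswith("$"):
        return name[:-1].lower()
    return None


def foreign_entries(entries, hostname):
    """Entries whose principal is not for `hostname` (pass the FQDN; the
    short name derived from it is accepted too, for the NAME$ form).

    Anything that cannot be tied to this host is reported, so a keytab
    inherited from a VM template shows up with every stale principal."""
    fqdn = hostname.lower()
    ours = {fqdn, fqdn.split(".", 1)[0]}
    return [(kvno, p) for kvno, p in entries if principal_host(p) not in ours]


if __name__ == "__main__":
    # Against a live system: klist -k | python3 this_script.py
    import sys
    text = SAMPLE_KLIST if sys.stdin.isatty() else sys.stdin.read()
    stale = foreign_entries(parse_klist(text), socket.getfqdn())
    for kvno, principal in stale:
        print("stale keytab entry (kvno %d): %s" % (kvno, principal))
    # Remove stale slots with ktutil (rkt, list, delent <slot>, wkt) or
    # re-join the host so that a fresh keytab is written.
```

Run it as part of the first-boot step of a cloned template: if it prints anything, the clone is still presenting the template's credentials, which is what SSSD's ldap_child was tripping over above.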
On Tue, Oct 04, 2016 at 12:21:29PM +0100, John Beranek wrote:
One further question about SSSD and sudo... is it possible to force a cache refresh?
There's no mention of sudo in sss_cache(8), and doing "sss_cache -E" doesn't appear to refresh the rules.
I've made a change to a sudo rule in AD, but it doesn't seem to be very quick to propagate down to the SSSD client...
This was implemented in sssd-1-14 only, sorry.