Monday, June 16, 2014

[389-users] Issues related to the Sudoers. Not working..

Hi

I am finding problems trying to configure the sudoers on ds-389...
This is as far as I have reached, but it is still not working... I still
cannot download any rule at all.
the user "username" belongs to group1

is there anything I might be missing at all?

Sudoers Configuration in ds-389

---
dn: ou=SUDOers,dc=companyname,dc=com
objectClass: top
objectClass: OrganizationalUnit
ou: SUDOers

dn: cn=group1,ou=SUDOers,dc=companyname,dc=com
objectClass: top
objectClass: sudoRole
cn: sudogrp
sudoUser: %group1
sudoHost: ALL
sudoCommand: /usr/bin/sudo
sudoCommand: /usr/bin/su
----


/etc/sssd/sssd.conf
======
[domain/companyname]

krb5_realm = companyname.com
krb5_server = ldapserver.eweprod.companyname.com
enumerate = true
auth_provider = ldap
id_provider = ldap
sudo_provider = ldap
case_sensitive = False
debug_level = 5
chpass_provider = ldap
#pam_password = md5
#chpass_provider = krb5
cache_credentials = False

ldap_user_name = uid
ldap_default_authtok_type = password
ldap_search_base = dc=companyname,dc=com
ldap_user_search_base = ou=companynameAccts,DC=companyname,DC=com
ldap_group_search_base = OU=companynameGroups,dc=companyname,dc=com
ldap_default_bind_dn = uid=linuxuser,ou=companynameaccts,dc=companyname,dc=com
ldap_uri = ldaps://ldapserver.eweprod.companyname.com
ldap_sudo_search_base = ou=SUDOers,dc=companyname,dc=com
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = demand
ldap_schema = rfc2307bis
ldap_id_use_start_tls = False
ldap_default_authtok = password
access_provider = simple
simple_allow_groups = tester1, tester2
use_host_filter = false

#sudo
ldap_sudo_full_refresh_interval=86400
ldap_sudo_smart_refresh_interval=3600

[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = companyname
debug_level = 5

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]

[sudo]
debug_level = 6
=====

/etc/pam.d/sudo

---
#%PAM-1.0
auth sufficient pam_ldap.so
auth required pam_unix.so try_first_pass
auth required pam_nologin.so
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
------

Output log:

------
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Received client version [1].
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Offered version [1].
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'username' matched without domain, user is username
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'username' matched without domain, user is username
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting default options for [username] from [<ALL>]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [username@companyname]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [username@companyname]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving default options for [username] from [companyname]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=username)(sudoUser=#1000)(sudoUser=%group1)(sudoUser=+*))(&(dataExpireTimestamp<=1402933038)))]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(name=defaults)))]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]]
[sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for
[<default options>@companyname]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'username' matched without domain, user is username
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'username' matched without domain, user is username
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting rules for [username] from [<ALL>]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [username@companyname]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [username@companyname]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving rules for [username] from [companyname]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=username)(sudoUser=#1000)(sudoUser=%group1)(sudoUser=+*))(&(dataExpireTimestamp<=1402933038)))]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=username)(sudoUser=#1000)(sudoUser=%group1)(sudoUser=+*)))]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]]
[sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for
[username@companyname]
-----


Thanks very much for all your help
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
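An added check, not part of the original post or of sssd itself: it rebuilds the sysdb filter that appears in the sssd[sudo] log from a user, uid and group list, and evaluates it offline against the posted sudoRole LDIF (sssd caches fetched sudoRole entries under objectClass sudoRule, which the parser maps). A match here means the rule's sudoUser value is fine and "Returning 0 rules" points at the rules never reaching the cache from LDAP; the LDIF and uid are constructed from the post.

```python
# Added example (not from the post or sssd); LDIF below is constructed from it.
import re

LDIF = """dn: cn=group1,ou=SUDOers,dc=companyname,dc=com
objectClass: sudoRole
sudoUser: %group1
sudoHost: ALL
sudoCommand: /usr/bin/su
"""

def sysdb_filter(user, uid, groups):
    """Rebuild the user-matching filter seen in the sssd[sudo] debug log."""
    alts = [f"(sudoUser={user})", f"(sudoUser=#{uid})"]
    alts += [f"(sudoUser=%{g})" for g in groups]
    return ("(&(objectClass=sudoRule)(|(sudoUser=ALL)"
            + "".join(alts) + "(sudoUser=+*)))")

def parse_ldif(text):
    """One LDIF entry -> {attr_lower: [values]}; map sudoRole to cache name."""
    entry = {}
    for line in text.splitlines():
        attr, _, value = line.partition(":")
        if attr and value:
            entry.setdefault(attr.lower(), []).append(value.strip())
    entry["objectclass"] = ["sudoRule" if v.lower() == "sudorole" else v
                            for v in entry.get("objectclass", [])]
    return entry

def parse_filter(s, i=0):
    """Minimal RFC 4515 parser: &, | and equality with a '*' wildcard."""
    if s[i + 1] in "&|":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1            # consume the closing ')'
    end = s.index(")", i)
    attr, value = s[i + 1:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    pat = re.escape(node[2]).replace(r"\*", ".*")  # LDAP '*' wildcard
    # case-insensitive, matching the post's case_sensitive = False
    return any(re.fullmatch(pat, v, re.IGNORECASE)
               for v in entry.get(node[1], []))

def rule_matches(user, uid, groups, ldif=LDIF):
    node, _ = parse_filter(sysdb_filter(user, uid, groups))
    return matches(node, parse_ldif(ldif))
```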
