I saw the light after hours...
Solution:
for pam.d/sudo
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
And for the ou=SUDOers, APPLY read policies for the relevant users or
groups!! (That is the reason why it could not download anything from
that group. The user/group which runs the bindings on sssd was NOT able
to read that OU!!)
Thanks very much guys
On 2014-06-16 08:47, g.fer.ordas@unicyber.co.uk wrote:
> Hi
>
> I am finding problems trying to configure the sudoers on ds-389...
> This is as far as I have reached, but it is still not working... I still
> cannot download any rule at all
> the user "username" belongs to group1
>
> is there anything I might be missing at all?
>
> Sudoers Configuration in ds-389
>
> ---
> dn: ou=SUDOers,dc=companyname,dc=com
> objectClass: top
> objectClass: OrganizationalUnit
> ou: SUDOers
>
> dn: cn=group1,ou=SUDOers,dc=companyname,dc=com
> objectClass: top
> objectClass: sudoRole
> # cn must carry the RDN value used in the dn above
> cn: group1
> # %group1 matches members of the POSIX group "group1"
> sudoUser: %group1
> sudoHost: ALL
> sudoCommand: /usr/bin/sudo
> sudoCommand: /usr/bin/su
> ----
>
>
> /etc/sssd/sssd.conf
> ======
> [domain/companyname]
>
> krb5_realm = companyname.com
> krb5_server = ldapserver.eweprod.companyname.com
> enumerate = true
> auth_provider = ldap
> id_provider = ldap
> sudo_provider = ldap
> case_sensitive = False
> debug_level = 5
> chpass_provider = ldap
> #pam_password = md5
> #chpass_provider = krb5
> cache_credentials = False
>
> ldap_user_name = uid
> ldap_default_authtok_type = password
> ldap_search_base = dc=companyname,dc=com
> ldap_user_search_base = ou=companynameAccts,DC=companyname,DC=com
> ldap_group_search_base = OU=companynameGroups,dc=companyname,dc=com
> ldap_default_bind_dn = uid=linuxuser,ou=companynameaccts,dc=companyname,dc=com
> ldap_uri = ldaps://ldapserver.eweprod.companyname.com
> ldap_sudo_search_base = ou=SUDOers,dc=companyname,dc=com
> ldap_tls_cacertdir = /etc/openldap/cacerts
> ldap_tls_reqcert = demand
> ldap_schema = rfc2307bis
> ldap_id_use_start_tls = False
> ldap_default_authtok = password
> access_provider = simple
> simple_allow_groups = tester1, tester2
> use_host_filter = false
>
> #sudo
> ldap_sudo_full_refresh_interval=86400
> ldap_sudo_smart_refresh_interval=3600
>
> [sssd]
> config_file_version = 2
> services = nss, pam, sudo
> domains = companyname
> debug_level = 5
>
> [nss]
> filter_groups = root
> filter_users = root
> reconnection_retries = 3
>
> [pam]
>
> [sudo]
> debug_level = 6
> =====
>
> /etc/pam.d/sudo
>
> ---
> #%PAM-1.0
> auth sufficient pam_ldap.so
> auth required pam_unix.so try_first_pass
> auth required pam_nologin.so
> auth include system-auth
> account include system-auth
> password include system-auth
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> ------
>
> Output log:
>
> ------
> (Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sss_cmd_get_version]
> (0x0200): Received client version [1].
> (Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sss_cmd_get_version]
> (0x0200): Offered version [1].
> (Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): name 'username' matched without domain, user is username
> (Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): using default domain [(null)]
> (Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): name 'username' matched without domain, user is username
> (Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): using default domain [(null)]
> (Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
> (0x0200): Requesting default options for [username] from [<ALL>]
> (Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200):
> Requesting info about [username@companyname]
> (Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400):
> Returning info for user [username@companyname]
> (Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
> Retrieving default options for [username] from [companyname]
> (Mon Jun 16 11:37:18 2014) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=username)(sudoUser=#1000)(sudoUser=%group1)(sudoUser=+*))(&(dataExpireTimestamp<=1402933038)))]
> (Mon Jun 16 11:37:18 2014) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(name=defaults)))]
> (Mon Jun 16 11:37:18 2014) [sssd[sudo]]
> [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for
> [<default options>@companyname]
> (Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): name 'username' matched without domain, user is username
> (Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): using default domain [(null)]
> (Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): name 'username' matched without domain, user is username
> (Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): using default domain [(null)]
> (Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
> (0x0200): Requesting rules for [username] from [<ALL>]
> (Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200):
> Requesting info about [username@companyname]
> (Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400):
> Returning info for user [username@companyname]
> (Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
> Retrieving rules for [username] from [companyname]
> (Mon Jun 16 11:37:18 2014) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=username)(sudoUser=#1000)(sudoUser=%group1)(sudoUser=+*))(&(dataExpireTimestamp<=1402933038)))]
> (Mon Jun 16 11:37:18 2014) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=username)(sudoUser=#1000)(sudoUser=%group1)(sudoUser=+*)))]
> (Mon Jun 16 11:37:18 2014) [sssd[sudo]]
> [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for
> [username@companyname]
> -----
>
>
> Thanks very much for all your help
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
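The fix above is an LDAP permission problem, not a PAM or sssd one: sssd performs its sudoers search as ldap_default_bind_dn, so that bind DN needs read, search and compare on ou=SUDOers and everything below it. The following script is an added example and is not part of the thread or of the 389-ds or sssd projects. It prints a 389-ds ACI that grants exactly that access (the bind DN and OU DN default to the ones in the poster's sssd.conf; the attribute list assumes the standard sudoers LDAP schema names), and it wraps the ldapsearch check a practitioner should run as the bind DN to confirm the sudoRole entries are actually visible before touching sssd again. The counting helper reads LDIF on stdin so it can be exercised on constructed output without a directory server.

```shell
#!/bin/sh
# Added example (not from the thread): grant the sssd bind DN read access to
# ou=SUDOers in 389-ds and verify the sudoRole entries are visible to it.

# Print an LDIF modify that adds a read-only ACI on the sudoers OU for the
# sssd bind DN. ACIs on an entry apply to its whole subtree, so one ACI on the
# OU covers every sudoRole beneath it. Only read/search/compare is granted:
# a bind DN that could write here could hand out sudo to anyone.
# $1: bind DN, $2: sudoers OU DN (defaults are the values from the thread).
sudoers_read_aci_ldif() {
    bind_dn="${1:-uid=linuxuser,ou=companynameaccts,dc=companyname,dc=com}"
    ou_dn="${2:-ou=SUDOers,dc=companyname,dc=com}"
    cat <<EOF
dn: ${ou_dn}
changetype: modify
add: aci
aci: (targetattr="cn || ou || objectClass || sudoUser || sudoHost || sudoCommand || sudoOption || sudoRunAsUser || sudoRunAsGroup || sudoNotBefore || sudoNotAfter || sudoOrder")(version 3.0; acl "sssd sudo read"; allow (read, search, compare) userdn="ldap:///${bind_dn}";)
EOF
}

# Count sudoRole entries in LDIF read from stdin (attribute names in LDIF are
# case-insensitive, hence the lowercasing). Always exits 0 and prints a number.
count_sudo_roles() {
    awk 'tolower($0) ~ /^objectclass: *sudorole$/ { n++ } END { print n + 0 }'
}

# Search the sudoers subtree exactly as sssd does, but bound as the sssd bind
# DN, and report how many sudoRole entries that identity can see. Zero means
# the ACI is missing or wrong, whatever the sssd logs say about the cache.
# $1: LDAP URI, $2: bind DN, $3: sudoers search base. Prompts for the password.
check_sudoers_visible() {
    uri="$1"; bind_dn="$2"; base="$3"
    n=$(ldapsearch -LLL -x -H "$uri" -D "$bind_dn" -W -b "$base" -s sub \
            '(objectClass=sudoRole)' objectClass | count_sudo_roles)
    if [ "$n" -eq 0 ]; then
        echo "bind DN $bind_dn sees no sudoRole entries under $base: check the ACI" >&2
        return 1
    fi
    echo "bind DN $bind_dn can read $n sudoRole entries under $base"
}

# Usage:
#   sh sudoers_acl.sh aci [bind_dn] [ou_dn] > sudoers-aci.ldif
#   sh sudoers_acl.sh check ldaps://ldapserver.example.com \
#       uid=linuxuser,ou=companynameaccts,dc=companyname,dc=com \
#       ou=SUDOers,dc=companyname,dc=com
case "${1:-}" in
    aci)   sudoers_read_aci_ldif "${2:-}" "${3:-}" ;;
    check) check_sudoers_visible "$2" "$3" "$4" ;;
esac
```

Apply the generated LDIF with an administrative bind (for example `ldapmodify -x -H ldaps://ldapserver.example.com -D "cn=Directory Manager" -W -f sudoers-aci.ldif`), re-run the `check` subcommand as the sssd bind DN, and only then invalidate sssd's cache with `sss_cache -E` (or restart sssd): with the thread's `ldap_sudo_full_refresh_interval=86400`, an empty sudo cache is otherwise kept for a day and `sudo -l -U username` keeps reporting nothing. Two caveats worth stating: the bind DN's password sits in cleartext in sssd.conf as `ldap_default_authtok`, so that file must stay root-only (mode 0600) and the bind DN must never get write access to the sudoers OU; and a rule whose `sudoCommand` includes `/usr/bin/su` is equivalent to granting full root, so treat that role's membership accordingly.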