2:12 p.m.
Morning,
Having an issue with 6 test servers not allowing sudo even though they
are in the same hostgroup as other boxes that do allow sudo.
sss_sudo.log
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting
rules with higher-wins logic
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400):
Returning 1 rules for [myid@mydomain.local(a)mydomain.local]
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_build_response] (0x2000):
error: [0]
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_build_response] (0x2000):
rules_num: [0]
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_build_response] (0x2000):
rule [1]/[1]
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): cn:whc_inf
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): objectClass:sudoRule
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoCommand:/sbin/*
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoCommand:/bin/*
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoCommand:/usr/sbin/*
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoCommand:/usr/bin/*
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+whc_all THIS IS THE HBAC/SUDO RULE name allowing
sudo and the rest of the commands listed here
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+whc_and
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+whc_cept
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+whc_inf
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+whc_id
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+whc_jump
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoOption:!authenticate
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoRunAsUser:root
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoUser:#325400379
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [client_close_fn] (0x2000):
Terminated client [0x7f08580a8f00][18]
(Tue Feb 20 15:32:17 2018) [sssd[sudo]] [get_client_cred] (0x4000): Client
creds: euid[0] egid[1006] pid[1786].
(Tue Feb 20 15:32:17 2018) [sssd[sudo]] [get_client_cred] (0x0080): The
following failure is expected to happen in case SELinux is disabled:
SELINUX_getpeercon failed [92][Protocol not available].
Please, consider enabling SELinux in your system.
(Tue Feb 20 15:32:17 2018) [sssd[sudo]] [setup_client_idle_timer] (0x4000):
Idle timer re-set for client [0x7f08580b42d0][18]
keeps prompting even though the pw is right
[myid@server1 ~]$ sudo -i
[sudo] password for myid:
Sorry, try again.
[sudo] password for myid:
Sorry, try again.
[sudo] password for myid:
Run Sudo -L and my password is taken and shows none of the rules
sss_sudo.log returned
[myid@server1~]$ sudo -l
[sudo] password for myid:
Matching Defaults entries for myid on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC
KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG
LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER
LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, logfile=/var/log/sudo.log
User myid may run the following commands on this host:
(root) !/usr/local/bin/sudo, !/usr/bin/sudo, !/bin/sudo
As you can see even thought the sss sudo log returns the correct sudo rule
to the server I am not seeing the rules with sudo -l
Client having sudo issues
ipa-client-4.5.0-22.el7_4.x86_64
sssd-client-1.15.2-50.el7_4.2.x86_64
IPA Server
ipa-server-4.5.0-21.el7_4.2.2.x86_64
sssd-client-1.15.2-50.el7_4.6.x86_64
Caveat: the real host name looks like this
hgts-aci-2-27123795-7629-4bfd-949e-5ee8e9f882664 and does enroll into IPA
but not sure if this non standard form works with everything
Sean Hogan
2:24 p.m.
Issue resolved.. changed the host name to a more sane one and sudo working
without issue
Sean Hogan
From: Sean Hogan via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org>
To: freeipa-users <freeipa-users(a)lists.fedorahosted.org>
Cc: Sean Hogan <schogan(a)us.ibm.com>
Date: 02/20/2018 01:13 PM
Subject: [Freeipa-users] Sudo and SSSD
Morning,
Having an issue with 6 test servers not allowing sudo even though they are
in the same hostgroup as other boxes that do allow sudo.
sss_sudo.log
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting
rules with higher-wins logic
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400):
Returning 1 rules for [myid@mydomain.local(a)mydomain.local]
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_build_response] (0x2000):
error: [0]
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_build_response] (0x2000):
rules_num: [0]
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_build_response] (0x2000):
rule [1]/[1]
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): cn:whc_inf
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): objectClass:sudoRule
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoCommand:/sbin/*
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoCommand:/bin/*
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoCommand:/usr/sbin/*
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoCommand:/usr/bin/*
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+whc_all THIS IS THE HBAC/SUDO RULE name allowing sudo
and the rest of the commands listed here
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+whc_and
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+whc_cept
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+whc_inf
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+whc_id
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+whc_jump
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoOption:!authenticate
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoRunAsUser:root
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoUser:#325400379
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [client_close_fn] (0x2000):
Terminated client [0x7f08580a8f00][18]
(Tue Feb 20 15:32:17 2018) [sssd[sudo]] [get_client_cred] (0x4000): Client
creds: euid[0] egid[1006] pid[1786].
(Tue Feb 20 15:32:17 2018) [sssd[sudo]] [get_client_cred] (0x0080): The
following failure is expected to happen in case SELinux is disabled:
SELINUX_getpeercon failed [92][Protocol not available].
Please, consider enabling SELinux in your system.
(Tue Feb 20 15:32:17 2018) [sssd[sudo]] [setup_client_idle_timer] (0x4000):
Idle timer re-set for client [0x7f08580b42d0][18]
keeps prompting even though the pw is right
[myid@server1 ~]$ sudo -i
[sudo] password for myid:
Sorry, try again.
[sudo] password for myid:
Sorry, try again.
[sudo] password for myid:
Run Sudo -L and my password is taken and shows none of the rules
sss_sudo.log returned
[myid@server1~]$ sudo -l
[sudo] password for myid:
Matching Defaults entries for myid on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC
KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER
LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, logfile=/var/log/sudo.log
User myid may run the following commands on this host:
(root) !/usr/local/bin/sudo, !/usr/bin/sudo, !/bin/sudo
As you can see even thought the sss sudo log returns the correct sudo rule
to the server I am not seeing the rules with sudo -l
Client having sudo issues
ipa-client-4.5.0-22.el7_4.x86_64
sssd-client-1.15.2-50.el7_4.2.x86_64
IPA Server
ipa-server-4.5.0-21.el7_4.2.2.x86_64
sssd-client-1.15.2-50.el7_4.6.x86_64
Caveat: the real host name looks like this
hgts-aci-2-27123795-7629-4bfd-949e-5ee8e9f882664 and does enroll into IPA
but not sure if this non standard form works with everything
Sean Hogan
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
3:08 p.m.
Sean Hogan via FreeIPA-users wrote:
Morning,
Having an issue with 6 test servers not allowing sudo even though they
are in the same hostgroup as other boxes that do allow sudo.
sss_sudo.log
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sort_sudo_rules] (0x0400):
Sorting rules with higher-wins logic
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400):
Returning 1 rules for [myid@mydomain.local(a)mydomain.local]
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_build_response]
(0x2000): error: [0]
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_build_response]
(0x2000): rules_num: [0]
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_build_response]
(0x2000): rule [1]/[1]
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): cn:whc_inf
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): objectClass:sudoRule
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoCommand:/sbin/*
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoCommand:/bin/*
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoCommand:/usr/sbin/*
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoCommand:/usr/bin/*
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+whc_all THIS IS THE HBAC/SUDO RULE name allowing
sudo and the rest of the commands listed here
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+whc_and
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+whc_cept
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+whc_inf
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+whc_id
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+whc_jump
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoOption:!authenticate
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoRunAsUser:root
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoUser:#325400379
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [client_close_fn] (0x2000):
Terminated client [0x7f08580a8f00][18]
(Tue Feb 20 15:32:17 2018) [sssd[sudo]] [get_client_cred] (0x4000):
Client creds: euid[0] egid[1006] pid[1786].
(Tue Feb 20 15:32:17 2018) [sssd[sudo]] [get_client_cred] (0x0080): The
following failure is expected to happen in case SELinux is disabled:
SELINUX_getpeercon failed [92][Protocol not available].
Please, consider enabling SELinux in your system.
(Tue Feb 20 15:32:17 2018) [sssd[sudo]] [setup_client_idle_timer]
(0x4000): Idle timer re-set for client [0x7f08580b42d0][18]
keeps prompting even though the pw is right
[myid@server1 ~]$ sudo -i
[sudo] password for myid:
Sorry, try again.
[sudo] password for myid:
Sorry, try again.
[sudo] password for myid:
Run Sudo -L and my password is taken and shows none of the rules
sss_sudo.log returned
[myid@server1~]$ sudo -l
[sudo] password for myid:
Matching Defaults entries for myid on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC
KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG
LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER
LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, logfile=/var/log/sudo.log
User myid may run the following commands on this host:
(root) !/usr/local/bin/sudo, !/usr/bin/sudo, !/bin/sudo
As you can see even thought the sss sudo log returns the correct sudo
rule to the server I am not seeing the rules with sudo -l
Client having sudo issues
ipa-client-4.5.0-22.el7_4.x86_64
sssd-client-1.15.2-50.el7_4.2.x86_64
IPA Server
ipa-server-4.5.0-21.el7_4.2.2.x86_64
sssd-client-1.15.2-50.el7_4.6.x86_64
Caveat: the real host name looks like this
hgts-aci-2-27123795-7629-4bfd-949e-5ee8e9f882664 and does enroll into
IPA but not sure if this non standard form works with everything
When sudo doesn't work for hostgroups it almost always means that
netgroups are not being resolved properly which almost always points to
the nisdomain not being set.
rob
8:45 a.m.
New subject: freeipa on ubuntu SERVER
Could I get any error by installing freeipa-server on ubuntu server due to the lack of a
graphical desktop environment ?
I' ve been trying to install it, but I get several different errors.
So, I can just install it on a non-graphical system and then just use the CLI
freeipa-tools for administration tasks ?
Any idea, suggestion?
Thanks in advance.
Phil.
La @universidad_uci es Fidel: 15 años conectados al futuro... conectados a la Revolución
2002-2017
7:56 a.m.
New subject: freeipa on ubuntu SERVER
On 02/26/2018 10:45 AM, Felipe_G0NZÁLEZ_SANTIAG0 via FreeIPA-users wrote:
Could I get any error by installing freeipa-server on ubuntu server
due
to the lack of a graphical desktop environment ?
I' ve been trying to install it, but I get several *different* errors.
So, I can just install it on a non-graphical system and then just use
the CLI freeipa-tools for administration tasks ?
yes, you should be able to do that.
Could you share the installation logs (/var/log/ipaserver-install.log)?
Which version of IPA are you installing?
>
> Any idea, suggestion?
>
> Thanks in advance.
> Phil.
>
>
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>
10:08 a.m.
New subject: freeipa on ubuntu SERVER
I'm on ubuntu server 16.04
Freeipa version 4.3.1.
Installation process almost ends perfect, but I get an error:
trying https://ubuntu.ipa.cu
Forwarding ´ ping´ to json server " https://ubuntu.ipa.cu/ipa/json "
Cannot connect to the server due to generic error: Authentication method not supported:
sasl mechanism not supported.
Any idea?
----- Original Message -----
| On 02/26/2018 10:45 AM, Felipe_G0NZÁLEZ_SANTIAG0 via FreeIPA-users wrote:
| > Could I get any error by installing freeipa-server on ubuntu server due
| > to the lack of a graphical desktop environment ?
| >
| > I' ve been trying to install it, but I get several *different* errors.
| >
| > So, I can just install it on a non-graphical system and then just use
| > the CLI freeipa-tools for administration tasks ?
| yes, you should be able to do that.
| Could you share the installation logs (/var/log/ipaserver-install.log)?
| Which version of IPA are you installing?
| >
| > Any idea, suggestion?
| >
| > Thanks in advance.
| > Phil.
| >
| >
| >
| >
| > _______________________________________________
| > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
| > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
| >
La @universidad_uci es Fidel: 15 años conectados al futuro... conectados a la Revolución
2002-2017
11:11 a.m.
New subject: freeipa on ubuntu SERVER
On 02/26/2018 12:08 PM, Felipe_G0NZÁLEZ_SANTIAG0 wrote:
I'm on ubuntu server 16.04
Freeipa version 4.3.1.
Installation process almost ends perfect, but I get an error:
trying https://ubuntu.ipa.cu
Forwarding ´ ping´ to json server "https://ubuntu.ipa.cu/ipa/json
<https://ubuntu.ipa.cu>"
Cannot connect to the server due to generic error: Authentication method
not supported: sasl mechanism not supported.
Any idea?
Probably a package is missing, check this thread on users list [1], it
may help you.
If not, please provide the logs [2]. It's easier to help with the entire
stack trace.
[1] https://www.redhat.com/archives/freeipa-users/2016-August/msg00231.html
[2]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
> **
> ------------------------------------------------------------------------
>
>
>
> On 02/26/2018 10:45 AM, Felipe_G0NZÁLEZ_SANTIAG0 via FreeIPA-users
> wrote:
> > Could I get any error by installing freeipa-server on ubuntu
> server due
> > to the lack of a graphical desktop environment ?
> >
> > I' ve been trying to install it, but I get several *different*
> errors.
> >
> > So, I can just install it on a non-graphical system and then just
> use
> > the CLI freeipa-tools for administration tasks ?
>
> yes, you should be able to do that.
> Could you share the installation logs (/var/log/ipaserver-install.log)?
> Which version of IPA are you installing?
>
> >
> > Any idea, suggestion?
> >
> > Thanks in advance.
> > Phil.
> >
> >
> >
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to
> freeipa-users-leave(a)lists.fedorahosted.org
> >
>
>
>
>
7:57 a.m.
New subject: freeipa on ubuntu SERVER
Felipe_G0NZÁLEZ_SANTIAG0 via FreeIPA-users wrote:
Could I get any error by installing freeipa-server on ubuntu server
due
to the lack of a graphical desktop environment ?
I' ve been trying to install it, but I get several *different* errors.
So, I can just install it on a non-graphical system and then just use
the CLI freeipa-tools for administration tasks ?
Any idea, suggestion?
I install in headless Fedora servers all the time with no error.
You will need to provide the error(s) you are seeing to know for sure.
Also note just because the server machine isn't running a DM doesn't
mean a remote browser can't connect to the web server running on it.
rob
2243
days inactive
2250
days old
freeipa-users@lists.fedorahosted.org
7 comments
4 participants
participants (4)
-
Felipe Barreto -
Felipe_G0NZÁLEZ_SANTIAG0 -
Rob Crittenden -
Sean Hogan