Sudo and SSSD
by Sean Hogan
Morning,
Having an issue with 6 test servers not allowing sudo even though they
are in the same hostgroup as other boxes that do allow sudo.
sss_sudo.log
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting
rules with higher-wins logic
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400):
Returning 1 rules for [myid@mydomain.local(a)mydomain.local]
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_build_response] (0x2000):
error: [0]
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_build_response] (0x2000):
rules_num: [0]
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_build_response] (0x2000):
rule [1]/[1]
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): cn:whc_inf
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): objectClass:sudoRule
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoCommand:/sbin/*
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoCommand:/bin/*
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoCommand:/usr/sbin/*
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoCommand:/usr/bin/*
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+whc_all
[annotation from the poster: THIS IS THE HBAC/SUDO RULE name allowing sudo and the rest of the commands listed here]
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+whc_and
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+whc_cept
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+whc_inf
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+whc_id
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+whc_jump
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoOption:!authenticate
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoRunAsUser:root
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoUser:#325400379
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [client_close_fn] (0x2000):
Terminated client [0x7f08580a8f00][18]
(Tue Feb 20 15:32:17 2018) [sssd[sudo]] [get_client_cred] (0x4000): Client
creds: euid[0] egid[1006] pid[1786].
(Tue Feb 20 15:32:17 2018) [sssd[sudo]] [get_client_cred] (0x0080): The
following failure is expected to happen in case SELinux is disabled:
SELINUX_getpeercon failed [92][Protocol not available].
Please, consider enabling SELinux in your system.
(Tue Feb 20 15:32:17 2018) [sssd[sudo]] [setup_client_idle_timer] (0x4000):
Idle timer re-set for client [0x7f08580b42d0][18]
It keeps prompting even though the password is right:
[myid@server1 ~]$ sudo -i
[sudo] password for myid:
Sorry, try again.
[sudo] password for myid:
Sorry, try again.
[sudo] password for myid:
Running sudo -l, my password is accepted but it shows none of the rules
sss_sudo.log returned:
[myid@server1 ~]$ sudo -l
[sudo] password for myid:
Matching Defaults entries for myid on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC
KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG
LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER
LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, logfile=/var/log/sudo.log
User myid may run the following commands on this host:
(root) !/usr/local/bin/sudo, !/usr/bin/sudo, !/bin/sudo
As you can see, even though the sss sudo log returns the correct sudo rule
to the server, I am not seeing the rules with sudo -l.
Client having sudo issues
ipa-client-4.5.0-22.el7_4.x86_64
sssd-client-1.15.2-50.el7_4.2.x86_64
IPA Server
ipa-server-4.5.0-21.el7_4.2.2.x86_64
sssd-client-1.15.2-50.el7_4.6.x86_64
Caveat: the real host name looks like this
hgts-aci-2-27123795-7629-4bfd-949e-5ee8e9f882664 and does enroll into IPA
but not sure if this non standard form works with everything
Sean Hogan
6 years, 1 month
AD group name replaced by SID
by Ronald Wimmer
Hi,
for demonstration purposes I added two users to an external group that
already contained an AD group. The AD group had a human readable name.
The users as well.
When I removed these two users the AD group name changed from the human
readable name to the group SID. Why did that happen? Is there a way to
make the human readable name reappear without re-adding the AD group?
Regards,
Ronald
6 years, 1 month
Automount Question
by Ben Archuleta
Hello,
I have a network with a file server that houses the home directories. The server has 6 NFS exports that contain the home directories: home0, home1, home2, home3, home4, home5. These exports have about 289 home directories between all of them.
In the current NIS environment I have an auto_master that has the following:
# Master map for automounter
#
/net -hosts -nosuid,nobrowse
/xfn -xfn
/homes auto.homes
I have an auto_homes that has entries like the following with 192.168.10.30 being the file server:
barchu02 192.168.10.30:/export/home2/barchu02
I have one entry per user on the system.
How would I configure FreeIPA auto mounts to behave the same way?
Regards,
Ben Archuleta
6 years, 1 month
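One way to carry the NIS maps above into FreeIPA's automount location/map/key model, as an added example that is not part of the original post and not FreeIPA's own code. It assumes the FreeIPA CLI commands ipa automountlocation-add, ipa automountmap-add-indirect and ipa automountkey-add; the location name "default", the ALLOWED_SERVERS set and the sample map text are constructed for the demo. The -hosts and -xfn built-in maps have no FreeIPA map to create, so they are skipped; keys are validated before they become LDAP entries, since a 289-line map is exactly where a stray "../" or a foreign server string would otherwise slip through unnoticed.

```python
"""Convert NIS automounter maps into FreeIPA automount commands (added example)."""
import re
import subprocess

# Constructed sample input mirroring the post's auto_master and auto_homes.
AUTO_MASTER = """\
# Master map for automounter
#
/net   -hosts  -nosuid,nobrowse
/xfn   -xfn
/homes auto.homes
"""

AUTO_HOMES = """\
barchu02 192.168.10.30:/export/home2/barchu02
jdoe     -rw,nosuid 192.168.10.30:/export/home0/jdoe
"""

# Only plain user names may become automount keys; anything else is refused.
KEY_RE = re.compile(r"^[a-z_][a-z0-9_-]*$")
# Only exports from the known file server are accepted (assumption for the demo).
ALLOWED_SERVERS = {"192.168.10.30"}


def parse_map(text):
    """Yield (key, remaining_fields) per map line, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("unparseable map line: %r" % raw)
        yield fields[0], fields[1:]


def master_entries(text):
    """(mountpoint, mapname) pairs from auto.master; -hosts/-xfn built-ins are skipped."""
    out = []
    for mountpoint, fields in parse_map(text):
        if fields[0].startswith("-"):          # automounter built-in, no FreeIPA map exists
            continue
        out.append((mountpoint, fields[0]))
    return out


def map_entries(text):
    """(key, info) pairs from an indirect map, with key and server validation."""
    out = []
    for key, fields in parse_map(text):
        if not KEY_RE.match(key):
            raise ValueError("refusing suspicious automount key %r" % key)
        server = fields[-1].split(":", 1)[0]
        if server not in ALLOWED_SERVERS:
            raise ValueError("unexpected file server %r for key %r" % (server, key))
        out.append((key, " ".join(fields)))    # options (if any) + server:/export/path
    return out


def ipa_commands(location, master_text, maps):
    """Build the argv lists that recreate the maps in FreeIPA; maps is {mapname: map text}."""
    cmds = [["ipa", "automountlocation-add", location]]
    for mountpoint, mapname in master_entries(master_text):
        cmds.append(["ipa", "automountmap-add-indirect", location, mapname,
                     "--mount=" + mountpoint])
        for key, info in map_entries(maps[mapname]):
            cmds.append(["ipa", "automountkey-add", location, mapname,
                         "--key=" + key, "--info=" + info])
    return cmds


def run(cmds, dry_run=True):
    """Print each command; execute only when dry_run is False (needs an admin ticket)."""
    for argv in cmds:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    run(ipa_commands("default", AUTO_MASTER, {"auto.homes": AUTO_HOMES}))
```

Run it against the real map files first with the default dry run and diff the printed commands against the NIS map; once the entries are in place, clients pick the location up with ipa-client-automount --location=default.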
DNS records erroring when entering main zone
by Andrew Meyer
A while back when I created my FreeIPA servers I added locations to them. I then added 1 more server and removed it for testing purposes. However now when I go into my main zone I am seeing the following errors:
Some operations failed.
- _kerberos-master._tcp.AWS-us-east-1._locations: DNS resource record not found
- _kerberos-master._tcp.BEL1._locations: DNS resource record not found
- _kerberos-master._tcp.STL2._locations: DNS resource record not found
- _kerberos-master._udp.AWS-us-east-1._locations: DNS resource record not found
- _kerberos-master._udp.STL2._locations: DNS resource record not found
- _kerberos._tcp.AWS-us-east-1._locations: DNS resource record not found
- _kerberos._tcp.BEL1._locations: DNS resource record not found
- _kerberos._tcp.STL2._locations: DNS resource record not found
I did some digging on this error and came across an old article from the mailing list. Re: [Freeipa-users] "DNS resource record not found" error when searching
Which led me to the RHEL documentation on how to remove it. However, I'm confused about which command I need to run in order to resolve the issue.
6 years, 1 month
Authenticating with and external app via LDAP
by Maciej Drobniuch
Hey All,
I want to authenticate with an external app to ldap ipa.
So I've created a user for the bind:
dn: uid=sysaccount,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: somepass123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
The external app runs the LDAP check successfully and can see the users
that belong to the group that's allowed to login.
Problem:
I can not login with the default "admin" account but I can not login with
any other account that's in the dn into the app.
Response is: "Invalid credentials"
base: 'cn=users,cn=accounts,dc=example,dc=com'
user_filter:
'(memberOf=cn=gitlab-users,cn=groups,cn=accounts,dc=example,dc=com)'
Any ideas?
Thank You!
--
Best regards
Maciej Drobniuch
Network Security Engineer
Collective-Sense,LLC
6 years, 1 month
PKI Tomcat Server conflict with PWM
by barrykfl@gmail.com
Hi all:
I used to run FreeIPA on CentOS 6 and install PWM together with the CA service;
there was no problem.
But now we have changed to CentOS 7, and the PKI Tomcat Server by default launches
on ports 8443 and 8080. Now I have installed PWM (password manager), but
the pki-tomcat 8080 port conflicts with PWM's 8080 port. I can change the port number,
but 8443 still seems to fail to display if I change it to 8444 etc.
Any idea? Can I stop pki-tomcat's 8080 / 8443?
barry
6 years, 1 month
DNS forwarder policies
by Andrew Meyer
Is there a way to specify a policy for 1 zone to be on 1 server or on a set of servers in 1 location?
6 years, 1 month
IPA 4.5 on Centos7 - SSLV3_ALERT_HANDSHAKE_FAILURE
by Bob Clough
I'm having some issues talking to our new FreeIPA servers via TLS from Python 3.5 on Debian Stretch. Previously we had a FreeIPA 4.2 server on Fedora 23 which was not showing this error, but I suspect that's because it had SSLv3 turned on. I'm also having a similar error with etherpad's ldap support which is nodejs, so it isn't limited to just python.
Trying to open the ldap on port 636, or starttls on port 389 gives the following error:
ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:720)
I've written the following minimal test case that shows the error:
#!/usr/bin/env python3
import socket, ssl
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# PROTOCOL_TLS negotiates the highest version both sides support; 'ALL' offers every non-null cipher
wrappedSocket = ssl.wrap_socket(sock, ssl_version=ssl.PROTOCOL_TLS, ciphers='ALL')
wrappedSocket.connect(("ipa1.hz.codethink.co.uk", 636))   # handshake happens here
wrappedSocket.close()
Connecting with openssl s_client -connect ipa1.hz.codethink.co.uk:636 connects successfully.
Any ideas how I can work around this? I *think* the error is a cipher set incompatibility between the two systems, but i've turned on all available non-null ciphers at both ends and am out of ideas beyond that.
6 years, 1 month
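A diagnostic that covers both paths the post tries, LDAPS on 636 and StartTLS on 389, as an added example that is not part of the original post and not FreeIPA's own code. It uses ssl.create_default_context() with the library's vetted cipher list and certificate verification instead of PROTOCOL_TLS with ciphers='ALL', and reports what was actually negotiated, which is the fact one needs before comparing against the server's cipher policy. For the 389 path it sends the LDAP StartTLS extended request (OID 1.3.6.1.4.1.1466.20037, RFC 4511) in raw BER and checks the result code before upgrading the socket. The host name is a placeholder and the two sample LDAP responses are constructed for the demo.

```python
"""Check what an LDAP server negotiates over LDAPS (636) and StartTLS (389). Added example."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation, RFC 4511


def _ber(tag, body):
    """Encode one BER TLV (short or long-form length, bodies up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def build_starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = _ber(0x77, _ber(0x80, STARTTLS_OID))      # 0x77 = constructed APPLICATION 23
    return _ber(0x30, _ber(0x02, bytes([message_id])) + ext_req)   # message_id < 128


def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value bytes, offset after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_extended_result(msg):
    """Return (messageID, resultCode, errorMessage) from an LDAP ExtendedResponse."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, resp, _ = _read_tlv(body, pos)
    if tag != 0x78:                                       # 0x78 = APPLICATION 24, ExtendedResponse
        raise ValueError("unexpected protocolOp tag 0x%02x" % tag)
    _, code, pos = _read_tlv(resp, 0)                     # resultCode ENUMERATED
    _, _matched_dn, pos = _read_tlv(resp, pos)            # matchedDN
    _, err, _ = _read_tlv(resp, pos)                      # errorMessage (diagnostic text)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), err.decode("utf-8", "replace")


# Constructed responses: success (resultCode 0) and an operationsError refusal (resultCode 1).
SAMPLE_STARTTLS_OK = bytes.fromhex("300c02010178070a010004000400")
SAMPLE_STARTTLS_REFUSED = _ber(0x30, _ber(0x02, b"\x02") + _ber(
    0x78, _ber(0x0A, b"\x01") + _ber(0x04, b"") + _ber(0x04, b"TLS not available")))


def make_client_context(min_version=ssl.TLSVersion.TLSv1_2):
    """Client context with the library's vetted cipher list (not 'ALL') and verification on."""
    ctx = ssl.create_default_context()                   # verifies chain and host name
    ctx.minimum_version = min_version
    return ctx


def _negotiated(tls):
    return {"version": tls.version(), "cipher": tls.cipher()[0],
            "peer": tls.getpeercert().get("subject")}


def probe_ldaps(host, port=636, ctx=None):
    """Plain TLS on the LDAPS port; raises ssl.SSLError on a failed handshake."""
    ctx = ctx or make_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return _negotiated(tls)


def probe_starttls(host, port=389, ctx=None):
    """LDAP StartTLS on 389: send the extended request, check the result, then upgrade."""
    ctx = ctx or make_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        raw.sendall(build_starttls_request())
        _, code, err = parse_extended_result(raw.recv(4096))
        if code != 0:
            raise RuntimeError("StartTLS refused: resultCode=%d %s" % (code, err))
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return _negotiated(tls)


if __name__ == "__main__":
    for probe in (probe_ldaps, probe_starttls):
        try:
            print(probe.__name__, probe("ipa.example.test"))     # placeholder host
        except ssl.SSLError as exc:
            # A handshake_failure alert sent right after ClientHello means the server found
            # nothing acceptable in the offer (protocol version, cipher suite or curve) or
            # requires a client certificate; compare the printed negotiation from a host that
            # works (or openssl s_client) with the server's cipher policy before widening
            # the client's cipher list.
            print(probe.__name__, "handshake failed:", exc)
```

Seeing "TLSv1.2" and a named cipher from one probe and an alert from the other narrows the fault to the path that differs; if both fail with a modern context, the mismatch is on the server side, not in the client cipher string.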
SEC_ERROR_REUSED_ISSUER_AND_SERIAL
by Bret Wortman
Sequence of events in trying to stand up a new IPA server to replace
(wholesale) our old ones.
1. Built new box, which joined the existing IPA infrastructure as a client.
2. # ipa-client-install -U --uninstall
3. # ipa-server-install --setup-dns --auto-reverse --no-forwarders
4. Inserted data using custom scripts which had pulled out and parsed
data from existing servers to set up users, hosts, dns entries, etc.
5. Tried to connect to server via firefox and was denied due to
SEC_ERROR_REUSED_ISSUER_AND_SERIAL
6. Googled a lot.
7. Tried removing existing CA cert from firefox. No joy. It refused to
be removed.
8. Tried setting up a new profile in firefox. It got the old cert as well.
9. Tried removing the cert using certutil -D. Now httpd won't start.
10. Backed up the server using the ipa-backup script.
11. Delete /etc/httpd/alias and restored the data from ipa-backup using
ipa-restore.
12. Httpd won't start. *Sigh*.
13. Ran ipa-server-install -U --uninstall
14. # ipa-server-install as above
15. # ipa-restore -data /path/to/backup
And now I'm back where I was. IPA is running and contains our user,
host, and DNS data (plus others) from the original hosts but I can't
connect to it using firefox. Any other possible solutions to this problem?
We're using the same realm & network name, and we have to do that.
--
*Bret Wortman*
President, Damascus Products LLC
855-644-2783 <tel:855-644-2783> | 303-523-8037 <tel:303-523-8037> |
bret(a)damascusproducts.com <mailto:bret@damascusproducts.com> |
http://damascusproducts.com/ | 10332 Main St Suite 319 Fairfax, VA 22030
6 years, 1 month
errors when adding a new server
by Andrew Meyer
So I rebuilt a server tonight and gave it a new hostname, but I'm getting the following error when trying to add the new one.
Skip ipa.domain.local: cannot verify if this is an IPA server
Provide your IPA server name (ex: ipa.example.com): ipa.domain.local
Skip ipa.domain.local: cannot verify if this is an IPA server
Failed to verify that ipa.domain.local is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
There is nothing in the logs in /var/log. However when I run systemctl I see that the IPA service exited. But I can tell why.
The last thing I did was reboot the IPA server. This is a single IPA server domain setup running on CentOS 7.4 latest version of FreeIPA.
6 years, 1 month