On 01/07/14 12:18, "Jakub Hrozek" <jhrozek(a)redhat.com> wrote:
On Fri, Jun 27, 2014 at 12:24:44PM +0000, Teemu Keinonen wrote:
> Hello,
>
> I’m configuring CentOS 6.5 server to authenticate users and sudo rights
>against local Samba 4.1.8 (compiled from source). Sssd is 1.9.2 from
>package repository. User authentication works OK, I can log in with user
>that exists only in Samba but sudoing with the same user fails. After
>hours of trying I still can’t get it right, sssd_sudo receives 0 rules
>from samba. Doing ldapsearch with criteria from logs do return sudoer
>entries as below. Am I missing something obvious?
> Below are (in order) ldapsearch, sssd.conf and sssd_default.log (part
>which I think relevant).
>
> [root@dc1 sssd]# ldapsearch -h dc1 -Y GSSAPI -b
>OU=SUDOers,DC=teemu,DC=local
>'(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=Host01)
>(sudoHost=Host01.example.com)(sudoHost=192.168.0.21)(sudoHost=192.168.0.0
>/24)(sudoHost=fe80::786b:f4ff:fe87:3314)(sudoHost=fe80::/64)(sudoHost=+*)
>(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))'
> SASL/GSSAPI authentication started
> SASL username: administrator@TEEMU.LOCAL
I wonder if this ^^ could be the issue.
SSSD authenticates as the host itself, you seem to have authenticated as
the administrator. Maybe there are some ACIs on the server preventing
SSSD from accessing the rules?
Can you try:
kdestroy
kinit -k -t /etc/krb5.sssd.keytab dc1$@TEEMU.LOCAL
before the ldapsearch?
Here is the result:
[root@dc1 sssd]# kdestroy
[root@dc1 sssd]# kinit -k -t /etc/krb5.sssd.keytab dc1$TEEMU.LOCAL
kinit: Keytab contains no suitable keys for dc1.LOCAL@TEEMU.LOCAL while
getting initial credentials
So I guess the host doesn’t have access. How would I go about adding
access rights? Can you point me to a good document source for these
matters?
And thank you!
-TeemuK
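The check Jakub asks for, written out as an added example (not code from the thread or from SSSD): list the keytab's principals before trying to obtain a ticket as the host, and pass the principal in single quotes so the shell does not expand the `$` in it. The error in the thread ("no suitable keys for dc1.LOCAL@TEEMU.LOCAL") is what kinit sees after the shell has expanded the unquoted `$TEEMU`. The keytab path and principal are taken from the thread; the `klist -k` listing at the bottom is constructed sample data.

```shell
#!/bin/sh
# Added example: verify /etc/krb5.sssd.keytab holds the host principal SSSD
# will use, then kinit as it the way SSSD does. Paths/names are assumed from
# the thread; single quotes keep "$@" / "$TEEMU" from being expanded.

KEYTAB=${KEYTAB:-/etc/krb5.sssd.keytab}
PRINC='dc1$@TEEMU.LOCAL'    # single quotes: the $ stays literal

# keytab_has_principal LISTING PRINCIPAL
# LISTING is the text of `klist -k KEYTAB`; returns 0 if PRINCIPAL is present.
# Keytab entries are matched exactly: principal names are case-sensitive.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ && $2 == p { found = 1 }   # data rows start with a KVNO
        END { exit !found }'
}

# missing_principals LISTING PRINCIPAL...
# Prints each PRINCIPAL that is absent from LISTING; returns 0 if all present.
missing_principals() {
    listing=$1; shift
    rc=0
    for p in "$@"; do
        keytab_has_principal "$listing" "$p" || { echo "missing: $p"; rc=1; }
    done
    return $rc
}

# kinit_as_host: the manual version of what SSSD does at startup. Only runs
# where the MIT Kerberos tools exist; refuses to kinit if the key is missing.
kinit_as_host() {
    command -v klist >/dev/null 2>&1 || { echo "klist not installed" >&2; return 2; }
    listing=$(klist -k "$KEYTAB") || return 2
    keytab_has_principal "$listing" "$PRINC" || {
        echo "$KEYTAB has no key for $PRINC; keys present:" >&2
        printf '%s\n' "$listing" >&2
        return 1
    }
    kdestroy 2>/dev/null
    kinit -k -t "$KEYTAB" "$PRINC"
}

# Constructed sample of `klist -k` output, used to exercise the checks offline.
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.sssd.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/dc1.teemu.local@TEEMU.LOCAL
   2 dc1$@TEEMU.LOCAL'
```

Run `kinit_as_host` on the client, then repeat the ldapsearch from the thread; if the principal is missing from the listing, the keytab has to be regenerated before ACLs on the sudoers OU are worth investigating.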