Ok...that did it.
I installed libsss_sudo-1.9.2-82.el6.x86_64.rpm on two different RHEL V6.4 systems and now sudo is working through sssd and our ldap server.
But I am not finding this library in the RHEL V6.3 distro, so does that mean sudo with sssd can not be used in Red Hat prior to V6.4 ?
I tried installing the sssd-1.9.2* on a v6.3 system and it failed with gobs of missing dependencies.
Al Licause
From: Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) Sent: Wednesday, July 24, 2013 11:06 AM To: 'End-user discussions about the System Security Services Daemon' Subject: RE: Not finding /usr/lib64/libsss_sudo.so on RHEL V6.4
Guess I should look before asking.
I found the following rpm that was not installed on my systems: libsss_sudo-1.9.2-82.el6.x86_64.rpm. I guess I'll try to install that and give it a shot.
Al Licause
From: Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) Sent: Wednesday, July 24, 2013 11:03 AM To: 'End-user discussions about the System Security Services Daemon' Subject: RE: Not finding /usr/lib64/libsss_sudo.so on RHEL V6.4
I guess I should have mentioned that I have the following installed:
sudo-1.8.6p3-7.el6.x86_64
Al Licause
From: Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) Sent: Wednesday, July 24, 2013 10:57 AM To: 'End-user discussions about the System Security Services Daemon' Subject: Not finding /usr/lib64/libsss_sudo.so on RHEL V6.4
I thought I had this working only to realize on the two systems it appeared to be working, I was actually using the local sudoers file.
Now that I have that and a few other nits covered, I think I almost have this working but when the ldap user attempts to sudo, they get the following:
$ sudo date
sudo: Unable to dlopen /usr/lib64/libsss_sudo.so: (null)
sudo: Unable to initialize SSS source. Is SSSD installed on your machine?
We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
[sudo] password for ldap33:
So my question is....where do I find the libsss_sudo.so library ? And which RPM was supposed to contain and install this component ?
Al Licause
On Wed, Jul 24, 2013 at 06:41:38PM +0000, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
> Ok...that did it.
> I installed libsss_sudo-1.9.2-82.el6.x86_64.rpm on two different RHEL V6.4 systems and now sudo is working through sssd and our ldap server.
> But I am not finding this library in the RHEL V6.3 distro, so does that mean sudo with sssd can not be used in Red Hat prior to V6.4 ?
yes, it's a new feature of 6.4
> I tried installing the sssd-1.9.2* on a v6.3 system and it failed with gobs of missing dependencies.
yeah, 6.4 added a ton of new features that depend on newer versions of samba and kerberos among others..
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Thanks Jakob,
I suspect I'll have at least one unhappy customer if they can't upgrade.
Should we not be able to use sudo with sssd, is it possible to use straight ldap.conf and shutdown/bypass sssd in V6.3 of RHEL for example ?
I'm trying to get it to work and having a difficult time.
Al
Al Licause HP L2 UNIX Network Services HP Customer Support Center Hours 7am-3pm Pacific time USA Manager: tom.cernilli@hp.com
On 07/24/2013 03:41 PM, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
> Thanks Jakob,
> I suspect I'll have at least one unhappy customer if they can't upgrade.
> Should we not be able to use sudo with sssd, is it possible to use straight ldap.conf and shutdown/bypass sssd in V6.3 of RHEL for example ?
Yes. In versions before 6.3 it is actually ldap.conf but AFAIR in 6.3 sudo changed the name and location of the file so please check sudo docs for that matter to be sure which file to update.
> I'm trying to get it to work and having a difficult time.
On Wed, Jul 24, 2013 at 07:11:28PM -0400, Dmitri Pal wrote:
> On 07/24/2013 03:41 PM, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
>> Thanks Jakob,
>> I suspect I'll have at least one unhappy customer if they can't upgrade.
>> Should we not be able to use sudo with sssd, is it possible to use straight ldap.conf and shutdown/bypass sssd in V6.3 of RHEL for example ?
> Yes. In versions before 6.3 it is actually ldap.conf but AFAIR in 6.3 sudo changed the name and location of the file so please check sudo docs for that matter to be sure which file to update.
The file is located at /etc/sudo-ldap.conf
Thanks very much. I now have this working....I think....under v6.3 of RH.
I could not get authentication to work with ldap alone so I re-enabled sssd and used the /etc/sudo-ldap.conf as recommended, just changing the value of the URI and sudoers_base.
Al Licause
Thanks very much. I'm not sure what AFAIR is but I got this working in RHEL V6.3 by reenabling sssd for authentication and then using /etc/sudo-ldap.conf for the sudo component.
Al Licause
On Thu, Jul 25, 2013 at 03:22:20PM +0000, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
> Thanks very much. I'm not sure what AFAIR is but I got this working in RHEL V6.3 by reenabling sssd for authentication and then using /etc/sudo-ldap.conf for the sudo component.
> Al Licause
That's fine, using sssd for authentication and identity information while using sudo's built-in LDAP support is perfectly supportable configuration.
Excellent ! Thanks again
Al Licause
Jakub Hrozek wrote:
> On Thu, Jul 25, 2013 at 03:22:20PM +0000, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
>> Thanks very much. I'm not sure what AFAIR is but I got this working in RHEL V6.3 by reenabling sssd for authentication and then using /etc/sudo-ldap.conf for the sudo component.
> That's fine, using sssd for authentication and identity information while using sudo's built-in LDAP support is perfectly supportable configuration.
Hmm, direct sudo-ldap does no caching of sudoRole entries. So if your LDAP server is not available/reachable you're lost fixing the issues...
Ciao, Michael.
Is that to say that when using this under RHEL v6.3 in which we use sssd to authenticate the user and then /etc/sudo-ldap.conf to affect the sudo commands, there is no caching ?
And are you also stating that this should work w/o sssd and just the combination of /etc/ldap.conf and /etc/sudo-ldap.conf ?
If so, I'm confused because everything I've read states that ldap.conf is no longer used in RH V6 or at least 6.3 and beyond. I can not get authentication to work with ldap.conf alone having shutdown sssd.
But I can understand that if a utility outside of sssd is necessary to get sudo working for ldap users, that caching is disabled for that function. Am I correct in my assumptions ?
Al Licause
On Thu, Jul 25, 2013 at 06:01:09PM +0000, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
> Is that to say that when using this under RHEL v6.3 in which we use sssd to authenticate the user and then /etc/sudo-ldap.conf to affect the sudo commands, there is no caching ?
There is no caching of *sudo rules*. Caching of the user and his credentials is still available.
> And are you also stating that this should work w/o sssd and just the combination of /etc/ldap.conf and /etc/sudo-ldap.conf ?
Define "this". You still need something to read the user identities with, be it sssd, nss-pam-ldapd or something completely different. sudo can't do it by itself.
> If so, I'm confused because everything I've read states that ldap.conf is no longer used in RH V6 or at least 6.3 and beyond. I can not get authentication to work with ldap.conf alone having shutdown sssd.
On 6.3, the alternative to SSSD for user and group lookups is nss-pam-ldapd. Just configuring ldap.conf is not enough.
> But I can understand that if a utility outside of sssd is necessary to get sudo working for ldap users, that caching is disabled for that function. Am I correct in my assumptions ?
Correct.
Thank you.
I believe I understand now. When I said "this" was referring to ldap user authentication and sudo. I am clear now as to what will work and what won't.
Now on to test sudo profiles.
Al Licause
On 07/25/2013 01:15 PM, Michael Ströder wrote:
> Jakub Hrozek wrote:
>> On Thu, Jul 25, 2013 at 03:22:20PM +0000, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
>>> Thanks very much. I'm not sure what AFAIR is but I got this working in RHEL V6.3 by reenabling sssd for authentication and then using /etc/sudo-ldap.conf for the sudo component.
>> That's fine, using sssd for authentication and identity information while using sudo's built-in LDAP support is perfectly supportable configuration.
> Hmm, direct sudo-ldap does no caching of sudoRole entries. So if your LDAP server is not available/reachable you're lost fixing the issues...
> Ciao, Michael.
I think what Michael meant is: Since you are using 6.3 you are using the configuration that does not leverage SSSD integration for sudo and connects directly to LDAP source for sudo rules. In this case there is no caching of the sudo rules and if you lose connectivity sudo will failover to local sudoers file. In case of 6.4 the SSSD integration is possible and SSSD would fetch sudo rules and store them so that sudo acts consistently whether there is connectivity to the central server or not.
So the point that Michael might have had (guessing here) is that it might be better to upgrade to 6.4 to leverage SSSD integration and caching than to use 6.3 without caching.
HTH
Thanks much. That was my interpretation too. Unfortunately depending on schedules and in some cases internal platform testing and assurance, it’s not always possible to upgrade in a timely manner for many customers.
I’m hoping for now that this customer will be satisfied with the performance from the v6.3 RH implementation. As the man pages state, the interaction between client and ldap server is minimal compared to a full user authentication……so hopefully a non-cached sudo user hit won’t be too harmful in their opinions.
Of course as was indicated, if the ldap server is unreachable, it will prevent the sudo command from working.
Al Licause HP L2 UNIX Network Services HP Customer Support Center Hours 7am-3pm Pacific time USA Manager: tom.cernilli@hp.com
Dmitri Pal wrote:
> On 07/25/2013 01:15 PM, Michael Ströder wrote:
>> Jakub Hrozek wrote:
>>> On Thu, Jul 25, 2013 at 03:22:20PM +0000, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
>>>> Thanks very much. I'm not sure what AFAIR is but I got this working in RHEL V6.3 by reenabling sssd for authentication and then using /etc/sudo-ldap.conf for the sudo component.
>>> That's fine, using sssd for authentication and identity information while using sudo's built-in LDAP support is perfectly supportable configuration.
>> Hmm, direct sudo-ldap does no caching of sudoRole entries. So if your LDAP server is not available/reachable you're lost fixing the issues...
> I think what Michael meant is: Since you are using 6.3 you are using the configuration that does not leverage SSSD integration for sudo and connects directly to LDAP source for sudo rules. In this case there is no caching of the sudo rules and if you lose connectivity sudo will failover to local sudoers file. In case of 6.4 the SSSD integration is possible and SSSD would fetch sudo rules and store them so that sudo acts consistently whether there is connectivity to the central server or not.
Exactly.
> So the point that Michael might have had (guessing here) is that it might be better to upgrade to 6.4 to leverage SSSD integration and caching than to use 6.3 without caching.
I did not want to make a statement about whether upgrading the distribution is better or not since there are more things to consider.
I just wanted to point out the main difference between having 'sudoers ldap' or 'sudoers sss' in /etc/nsswitch.conf no matter which sudo config file is used to specify the sudo-ldap options. While it feels the same in case everything's working it can make a difference during an emergency case.
Ciao, Michael.
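The difference between 'sudoers: ldap' and 'sudoers: sss' in /etc/nsswitch.conf, together with the missing-library failure that started this thread, can be checked with a short script. This is an added example, not code from any poster or from the sudo or SSSD projects; the function names are made up here, the default paths are the RHEL 6 x86_64 ones quoted in the thread, and the sample files (ldap.example.com, the SUDOers DN) are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): report which sudoers sources sudo
# will consult and whether each one can work on this host.
# Default paths are the RHEL 6 x86_64 ones quoted in the thread.

# sudoers_sources [NSSWITCH]
# Print the sources on the "sudoers:" line, one per line, in lookup order.
# sudo assumes "files" when the file or the line is missing.
sudoers_sources() {
    nss_file="${1:-/etc/nsswitch.conf}"
    # Strip comments, take the first sudoers: line, drop [STATUS=action] items.
    src_line=$(sed -n 's/#.*//; s/^[[:space:]]*sudoers:[[:space:]]*//p' \
                   "$nss_file" 2>/dev/null | head -n 1 | sed 's/\[[^]]*\]//g')
    src_list=$(printf '%s\n' "$src_line" | tr -s '[:space:]' '\n' | sed '/^$/d')
    [ -n "$src_list" ] || src_list=files
    printf '%s\n' "$src_list"
}

# check_sudo_sources [NSSWITCH] [LIBDIR] [SUDO_LDAP_CONF]
# Print one line per source; return 1 if a listed source cannot work.
check_sudo_sources() {
    chk_nss="${1:-/etc/nsswitch.conf}"
    chk_libdir="${2:-/usr/lib64}"
    chk_ldapconf="${3:-/etc/sudo-ldap.conf}"
    chk_rc=0
    for chk_src in $(sudoers_sources "$chk_nss"); do
        case "$chk_src" in
        files)
            echo "files: local sudoers file, no network needed" ;;
        sss)
            # The dlopen error in the thread: 'sss' is listed but the
            # plugin library from the libsss_sudo package is absent.
            if [ -e "$chk_libdir/libsss_sudo.so" ]; then
                echo "sss: rules fetched and cached by SSSD"
            else
                echo "sss: BROKEN, $chk_libdir/libsss_sudo.so is missing (package libsss_sudo)"
                chk_rc=1
            fi ;;
        ldap)
            # sudo's built-in LDAP support needs a server and a search base.
            if grep -Eiq '^[[:space:]]*(uri|host)[[:space:]]' "$chk_ldapconf" 2>/dev/null &&
               grep -Eiq '^[[:space:]]*sudoers_base[[:space:]]' "$chk_ldapconf" 2>/dev/null
            then
                echo "ldap: sudo queries LDAP directly, sudo rules are not cached"
            else
                echo "ldap: BROKEN, $chk_ldapconf needs uri (or host) and sudoers_base"
                chk_rc=1
            fi ;;
        *)
            echo "$chk_src: not a sudoers source this script knows"
            chk_rc=1 ;;
        esac
    done
    return "$chk_rc"
}

# Run both configurations discussed in the thread against constructed files.
demo() {
    demo_dir=$(mktemp -d) || return 1
    mkdir "$demo_dir/lib64"
    # Constructed sample files, not taken from any real host.
    printf 'passwd: files sss\nsudoers: files sss\n' > "$demo_dir/nsswitch.conf"
    echo "== 6.4 style, libsss_sudo not installed =="
    check_sudo_sources "$demo_dir/nsswitch.conf" "$demo_dir/lib64" ||
        echo "-> LDAP sudo rules will not be used until this is fixed"
    printf 'sudoers: files ldap\n' > "$demo_dir/nsswitch.conf"
    printf 'uri ldap://ldap.example.com\nsudoers_base ou=SUDOers,dc=example,dc=com\n' \
        > "$demo_dir/sudo-ldap.conf"
    echo "== 6.3 style, sudo's built-in LDAP support =="
    check_sudo_sources "$demo_dir/nsswitch.conf" "$demo_dir/lib64" "$demo_dir/sudo-ldap.conf"
    rm -rf "$demo_dir"
}
demo
```

Run with no arguments inside a function call such as check_sudo_sources to inspect the live host; a non-zero return means a source named in nsswitch.conf cannot serve rules.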
Quick note: Maybe there is a time to update "man nsswitch.conf", too. Ondrej
Well, true. But quite misleading to the end-administrators. They would expect there is at least something like "BTW, this configuration file is used by automounter and sudo as well - so please check 'man automount' or 'man sudo' for more"
Ondrej
-----Original Message----- From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub Hrozek Sent: Monday, July 29, 2013 10:00 AM To: sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] Not finding /usr/lib64/libsss_sudo.so on RHEL V6.4
On Sat, Jul 27, 2013 at 08:18:59PM +0000, Ondrej Valousek wrote:
Quick note: Maybe it is time to update "man nsswitch.conf", too. Ondrej
Not sure. man nsswitch.conf is part of glibc and so is the code for the maps handled by name-service-switch (group, passwd, netgroups, ...)
Some third party components such as sudo, automounter and I'm sure there are others choose to configure where they fetch data from in nsswitch.conf even though they are not handled by glibc at all. They simply share the same configuration file.
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Thanks again for the explanation.
Al Licause HP L2 UNIX Network Services HP Customer Support Center Hours 7am-3pm Pacific time USA Manager: tom.cernilli@hp.com
-----Original Message----- From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Michael Ströder Sent: Saturday, July 27, 2013 7:52 AM To: sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] Not finding /usr/lib64/libsss_sudo.so on RHEL V6.4