使用 FreeIPA 進行集中式 sudo - 使用 SSSD 進行 sudoers
我已經為集中式 sudo 設置了 FreeIPA,除了能夠將 SSSD 用於 sudoers 之外,一切都執行良好。
如果我的客戶端 /etc/nsswitch.conf 中有以下內容:
sudoers: files ldap
當 FreeIPA 伺服器可用時,sudo 命令會根據需要工作。但是,我想使用 SSSD,以便在 FreeIPA 伺服器不可用的情況下,sudo 仍然可以工作。
當我在客戶端 /etc/nsswitch.conf 中有以下內容時:
sudoers: files sss
我的 /etc/sssd/sssd.conf 如下:
[domain/example.com] cache_credentials = True ipa_domain = example.com id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = host3.example.com chpass_provider = ipa ipa_server = _srv_, ipa.example.com ldap_tls_cacert = /etc/ipa/ca.crt [sssd] services = nss, pam, ssh, sudo config_file_version = 2 domains = example.com ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com . . . [snip]
並嘗試執行 sudo 我會得到:
不允許 user1 在 host3 上執行 sudo。將報告此事件。
這是一個不同的錯誤:
user1 不在 sudoers 文件中。將報告此事件。
這讓我相信 SSSD 實際上已經從 FreeIPA 中檢索了一些東西,但它得到的東西在某種程度上是錯誤的。我在 FreeIPA 伺服器上的唯一 sudorule 是:
[root@ipa ~]# ipa sudorule-find ------------------- 1 Sudo Rule matched ------------------- Rule name: All Enabled: TRUE Host category: all Command category: all RunAs User category: all User Groups: admins ---------------------------- Number of entries returned 1 ----------------------------
並且我發出 sudo 的使用者在 admins 組中(當在 nsswitch.conf 中指定 ldap 時,它再次起作用)。
我錯過了什麼?
更新 1:
相信我的 sssd.conf 不正確,已更新為包括:
sudo_provider = ldap ldap_uri = ldap://ipa.example.com ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com ldap_sasl_mech = GSSAPI ldap_sasl_authid = host/host3.example.com ldap_sasl_realm = EXAMPLE.COM krb5_server = ipa.example.com [sssd] services = nss, pam, ssh, sudo config_file_version = 2 domains = example.com . . . [snip]
雖然得到相同的消息,即:
不允許 user1 在 host3 上執行 sudo。將報告此事件。
更新 2:
我打開了 SSSD 的調試,即編輯 /etc/sssd/sssd.conf 並添加:
debug_level = 5
然後我檢查了 /var/log/sssd/sssd_example.com.log。在這裡,我注意到 SSSD 不喜歡 CAPITALS 的值
ldap_sudo_search_base
,即當我有ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com
我注意到在日誌中根本沒有條目
ldap_sudo_search_base
。當我更改為小寫時,ou=sudoers
我看到了日誌中的條目,例如:(Thu Dec 12 18:58:31 2013) [sssd[be[example.com]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][ou=sudoers,dc=example,dc=com][SUBTREE][]
我仍然得到相同的
user1 is not allowed to run sudo on host3.
結果,所以它仍然沒有解決。更新 3
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected! (Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'user1' matched without domain, user is user1 (Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)] (Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'user1' matched without domain, user is user1 (Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)] (Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [user1] from [<ALL>] (Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [user1@example.com] (Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [user1@example.com] (Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [user1] from [example.com] (Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=user1)(sudoUser=#1219400005)(sudoUser=%apache)(sudoUser=%superadmins)(sudoUser=%user1)(sudoUser=+*))(&(dataExpireTimestamp<=1387476127)))] (Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache (Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))] (Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@example.com] (Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'user1' matched without domain, user is user1 (Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)] (Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'user1' matched without domain, user is user1 (Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)] (Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [user1] from [<ALL>] (Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [user1@example.com] (Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [user1@example.com] (Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [user1] from [example.com] (Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=user1)(sudoUser=#1219400005)(sudoUser=%apache)(sudoUser=%superadmins)(sudoUser=%user1)(sudoUser=+*))(&(dataExpireTimestamp<=1387476127)))] (Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache (Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=user1)(sudoUser=#1219400005)(sudoUser=%apache)(sudoUser=%superadmins)(sudoUser=%user1)(sudoUser=+*)))] (Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [user1@example.com] (Thu Dec 19 18:02:11 2013) [sssd[sudo]] [client_recv] (0x0200): Client disconnected! (Thu Dec 19 18:02:11 2013) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x2095c60][18]
確保您的配置遵循此處描述的簡單設置:https ://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html
好的,因為我在驗證它適用於 RHEL 6.x 和 Fedora 18 後進行了簡單的設置,我希望您指定更多詳細資訊來幫助您。
這是我使用 Fedora 19 的工作範例(使用 RHEL 6.5 修復正向移植的測試 sudo 包):
[root@id ~]# nisdomainname example.com [root@id ~]# sudo -U admin -l Matching Defaults entries for admin on this host: requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin User admin may run the following commands on this host: (root) /usr/bin/bash [root@id ~]# LANG=en_US.utf8 ipa sudorule-show admins --all dn: ipaUniqueID=83814998-68c1-11e3-a7ad-001a4a418612,cn=sudorules,cn=sudo,dc=example,dc=com Rule name: admins Enabled: TRUE User Groups: admins Hosts: id.example.com Sudo Allow Commands: /usr/bin/bash RunAs External User: root ipauniqueid: 83814998-68c1-11e3-a7ad-001a4a418612 objectclass: ipaassociation, ipasudorule [root@id ~]# su - admin [admin@id ~]$ sudo /usr/bin/bash [sudo] password for admin: [root@id admin]# exit [admin@id ~]$
您是否定義了 nisdomainname?