主页 / server / 问题 / 560772
Accepted
HTTP500
Asked: 2013-12-12 13:08:33 +0800 CST

使用 FreeIPA 进行集中式 sudo - 使用 SSSD 进行 sudoers

  • 772

我已经为集中式 sudo 设置了 FreeIPA,除了能够将 SSSD 用于 sudoers 之外,一切都运行良好。

如果我的客户端 /etc/nsswitch.conf 中有以下内容:

sudoers: files ldap

当 FreeIPA 服务器可用时,sudo 命令会根据需要工作。但是,我想使用 SSSD,以便在 FreeIPA 服务器不可用的情况下,sudo 仍然可以工作。

当我在客户端 /etc/nsswitch.conf 中有以下内容时:

sudoers: files sss

我的 /etc/sssd/sssd.conf 如下:

[domain/example.com]

cache_credentials = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = host3.example.com
chpass_provider = ipa
ipa_server = _srv_, ipa.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = example.com
ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com
.
.
.
[snip]

并尝试运行 sudo 我会得到:

不允许 user1 在 host3 上运行 sudo。将报告此事件。

这是一个不同的错误:

user1 不在 sudoers 文件中。将报告此事件。

这让我相信 SSSD 实际上已经从 FreeIPA 中检索了一些东西,但它得到的东西在某种程度上是错误的。我在 FreeIPA 服务器上的唯一 sudorule 是:

[root@ipa ~]# ipa sudorule-find
-------------------
1 Sudo Rule matched
-------------------
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  User Groups: admins
----------------------------
Number of entries returned 1
----------------------------

并且我发出 sudo 的用户在 admins 组中(当在 nsswitch.conf 中指定 ldap 时,它再次起作用)。

我错过了什么?

更新 1:

相信我的 sssd.conf 不正确,已更新为包括:

sudo_provider = ldap
ldap_uri = ldap://ipa.example.com
ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/host3.example.com
ldap_sasl_realm = EXAMPLE.COM
krb5_server = ipa.example.com
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = example.com
.
.
.
[snip]

虽然得到相同的消息,即:

不允许 user1 在 host3 上运行 sudo。将报告此事件。

更新 2:

我打开了 SSSD 的调试,即编辑 /etc/sssd/sssd.conf 并添加:

debug_level = 5

然后我检查了 /var/log/sssd/sssd_example.com.log。在这里,我注意到 SSSD 不喜欢 CAPITALS 的值ldap_sudo_search_base,即当我有

ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com

我注意到在日志中根本没有条目ldap_sudo_search_base。当我更改为小写时,ou=sudoers我看到了日志中的条目,例如:

(Thu Dec 12 18:58:31 2013) [sssd[be[example.com]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][ou=sudoers,dc=example,dc=com][SUBTREE][]

我仍然得到相同的user1 is not allowed to run sudo on host3.结果,所以它仍然没有解决。

更新 3

(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'user1' matched without domain, user is user1
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'user1' matched without domain, user is user1
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [user1] from [<ALL>]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [[email protected]]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [[email protected]]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [user1] from [example.com]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=user1)(sudoUser=#1219400005)(sudoUser=%apache)(sudoUser=%superadmins)(sudoUser=%user1)(sudoUser=+*))(&(dataExpireTimestamp<=1387476127)))]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@example.com]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'user1' matched without domain, user is user1
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'user1' matched without domain, user is user1
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [user1] from [<ALL>]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [[email protected]]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [[email protected]]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [user1] from [example.com]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=user1)(sudoUser=#1219400005)(sudoUser=%apache)(sudoUser=%superadmins)(sudoUser=%user1)(sudoUser=+*))(&(dataExpireTimestamp<=1387476127)))]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=user1)(sudoUser=#1219400005)(sudoUser=%apache)(sudoUser=%superadmins)(sudoUser=%user1)(sudoUser=+*)))]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [[email protected]]
(Thu Dec 19 18:02:11 2013) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Thu Dec 19 18:02:11 2013) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x2095c60][18]
sudo

1 个回答

  1. Best Answer

    确保您的配置遵循此处描述的简单设置:https ://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html

    好的,因为我在验证它适用于 RHEL 6.x 和 Fedora 18 后进行了简单的设置,我希望您指定更多详细信息来帮助您。

    这是我使用 Fedora 19 的工作示例(使用 RHEL 6.5 修复正向移植的测试 sudo 包):

    [root@id ~]# nisdomainname 
example.com
[root@id ~]# sudo -U admin -l
Matching Defaults entries for admin on this host:
    requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
    LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
    LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User admin may run the following commands on this host:
    (root) /usr/bin/bash
[root@id ~]# LANG=en_US.utf8 ipa sudorule-show admins --all
  dn: ipaUniqueID=83814998-68c1-11e3-a7ad-001a4a418612,cn=sudorules,cn=sudo,dc=example,dc=com
  Rule name: admins
  Enabled: TRUE
  User Groups: admins
  Hosts: id.example.com
  Sudo Allow Commands: /usr/bin/bash
  RunAs External User: root
  ipauniqueid: 83814998-68c1-11e3-a7ad-001a4a418612
  objectclass: ipaassociation, ipasudorule
[root@id ~]# su - admin
[admin@id ~]$ sudo /usr/bin/bash
[sudo] password for admin: 
[root@id admin]# exit
[admin@id ~]$

    您是否定义了 nisdomainname?

    • 3

相关问题