Sorry Guys
I saw the light after hours...
Solution:
for pam.d/sudo
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
And for the ou=SUDOers, APPLY read policies for the relevant users or
groups!! (That is the reason why it could not download anything from
that group. The user/group which runs the bindings on sssd was NOT able
to read that OU!!)
Thanks very much guys
On 2014-06-16 08:47, g.fer.ordas@xxxxxxxxxxxxxx wrote:
Hi
I am finding problems trying to configure the sudoers on ds-389...
This is as far as I have reached, but it is still not working... I still
cannot download any rule at all.
the user "username" belongs to group1
is there anything I might be missing at all?
Sudoers Configuration in ds-389
---
dn: ou=SUDOers,dc=companyname,dc=com
objectClass: top
objectClass: OrganizationalUnit
ou: SUDOers

dn: cn=group1,ou=SUDOers,dc=companyname,dc=com
objectClass: top
objectClass: sudoRole
cn: sudogrp
sudoUser: %group1
sudoHost: ALL
sudoCommand: /usr/bin/sudo
sudoCommand: /usr/bin/su
----
/etc/sssd/sssd.conf
======
[domain/companyname]
krb5_realm = companyname.com
krb5_server = ldapserver.eweprod.companyname.com
enumerate = true
auth_provider = ldap
id_provider = ldap
sudo_provider = ldap
case_sensitive = False
debug_level = 5
chpass_provider = ldap
#pam_password = md5
#chpass_provider = krb5
cache_credentials = False
ldap_user_name = uid
ldap_default_authtok_type = password
ldap_search_base = dc=companyname,dc=com
ldap_user_search_base = ou=companynameAccts,DC=companyname,DC=com
ldap_group_search_base = OU=companynameGroups,dc=companyname,dc=com
ldap_default_bind_dn = uid=linuxuser,ou=companynameaccts,dc=companyname,dc=com
ldap_uri = ldaps://ldapserver.eweprod.companyname.com
ldap_sudo_search_base = ou=SUDOers,dc=companyname,dc=com
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = demand
ldap_schema = rfc2307bis
ldap_id_use_start_tls = False
ldap_default_authtok = password
access_provider = simple
simple_allow_groups = tester1, tester2
use_host_filter = false
#sudo
ldap_sudo_full_refresh_interval=86400
ldap_sudo_smart_refresh_interval=3600
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = companyname
debug_level = 5
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
[sudo]
debug_level = 6
=====
/etc/pam.d/sudo
---
#%PAM-1.0
auth sufficient pam_ldap.so
auth required pam_unix.so try_first_pass
auth required pam_nologin.so
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
------
Output log:
------
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sss_cmd_get_version]
(0x0200): Received client version [1].
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sss_cmd_get_version]
(0x0200): Offered version [1].
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'username' matched without domain, user is username
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'username' matched without domain, user is username
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting default options for [username] from [<ALL>]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [username@companyname]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [username@companyname]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving default options for [username] from [companyname]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=username)(sudoUser=#1000)(sudoUser=%group1)(sudoUser=+*))(&(dataExpireTimestamp<=1402933038)))]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(name=defaults)))]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]]
[sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for
[<default options>@companyname]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'username' matched without domain, user is username
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'username' matched without domain, user is username
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting rules for [username] from [<ALL>]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [username@companyname]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [username@companyname]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving rules for [username] from [companyname]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=username)(sudoUser=#1000)(sudoUser=%group1)(sudoUser=+*))(&(dataExpireTimestamp<=1402933038)))]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=username)(sudoUser=#1000)(sudoUser=%group1)(sudoUser=+*)))]
(Mon Jun 16 11:37:18 2014) [sssd[sudo]]
[sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for
[username@companyname]
-----
Thanks very much for all your help
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
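Added here as a worked example, not code from the thread or from sssd or 389 DS: it reads the sssd.conf settings and the sudo responder's "Returning 0 rules" log lines, rewrites the logged sysdb filter into the query the directory itself has to answer, builds the ldapsearch the admin should run bound as sssd's own bind DN, and produces a 389 DS ACI granting that DN read access to the sudo OU (the fix the reply describes). The sssd.conf fragment and log lines are constructed samples shaped like the ones above; the ACI name and attribute list are assumptions.

```python
import configparser
import re

# Constructed sample input (not the poster's real files): trimmed sssd.conf and responder log lines
SSSD_CONF = """
[domain/companyname]
sudo_provider = ldap
ldap_uri = ldaps://ldapserver.eweprod.companyname.com
ldap_default_bind_dn = uid=linuxuser,ou=companynameaccts,dc=companyname,dc=com
ldap_sudo_search_base = ou=SUDOers,dc=companyname,dc=com
"""
SUDO_LOG = """
[sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=username)(sudoUser=#1000)(sudoUser=%group1)(sudoUser=+*))(&(dataExpireTimestamp<=1402933038)))]
[sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [username@companyname]
"""

def ldap_sudo_settings(conf_text):
    # URI, bind DN and sudo search base of the first domain using the LDAP sudo provider
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    for sect in cp.sections():
        if sect.startswith("domain/") and cp[sect].get("sudo_provider") == "ldap":
            return {k: cp[sect][k] for k in
                    ("ldap_uri", "ldap_default_bind_dn", "ldap_sudo_search_base")}
    raise ValueError("no domain with sudo_provider = ldap")

def zero_rule_users(log_text):
    # users the responder answered from an empty cache, the symptom seen in the thread
    return re.findall(r"Returning 0 rules for \[([^\]]+)\]", log_text)

def ldap_filter_from_sysdb(log_text):
    # sysdb caches rules as objectClass=sudoRule with an expiry clause; the LDAP schema uses sudoRole
    m = re.search(r"Searching sysdb with \[(\(.*\))\]", log_text)
    if not m:
        raise ValueError("no sysdb sudo query in log")
    flt = re.sub(r"\(&\(dataExpireTimestamp<=\d+\)\)", "", m.group(1))
    return flt.replace("objectClass=sudoRule", "objectClass=sudoRole")

def ldapsearch_as_bind_dn(settings, flt):
    # ldapsearch argv bound as sssd's DN: empty result while an admin bind sees the rules means no read ACI
    return ["ldapsearch", "-H", settings["ldap_uri"], "-D", settings["ldap_default_bind_dn"],
            "-W", "-b", settings["ldap_sudo_search_base"], "-s", "sub", flt,
            "cn", "sudoUser", "sudoHost", "sudoCommand", "sudoOption"]

def read_aci_ldif(settings):
    # 389 DS ACI (as ldapmodify LDIF) letting only that DN read the OU; smart refresh filters on entryUSN/modifyTimestamp
    return (f"dn: {settings['ldap_sudo_search_base']}\nchangetype: modify\nadd: aci\n"
            'aci: (targetattr="* || entryUSN || modifyTimestamp")(version 3.0; '
            'acl "sssd reads sudo rules"; allow (read,search,compare) '
            f'userdn="ldap:///{settings["ldap_default_bind_dn"]}";)\n')
```

Run the ldapsearch argv once as the bind DN and once as Directory Manager; a difference in the entries returned is the ACI gap, and the LDIF can then be applied with ldapmodify.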