Sudo and sssd not working with user groups

Tags: sssd, sudo

Having a problem getting sudo that is integrated with sssd to work correctly when we use ldap to store the groups that have the different sudo privs. This works just fine if we have sudo set to go to ldap directly.

Here's our scenario.

Have a user defined in ldap: waynea

waynea is member of 2 groups. One group, gcadmin, allows him to run specific commands as root. The other group, gcoracle, allows him to run specific commands as the local (not defined in ldap) user oracle.

waynea@pgc501> id
uid=5091(waynea) gid=5000(mcsuser) groups=5000(mcsuser),5022(gcadmin),5024(gcoracle)

Here's the ldap sudo definition of the 2 groups:

waynea@pgc501> ldapsearch -h pld101.foo.com -x "(cn=%gcadmin)"
# %gcadmin, SUDOers, foo.com
dn: cn=%gcadmin,ou=SUDOers,dc=foo,dc=com
cn: %gcadmin
objectClass: sudoRole
objectClass: top
sudoCommand: /usr/bin/id
sudoCommand: /bin/ps
sudoCommand: /u01/oracle/12.1.0/agent12c/agent_inst/bin/emctl
sudoHost: ALL
sudoUser: %gcadmin
sudoRunAs: ALL

waynea@pgc501> ldapsearch -h pld101.foo.com -x "(cn=%gcadmin)"
# %gcoracle, SUDOers, foo.com
dn: cn=%gcoracle,ou=SUDOers,dc=foo,dc=com
cn: %gcoracle
objectClass: sudoRole
objectClass: top
sudoCommand: /bin/sh
sudoCommand: /u01/oracle/12.1.0/agent12c/sbin/nmosudo *
sudoHost: ALL
sudoRunAs: oracle
sudoUser: %gcoracle

Now, when we have sudo hooked up directly to ldap, i.e. /etc/nsswitch.conf has this:

sudoers:       files ldap

And when I issue "sudo -ll", I get this:

waynea@pgc501 > sudo -ll
Matching Defaults entries for waynea on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL
    PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User waynea may run the following commands on this host:
    RunAsUsers: oracle
    Commands:
        /bin/sh
        /u01/oracle/12.1.0/agent12c/sbin/nmosudo *
    RunAsUsers: root
    Commands:
        /usr/bin/id
        /u01/oracle/12.1.0/agent12c/agent_inst/bin/emctl

And everything is just fine.

When we switch sudo to using sssd,

sudoers:       files sss

we get this:

waynea@pgc501 > sudo -ll
Matching Defaults entries for waynea on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL
    PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User waynea may run the following commands on this host:
    RunAsUsers: root
    Commands:
        /bin/sh
        /u01/oracle/12.1.0/agent12c/sbin/nmosudo *
    RunAsUsers: root
    Commands:
        /usr/bin/id
        /u01/oracle/12.1.0/agent12c/agent_inst/bin/emctl

Which now gives waynea the permission to start a shell (/bin/sh) as root.

Here are the relevant entries from /etc/sssd/sssd.conf.

[domain/default]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
ldap_sudo_search_base = ou=SUDOers,dc=foo,dc=com
ldap_uri = ldap://pld101.foo.com,ldap://pld301.foo.com/
ldap_search_base = dc=foo,dc=com
ldap_user_search_base = ou=People,dc=foo,dc=com
ldap_group_object_class = posixGroup
ldap_group_search_base = ou=Group,dc=foo,dc=com
ldap_group_name = cn
ldap_group_member = memberUid
ldap_id_use_start_tls = False
chpass_provider = ldap
cache_credentials = true

[sudo]
ldap_sudo_full_refresh_interval = 86400
ldap_sudo_smart_refresh_interval = 3600

Any help would be appreciated! We would like to take advantage of sssd, but this is somewhat of a showstopper.

Here are the OS/rpm versions:

Linux 6.5 (OEL)
sssd-1.9.2-129.el6_5.4.x86_64
sudo-1.8.6p3-12.el6.x86_64
libsss_sudo-1.9.2-129.el6_5.4.x86_64
sssd-client-1.9.2-129.el6_5.4.x86_64
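
The security-relevant part of the sss output above is that the gcoracle rule lost its RunAs user and fell back to root, turning /bin/sh into a root shell. The following audit is an added example, not code from the original post: it parses sudoRole entries in LDIF and flags any rule that would let a member run a shell or a wildcard command as root. The sample LDIF is constructed from the two entries shown above, and the honor_deprecated flag is an assumption of the example that models a client reading only sudoRunAsUser (it is not a statement about what sssd 1.9 actually does).

```python
from collections import defaultdict
# Constructed sample LDIF, modelled on the two sudoRole entries in the question.
SAMPLE_LDIF = """\
dn: cn=%gcadmin,ou=SUDOers,dc=foo,dc=com
cn: %gcadmin
sudoCommand: /usr/bin/id
sudoUser: %gcadmin
sudoRunAs: ALL

dn: cn=%gcoracle,ou=SUDOers,dc=foo,dc=com
cn: %gcoracle
sudoCommand: /bin/sh
sudoCommand: /u01/oracle/12.1.0/agent12c/sbin/nmosudo *
sudoRunAs: oracle
sudoUser: %gcoracle
"""
SHELLS = {"/bin/sh", "/bin/bash", "/bin/ksh", "/usr/bin/sh", "/usr/bin/bash"}

def parse_ldif(text):
    """Minimal LDIF parser: one {attr_lowercase: [values]} dict per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if line and not line.startswith("#"):   # skip ldapsearch comments
                attr, _, value = line.partition(":")
                entry[attr.strip().lower()].append(value.strip())
        if entry:
            entries.append(dict(entry))
    return entries

def effective_runas(entry, honor_deprecated=True):
    """sudo uses sudoRunAsUser, then the deprecated sudoRunAs; neither present
    means root. honor_deprecated=False models a client that ignores sudoRunAs."""
    if entry.get("sudorunasuser"):
        return entry["sudorunasuser"]
    if honor_deprecated and entry.get("sudorunas"):
        return entry["sudorunas"]
    return ["root"]

def root_shell_rules(text, honor_deprecated=True):
    """(cn, runas, command) for rules granting a shell or wildcard as root/ALL."""
    hits = []
    for e in parse_ldif(text):
        runas = effective_runas(e, honor_deprecated)
        if {"root", "ALL"} & set(runas):
            for cmd in e.get("sudocommand", []):
                if cmd.split()[0] in SHELLS or cmd == "ALL" or cmd.endswith("*"):
                    hits.append((e["cn"][0], runas[0], cmd))
    return hits
```

Run it against the output of ldapsearch on ou=SUDOers with both flag values: the rule set is clean when sudoRunAs is honoured, and reproduces the root /bin/sh grant from the sss output when it is not.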

Best Answer

User waynea needs to log out and log in again.

sudo -ll then prints like this:

[WanJie@svr-master root]$ sudo -ll
Matching Defaults entries for WanJie on this host:
    !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !visiblepw,
    always_set_home, env_reset, requiretty

User WanJie may run the following commands on this host:

SSSD Role: %admin
    RunAsUsers: ALL
    Options: !authenticate
    Commands:
        /root/aaa.sh

SSSD Role: WanJie
    RunAsUsers: ALL
    Options: !authenticate
    Commands:
        /root/sudo.sh