Oops, typo in the subject.

On 02/20/2016 09:47 PM, Joshua Schaeffer wrote:
I set up an SSO environment using Debian 8 systems. I have a Kerberos server
which uses LDAP as its backend. I have users and groups created in OpenLDAP.
The SSO environment seems to be working correctly. I installed SASL, GSSAPI,
and SSSD on a test client. I can see my users and groups using getent from my
test client and I can log into the server (locally and through SSH).

I also have sudo-ldap installed and I'm trying to get SSSD to look up my sudo users in
LDAP, but I can't seem to get this to work. I keep getting a "user is not in the
sudoers file. This incident will be reported." error. My configuration for the test
client is below:

root@korhal: cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss,pam
domains = HARMONYWAVE
[nss]
debug_level = 5
filter_users = root
filter_groups = root
#fallback_homedir = /home/%u
[pam]
[domain/HARMONYWAVE]
debug_level = 5
auth_provider = krb5
chpass_provider = krb5
krb5_server = immortal.harmonywave.com
krb5_realm = HARMONYWAVE.COM
cache_credentials = false
access_provider = simple
id_provider = ldap
ldap_uri = ldap://baneling.harmonywave.com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca.harmonywave.com.pem
ldap_search_base = dc=harmonywave,dc=com
ldap_id_use_start_tls = true
ldap_sasl_mech = GSSAPI
ldap_user_search_base = ou=People,dc=harmonywave,dc=com
ldap_group_search_base = ou=Group,dc=harmonywave,dc=com
ldap_user_object_class = posixAccount
ldap_user_name = uid
ldap_fullname = cn
ldap_user_home_directory = homeDirectory
ldap_group_object_class = posixGroup
ldap_group_name = cn
ldap_sudo_search_base = ou=SUDOers,dc=harmonywave,dc=com
sudo_provider = ldap

Getent shows that it can find me, my group, and that I am part of the wheel
group:

root@korhal:/home/jschaeffer# getent passwd jschaeffer
jschaeffer:*:5000:5000:Joshua Schaeffer:/home/jschaeffer:/bin/bash
root@korhal:/home/jschaeffer# getent group jschaeffer
jschaeffer:*:5000:jschaeffer
root@korhal:/home/jschaeffer# getent group wheel
wheel:*:4002:jschaeffer

I have the wheel group in OpenLDAP:

root@korhal:/home/jschaeffer# ldapsearch -LLL -Y GSSAPI -H ldap://baneling.harmonywave.com -b ou=SUDOers,dc=harmonywave,dc=com
SASL/GSSAPI authentication started
SASL username: jschaef...@harmonywave.com
SASL SSF: 56
SASL data security layer installed.

dn: ou=SUDOers,dc=harmonywave,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

dn: cn=%wheel,ou=SUDOers,dc=harmonywave,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL

dn: cn=defaults,ou=SUDOers,dc=harmonywave,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Add default sudoOptions's here

When I try to run any command with sudo it fails:

jschaeffer@korhal:~$ sudo ls
[sudo] password for jschaeffer:
jschaeffer is not in the sudoers file. This incident will be reported.

Any help would be appreciated. Thanks,

Joshua
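A small lint for the prerequisites that SSSD's sudo responder needs, added here as an editorial example (it is not code from the thread and does not diagnose the post above). It parses an sssd.conf plus the `sudoers:` line of nsswitch.conf and reports what is missing; the sample sssd.conf is trimmed from the one posted, the nsswitch line is an assumed value, and the check list comes from the sssd.conf man page rather than from the thread.

```python
import configparser

# Constructed sample: the relevant keys of the sssd.conf posted in the thread.
SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss,pam
domains = HARMONYWAVE
[nss]
filter_users = root
[pam]
[domain/HARMONYWAVE]
auth_provider = krb5
id_provider = ldap
access_provider = simple
ldap_search_base = dc=harmonywave,dc=com
ldap_sudo_search_base = ou=SUDOers,dc=harmonywave,dc=com
sudo_provider = ldap
"""
# Constructed sample: the 'sudoers:' line of /etc/nsswitch.conf (assumed content).
NSSWITCH_SUDOERS = "sudoers: files"


def lint_sudo_integration(sssd_conf: str, nsswitch_sudoers: str) -> list:
    """Return human-readable findings; an empty list means the prerequisites hold.

    Note: sudo itself must be built with SSSD support for this path to be used at
    all; Debian's sudo-ldap package instead queries LDAP directly through
    /etc/sudo-ldap.conf, which this lint does not inspect.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf)
    findings = []
    services = {s.strip() for s in cp.get("sssd", "services", fallback="").split(",")}
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    sudo_domains = []
    for dom in domains:
        sect = "domain/" + dom
        if not cp.has_section(sect):
            findings.append("%s: listed under [sssd] domains but has no [%s] section" % (dom, sect))
            continue
        # Per sssd.conf(5), sudo_provider defaults to the id_provider value when unset.
        provider = cp.get(sect, "sudo_provider", fallback=cp.get(sect, "id_provider", fallback="none"))
        if provider != "none":
            sudo_domains.append(dom)
    if sudo_domains and "sudo" not in services:
        findings.append("[sssd] services lacks 'sudo', so no sudo responder serves %s" % ", ".join(sudo_domains))
    name, _, sources = nsswitch_sudoers.partition(":")
    if sudo_domains and name.strip() == "sudoers" and "sss" not in sources.split():
        findings.append("nsswitch.conf '%s' does not list 'sss' as a sudoers source" % nsswitch_sudoers.strip())
    return findings
```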