RHEL 7 Beta NSCD, SUDOers, authconfig issues
When trying to adapt RHEL 7 to our NSS-LDAP scheme, came across a couple of annoyances that were worth noting.
Firstly there seem to be some new bugs in authconfig.
Bug 1:
The option "--ldapserver=" seems to be more strictly evaluating the values. For RHEL4 through RHEL6, I've been able to provide multiple URI's simply by keeping them in a quoted list with spaces.
For example:
--ldapserver='ldap://ldap1.example.com ldap://ldap2.example.com ldap://ldap3.example.com'
This syntax has always worked before but with RHEL 7 Beta I get the following error:
authconfig: Invalid LDAP URI.
...and no URI is added to the LDAP config at all.
Didn't see anything about a syntax change in the man pages but I tried a couple of different field separators with no luck. Had to resort to using sed to add multiple LDAP servers to the configs. I'm all for stricter syntax checking, but there's nothing technically wrong with the syntax I'm using, and in this state authconfig doesn't seem to offer any way to set up multiple servers for high availability. I don't know of many organizations that would be happy with a single point of failure like this, so I'm calling this a bug.
Bug 2:
The option "--enableforcelegacy" disabled all of the "SSSD" stuff in RHEL 6, including removing the "sss" sources from /etc/nsswitch.conf. In this version it doesn't remove the "sss" targets at all.
Secondly, NSCD seems to be having trouble with netgroups.
I stumbled across this while trying to get SUDO to work through LDAP. We use NIS Negroups to create SUDO roles so both the sudoHost and sudoUser values are always netgroups. With NSCD running, SUDO fails to find any
The first odd behavior is the following warning:
Dec 26 13:22:31 swtest-7b64v nscd[20056]: 20056 cannot stat() file `/etc/netgroup': No such file or directory
This warning occurs even if "ldap" is the only target for "netgroups" in /etc/nsswitch.conf.
The second issue occurs when we attempt to evaluate SUDOers roles with NSCD active. For whatever reason the two aren't playing nicely together. With NSCD active, getent is able to properly evaluate netgroups, but SUDO isn't for some reason.
Here are some nitty-gritty details:
:::AUTHCONFIG COMMAND:::
/usr/sbin/authconfig --enableshadow --passalgo=sha512 --enablemd5 --disablenis --enableldap --enableldapauth --ldapserver='ldap://ldap1.ds.example.com' --ldapbasedn='dc=ds,dc=example,dc=com' --enableldaptls --enableforcelegacy --enablecache --enablelocauthorize --enablepamaccess --enablemkhomedir --updateall
NOTE: as mentioned above, the additional servers had to be added manually to their respective configuration files as authconfig refused to accept a multiple server URI.
:::WHAT THE SUDO ROLE LOOKS LIKE IN LDAP:::
[root@swtest-7b64v opt]# ldapsearch -x '(cn=SWTESTOPEN_role)'
# extended LDIF
#
# LDAPv3
# base <dc=ds,dc=example,dc=com> (default) with scope subtree
# filter: (cn=SWTESTOPEN_role)
# requesting: ALL
#
# SWTESTOPEN_role, SUDOers, ds.example.com
dn: cn=SWTESTOPEN_role,ou=SUDOers,dc=ds,dc=example,dc=com
description: Open Role to Test
sudoOption: !authenticate
sudoCommand: ALL
sudoCommand: !/bin/su
sudoCommand: !/bin/bash
sudoCommand: !/bin/sh
sudoCommand: !/bin/ksh
sudoCommand: !/bin/tcsh
sudoHost: +swtest_hosts
sudoUser: +Test_users
cn: SWTESTOPEN_role
objectClass: top
objectClass: sudorole
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
:::RELEVANT NSSWITCH ENTRIES:::
[root@swtest-7b64v opt]# egrep '^passwd|^shadow|^group|^netgroup|^sudoers' /etc/nsswitch.conf
passwd: files sss ldap
shadow: files sss ldap
group: files sss ldap
netgroup: files sss ldap
sudoers: ldap
Note: as noted above, the --enableforcelegacy switch for authconfig did not remove the "sss" source. Left it in as removing it had no noticeable effect.
:::STATUS OF NSCD DAEMON:::
[root@swtest-7b64v opt]# systemctl status nscd
nscd.service - Name Service Cache Daemon
Loaded: loaded (/usr/lib/systemd/system/nscd.service; enabled)
Active: active (running) since Thu 2013-12-26 13:22:31 CST; 2min 1s ago
Process: 20053 ExecStop=/usr/sbin/nscd --shutdown (code=exited, status=0/SUCCESS)
Main PID: 20056 (nscd)
CGroup: /system.slice/nscd.service
ââ20056 /usr/sbin/nscd --foreground
Dec 26 13:22:31 swtest-7b64v systemd[1]: Starting Name Service Cache Daemon...
Dec 26 13:22:31 swtest-7b64v systemd[1]: Started Name Service Cache Daemon.
Dec 26 13:22:31 swtest-7b64v nscd[20056]: 20056 cannot stat() file `/etc/netgroup': No such file or directory
[root@swtest-7b64v opt]#
NOTE: As noted above the warning about '/etc/netgroup' occurs even if "files" is not a source for "netgroup" in nsswitch.conf
:::GETENT's VIEW OF THE NETGROUPS:::
[root@swtest-7b64v opt]# getent netgroup swtest_hosts
swtest_hosts (swtest-7b64v,-,)
[root@swtest-7b64v opt]# getent netgroup Test_users
Test_users (-,swick,)
:::SUDO-LDAP CONFIGURATION:::
[root@swtest-7b64v opt]# egrep -v '^#|^$' /etc/sudo-ldap.conf
uid nslcd
gid ldap
base dc=ds,dc=example,dc=com
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
uri ldap://ldap1.ds.example.com ldap://ldap2.ds.example.com ldap://ldap3.ds.example.com
idle_timelimit 300
sudoers_base ou=SUDOers,dc=ds,dc=example,dc=com
sudoers_debug 2
:::WHAT HAPPENS TO SUDO WITH NSCD RUNNING:::
[root@swtest-7b64v opt]# su - swick
[swick@swtest-7b64v ~]$ sudo -l
LDAP Config Summary
===================
uri ldap://ldap1.ds.example.com ldap://ldap2.ds.example.com ldap://ldap3.ds.example.com
ldap_version 3
sudoers_base ou=SUDOers,dc=ds,dc=example,dc=com
binddn (anonymous)
bindpw (anonymous)
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
sudo: ldap_initialize(ld, ldap://ldap1.ds.example.com ldap://ldap2.ds.example.com ldap://ldap3.ds.example.com)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: cn=defaults
sudo: found:cn=defaults,ou=SUDOers,dc=ds,dc=example,dc=com
sudo: ldap sudoOption: 'always_set_home'
sudo: ldap search '(|(sudoUser=swick)(sudoUser=%unixhw)(sudoUser=%#140)(sudoUser=ALL))'
sudo: searching from base 'ou=SUDOers,dc=ds,dc=example,dc=com'
sudo: adding search result
sudo: result now has 0 entries
sudo: ldap search '(sudoUser=+*)'
sudo: searching from base 'ou=SUDOers,dc=ds,dc=example,dc=com'
sudo: adding search result
sudo: result now has 0 entries
sudo: sorting remaining 0 entries
sudo: perform search for pwflag 52
sudo: done with LDAP searches
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(52)=0x42
sudo: ldap search for command list
sudo: reusing previous result (user swick) with 0 entries
User swick is not allowed to run sudo on swtest-7b64v.
sudo: removing reusable search result
:::WHAT HAPPENS WITH NSCD STOPPED:::
[swick@swtest-7b64v ~]$ exit
logout
[root@swtest-7b64v opt]# systemctl stop nscd
[root@swtest-7b64v opt]# systemctl status nscd
nscd.service - Name Service Cache Daemon
Loaded: loaded (/usr/lib/systemd/system/nscd.service; enabled)
Active: inactive (dead) since Thu 2013-12-26 14:49:43 CST; 1min 19s ago
Process: 20941 ExecStop=/usr/sbin/nscd --shutdown (code=exited, status=0/SUCCESS)
Process: 20692 ExecStart=/usr/sbin/nscd --foreground $NSCD_OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 20692 (code=exited, status=0/SUCCESS)
Dec 26 13:32:56 swtest-7b64v systemd[1]: Starting Name Service Cache Daemon...
Dec 26 13:32:56 swtest-7b64v systemd[1]: Started Name Service Cache Daemon.
Dec 26 13:32:56 swtest-7b64v nscd[20692]: 20692 cannot stat() file `/etc/netgroup': No such file or directory
Dec 26 14:49:32 swtest-7b64v systemd[1]: Started Name Service Cache Daemon.
Dec 26 14:49:43 swtest-7b64v systemd[1]: Stopping Name Service Cache Daemon...
Dec 26 14:49:43 swtest-7b64v systemd[1]: Stopped Name Service Cache Daemon.
[root@swtest-7b64v opt]# su - swick
Last login: Thu Dec 26 14:50:54 CST 2013 on pts/0
[swick@swtest-7b64v ~]$ sudo -l
LDAP Config Summary
===================
uri ldap://ldap1.ds.example.com ldap://ldap2.ds.example.com ldap://ldap3.ds.example.com
ldap_version 3
sudoers_base ou=SUDOers,dc=ds,dc=example,dc=com
binddn (anonymous)
bindpw (anonymous)
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
sudo: ldap_initialize(ld, ldap://ldap1.ds.example.com ldap://ldap2.ds.example.com ldap://ldap3.ds.example.com)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: cn=defaults
sudo: found:cn=defaults,ou=SUDOers,dc=ds,dc=example,dc=com
sudo: ldap sudoOption: 'always_set_home'
sudo: ldap search '(|(sudoUser=swick)(sudoUser=%unixhw)(sudoUser=%#140)(sudoUser=ALL))'
sudo: searching from base 'ou=SUDOers,dc=ds,dc=example,dc=com'
sudo: adding search result
sudo: result now has 0 entries
sudo: ldap search '(sudoUser=+*)'
sudo: searching from base 'ou=SUDOers,dc=ds,dc=example,dc=com'
sudo: adding search result
sudo: ldap sudoUser netgroup '+LDAPAdmin_users' ... MATCH!
sudo: ldap sudoHost '+LDAPServer_hosts' ... not
sudo: ldap sudoUser netgroup '+Test_users' ... MATCH!
sudo: ldap sudoHost '+ldap_test_machine' ... not
sudo: ldap sudoUser netgroup '+Test_users' ... MATCH!
sudo: ldap sudoHost '+swtest_hosts' ... MATCH!
sudo: ldap sudoUser netgroup '+Test_users' ... MATCH!
sudo: ldap sudoHost '+swtest-6464v_machine' ... not
sudo: result now has 1 entries
sudo: sorting remaining 1 entries
sudo: perform search for pwflag 52
sudo: ldap sudoOption: '!authenticate'
sudo: done with LDAP searches
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(52)=0x02
sudo: ldap search for command list
sudo: reusing previous result (user swick) with 1 entries
Matching Defaults entries for swick on this host:
always_set_home
User swick may run the following commands on this host:
(root) NOPASSWD: ALL, !/bin/su, !/bin/bash, !/bin/sh, !/bin/ksh, !/bin/tcsh
sudo: removing reusable search result
