RHEL 7 Beta NSCD, SUDOers, authconfig issues
When trying to adapt RHEL 7 to our NSS-LDAP scheme, I came across a couple of annoyances that were worth noting.
Firstly, there seem to be some new bugs in authconfig.
Bug 1:
The option "--ldapserver=" seems to evaluate its value more strictly. For RHEL4 through RHEL6, I've been able to provide multiple URIs simply by keeping them in a quoted list separated by spaces.
For example:
--ldapserver='ldap://ldap1.example.com ldap://ldap2.example.com ldap://ldap3.example.com'
This syntax has always worked before but with RHEL 7 Beta I get the following error:
authconfig: Invalid LDAP URI.
...and no URI is added to the LDAP config at all.
I didn't see anything about a syntax change in the man pages, but I tried a couple of different field separators with no luck. I had to resort to using sed to add multiple LDAP servers to the configs. I'm all for stricter syntax checking, but there's nothing technically wrong with the syntax I'm using, and in this state authconfig doesn't seem to offer any way to set up multiple servers for high availability. I don't know of many organizations that would be happy with a single point of failure like this, so I'm calling this a bug.
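The "use sed" workaround mentioned above, written out as an added example (this is not part of the original post and not authconfig's own code): a POSIX sh script that validates a space-separated list of LDAP URIs, the exact form authconfig rejected, and writes it as a single uri line into an ldap-style configuration file such as /etc/sudo-ldap.conf or /etc/nslcd.conf. The function names, the hostname rule and the sample file contents are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the "use sed" workaround written
# as a reusable script. It validates a space-separated LDAP URI list (the form
# authconfig rejected) and writes it as a single "uri" line into an ldap-style
# config file such as /etc/sudo-ldap.conf or /etc/nslcd.conf, replacing any
# existing "uri" line. Function names and the hostname rule are my own choices.

# valid_ldap_uri URI
# Succeeds if URI is ldap://host[:port] or ldaps://host[:port] with a plain
# hostname (letters, digits, dots, hyphens). IPv6 literals are not handled.
valid_ldap_uri() {
    case "$1" in
        ldap://*|ldaps://*)
            host=${1#*://}       # strip the scheme
            host=${host%%/*}     # strip any trailing path
            host=${host%:*}      # strip an optional :port
            printf '%s' "$host" | grep -Eq '^[A-Za-z0-9.-]+$'
            ;;
        *)
            return 1
            ;;
    esac
}

# set_ldap_uris CONFIG "uri1 uri2 ..."
# Rejects the whole list if any URI is invalid, so the file is never left
# half-edited; otherwise drops old "uri" lines and appends the new one.
set_ldap_uris() {
    cfg=$1
    uris=$2
    for u in $uris; do
        valid_ldap_uri "$u" || { echo "invalid LDAP URI: $u" >&2; return 1; }
    done
    tmp=$(mktemp) || return 1
    grep -Ev '^[[:space:]]*uri[[:space:]]' "$cfg" > "$tmp" 2>/dev/null || true
    printf 'uri %s\n' "$uris" >> "$tmp"
    # cat rather than mv keeps the target file's owner and mode
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Demo on a constructed copy of a config, never on the live file.
demo=$(mktemp)
printf 'base dc=ds,dc=example,dc=com\nuri ldap://ldap1.ds.example.com\nssl start_tls\n' > "$demo"
set_ldap_uris "$demo" 'ldap://ldap1.ds.example.com ldap://ldap2.ds.example.com ldap://ldap3.ds.example.com'
grep '^uri ' "$demo"
rm -f "$demo"
```

Run it after authconfig has written the single-server configs, once per file that takes a lowercase uri directive (the sudo-ldap.conf and nslcd.conf formats do; /etc/openldap/ldap.conf uses the uppercase URI keyword and is not covered). Validating every URI before touching the file matters because the daemons silently fall back to whatever partial list they find.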
Bug 2:
The option "--enableforcelegacy" disabled all of the "SSSD" stuff in RHEL 6, including removing the "sss" sources from /etc/nsswitch.conf. In this version it doesn't remove the "sss" targets at all.
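For checking what --enableforcelegacy actually left behind, here is an added example (not from the original post and not authconfig's code) of small POSIX sh helpers that read the source list of an nsswitch.conf database and strip a named source, "sss" in this case, from every database line. The function names are my own, and the demo runs on a constructed copy modelled on the nsswitch excerpt shown later in this post, never on /etc/nsswitch.conf itself.

```shell
#!/bin/sh
# Added example, not from the original post: helpers to inspect and edit the
# source lists in an nsswitch.conf, i.e. the "sss" removal the post expected
# --enableforcelegacy to do. The path is a parameter; the demo works on a
# constructed copy that mirrors the post's egrep output, never on /etc.

# nss_sources FILE DB -> prints the sources listed for database DB
nss_sources() {
    awk -v db="$2" '$1 == db ":" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# nss_has_source FILE DB SRC -> succeeds if SRC is among DB's sources
nss_has_source() {
    for s in $(nss_sources "$1" "$2"); do
        [ "$s" = "$3" ] && return 0
    done
    return 1
}

# nss_strip_source FILE SRC
# Removes SRC from every database line; comments, blank lines, source order
# and [action] tokens are kept. Runs of spaces collapse to one.
nss_strip_source() {
    tmp=$(mktemp) || return 1
    awk -v src="$2" '
        /^[[:space:]]*#/ || NF == 0 { print; next }
        {
            out = $1
            for (i = 2; i <= NF; i++) if ($i != src) out = out " " $i
            print out
        }' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Demo on a constructed copy
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample, modelled on the post's nsswitch.conf excerpt
passwd:     files sss ldap
shadow:     files sss ldap
group:      files sss ldap
netgroup:   files sss ldap
sudoers:    ldap
EOF
echo "before: netgroup -> $(nss_sources "$demo" netgroup)"
nss_strip_source "$demo" sss
echo "after:  netgroup -> $(nss_sources "$demo" netgroup)"
rm -f "$demo"
```

A quick audit after any authconfig run is nss_has_source /etc/nsswitch.conf passwd sss for each database; when the SSSD stack is meant to be disabled, a leftover sss source is a lookup path nobody is watching.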
Secondly, NSCD seems to be having trouble with netgroups.
I stumbled across this while trying to get SUDO to work through LDAP. We use NIS netgroups to create SUDO roles, so both the sudoHost and sudoUser values are always netgroups. With NSCD running, SUDO fails to find any
The first odd behavior is the following warning:
Dec 26 13:22:31 swtest-7b64v nscd[20056]: 20056 cannot stat() file `/etc/netgroup': No such file or directory
This warning occurs even if "ldap" is the only target for "netgroups" in /etc/nsswitch.conf.
The second issue occurs when we attempt to evaluate SUDOers roles with NSCD active. For whatever reason the two aren't playing nicely together. With NSCD active, getent is able to properly evaluate netgroups, but SUDO isn't for some reason.
Here are some nitty-gritty details:
:::AUTHCONFIG COMMAND:::
/usr/sbin/authconfig --enableshadow --passalgo=sha512 --enablemd5 --disablenis --enableldap --enableldapauth --ldapserver='ldap://ldap1.ds.example.com' --ldapbasedn='dc=ds,dc=example,dc=com' --enableldaptls --enableforcelegacy --enablecache --enablelocauthorize --enablepamaccess --enablemkhomedir --updateall
NOTE: as mentioned above, the additional servers had to be added manually to their respective configuration files as authconfig refused to accept a multiple server URI.
:::WHAT THE SUDO ROLE LOOKS LIKE IN LDAP:::
[root@swtest-7b64v opt]# ldapsearch -x '(cn=SWTESTOPEN_role)'
# extended LDIF
#
# LDAPv3
# base (default) with scope subtree
# filter: (cn=SWTESTOPEN_role)
# requesting: ALL
#

# SWTESTOPEN_role, SUDOers, ds.example.com
dn: cn=SWTESTOPEN_role,ou=SUDOers,dc=ds,dc=example,dc=com
description: Open Role to Test
sudoOption: !authenticate
sudoCommand: ALL
sudoCommand: !/bin/su
sudoCommand: !/bin/bash
sudoCommand: !/bin/sh
sudoCommand: !/bin/ksh
sudoCommand: !/bin/tcsh
sudoHost: +swtest_hosts
sudoUser: +Test_users
cn: SWTESTOPEN_role
objectClass: top
objectClass: sudorole

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
:::RELEVANT NSSWITCH ENTRIES:::
[root@swtest-7b64v opt]# egrep '^passwd|^shadow|^group|^netgroup|^sudoers' /etc/nsswitch.conf
passwd:     files sss ldap
shadow:     files sss ldap
group:      files sss ldap
netgroup:   files sss ldap
sudoers:    ldap
Note: as noted above, the --enableforcelegacy switch for authconfig did not remove the "sss" source. I left it in, as removing it had no noticeable effect.
:::STATUS OF NSCD DAEMON:::
[root@swtest-7b64v opt]# systemctl status nscd
nscd.service - Name Service Cache Daemon
   Loaded: loaded (/usr/lib/systemd/system/nscd.service; enabled)
   Active: active (running) since Thu 2013-12-26 13:22:31 CST; 2min 1s ago
  Process: 20053 ExecStop=/usr/sbin/nscd --shutdown (code=exited, status=0/SUCCESS)
 Main PID: 20056 (nscd)
   CGroup: /system.slice/nscd.service
           └─20056 /usr/sbin/nscd --foreground

Dec 26 13:22:31 swtest-7b64v systemd[1]: Starting Name Service Cache Daemon...
Dec 26 13:22:31 swtest-7b64v systemd[1]: Started Name Service Cache Daemon.
Dec 26 13:22:31 swtest-7b64v nscd[20056]: 20056 cannot stat() file `/etc/netgroup': No such file or directory
[root@swtest-7b64v opt]#
NOTE: As noted above, the warning about '/etc/netgroup' occurs even if "files" is not a source for "netgroup" in nsswitch.conf.
:::GETENT's VIEW OF THE NETGROUPS:::
[root@swtest-7b64v opt]# getent netgroup swtest_hosts
swtest_hosts          (swtest-7b64v,-,)
[root@swtest-7b64v opt]# getent netgroup Test_users
Test_users            (-,swick,)
:::SUDO-LDAP CONFIGURATION:::
[root@swtest-7b64v opt]# egrep -v '^#|^$' /etc/sudo-ldap.conf
uid nslcd
gid ldap
base dc=ds,dc=example,dc=com
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
uri ldap://ldap1.ds.example.com ldap://ldap2.ds.example.com ldap://ldap3.ds.example.com
idle_timelimit 300
sudoers_base ou=SUDOers,dc=ds,dc=example,dc=com
sudoers_debug 2
:::WHAT HAPPENS TO SUDO WITH NSCD RUNNING:::
[root@swtest-7b64v opt]# su - swick
[swick@swtest-7b64v ~]$ sudo -l
LDAP Config Summary
===================
uri              ldap://ldap1.ds.example.com ldap://ldap2.ds.example.com ldap://ldap3.ds.example.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=ds,dc=example,dc=com
binddn           (anonymous)
bindpw           (anonymous)
ssl              start_tls
tls_cacertdir    /etc/openldap/cacerts
===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
sudo: ldap_initialize(ld, ldap://ldap1.ds.example.com ldap://ldap2.ds.example.com ldap://ldap3.ds.example.com)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: cn=defaults
sudo: found:cn=defaults,ou=SUDOers,dc=ds,dc=example,dc=com
sudo: ldap sudoOption: 'always_set_home'
sudo: ldap search '(|(sudoUser=swick)(sudoUser=%unixhw)(sudoUser=%#140)(sudoUser=ALL))'
sudo: searching from base 'ou=SUDOers,dc=ds,dc=example,dc=com'
sudo: adding search result
sudo: result now has 0 entries
sudo: ldap search '(sudoUser=+*)'
sudo: searching from base 'ou=SUDOers,dc=ds,dc=example,dc=com'
sudo: adding search result
sudo: result now has 0 entries
sudo: sorting remaining 0 entries
sudo: perform search for pwflag 52
sudo: done with LDAP searches
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(52)=0x42
sudo: ldap search for command list
sudo: reusing previous result (user swick) with 0 entries
User swick is not allowed to run sudo on swtest-7b64v.
sudo: removing reusable search result
:::WHAT HAPPENS WITH NSCD STOPPED:::
[swick@swtest-7b64v ~]$ exit
logout
[root@swtest-7b64v opt]# systemctl stop nscd
[root@swtest-7b64v opt]# systemctl status nscd
nscd.service - Name Service Cache Daemon
   Loaded: loaded (/usr/lib/systemd/system/nscd.service; enabled)
   Active: inactive (dead) since Thu 2013-12-26 14:49:43 CST; 1min 19s ago
  Process: 20941 ExecStop=/usr/sbin/nscd --shutdown (code=exited, status=0/SUCCESS)
  Process: 20692 ExecStart=/usr/sbin/nscd --foreground $NSCD_OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 20692 (code=exited, status=0/SUCCESS)

Dec 26 13:32:56 swtest-7b64v systemd[1]: Starting Name Service Cache Daemon...
Dec 26 13:32:56 swtest-7b64v systemd[1]: Started Name Service Cache Daemon.
Dec 26 13:32:56 swtest-7b64v nscd[20692]: 20692 cannot stat() file `/etc/netgroup': No such file or directory
Dec 26 14:49:32 swtest-7b64v systemd[1]: Started Name Service Cache Daemon.
Dec 26 14:49:43 swtest-7b64v systemd[1]: Stopping Name Service Cache Daemon...
Dec 26 14:49:43 swtest-7b64v systemd[1]: Stopped Name Service Cache Daemon.

[root@swtest-7b64v opt]# su - swick
Last login: Thu Dec 26 14:50:54 CST 2013 on pts/0
[swick@swtest-7b64v ~]$ sudo -l
LDAP Config Summary
===================
uri              ldap://ldap1.ds.example.com ldap://ldap2.ds.example.com ldap://ldap3.ds.example.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=ds,dc=example,dc=com
binddn           (anonymous)
bindpw           (anonymous)
ssl              start_tls
tls_cacertdir    /etc/openldap/cacerts
===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
sudo: ldap_initialize(ld, ldap://ldap1.ds.example.com ldap://ldap2.ds.example.com ldap://ldap3.ds.example.com)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: cn=defaults
sudo: found:cn=defaults,ou=SUDOers,dc=ds,dc=example,dc=com
sudo: ldap sudoOption: 'always_set_home'
sudo: ldap search '(|(sudoUser=swick)(sudoUser=%unixhw)(sudoUser=%#140)(sudoUser=ALL))'
sudo: searching from base 'ou=SUDOers,dc=ds,dc=example,dc=com'
sudo: adding search result
sudo: result now has 0 entries
sudo: ldap search '(sudoUser=+*)'
sudo: searching from base 'ou=SUDOers,dc=ds,dc=example,dc=com'
sudo: adding search result
sudo: ldap sudoUser netgroup '+LDAPAdmin_users' ... MATCH!
sudo: ldap sudoHost '+LDAPServer_hosts' ... not
sudo: ldap sudoUser netgroup '+Test_users' ... MATCH!
sudo: ldap sudoHost '+ldap_test_machine' ... not
sudo: ldap sudoUser netgroup '+Test_users' ... MATCH!
sudo: ldap sudoHost '+swtest_hosts' ... MATCH!
sudo: ldap sudoUser netgroup '+Test_users' ... MATCH!
sudo: ldap sudoHost '+swtest-6464v_machine' ... not
sudo: result now has 1 entries
sudo: sorting remaining 1 entries
sudo: perform search for pwflag 52
sudo: ldap sudoOption: '!authenticate'
sudo: done with LDAP searches
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(52)=0x02
sudo: ldap search for command list
sudo: reusing previous result (user swick) with 1 entries
Matching Defaults entries for swick on this host:
    always_set_home

User swick may run the following commands on this host:
    (root) NOPASSWD: ALL, !/bin/su, !/bin/bash, !/bin/sh, !/bin/ksh, !/bin/tcsh
sudo: removing reusable search result
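The two runs above differ in one place: with NSCD running, the '(sudoUser=+*)' netgroup search ends with "result now has 0 entries" and no per-role netgroup evaluation lines at all, while with NSCD stopped the same search evaluates every role and keeps the one whose sudoHost netgroup matches. To compare runs like these without reading the whole debug transcript each time, here is an added example (my own, not from the post or from sudo) of a POSIX sh summariser for the sudoers_debug 2 output. The summary field names are my own, and the two samples are constructed from abridged lines of the post's transcripts.

```shell
#!/bin/sh
# Added example, not from the original post: a summariser for the debug text
# that "sudo -l" prints when sudo-ldap.conf has "sudoers_debug 2", so the
# nscd-running and nscd-stopped runs can be compared in one line each. The
# samples below are constructed from the lines shown in the post; the field
# names in the summary are my own.

# sudo_ldap_summary < DEBUG_TEXT
# Prints: netgroup_entries=N host_netgroups_matched=H user_matches=U host_matches=V verdict=W
# netgroup_entries is the entry count sudo reports after its '(sudoUser=+*)'
# search, i.e. how many netgroup-based roles survived user and host matching.
sudo_ldap_summary() {
    awk '
        index($0, "(sudoUser=+*)") > 0 { in_ng = 1 }
        in_ng && /result now has [0-9]+ entries/ {
            for (i = 1; i <= NF; i++) if ($i == "has") ng = $(i + 1)
            in_ng = 0
        }
        /sudoHost .* MATCH!/ { hosts++ }
        /user_matches=/ { sub(/.*user_matches=/, ""); um = $1 }
        /host_matches=/ { sub(/.*host_matches=/, ""); hm = $1 }
        /is not allowed to run sudo/ { verdict = "denied" }
        /may run the following commands/ { verdict = "allowed" }
        END {
            printf "netgroup_entries=%s host_netgroups_matched=%d user_matches=%s host_matches=%s verdict=%s\n",
                (ng == "" ? "0" : ng), hosts + 0, (um == "" ? "?" : um), (hm == "" ? "?" : hm),
                (verdict == "" ? "unknown" : verdict)
        }'
}

# Constructed samples, abridged from the post's two runs
SAMPLE_NSCD_RUNNING="sudo: ldap search '(|(sudoUser=swick)(sudoUser=ALL))'
sudo: adding search result
sudo: result now has 0 entries
sudo: ldap search '(sudoUser=+*)'
sudo: adding search result
sudo: result now has 0 entries
sudo: user_matches=1
sudo: host_matches=0
User swick is not allowed to run sudo on swtest-7b64v."

SAMPLE_NSCD_STOPPED="sudo: ldap search '(sudoUser=+*)'
sudo: adding search result
sudo: ldap sudoUser netgroup '+Test_users' ... MATCH!
sudo: ldap sudoHost '+ldap_test_machine' ... not
sudo: ldap sudoUser netgroup '+Test_users' ... MATCH!
sudo: ldap sudoHost '+swtest_hosts' ... MATCH!
sudo: result now has 1 entries
sudo: user_matches=1
sudo: host_matches=1
User swick may run the following commands on this host:"

printf '%s\n' "$SAMPLE_NSCD_RUNNING" | sudo_ldap_summary
printf '%s\n' "$SAMPLE_NSCD_STOPPED" | sudo_ldap_summary
```

On a real host, run sudo -l 2>&1 | sudo_ldap_summary as the test user once with nscd active and once after systemctl stop nscd; a drop of netgroup_entries to 0 with user_matches still 1 is the signature shown in the post. One narrower thing to try that the post does not test: nscd.conf has a per-database enable-cache setting, so netgroup caching can be switched off (enable-cache netgroup no) while passwd and group caching stay on, which keeps most of nscd's benefit if the netgroup path turns out to be the only problem.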