IPA sudo not working with hostgroups

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 6
  • Clients configured to use sudo rules from Identity Management using sssd or ldap
  • Sudo rules using hostgroups

Issue

  • We had Identitity Management configured with HBAC and sudo rules. Users can access fine, and sudo rules configured to use individual hosts works fine but if we configure a sudorule to use hostgroup users can not run sudo commands.

Resolution

  • Remove the following line from /etc/sssd/sssd.conf
ldap_netgroup_search_base = cn=ng,cn=compat,dc=exampple,dc=com
  • Restart the sssd service:
service sssd restart
  • Clean the sss cache:
sss_cache -UNG

Root Cause

  • ldap_netgroup_search_base parameter was incorrectly set at sssd.conf. That was preventing the system to get the netgroups information and therefore the sudo rules using hostgroups were not matching and users could not run sudo commands.

Diagnostic Steps

a. Check which configuration file sudo uses (version dependent) by running the following command as root:

# sudo -V | grep "^ldap.conf"

The output will show something similar to:
ldap.conf path: /etc/sudo-ldap.conf

b. Enable sudo debug to the conf file found in step a:

echo "sudoers_debug 2" >> /etc/sudo-ldap.conf

c. Test the sudo command as the relevant user that you have set-up in IPA. With debugging enabled, and /etc/nsswitch.conf configured so sudo directly access via LDAP (sudoers: files ldap), you should get output similar to:

LDAP Config Summary
===================
uri              ldap://ipaserver.example.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=example,dc=com
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw           sudo_password
bind_timelimit   5000000
timelimit        15
ssl              start_tls
tls_checkpeer    (no)
tls_cacertfile   /etc/ipa/ca.crt
===================
sudo: ldap_initialize(ld, ldap://ipaserver.example.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5000)

sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=sudotest)(sudoUser=%sudotest)(sudoUser=%ipausers)(sudoUser=%sudo-group)(sudoUser=ALL))'
sudo: found:cn=sudo-test,ou=sudoers,dc=example,dc=com
sudo: ldap sudoHost '+test-hg1' ... not
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x40
[sudo] password for sudotest: 
sudotest is not allowed to run sudo on ipaserver.  This incident will be reported.

d. Confirm that nisdomainname is set:

# nisdomainname

e. Check that nsswitch.conf is configured to use sss to retrieve netgroup information:

netgroup:   files sss

f. Check that netgroup information can be retrieved:

# getent netgroup test-hg1

g. Because netgroup information is provided by sss, we can check /var/log/sssd/sssd_ejemplo.com.log to see which value is being used for ldap_netgroup_search_base, in a standard configuration it should show that no value is set and then a default value is set using ipa_get_id_options:

sssd_example.com.log:(Fri Nov 28 12:48:00 2014) [sssd[be[example.com]]] [dp_get_options] (0x0400): Option ldap_netgroup_search_base has no value 
sssd_example.com.log:(Fri Nov 28 12:48:00 2014) [sssd[be[example.com]]] [ipa_get_id_options] (0x0400): Option ldap_netgroup_search_base set to cn=ng,cn=alt,dc=example,dc=com
sssd_example.com.log:(Fri Nov 28 12:48:00 2014) [sssd[be[example.com]]] [dp_get_options] (0x0400): Option ldap_netgroup_search_base has no value 

But if the parameter is set, the output would be similar to:

sssd_example.com.log:(Fri Nov 28 10:40:05 2014) [sssd[be[example.com]]] [dp_get_options] (0x0400): Option ldap_netgroup_search_base has value cn=ng,cn=compat,dc=example,dc=com
sssd_example.com.log:(Fri Nov 28 10:40:05 2014) [sssd[be[ejemplo.com]]] [dp_get_options] (0x0400): Option ldap_netgroup_search_base has value cn=ng,cn=compat,dc=example,dc=com

Additionally for testing hostgroup rules you should add a shorter time-out period for sssd on the client by editing /etc/sssd/sssd.conf and adding the following line in the [domain/yourdomain.com] section:

entry_cache_netgroup_timeout = 10

Without this when you add or remove hosts to the hostgroup the change will not be picked up until the timeout limit is reached which by default is 90 minutes.

Alternately you can also clear the cache:

# service sssd stop ; sss_cache -UNG ; service sssd start

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

1 Comments

I am experiencing the same symptoms (sudo rules not working when the match depends on a hostgroup vs adding the host directly to the rule) but the root cause does not seem to apply in my case.