So I have this centos 5.10 box which authenticates network users against ldap(authorizing)+kerberos(authentication). And I now would like to have sudo be able to allow admins (netgroup chinbeards) to sudo about. I am not using sssd though (yet).
Here is the output of me trying sudo (debug on):
[raub@centos5-x64 ~]$ sudo pwd
LDAP Config Summary
===================
uri              ldap://idir1.internal.domain.com/ ldap://idir2.internal.domain.com/
ldap_version     3
sudoers_base     ou=SUDOers,dc=domain,dc=com
binddn           (anonymous)
bindpw           (anonymous)
bind_timelimit   120000
timelimit        120
ssl              start_tls
tls_cacertdir    /etc/openldap/cacerts
===================
sudo: ldap_initialize(ld, ldap://idir1.internal.domain.com/ ldap://idir2.internal.domain.com/)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
sudo: ldap_set_option: timelimit -> 120
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 120)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,ou=SUDOers,dc=domain,dc=com
sudo: ldap sudoOption: 'env_keep+=SSH_AGENT_PID'
sudo: ldap sudoOption: 'env_keep+=SSH_AUTH_SOCK'
sudo: ldap sudoOption: 'env_keep+=SVN_SSH'
sudo: ldap sudoOption: 'env_reset'
sudo: ldap sudoOption: 'ignore_local_sudoers'
sudo: ldap search '(|(sudoUser=raub)(sudoUser=%raub)(sudoUser=%chinbeards)(sudoUser=ALL))'
sudo: ldap search 'sudoUser=+*'
sudo: found:cn=defaults,ou=SUDOers,dc=domain,dc=com
sudo: ldap sudoUser netgroup '+chinbeards' ... MATCH!
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: Command allowed
sudo: ldap sudoOption: 'env_keep+=SSH_AGENT_PID'
sudo: ldap sudoOption: 'env_keep+=SSH_AUTH_SOCK'
sudo: ldap sudoOption: 'env_keep+=SVN_SSH'
sudo: ldap sudoOption: 'env_reset'
sudo: ldap sudoOption: 'ignore_local_sudoers'
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for raub:
It seems to me that it had no issues finding that I belong to the netgroup chinbeards (allowed to sudo), and realizing I can do a command. So, to me the sudo+ldap part of the transaction (authorization, kind of what is mentioned in http://www.sudo.ws/sudoers.ldap.man.html and http://www.gratisoft.us/sudo/readme_ldap.html) seems to be fine.
But the next step -- it asks for a password -- is when things get interesting. At this point I would expect it to pass that to pam, which would then authenticate me with kerberos (I wonder if it would work by checking if I have a valid kerberos ticket. That is what happens when I, say, do ldapsearch, but I digress). But, according to /var/log/secure,
Jan 17 10:07:13 centos5-x64 sudo: pam_unix(sudo:auth): authentication failure; logname=raub uid=0 euid=0 tty=/dev/pts/0 ruser= rhost= user=raub
It seems to have failed to authenticate me. Would it be due to pam not knowing about kerberos?
Reading http://www.centos.org/docs/5/html/5.2/Deployment_Guide/s1-kerberos-pam.html, should I be able to get pam_krb5 in, say, /etc/pam.d/system-auth like this:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
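The PAM behaviour the message above is puzzling over, as an added example that is not part of the original e-mails: a small Python model of how libpam walks an auth stack (keyword controls mapped to the bracket syntax they stand for), run over the auth section quoted above both with and without the pam_krb5 line. The per-module outcomes for a network user are constructed assumptions, and the model assumes /etc/pam.d/sudo includes system-auth, which is the CentOS 5 default.

```python
import re

# Linux-PAM keyword controls, written as the bracket syntax they stand for
KEYWORDS = {"required": {"success": "ok", "ignore": "ignore", "default": "bad"},
            "requisite": {"success": "ok", "ignore": "ignore", "default": "die"},
            "sufficient": {"success": "done", "default": "ignore"},
            "optional": {"success": "ok", "default": "ignore"}}
LINE = re.compile(r"^(\w+)\s+(\[[^\]]+\]|\w+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Parse pam.d lines into (type, control-map, module, args) tuples."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            mtype, ctrl, module, args = LINE.match(line).groups()
            cmap = (dict(t.split("=") for t in ctrl[1:-1].split())
                    if ctrl.startswith("[") else KEYWORDS[ctrl])
            stack.append((mtype, cmap, module, args.split()))
    return stack

def run_stack(stack, mtype, results):
    """Walk one management group like libpam; results maps module -> return."""
    status = None                          # nothing has contributed yet
    for t, cmap, module, _ in stack:
        if t != mtype:
            continue
        ret = results.get(module, "ignore")
        action = cmap.get(ret, cmap.get("default", "bad"))
        if action in ("ok", "done") and status is None:
            status = "success"             # an earlier failure would stick
        elif action in ("bad", "die") and status in (None, "success"):
            status = ret                   # first failure decides the stack
        if action in ("done", "die"):
            break                          # sufficient/requisite short-circuit
    return status or "perm_denied"         # libpam's default for an empty stack

# Constructed auth section from the thread, and the same stack without pam_krb5
WITH_KRB5 = """auth required   pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite  pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required   pam_deny.so"""
WITHOUT_KRB5 = "\n".join(l for l in WITH_KRB5.splitlines() if "krb5" not in l)

# Constructed outcomes for an LDAP/Kerberos user: visible via NSS (uid >= 500)
# but with no local shadow hash, so pam_unix returns PAM_AUTH_ERR for him
NETWORK_USER = {"pam_env.so": "success", "pam_unix.so": "auth_err",
                "pam_succeed_if.so": "success", "pam_krb5.so": "success",
                "pam_deny.so": "auth_err"}
```

With pam_krb5 present its sufficient success ends the stack before pam_deny is reached; without it, pam_unix's failure is ignored by sufficient but pam_deny's required failure decides the result, which is consistent with the pam_unix(sudo:auth) failure logged in /var/log/secure.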
On Sun, Jan 19, 2014 at 6:12 PM, Mauricio Tavares raubvogel@gmail.com wrote:
OK, I am not saying what I wrote above is proper, but the auth entry is enough to satisfy sudo. But how do I now tell authconfig to edit the file properly? The way I did it was
authconfig --enableldap --enableldaptls --ldapserver=idir1.internal.domain.com,idir2.internal.domain.com --ldapbasedn=dc=domain,dc=com --enablekrb5 --passalgo=sha512 --disablemd5 --update
but that does not seem to add the line to /etc/pam.d/system-auth to tell it that kerberos is in the house.