Authenticating Sudo With Ipa.


Hello, I have set up IPA on a private network and have hit some bumps configuring sudo access for the clients. kinit seems to work fine for both client and server, user and root.

When I run sudo on the server I see the following in /var/log/messages:

Oct 17 17:53:52 192-168-0-100 [sssd[krb5_child[29237]]]: Decrypt integrity check failed
Oct 17 17:53:52 192-168-0-100 [sssd[krb5_child[29237]]]: Decrypt integrity check failed

Thanks, Andrew

## I see the following in my client's /var/log/messages after starting sssd on the client.

Oct 17 17:35:46 zabbix sssd: Starting up
Oct 17 17:35:46 zabbix sssd[be[192-168-0-100.local]]: Starting up
Oct 17 17:35:46 zabbix sssd[nss]: Starting up
Oct 17 17:35:46 zabbix [sssd[ldap_child[6659]]]: Error processing keytab file [default]: Principal [host/192-168-0-100.local@LOCAL] was not found. Unable to create GSSAPI-encrypted LDAP connection.
Oct 17 17:35:46 zabbix sssd[sudo]: Starting up
Oct 17 17:35:46 zabbix sssd[ssh]: Starting up
Oct 17 17:35:46 zabbix sssd[pac]: Starting up
Oct 17 17:35:46 zabbix [sssd[ldap_child[6659]]]: Error writing to key table
Oct 17 17:35:46 zabbix sssd[pam]: Starting up

## And the following when user “andrew” tries to sudo on the client.

Oct 17 17:37:10 zabbix [sssd[ldap_child[6667]]]: Error processing keytab file [default]: Principal [host/192-168-0-100.local@LOCAL] was not found. Unable to create GSSAPI-encrypted LDAP connection.
Oct 17 17:37:10 zabbix [sssd[ldap_child[6667]]]: Error writing to key table

## The user and sudo rules in ipa.

[root@192-168-0-100 ~]# ipa sudorule-show add_sudo
Rule name: add_sudo
Enabled: TRUE
Host category: all
Command category: all
RunAs User category: all
RunAs Group category: all
Users: andrew
[root@192-168-0-100 ~]# ipa user-show andrew
User login: andrew
First name: Andrew
Last name: Holway
Home directory: /home/andrew
Login shell: /bin/bash
Email address: andrew@local.com
UID: 1876600003
GID: 1876600003
Account disabled: False
Password: True
Member of groups: admins, ipausers, trust admins
Member of Sudo rule: add_sudo
Kerberos keys available: True
SSH public key fingerprint:
35:08:9D:5E:F7:96:2A:FA:E4:60:76:4E:8A:12:FE:15 (ssh-dss)

## /etc/sssd/sssd.conf on the client

[domain/192-168-0-100.local]
cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = LOCAL
ipa_domain = 192-168-0-100.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = 192-168-0-110.local
chpass_provider = ipa
ipa_server = _srv_, 192-168-0-100.local
dns_discovery_domain = 192-168-0-100.local
sudo_provider = ldap
ldap_uri = ldap://192-168-0-100.local
ldap_sudo_search_base = ou=sudoers,dc=local
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/192-168-0-100.local@LOCAL
ldap_sasl_realm = local
krb5_server = 192-168-0-100.local

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = 192-168-0-100.local

[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]

## /etc/nsswitch.conf on client

#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis

passwd: files sss
shadow: files sss
group: files sss

#hosts: db files nisplus nis dns
hosts: files dns

# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss

netgroup: files sss

publickey: nisplus

automount: files
aliases: files nisplus
sudoers: files sss

## selinux

SELinux status: disabled on both client and server

## /etc/krb5.conf on the client

#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
default_realm = LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes

[realms]
LOCAL = {
kdc = 192-168-0-100.local:88
master_kdc = 192-168-0-100.local:88
admin_server = 192-168-0-100.local:749
default_domain = 192-168-0-100.local
pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
.192-168-0-100.local = LOCAL
192-168-0-100.local = LOCAL
.local = LOCAL
local = LOCAL
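The client log above says the principal named by ldap_sasl_authid is not in the client's keytab, and the sssd.conf shows ldap_sasl_authid pointing at one host name while ipa_hostname names another. The script below is an added example, not part of the original post: it reads an sssd.conf, derives the host principal SSSD would use by default (host/<ipa_hostname>@<krb5_realm>), and checks that ldap_sasl_authid matches it, appears in a `klist -kt` listing, and that ldap_sasl_realm agrees with krb5_realm (Kerberos realm names are case-sensitive). The sample config is built from the values in the post; the keytab listing is a constructed assumption, since the post does not show `klist` output.

```python
import configparser

# Constructed sample: the client's sssd.conf from the post, reduced to the
# keys that matter for the GSSAPI bind.
SAMPLE_SSSD_CONF = """\
[domain/192-168-0-100.local]
krb5_realm = LOCAL
ipa_hostname = 192-168-0-110.local
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/192-168-0-100.local@LOCAL
ldap_sasl_realm = local

[sssd]
services = nss, pam, ssh, sudo
domains = 192-168-0-100.local
"""

# Constructed sample (assumption, not from the post): what `klist -kt
# /etc/krb5.keytab` prints on a client enrolled as 192-168-0-110.local.
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 10/17/2014 17:30:01 host/192-168-0-110.local@LOCAL
   1 10/17/2014 17:30:01 host/192-168-0-110.local@LOCAL
"""

# Same config with ldap_sasl_authid and ldap_sasl_realm made consistent
# with ipa_hostname and krb5_realm (used to show a clean run).
CORRECTED_SSSD_CONF = SAMPLE_SSSD_CONF.replace(
    "ldap_sasl_authid = host/192-168-0-100.local@LOCAL",
    "ldap_sasl_authid = host/192-168-0-110.local@LOCAL",
).replace("ldap_sasl_realm = local", "ldap_sasl_realm = LOCAL")


def keytab_principals(klist_output):
    """Return the set of principals listed by `klist -k` / `klist -kt`.

    Entry lines start with a numeric KVNO; the principal is the last token.
    Header and separator lines are skipped.
    """
    principals = set()
    for line in klist_output.splitlines():
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0].isdigit() and "@" in tokens[-1]:
            principals.add(tokens[-1])
    return principals


def check_sasl_authid(sssd_conf_text, klist_output):
    """Return a list of inconsistencies between the SASL bind identity in
    sssd.conf and the keytab; an empty list means nothing was found."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf_text)
    principals = keytab_principals(klist_output)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        realm = d.get("krb5_realm")
        hostname = d.get("ipa_hostname")
        authid = d.get("ldap_sasl_authid")
        sasl_realm = d.get("ldap_sasl_realm")
        if authid is None:
            continue  # SSSD derives host/<hostname>@<realm> itself
        expected = f"host/{hostname}@{realm}" if hostname and realm else None
        if expected and authid != expected:
            findings.append(f"{section}: ldap_sasl_authid={authid} "
                            f"but ipa_hostname/krb5_realm imply {expected}")
        if authid not in principals:
            findings.append(f"{section}: ldap_sasl_authid={authid} "
                            "is not present in the keytab")
        if sasl_realm and realm and sasl_realm != realm:
            findings.append(f"{section}: ldap_sasl_realm={sasl_realm} differs "
                            f"from krb5_realm={realm} (realms are case-sensitive)")
    return findings


if __name__ == "__main__":
    import subprocess
    import sys

    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        # Needs root: /etc/sssd/sssd.conf and /etc/krb5.keytab are root-only.
        with open("/etc/sssd/sssd.conf") as fh:
            conf = fh.read()
        out = subprocess.run(["klist", "-kt", "/etc/krb5.keytab"],
                             capture_output=True, text=True).stdout
    else:
        conf, out = SAMPLE_SSSD_CONF, SAMPLE_KLIST_OUTPUT
    for finding in check_sasl_authid(conf, out) or ["no inconsistencies found"]:
        print(finding)
```

Run it without arguments to see the three findings for the configuration in the post, or as root with `--live` to check the real sssd.conf and keytab on a client. An empty result only means the bind identity is consistent with the keytab; it does not test that the KDC actually accepts that key, which is what the "Decrypt integrity check failed" line from krb5_child would point at.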
