AIX Open Source

Share your experiences and connect with fellow developers to discover how to build and manage open source software for the AIX operating system


SUDO part 2

  • 1.  SUDO part 2

    Posted Fri October 20, 2023 10:39 AM

    Hi all

    I have updated sudo to version 1.9.13p2. Thanks for all the HELP with this and all the dependencies!
    but
    We can't get SUDO to work with IDM (user authentication)? 
    We have followed all documentation and it works fine....EXCEPT for the SUDO part?

    Anyone that can help on this part?
    Question is,
    need to provide sudo access for other groups also from the IDM end.....

    The configuration of AllowGroups and DenyGroups is working as expected. 

    root@techa0011# cat sshd_config |grep -iE 'AllowGroups|DenyGroups'
    DenyGroups unix_techemother_high_users
    AllowGroups system unix_techemaixdbadm_high_users unix_unix_high_users unix_sapbasis_high_users unix_sapbasis_medium_users unix_monitoring_medium_users.

    We tested with these 3 users below, and only user no. 3 is able to log on and use sudo?
    Why not the other users?

    1) hx12254 user id (unix_sapbasis_high_users) was unable to do sudo on this server.
    2) dei02099 user id (unix_techemaixdbadm_high_users) was unable to do sudo on this server.
    3) hx11775 user id (unix_unix_high_users) was able to do sudo on this server.

    root@techa0011# sudo -V |head
    Sudo version 1.9.13p2

    Configure options: --prefix=/opt/freeware --sbindir=/opt/freeware/sbin --libdir=/opt/freeware/lib --mandir=/opt/freeware/man --libexecdir=/opt/freeware/libexec --with-logging=syslog --with-logfac=auth --with-pam --with-pam-login --with-env-editor --with-ignore-dot --with-aixauth --disable-year2038 --with-tty-tickets --with-ldap=/opt/freeware --with-ldap-conf-file=/opt/freeware/etc/openldap/ldap.conf

    Sudoers policy plugin version 1.9.13p2
    Sudoers file grammar version 50

    Sudoers path: /etc/sudoers
    ldap.conf path: /opt/freeware/etc/openldap/ldap.conf
    ldap.secret path: /etc/ldap.secret
    Authentication methods: 'aixauth' 'pam'
    Syslog facility if syslog is being used for logging: auth

    root@techa0011# sudo -l -U hx12254
    User hx12254 is not allowed to run sudo on techa0011.

    root@techa0011# lsuser hx12254
    hx12254 id=11170 pgrp=hx12254 groups=hx12254,unix_sapbasis_medium_users,unix_sapbasis_high_users home=/home/hx12254 shell=/bin/bash gecos=Srinivas Ramanna Ramanna login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=KRB5LDAP SYSTEM=KRB5LDAP OR compat logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minloweralpha=0 minupperalpha=0 minother=0 mindigit=0 minspecialchar=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= default_roles= datecreated=0 fsize=-1 cpu=-1 data=-1 stack=-1 core=2097151 rss=65536 nofiles=32000 time_last_unsuccessful_login=1692701242 tty_last_unsuccessful_login=ssh host_last_unsuccessful_login=153.112.6.40 unsuccessful_login_count=2 roles=

    root@techa0011# lsldap -a group unix_sapbasis_high_users |grep -i hx12254
    memberUid: hx12254
    root@techa0011#
    root@techa0011# sudo -l -U dei02099
    User dei02099 is not allowed to run sudo on techa0011.

    root@techa0011# lsuser dei02099
    dei02099 id=63367 pgrp=techmgrp groups=techmgrp,unix_techemother_high_users,unix_techemaixdbadm_high_users,admins,unix_techemaixdbops_high_users home=/home/dei02099 shell=/bin/bash gecos=Leander Dahlmann login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=KRB5LDAP SYSTEM=KRB5LDAP OR compat logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minloweralpha=0 minupperalpha=0 minother=0 mindigit=0 minspecialchar=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= default_roles= datecreated=0 fsize=-1 cpu=-1 data=-1 stack=-1 core=2097151 rss=65536 nofiles=32000 time_last_login=1694492571 time_last_unsuccessful_login=1683639247 tty_last_login=ssh tty_last_unsuccessful_login=ssh host_last_login=10.196.73.65 host_last_unsuccessful_login=10.196.73.65 unsuccessful_login_count=0 roles=

    root@techa0011# lsldap -a group unix_techemaixdbadm_high_users |grep -i dei02099
    memberUid: dei02099
    root@techa0011#
    root@techa0011# sudo -l -U hx11775
    User hx11775 may run the following commands on techa0011:
      (ALL : ALL) ALL
    root@techa0011# lsuser hx11775
    hx11775 id=11183 pgrp=hx11775 groups=hx11775,unix_unix_high_users home=/home/hx11775 shell=/bin/bash gecos=Elangovan Subramaniyan login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=KRB5LDAP SYSTEM=KRB5LDAP OR compat logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minloweralpha=0 minupperalpha=0 minother=0 mindigit=0 minspecialchar=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= default_roles= datecreated=0 fsize=-1 cpu=-1 data=-1 stack=-1 core=2097151 rss=65536 nofiles=32000 time_last_login=1697807116 time_last_unsuccessful_login=1697807106 tty_last_login=ssh tty_last_unsuccessful_login=ssh host_last_login=153.112.6.40 host_last_unsuccessful_login=153.112.6.40 unsuccessful_login_count=0 roles=

    root@techa0011#
    root@techa0011# lsldap -a group unix_unix_high_users |grep -i hx11775
    memberUid: hx11775
    root@techa0011#

    Regards

    Per-Ola



    ------------------------------
    Per-Ola Hassle
    ------------------------------


  • 2.  RE: SUDO part 2

    Posted Fri October 20, 2023 10:46 AM
    On Fri, Oct 20, 2023 at 02:39:12PM +0000, Per-Ola Hassle via IBM TechXchange Community wrote:
    > We can't get SUDO to work with IDM (User authentication)?

    Can you post your sudoers?

    > The configuration of, AllowGroups and DenyGroups is working as
    > excepted.

    This is SSH configuration, not sudo.

    Also why it's better to just use SSH keys to elevate privs instead of sudo.

    ------------------------------------------------------------------
    Russell Adams Russell.Adams@AdamsSystems.nl
    Principal Consultant Adams Systems Consultancy
    https://adamssystems.nl/




  • 3.  RE: SUDO part 2

    Posted Fri October 20, 2023 11:20 AM
    Please find the /etc/sudoers file from the AIX end. Sudo access is working fine for all users under the unix_unix_high_users group. But other users under UNIX_SAPBASIS_MEDIUM_USERS, UNIX_SAPBASIS_HIGH_USERS, UNIX_MONITORING_MEDIUM_USERS, these groups are unable to do sudo:
    User hx12254 is not allowed to run sudo on AIX server name
    cat sudoers
    ## sudoers file.
    ##
    ## This file MUST be edited with the 'visudo' command as root.
    ## Failure to use 'visudo' may result in syntax or file permission errors
    ## that prevent sudo from running.
    ##
    ## See the sudoers man page for the details on how to write a sudoers file.
    ##
     
    ##
    ## Host alias specification
    ##
    ## Groups of machines. These may include host names (optionally with wildcards),
    ## IP addresses, network numbers or netgroups.
    # Host_Alias    WEBSERVERS = www1, www2, www3
     
    ##
    ## User alias specification
    ##
    ## Groups of users.  These may consist of user names, uids, Unix groups,
    ## or netgroups.
    # User_Alias    ADMINS = millert, dowdy, mikef
     
    ##
    ## Cmnd alias specification
    ##
    ## Groups of commands.  Often used to group related commands together.
    # Cmnd_Alias    PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
    #                           /usr/bin/pkill, /usr/bin/top
    # Cmnd_Alias    REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
     
    ##
    ## Defaults specification
    ##
    ## You may wish to keep some of the following environment variables
    ## when running commands via sudo.
    ##
    ## Locale settings
    # Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
    ##
    ## Run X applications through sudo; HOME is used to find the
    ## .Xauthority file.  Note that other programs use HOME to find
    ## configuration files and this may lead to privilege escalation!
    # Defaults env_keep += "HOME"
    ##
    ## X11 resource path settings
    # Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
    ##
    ## Desktop path settings
    # Defaults env_keep += "QTDIR KDEDIR"
    ##
    ## Allow sudo-run commands to inherit the callers' ConsoleKit session
    # Defaults env_keep += "XDG_SESSION_COOKIE"
    ##
    ## Uncomment to enable special input methods.  Care should be taken as
    ## this may allow users to subvert the command being run via sudo.
    # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
    ##
    ## Uncomment to use a hard-coded PATH instead of the user's to find commands
    # Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    ##
    ## Uncomment to send mail if the user does not enter the correct password.
    # Defaults mail_badpass
    ##
    ## Uncomment to enable logging of a command's output, except for
    ## sudoreplay and reboot.  Use sudoreplay to play back logged sessions.
    # Defaults log_output
    # Defaults!/usr/bin/sudoreplay !log_output
    # Defaults!/usr/local/bin/sudoreplay !log_output
    # Defaults!REBOOT !log_output
     
    ##
    ## Runas alias specification
    ##
     
    ##
    ## User privilege specification
    ##
    root ALL=(ALL) ALL
     
    ## Uncomment to allow members of group wheel to execute any command
    # %wheel ALL=(ALL) ALL
     
    ## Same thing without a password
    # %wheel ALL=(ALL) NOPASSWD: ALL
     
    ## Uncomment to allow members of group sudo to execute any command
    # %sudo ALL=(ALL) ALL
     
    ## Uncomment to allow any user to run sudo if they know the password
    ## of the user they are running the command as (root by default).
    # Defaults targetpw  # Ask for the password of the target user
    # ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
     
    ## Read drop-in files from /etc/sudoers.d
    ## (the '#' here does not indicate a comment)
    #includedir /etc/sudoers.d



    ------------------------------
    Elangovan Subramaniyan
    ------------------------------



  • 4.  RE: SUDO part 2

    Posted Mon October 30, 2023 04:15 AM

    Hello all,

    To nail down the problem we have, if somebody knows this?

    Sudo access is working fine for all users but ONLY under group=unix_unix_high_users.
    Users in these other groups below are unable to do sudo?
    unix_sapbasis_medium
    unix_sapbasis_high_users
    unix_monitoring_medium_users
    .............and more groups....
    Is there something in the sudoers file that we must change to make the other groups work for sudo from the AIX end?
    Or
    Something needs to be checked from the IDM end? To be changed there?
    I mean, if unix_unix_high users are able to do sudo, WHY can't the other groups do sudo?
    This is the big Q?
    Thanks
    Per-Ola



    ------------------------------
    Per-Ola Hassle
    ------------------------------



  • 5.  RE: SUDO part 2

    Posted Mon October 30, 2023 06:54 AM
    Edited by C- -T Mon October 30, 2023 06:54 AM

    As you are using LDAP users you need to instruct the AIX secldapclient to use domainless groups...

    https://www.ibm.com/support/pages/using-domainless-group-feature-allow-ldap-users-belong-local-groups

    So still no sudo issue..



    ------------------------------
    I regret starting this entire conversation
    ------------------------------



  • 6.  RE: SUDO part 2

    Posted Mon October 30, 2023 07:04 AM

    öö C- -T regret....you have not understood and not even tried to read anything :)



    ------------------------------
    Per-Ola Hassle
    ------------------------------



  • 7.  RE: SUDO part 2

    Posted Mon October 30, 2023 08:01 AM
    Edited by C- -T Mon October 30, 2023 08:06 AM

    No need to regret...but as far as my understanding goes, you are unable to use sudo for users which have mixed LDAP and local groups, so IF this is the case the provided link contains exactly the solution for this problem. 

    edit:

    OK, found this between all the clutter...

    Question is,
    Need to provide sudo access for other group also from IDM end.....

    You are using LDAP groups only. So you are right...my answer was useless



    ------------------------------
    I regret starting this entire conversation
    ------------------------------



  • 8.  RE: SUDO part 2

    Posted Mon October 30, 2023 08:07 AM
    Edited by Per-Ola Hassle Mon October 30, 2023 08:10 AM

    OK, but

    NO

    We are using IDM with AIX.......and we have this working except for the SUDO part.....

    If we take this step by step and try to solve it:
    Users can do SUDO if they belong to group=unix_unix_high_users
     
    If I go through the AIX configuration once again for IDM, I can't find anything that is missing to make this work with AIX integration to Red Hat IDM?
    Is there something we must change on the IDM side to make this work?
     

    On every AIX server we have LDAP.CFG pointing at the IDM server, which sets the rules to log in.

    ldapservers:txxx0745.idm

     

    On every AIX server we have KRB5.CONF pointing at the IDM server.

    root@techa0011# cat /etc/krb5/krb5.conf        techl0745.idm.eu.txx.corp = IDM.EU.T........

     

    On every AIX server we have NETSVC.CONF to enable sudo rules from the IDM server.
    hosts = bind4,local, sudoers = files, ldap
     
    If I understand right?
    Sudo access on an IDM client can be done:
    - Locally in the /etc/sudoers file
    - Centrally in IDM
     
    Right now we must use the local /etc/sudoers file, which makes everything very hard and difficult to handle.
    How can we go over to the central way in IDM?



    ------------------------------
    Per-Ola Hassle
    ------------------------------



  • 9.  RE: SUDO part 2

    Posted Mon October 30, 2023 08:18 AM

    So you want to pull sudoers from LDAP on AIX..., your mileage will definitely vary. I tried this a while back but failed miserably.

    Post with a similar topic...

    https://community.ibm.com/community/user/power/discussion/sudo-users-from-ldap-with-local-groups



    ------------------------------
    I regret starting this entire conversation
    ------------------------------



  • 10.  RE: SUDO part 2

    Posted Mon October 30, 2023 08:33 AM

    Just in case you have not already seen this...there are certain things to be taken care of in sudo if used in an LDAP environment.

    https://www.sudo.ws/docs/man/1.8.17/sudoers.ldap.man/



    ------------------------------
    I regret starting this entire conversation
    ------------------------------



  • 11.  RE: SUDO part 2

    Posted Tue October 31, 2023 03:03 AM
    Edited by Per-Ola Hassle Tue October 31, 2023 09:26 AM

    Hi C- -T

    Thanks for your efforts, here is the info from IBM I received now about the problem...... 

    https://community.ibm.com/community/user/power/discussion/sudo-users-from-ldap-with-local-groups

    There is a known issue with the getgrgid function in regards to domainless groups:

    https://www.ibm.com/support/pages/apar/IJ31131

    It is fixed at:

    7.3 all levels
    7.2 TL5-SP4 and above
    7.2 TL4-SP6 and above
    7.1 TL5-SP10 and above

    The APARs and shipped fileset version for each level are:

    IJ32836 bos.rte.libc 7.1.5.38
    IJ35379 bos.rte.libc 7.2.5.200
    IJ34997 bos.rte.libc 7.2.5.101
    IJ31131 bos.rte.libc 7.2.5.4
    IJ32840 bos.rte.libc 7.2.4.5

    There is no APAR for 7.3 because it is grandfathered into the base release.

    End from IBM

    ---------------------------------------------------------------------------------------------------------------

    I performed a test with 3 users who need sudo access and only No. 1 gets this.
    1) hx11775 user id (unix_unix_high_users) was able to do sudo for the Unix server (techem01).
    2) hx12254 user id (unix_sapbasis_high_users) was unable to do sudo for the SAP server (techa0011).
    3) dei02099 user id (unix_techemaixdbadm_high_users) was unable to do sudo for the Oracle server (techa0013).
     
    The configuration of AllowGroups and DenyGroups is working with IDM.
    Sudoer access should be provided from the IDM server.......not working.
     
    Question to IBM?
    Group and netgroup are two different things, defined as group or netgroup on the AIX side.
    Group / Netgroup are created on the IDM side and we on the AIX side are going to use the same.
    Does it matter for us on the AIX side if "Group or Netgroup" is created on the IDM side, "the attribute" here, to be able to connect in the right way?
    Is there a cross-way (a command in AIX) to check my "Groups" on the AIX side against the IDM "Groups"?
    The goal is -> Need to provide sudo access for other groups also from the IDM end.....


    Question?
    sudo_ids: are these supported with Red Hat's LDAP server?
    ------------------------------
    Per-Ola Hassle
    ------------------------------
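
    Post 8 names the sources sudo consults on the AIX client (netsvc.conf with `sudoers = files, ldap`) and post 11 asks for a way to check a user's groups on the AIX side against the IDM side. The script below is an added example written for this page; it is not code from the thread, from IBM or from the sudo project. Every function works on captured command output passed in as a string, so it runs offline on the constructed samples at the bottom (shaped after the `lsuser`, `lsldap -a group`, sudoers and netsvc.conf output quoted in the thread; the LDAP DN is a placeholder). On an AIX host you would pass it the live output of the same commands.

```shell
#!/bin/sh
# Added example for this thread, not code from the posts, IBM or the sudo project.
# Cross-checks one user's group picture from three angles: the groups AIX resolves
# (`lsuser`), the LDAP groups that list the user (`lsldap -a group <g>`), and the
# %group rules in the local sudoers file, plus the sudoers source order from
# netsvc.conf. Each function takes captured command output as a string, so the
# checks run offline on the constructed samples below; on an AIX host, pass the
# live output of the same commands instead.

# groups= value of an `lsuser <user>` line, one group name per output line.
lsuser_groups() {
    printf '%s\n' "$1" | sed -n 's/.* groups=\([^ ]*\).*/\1/p' | tr ',' '\n'
}

# Succeeds when captured `lsldap -a group <group>` output lists $2 as memberUid.
ldap_has_member() {
    printf '%s\n' "$1" | grep -q "^memberUid: $2\$"
}

# Group names that carry a %group rule in sudoers text (commented lines skipped).
sudoers_group_rules() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*%\([^[:space:]]*\)[[:space:]].*/\1/p'
}

# Sudoers source order from netsvc.conf text, normalised to e.g. "files ldap".
sudoers_sources() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*sudoers[[:space:]]*=[[:space:]]*//p' \
        | tr ',' ' ' | tr -s ' ' | sed 's/^ //; s/ $//'
}

# For every group AIX gives the user, print "<group> local-rule" or
# "<group> no-local-rule" depending on whether the local sudoers names it.
local_rule_report() {
    rules=$(sudoers_group_rules "$2")
    lsuser_groups "$1" | while read -r g; do
        if printf '%s\n' "$rules" | grep -qx "$g"; then
            printf '%s local-rule\n' "$g"
        else
            printf '%s no-local-rule\n' "$g"
        fi
    done
}

# Constructed samples, shaped like the output quoted in the thread. The DN is a
# placeholder, not a real directory.
SAMPLE_LSUSER='hx12254 id=11170 pgrp=hx12254 groups=hx12254,unix_sapbasis_medium_users,unix_sapbasis_high_users home=/home/hx12254 shell=/bin/bash registry=KRB5LDAP'
SAMPLE_LSLDAP='dn: cn=unix_sapbasis_high_users,cn=groups,dc=idm-placeholder,dc=example
cn: unix_sapbasis_high_users
memberUid: hx12254'
SAMPLE_SUDOERS='## constructed sudoers: only root and one LDAP group have rules
root ALL=(ALL) ALL
# %wheel ALL=(ALL) ALL
%unix_unix_high_users ALL=(ALL : ALL) ALL'
SAMPLE_NETSVC='hosts = bind4,local
sudoers = files, ldap'

# Demo run on the samples.
echo "sudoers sources (netsvc.conf): $(sudoers_sources "$SAMPLE_NETSVC")"
echo "local sudoers %group rules: $(sudoers_group_rules "$SAMPLE_SUDOERS" | tr '\n' ' ')"
local_rule_report "$SAMPLE_LSUSER" "$SAMPLE_SUDOERS"
if ldap_has_member "$SAMPLE_LSLDAP" hx12254; then
    echo "LDAP: hx12254 is memberUid of unix_sapbasis_high_users"
fi
```

    The report makes the thread's situation visible in one place: the user's groups are resolved by AIX and confirmed in LDAP, but none of them has a %group rule in the local file, so with `sudoers = files, ldap` any rule that applies to them has to come from the ldap source, and `sudo -l -U <user>` is the authoritative view of what sudo actually resolved from both sources.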