<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi,</p>
I have FreeIPA set up under CentOS 7. When I use freeipa-client to
add an Ubuntu 14.04 client it works fine (*). However when I do the
same with Ubuntu 16.04, sudo always refuses to run:<br>
<br>
<tt>$ sudo -s</tt><br>
<tt>[sudo] password for brian.candler:</tt><br>
<tt>brian.candler is not allowed to run sudo on api-dev.int.example.com. This incident will be reported.</tt><br>
<br>
I have a simple one-entry sudo policy which says that for all users
in groups X and Y, on all hosts, run all commands. (**)<br>
<br>
If I crank up sudo logging by setting this in /etc/sudo.conf:<br>
<br>
Debug sudo /var/log/sudo-debug all@info<br>
<br>
then on the working 14.04 machine I see<br>
<br>
... various settings ...<br>
May 2 22:05:27 sudo[19175] settings: plugin_dir=/usr/lib/sudo/<br>
May 2 22:05:27 sudo[19175] user_info: user=brian.candler<br>
May 2 22:05:27 sudo[19175] user_info: pid=19175<br>
... lots more user_info, perms, netgroups etc ...<br>
May 2 22:05:29 sudo[19175] policy plugin returns 1<br>
...<br>
<br>
but on the failing 16.04 machine I see only this:<br>
<br>
May 3 07:44:56 sudo[21118] will restore signal 13 on exec<br>
May 3 07:44:56 sudo[21118] comparing dev 34817 to /dev/pts/1:
match! @ sudo_ttyname_dev() ./ttyname.c:336<br>
May 3 07:44:56 sudo[21118] settings: run_shell=true<br>
May 3 07:44:56 sudo[21118] settings: progname=sudo<br>
May 3 07:44:56 sudo[21118] settings:
network_addrs=x.x.x.x/255.255.255.0
xxxx:xxxx:xxxx:xxxx::230/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
fe80::1:xxxx:xxxx:xxxx/ffff:ffff:ffff:ffff::<br>
May 3 07:44:56 sudo[21118] settings: plugin_dir=/usr/lib/sudo/<br>
May 3 07:44:58 sudo[21118] policy plugin returns 0<br>
<br>
That's all that gets logged - nothing more. It seems that a return
of 0 means failure:<br>
<br>
<a class="moz-txt-link-freetext" href="https://www.sudo.ws/man/1.8.15/sudo_plugin.man.html">https://www.sudo.ws/man/1.8.15/sudo_plugin.man.html</a><br>
<br>
"open()<br>
...<br>
Returns 1 on success, 0 on failure, -1 if a general error occurred,
or -2 if there was a usage error."<br>
<br>
But I have no idea what sort of failure or why.<br>
<br>
/var/log/auth.log shows:<br>
<br>
May 3 08:00:14 api-dev sudo: pam_unix(sudo:auth): authentication
failure; logname=brian.candler uid=1211000003 euid=0 tty=/dev/pts/1
ruser=brian.candler rhost= user=brian.candler<br>
May 3 08:00:14 api-dev sudo: pam_sss(sudo:auth): authentication
success; logname=brian.candler uid=1211000003 euid=0 tty=/dev/pts/1
ruser=brian.candler rhost= user=brian.candler<br>
May 3 08:00:14 api-dev sudo: brian.candler : user NOT in sudoers ;
TTY=pts/1 ; PWD=/home/brian.candler ; USER=root ; COMMAND=/bin/bash<br>
<br>
(which shows I gave the correct FreeIPA password, but not why the
sudoers lookup failed)<br>
<br>
I really can't see where else to look. Both machines have "sudo:
files sss" in /etc/nsswitch.conf, and both have the same
/etc/sssd/sssd.conf. Setting "sss_debuglevel 7" and "sss_cache -UG"
shows a lot of noise but no obvious errors.<br>
<br>
I've also upgraded to the latest
sudo_1.8.19-3_amd64.deb package from
<a class="moz-txt-link-freetext" href="https://www.sudo.ws/download.html">https://www.sudo.ws/download.html</a>, but this makes no difference.<br>
<br>
Has anyone seen this problem before, or have some ideas where else
to look?<br>
<br>
Thanks,<br>
<br>
Brian Candler.<br>
<br>
<br>
(*) In Ubuntu 14.04 I had to manually add sudo to the list of sssd
services:<br>
<br>
<code>[sssd]</code><br>
<code>services = nss, pam, ssh, sudo</code><br>
<br>
but this was done automatically by freeipa-client in Ubuntu 16.04.<br>
<br>
(**) Therefore I'm pretty sure this is not the netgroups problem,
for which the fix has been released anyway:<br>
<a class="moz-txt-link-freetext" href="https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1607666">https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1607666</a><br>
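A small diagnostic a reader could adapt, added here as an example and not taken from the post or from the sudo, sssd or FreeIPA projects: it checks the <code>sudoers</code> database line in nsswitch.conf and the <code>services</code> line of sssd.conf that the post mentions, and decodes the <code>policy plugin returns N</code> value using the open() return codes quoted from sudo_plugin above. All inputs are constructed samples modelled on the post.

```python
# Added example (not from the post or the sudo/sssd projects): checks that
# sudo is wired to sssd and decodes sudo's "policy plugin returns N" line.
# Inputs below are constructed samples modelled on the post; runs offline.
import re

NSSWITCH = "passwd: compat sss\ngroup: compat sss\nsudoers: files sss\n"
SSSD_CONF = "[sssd]\ndomains = int.example.com\nservices = nss, pam, ssh, sudo\n"
SUDO_DEBUG = ("May 3 07:44:56 sudo[21118] settings: plugin_dir=/usr/lib/sudo/\n"
              "May 3 07:44:58 sudo[21118] policy plugin returns 0\n")

# Return values of a policy plugin's open(), as documented in sudo_plugin(5).
PLUGIN_RC = {1: "success", 0: "failure", -1: "general error", -2: "usage error"}

def nsswitch_sudoers_sources(text):
    # The database sudo consults is named "sudoers" in nsswitch.conf (sudoers(5)).
    for line in text.splitlines():
        m = re.match(r"^\s*sudoers\s*:\s*(.*)$", line)
        if m:
            return m.group(1).split()
    return None  # no sudoers line at all

def sssd_services(text):
    # Services enabled in the [sssd] section; "sudo" must be among them.
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "sssd" and line.startswith("services"):
            return [s.strip() for s in line.split("=", 1)[1].split(",")]
    return []

def policy_plugin_result(log):
    # Decode the last "policy plugin returns N" line; None if it was never logged.
    hits = re.findall(r"policy plugin returns (-?\d+)", log)
    rc = int(hits[-1]) if hits else None
    return None if rc is None else (rc, PLUGIN_RC.get(rc, "unknown"))

def diagnose(nsswitch, sssd_conf, log):
    # Return the findings a defender would check first, in order.
    findings = []
    src = nsswitch_sudoers_sources(nsswitch)
    if src is None or "sss" not in src:
        findings.append("nsswitch.conf: no 'sudoers: ... sss' line; sudo will not query sssd")
    if "sudo" not in sssd_services(sssd_conf):
        findings.append("sssd.conf: 'sudo' missing from [sssd] services")
    rc = policy_plugin_result(log)
    if rc and rc[0] != 1:
        findings.append("sudo debug log: policy plugin returned %d (%s)" % rc)
    return findings
```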
</body>
</html>