[Freeipa-users] Unable to get sudo commend to work...
Steven Jones
Steven.Jones at vuw.ac.nz
Tue Aug 14 21:13:02 UTC 2012
Hi,
I am trying to get a sudo-group command to work such that a group of users can reload apache's config....I know the password is fine as I can ssh into the server....
[thing-sudo at vuwunicocatd001 ~]$ sudo /sbin/service httpd reload
LDAP Config Summary
===================
uri ldap://vuwunicoipam001.ods.vuw.ac.nz ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz
ldap_version 3
sudoers_base ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=ods,dc=vuw,dc=ac,dc=nz
bindpw xxxxxxxxxxxx
bind_timelimit 5000000
ssl start_tls
tls_checkpeer (no)
tls_cacertfile /etc/ipa/ca.crt
===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_initialize(ld, ldap://vuwunicoipam001.ods.vuw.ac.nz ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5000)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
sudo: ldap search '(|(sudoUser=thing-sudo)(sudoUser=%thing-sudo)(sudoUser=%ipausers)(sudoUser=%collectriveaccess-student)(sudoUser=%login04-mysql)(sudoUser=%360-ftp)(sudoUser=%become-mysql-users)(sudoUser=ALL))'
sudo: found:cn=sudo-commands-catd-students,ou=sudoers,dc=ods,dc=vuw,dc=ac,dc=nz
sudo: ldap sudoHost 'vuwunicocatd001.ods.vuw.ac.nz' ... MATCH!
sudo: ldap sudoCommand '/sbin/service httpd reload' ... MATCH!
sudo: ldap sudoCommand '/etc/init.d/httpd reload' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for thing-sudo:
Sorry, try again.
[sudo] password for thing-sudo:
Sorry, try again.
[sudo] password for thing-sudo:
Sorry, try again.
sudo: 3 incorrect password attempts
[thing-sudo at vuwunicocatd001 ~]$ sudo /sbin/service httpd reload
LDAP Config Summary
===================
uri ldap://vuwunicoipam001.ods.vuw.ac.nz ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz
ldap_version 3
sudoers_base ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=ods,dc=vuw,dc=ac,dc=nz
bindpw xxxxxxxxxxxxx
bind_timelimit 5000000
ssl start_tls
tls_checkpeer (no)
tls_cacertfile /etc/ipa/ca.crt
===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_initialize(ld, ldap://vuwunicoipam001.ods.vuw.ac.nz ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5000)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
sudo: ldap search '(|(sudoUser=thing-sudo)(sudoUser=%thing-sudo)(sudoUser=%ipausers)(sudoUser=%collectriveaccess-student)(sudoUser=%login04-mysql)(sudoUser=%360-ftp)(sudoUser=%become-mysql-users)(sudoUser=ALL))'
sudo: found:cn=sudo-commands-catd-students,ou=sudoers,dc=ods,dc=vuw,dc=ac,dc=nz
sudo: ldap sudoHost 'vuwunicocatd001.ods.vuw.ac.nz' ... MATCH!
sudo: ldap sudoCommand '/sbin/service httpd reload' ... MATCH!
sudo: ldap sudoCommand '/etc/init.d/httpd reload' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for thing-sudo:
Sorry, try again.
[sudo] password for thing-sudo:
Sorry, try again.
[sudo] password for thing-sudo:
Sorry, try again.
sudo: 3 incorrect password attempts
[thing-sudo at vuwunicocatd001 ~]$
[thing-sudo at vuwunicocatd001 ~]$
============
The secure log says system error, unable to read password,
===============
Aug 15 08:49:09 vuwunicocatd001 sudo: pam_unix(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
Aug 15 08:49:10 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication success; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
Aug 15 08:49:10 vuwunicocatd001 sudo: pam_sss(sudo:account): Access denied for user thing-sudo: 6 (Permission denied)
Aug 15 08:49:43 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: [Cannot read password]
Aug 15 08:49:43 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
Aug 15 08:49:43 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user thing-sudo: 4 (System error)
Aug 15 08:49:45 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: [Cannot read password]
Aug 15 08:49:45 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
Aug 15 08:49:45 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user thing-sudo: 4 (System error)
Aug 15 08:49:47 vuwunicocatd001 sudo: thing-sudo : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/thing-sudo ; USER=root ; COMMAND=/sbin/service httpd reload
Aug 15 08:55:35 vuwunicocatd001 sudo: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
Aug 15 08:55:35 vuwunicocatd001 sudo: PAM adding faulty module: /lib64/security/pam_fprintd.so
Aug 15 08:55:44 vuwunicocatd001 sudo: pam_unix(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
Aug 15 08:55:44 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication success; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
Aug 15 08:55:44 vuwunicocatd001 sudo: pam_sss(sudo:account): Access denied for user thing-sudo: 6 (Permission denied)
Aug 15 08:55:46 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: [Cannot read password]
Aug 15 08:55:46 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
Aug 15 08:55:46 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user thing-sudo: 4 (System error)
Aug 15 08:55:52 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: [Cannot read password]
Aug 15 08:55:52 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
Aug 15 08:55:52 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user thing-sudo: 4 (System error)
Aug 15 08:55:54 vuwunicocatd001 sudo: thing-sudo : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/thing-sudo ; USER=root ; COMMAND=/sbin/service httpd reload
Aug 15 08:55:57 vuwunicocatd001 sudo: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
Aug 15 08:55:57 vuwunicocatd001 sudo: PAM adding faulty module: /lib64/security/pam_fprintd.so
Aug 15 08:56:04 vuwunicocatd001 sudo: pam_unix(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
Aug 15 08:56:05 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication success; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
Aug 15 08:56:05 vuwunicocatd001 sudo: pam_sss(sudo:account): Access denied for user thing-sudo: 6 (Permission denied)
Aug 15 08:56:06 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: [Cannot read password]
Aug 15 08:56:06 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
Aug 15 08:56:06 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user thing-sudo: 4 (System error)
Aug 15 08:56:08 vuwunicocatd001 sudo: pam_sss(sudo:auth): system info: [Cannot read password]
Aug 15 08:56:08 vuwunicocatd001 sudo: pam_sss(sudo:auth): authentication failure; logname=thing-sudo uid=0 euid=0 tty=/dev/pts/2 ruser=thing-sudo rhost= user=thing-sudo
Aug 15 08:56:08 vuwunicocatd001 sudo: pam_sss(sudo:auth): received for user thing-sudo: 4 (System error)
Aug 15 08:56:09 vuwunicocatd001 sudo: thing-sudo : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/thing-sudo ; USER=root ; COMMAND=/sbin/service httpd reload
[root at vuwunicocatd001 jonesst1]#
================
Looks like Bug 814414
:(
"Rob told me elsewhere that when he re-enabled the allow_all rule it started behaving properly, which seems highly suspect."
So lets do that, and yes,
=========
[thing-sudo at vuwunicocatd001 ~]$
[thing-sudo at vuwunicocatd001 ~]$ sudo /sbin/service httpd reload
LDAP Config Summary
===================
uri ldap://vuwunicoipam001.ods.vuw.ac.nz ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz
ldap_version 3
sudoers_base ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=ods,dc=vuw,dc=ac,dc=nz
bindpw xxxxxxxxxxx
bind_timelimit 5000000
ssl start_tls
tls_checkpeer (no)
tls_cacertfile /etc/ipa/ca.crt
===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_initialize(ld, ldap://vuwunicoipam001.ods.vuw.ac.nz ldap://vuwunicoipam002.ods.vuw.ac.nz ldap://vuwunicoipam003.ods.vuw.ac.nz)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5000)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=ods,dc=vuw,dc=ac,dc=nz
sudo: ldap search '(|(sudoUser=thing-sudo)(sudoUser=%thing-sudo)(sudoUser=%ipausers)(sudoUser=%collectriveaccess-student)(sudoUser=%login04-mysql)(sudoUser=%360-ftp)(sudoUser=%become-mysql-users)(sudoUser=ALL))'
sudo: found:cn=sudo-commands-catd-students,ou=sudoers,dc=ods,dc=vuw,dc=ac,dc=nz
sudo: ldap sudoHost 'vuwunicocatd001.ods.vuw.ac.nz' ... MATCH!
sudo: ldap sudoCommand '/sbin/service httpd reload' ... MATCH!
sudo: ldap sudoCommand '/etc/init.d/httpd reload' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for thing-sudo:
Reloading httpd:
[thing-sudo at vuwunicocatd001 ~]$
===================
and as we can see that indeed "fixes it".
D:
If you let me know exactly which logs you want to see I will send them to you.
I have "sudoers_debug 3" at present, anything else needs to be set higher to help?
What I can see is I made an oops is specifying the wrong host group but that contains the host anyway....but also Ive then bypassed hostgroups and set a specific host....this still fails as above.
I am also getting other intermitant failures when I do a sudo su - but its not consistant.
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
More information about the Freeipa-users
mailing list