[Freeipa-users] sudo su - works on one server for a user but not on another (its twin)

Steven Jones Steven.Jones at vuw.ac.nz
Wed Aug 22 21:48:19 UTC 2012


Hi,

To quote myself,

"Try a reboot...oh god a windows solution...."

so sssd cache problem?

The rc.local was missing, so I put it in and restarted ssh; proof,

========
[root at vuwunicobandbt1 ~]# history |grep service
   19  service sssd restart
   25  service sssd restart
   75  history |grep service
[root at vuwunicobandbt1 ~]# history |grep vi
   17  vi /etc/rc.d/rc.local
   24  vi /etc/sudo-ldap.conf 
   76  history |grep vi
[root at vuwunicobandbt1 ~]# 
=========

hrmmm....did I miss anything?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272
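An added example, not from Steven's or Rob's mails: a POSIX shell emulation of the host and domain comparison glibc's innetgr() applies to netgroup triples, showing why a sudoHost of '+servers-saas-root' cannot match while the NIS domain name is unset. It assumes sudo hands innetgr the kernel domain name (which reads "(none)" until nisdomainname is run) and no user; the triples and FQDNs are constructed placeholders.

```shell
#!/bin/sh
# Emulates the host/domain test glibc's innetgr() applies to each netgroup
# triple "(host,user,domain)". Assumptions (not stated in the thread): sudo's
# host match passes the kernel NIS domain, which is "(none)" until
# nisdomainname is run, and passes no user, so the user field is ignored.

# triple_matches '(host,user,domain)' HOST DOMAIN -> returns 0 on match
triple_matches() {
    t=${1#\(}; t=${t%\)}
    th=${t%%,*}; rest=${t#*,}; td=${rest#*,}
    # host compares case-insensitively as in glibc; domain compares exactly
    th=$(printf '%s' "$th" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    # an empty field is a wildcard; any other value must be equal
    if [ -n "$th" ] && [ "$th" != "$host" ]; then return 1; fi
    if [ -n "$td" ] && [ "$td" != "$3" ]; then return 1; fi
    return 0
}

# netgroup_has_host 'NAME (t1) (t2) ...' HOST DOMAIN
# The first argument is one line as printed by 'getent netgroup NAME'.
netgroup_has_host() {
    for triple in ${1#* }; do
        if triple_matches "$triple" "$2" "$3"; then return 0; fi
    done
    return 1
}

# Live check on a real host (not exercised by the constructed sample below).
check_host_in_netgroup() {
    dom=$(nisdomainname 2>/dev/null || echo '(none)')
    line=$(getent netgroup "$1") || { echo "netgroup $1 not found via NSS"; return 2; }
    netgroup_has_host "$line" "$(hostname -f)" "$dom"
}

# Constructed sample of what 'getent netgroup servers-saas-root' might print;
# the FQDNs are placeholders.
SAMPLE='servers-saas-root (bandbt1.ods.vuw.ac.nz,-,ods.vuw.ac.nz) (bandbt2.ods.vuw.ac.nz,-,ods.vuw.ac.nz)'

if [ "${1:-}" = demo ]; then
    netgroup_has_host "$SAMPLE" bandbt1.ods.vuw.ac.nz '(none)' || echo "no match while domain is (none)"
    netgroup_has_host "$SAMPLE" bandbt1.ods.vuw.ac.nz ods.vuw.ac.nz && echo "match once domain is ods.vuw.ac.nz"
fi
```

Run with the argument `demo` to see the two outcomes on the sample, or call check_host_in_netgroup servers-saas-root on the affected host.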

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Thursday, 23 August 2012 9:42 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] sudo su - works on one server for a user but not on another (its twin)

Steven Jones wrote:
> Hi,
>
> I'm trying to fault-find why a user can sudo su - on a server but not its
> twin.
>
> I have nisdomainname ods.vuw.ac.nz in rc.local.....
> and sudo-ldap.conf and nsswitch.conf appear to be identical but the
> hostname match fails.
>
> So for the working server,
> ========
> sudo: ldap sudoHost '+servers-saas-root' ... MATCH!
> sudo: ldap sudoCommand '/bin/su -' ... MATCH!
> sudo: ldap sudoCommand '/bin/su - banner' ... MATCH!
> sudo: Command allowed sudo: user_matches=1 sudo: host_matches=1
> ========
>
> For the failing server,
> ========
> sudo: ldap sudoHost '+servers-saas-root' ... not
> sudo: ldap search 'sudoUser=+*'
> sudo: user_matches=1
> sudo: host_matches=0
> ========
>
> I have a host failure, yet the server is in that host group...the HBAC
> rule allows ssh and sudo....ssh works for both, so HBAC rule should be OK.
>
> The sudo command uses the same user and host groups as the HBAC...
>
> Damned if I can see a setup error.
>
> Ideas where to go looking next please?

Try temporarily enabling the allow_all HBAC rule so you can see if it is
an HBAC or a sudo problem?

rob
