[Freeipa-users] select users cannot sudo or login at the console

Albert Adams biteoag at gmail.com
Fri Dec 7 01:02:50 UTC 2012


I have a small IPA domain set up on a RHEL 6 server with a FreeIPA server, a replica and two clients.  There are six users set up in the domain.  All users are able to login over SSH to both client systems.  I am not using IPA to control sudo access.  Sudo privileges are granted by group membership (group memberships are managed by IPA).  So here is where it gets weird.

Client Systems

system1 - testuser1 can authenticate over SSH using public key, can login at the console, and CAN sudo (all other users are able to do the same)
system2 - testuser1 can authenticate over SSH using public key and CANNOT login at the console or sudo (two out of six users can login and sudo)

So for example:

system1 - SSH, console and sudo access
testuser1, testuser2, testuser3, testuser4, testuser5, testuser6

system2 - SSH access only
testuser1, testuser2, testuser3, testuser4

system2 - SSH, console and sudo access
testuser5, testuser6

All users have the same group memberships and use SSH keys to authenticate
to the system.

Errors when the user tries to sudo
------------------------------------------------------------
/var/log/secure
Dec  6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): authentication failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1 rhost= user=testuser1
Dec  6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
Dec  6 18:54:47 ipa-client1 sudo: pam_sss(sudo:auth): authentication failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1 rhost= user=testuser1
Dec  6 18:54:47 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
Dec  6 18:54:51 ipa-client1 sudo: pam_sss(sudo:auth): authentication failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1 rhost= user=testuser1
Dec  6 18:54:51 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
Dec  6 18:54:52 ipa-client1 sudo: testuser1 : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/testuser1 ; USER=root ; COMMAND=/bin/su -

Errors when the user tries to login at the console
-------------------------------------------------------------
/var/log/secure
Dec  6 19:53:56 ipa-client1 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=testuser1
Dec  6 19:53:56 ipa-client1 login: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=testuser1
Dec  6 19:53:56 ipa-client1 login: pam_sss(login:auth): received for user testuser1: 4 (System error)
Dec  6 19:53:58 ipa-client1 login: FAILED LOGIN 1 FROM (null) FOR testuser1, Authentication failure


I found this post and it looks similar but my /var/log/sssd/krb5_child.log is empty.

https://www.redhat.com/archives/freeipa-users/2012-October/msg00004.html

The link to http://www.mail-archive.com/sssd-devel%20lists%20fedorahosted%20org/msg10176.html was dead but I checked the /tmp permissions like the guy in the forum post and they were:

# ll -dZ /tmp/
drwxrwxrwt. root root system_u:object_r:tmp_t:s0       /tmp/

It's really puzzling that sudo works for some users but not others and it's only on one system.  I've thought about enrolling additional systems to the IPA domain to determine if this one system is just a problem child but I'd rather get it ironed out before moving over any additional systems.

Thanks in advance,
Albert
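The diagnostic detail in the log excerpts above is the PAM result code that pam_sss reports: "4 (System error)" is PAM_SYSTEM_ERR, meaning the module could not complete the request against its backend, which is a different condition from "7 (Authentication failure)", a rejected credential. The following script is an added example, not part of the original post or of FreeIPA/SSSD, that parses the "received for user" lines from a /var/log/secure excerpt and groups the result codes per host and user, so that users failing only with backend errors (codes 4 and 9) stand out from users who simply typed a wrong password. The sample log lines are constructed in the format quoted in the post; the host and user names in them are made up.

```python
"""Triage pam_sss(...:auth) result codes in a /var/log/secure excerpt."""
import re
from collections import Counter, defaultdict

# Linux-PAM return codes as reported by pam_sss in "received for user X: N (...)".
# 7 means the credential itself was rejected; 4 and 9 mean pam_sss could not
# complete the request against SSSD/KDC, i.e. a service or configuration
# problem on this client rather than a wrong password.
PAM_SYSTEM_ERR = 4          # "System error"
PAM_AUTH_ERR = 7            # "Authentication failure"
PAM_AUTHINFO_UNAVAIL = 9    # "Authentication service cannot retrieve authentication info"
BACKEND_CODES = {PAM_SYSTEM_ERR, PAM_AUTHINFO_UNAVAIL}

# Constructed sample in the /var/log/secure format quoted in the post.
SAMPLE_SECURE_LOG = """\
Dec  6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): authentication failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1 rhost= user=testuser1
Dec  6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
Dec  6 19:53:56 ipa-client1 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=testuser1
Dec  6 19:53:56 ipa-client1 login: pam_sss(login:auth): received for user testuser1: 4 (System error)
Dec  6 20:01:10 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser5: 7 (Authentication failure)
Dec  6 20:02:00 ipa-client1 sshd: pam_sss(sshd:auth): received for user testuser2: 4 (System error)
"""

# Matches only the pam_sss "received for user" lines; everything else is skipped.
RESULT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>[^:]+): "
    r"pam_sss\((?P<service>[^:]+):auth\): received for user (?P<user>[^\s:]+): "
    r"(?P<code>\d+) \((?P<desc>[^)]*)\)$"
)


def parse_pam_sss_results(log_text):
    """Return one dict per pam_sss 'received for user' line (ts, host, service, user, code, desc)."""
    records = []
    for line in log_text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["code"] = int(rec["code"])
            records.append(rec)
    return records


def summarize_by_user(records):
    """Map (host, user) -> Counter of PAM result codes seen for that user on that host."""
    summary = defaultdict(Counter)
    for rec in records:
        summary[(rec["host"], rec["user"])][rec["code"]] += 1
    return dict(summary)


def backend_error_users(records):
    """(host, user) pairs whose failures are all backend errors and never a rejected credential.

    These are the cases to investigate on the client (SSSD, Kerberos, PAM stack),
    not cases of users mistyping passwords.
    """
    summary = summarize_by_user(records)
    return {key for key, codes in summary.items() if set(codes) <= BACKEND_CODES}


def report(records):
    """Human-readable summary, one line per (host, user)."""
    lines = []
    suspect = backend_error_users(records)
    for (host, user), codes in sorted(summarize_by_user(records).items()):
        detail = ", ".join(f"code {c} x{n}" for c, n in sorted(codes.items()))
        flag = "  <-- backend errors only; check SSSD/PAM on this client" if (host, user) in suspect else ""
        lines.append(f"{host} {user}: {detail}{flag}")
    return lines


if __name__ == "__main__":
    for line in report(parse_pam_sss_results(SAMPLE_SECURE_LOG)):
        print(line)
```

To use it on a real client, replace SAMPLE_SECURE_LOG with the contents of /var/log/secure; a user who only ever produces code 4 on one host while succeeding elsewhere points at that host's SSSD/Kerberos path rather than at the user's credentials.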