[Freeipa-users] select users cannot sudo or login at the console

Rob Crittenden rcritten at redhat.com
Fri Dec 7 04:08:11 UTC 2012


Albert Adams wrote:
> I have a small IPA domain set up on RHEL 6 with a FreeIPA server,
> a replica and two clients.  There are six users set up in the domain.
> All users are able to log in over SSH to both client systems.  I am not
> using IPA to control sudo access.  Sudo privileges are granted by group
> membership (group memberships are managed by IPA).  So here is where it
> gets weird.
>
> Client Systems
>
> system1 - testuser1 can authenticate over SSH using public key,can login
> at the console, and CAN sudo (all other users are able to do the same)
> system2 - testuser1 can authenticate over SSH using public key and
> CANNOT login at the console or sudo (two out of six users can login and
> sudo)
>
> So for example:
>
> system1 - SSH, console and sudo access
> testuser1, testuser2, testuser3, testuser4, testuser5, testuser6
>
> system2 - SSH access only
> testuser1, testuser2, testuser3, testuser4
>
> system2 - SSH, console and sudo access
> testuser5, testuser6
>
> All users have the same group memberships and use SSH keys to
> authenticate to the system.
>
> Errors when the user tries to sudo
> ------------------------------------------------------------
> /var/log/secure
> Dec  6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): authentication
> failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1
> rhost= user=testuser1
> Dec  6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): received for user
> testuser1: 4 (System error)
> Dec  6 18:54:47 ipa-client1 sudo: pam_sss(sudo:auth): authentication
> failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1
> rhost= user=testuser1
> Dec  6 18:54:47 ipa-client1 sudo: pam_sss(sudo:auth): received for user
> testuser1: 4 (System error)
> Dec  6 18:54:51 ipa-client1 sudo: pam_sss(sudo:auth): authentication
> failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1
> rhost= user=testuser1
> Dec  6 18:54:51 ipa-client1 sudo: pam_sss(sudo:auth): received for user
> testuser1: 4 (System error)
> Dec  6 18:54:52 ipa-client1 sudo: testuser1 : 3 incorrect password
> attempts ; TTY=pts/1 ; PWD=/home/testuser1 ; USER=root ; COMMAND=/bin/su -
>
> Errors when the user tries to login at the console
> -------------------------------------------------------------
> /var/log/secure
> Dec  6 19:53:56 ipa-client1 login: pam_unix(login:auth): authentication
> failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=testuser1
> Dec  6 19:53:56 ipa-client1 login: pam_sss(login:auth): authentication
> failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=testuser1
> Dec  6 19:53:56 ipa-client1 login: pam_sss(login:auth): received for
> user testuser1: 4 (System error)
> Dec  6 19:53:58 ipa-client1 login: FAILED LOGIN 1 FROM (null) FOR
> testuser1, Authentication failure
>
>
> I found this post and it looks similar but my
> /var/log/sssd/krb5_child.log is empty.
>
> https://www.redhat.com/archives/freeipa-users/2012-October/msg00004.html
>
> The link to
> http://www.mail-archive.com/sssd-devel%20lists%20fedorahosted%20org/msg10176.html
> was dead, but I checked the /tmp permissions like the guy in the
> forum post, and they were:
>
> # ll -dZ /tmp/
> drwxrwxrwt. root root system_u:object_r:tmp_t:s0       /tmp/
>
> It's really puzzling that sudo works for some users but not others, and
> only on one system.  I've thought about enrolling additional systems in
> the IPA domain to determine if this one system is just a problem child,
> but I'd rather get it ironed out before moving over any additional
> systems.
>
> Thanks in advance,
> Albert

I would look to see if you have any Host-Based Access Control (HBAC) rules 
defined. This would explain the behavior.

rob
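Added example, not part of the original thread: a small triage script that groups the pam_sss result lines from /var/log/secure by user, PAM service and phase, decodes the numeric PAM return code, and lists which PAM service names are failing. The point it makes is that HBAC rules in IPA are matched on the PAM service name (sshd, login, sudo, ...), so "SSH works but console login and sudo do not" is exactly the shape a rule restricted to certain services produces, and that pam_sss return code 4 (PAM_SYSTEM_ERR) is a failure inside SSSD rather than a rejected password. The sample input is the log lines quoted in the message above, re-joined onto single lines; the function names and the advice strings are mine.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the /var/log/secure lines quoted in the thread above,
# re-joined onto one line each (the mail client had wrapped them).
SAMPLE_SECURE_LOG = """\
Dec  6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): authentication failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1 rhost= user=testuser1
Dec  6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
Dec  6 18:54:47 ipa-client1 sudo: pam_sss(sudo:auth): authentication failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1 rhost= user=testuser1
Dec  6 18:54:47 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
Dec  6 18:54:51 ipa-client1 sudo: pam_sss(sudo:auth): authentication failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1 rhost= user=testuser1
Dec  6 18:54:51 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
Dec  6 18:54:52 ipa-client1 sudo: testuser1 : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/testuser1 ; USER=root ; COMMAND=/bin/su -
Dec  6 19:53:56 ipa-client1 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=testuser1
Dec  6 19:53:56 ipa-client1 login: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=testuser1
Dec  6 19:53:56 ipa-client1 login: pam_sss(login:auth): received for user testuser1: 4 (System error)
Dec  6 19:53:58 ipa-client1 login: FAILED LOGIN 1 FROM (null) FOR testuser1, Authentication failure
"""

# pam_sss logs the PAM return code it handed back as
# "pam_sss(<service>:<phase>): received for user <user>: <code> (<text>)".
PAM_SSS_RESULT = re.compile(
    r"pam_sss\((?P<service>[^:]+):(?P<phase>\w+)\): received for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]+)\)"
)

# Linux-PAM return codes (security/_pam_types.h); only the ones worth
# distinguishing during an SSSD/IPA login investigation.
PAM_CODES = {
    0: "PAM_SUCCESS",
    4: "PAM_SYSTEM_ERR",
    6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR",
    9: "PAM_AUTHINFO_UNAVAIL",
    10: "PAM_USER_UNKNOWN",
    13: "PAM_ACCT_EXPIRED",
}


def summarize_pam_sss(log_text):
    """Group pam_sss result lines by (user, PAM service, phase) and count return codes."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        m = PAM_SSS_RESULT.search(line)
        if m:
            key = (m["user"], m["service"], m["phase"])
            summary[key][(int(m["code"]), m["text"])] += 1
    return dict(summary)


def failing_services(summary):
    """PAM service names that produced pam_sss failures.

    IPA HBAC rules are matched on exactly these names, so compare this list
    with the services allowed by the HBAC rules that apply to the host.
    """
    return sorted({service for (_user, service, _phase) in summary})


def triage(summary):
    """Turn each (user, service, phase, code) into a one-line next step."""
    hints = {}
    for key, codes in summary.items():
        for (code, text), count in codes.items():
            name = PAM_CODES.get(code, "unknown")
            if code == 4:
                advice = ("failure inside SSSD, not a rejected password; read "
                          "/var/log/sssd/sssd_pam.log and the domain log")
            elif code == 6:
                advice = ("access denied by the access provider (HBAC for the "
                          "ipa provider); run ipa hbactest for this user/host/service")
            elif code == 7:
                advice = "credentials rejected; check the password or key"
            else:
                advice = "look the code up in security/_pam_types.h"
            hints[key + (code,)] = f"{name} ({text}): {advice} ({count}x)"
    return hints


if __name__ == "__main__":
    summary = summarize_pam_sss(SAMPLE_SECURE_LOG)
    print("failing PAM services:", failing_services(summary))
    for key, hint in sorted(triage(summary).items()):
        print(key, "->", hint)
```

On the sample above the script reports failures for the `login` and `sudo` services only, all with code 4. To confirm or rule out HBAC for the pattern described in the thread, run `ipa hbacrule-find` on the server and then `ipa hbactest --user testuser1 --host <system2 fqdn> --service sudo` (and again with `--service login` and `--service sshd`) for one user that works and one that does not; the two results should differ if an HBAC rule is the cause.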