[Freeipa-users] Setting up sudo clients
Joe Linoff
jlinoff at tabula.com
Wed Jun 6 17:59:29 UTC 2012
Hi Folks:
I am trying to configure sudo clients using FreeIPA 2.1.3 on CentOS 6.2,
but I am running into a problem that I do not know how to debug. I
used the instructions provided here:
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html
The server installation went fine, and I even did a sudo client
installation on the server, which worked well. Unfortunately, when I did
the same client setup on another host in the network I got the message
"<user> not in sudoers file" when I tried to execute a command.
Here is the output from /var/log/secure on the client. I didn't see
anything strange on the server. The user name is bigbob.
Jun 6 10:38:35 docs unix_chkpwd[8737]: password check failed for user (bigbob)
Jun 6 10:38:35 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun 6 10:38:36 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun 6 10:38:36 docs sudo: bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/ls
Jun 6 10:44:09 docs unix_chkpwd[8767]: password check failed for user (bigbob)
Jun 6 10:44:09 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun 6 10:44:10 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun 6 10:44:10 docs sudo: bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/pwd
The command "/bin/pwd" is in the sudo commands and in the sudo command
group.
Any help would be greatly appreciated.
Here are the setup steps that I performed on the client. The domain is
foo.example.com.
# CITATION:
# http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html
# ================================================================
# Update /etc/nsswitch.conf
# ================================================================
# Append the sudoers entry. A single ">" here would replace the whole
# file and drop the passwd/group/hosts lookups along with it.
cat >>/etc/nsswitch.conf <<EOF
# ================================================================
# FreeIPA sudo support
# ================================================================
sudoers: files ldap
sudoers_debug: 1
EOF
# ================================================================
# Insert this just after the ipa_server line and restart sssd:
# ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com
# ================================================================
tmp=$(mktemp)
awk '{ print }
     $1 == "ipa_server" { print "ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com" }' \
    /etc/sssd/sssd.conf >"$tmp"
# cp (not mv) keeps sssd.conf's root:root 0600 ownership and mode, which sssd requires
cp "$tmp" /etc/sssd/sssd.conf
rm -f "$tmp"
service sssd restart
# ================================================================
# Create the /etc/nslcd.conf file
# ================================================================
# The keys below (sudoers_base, tls_checkpeer, bind_timelimit, timelimit) are
# sudo's own LDAP options. sudo reads them from the file shown by "sudo -V"
# (run as root) on the "ldap.conf path:" line, which on RHEL/CentOS 6 is
# /etc/sudo-ldap.conf; /etc/nslcd.conf itself belongs to nss-pam-ldapd.
[ -e /etc/nslcd.conf ] && cp -p /etc/nslcd.conf /etc/nslcd.conf.orig
cat >/etc/nslcd.conf <<EOF
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=example,dc=com
bindpw pwd/sudo
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
uri ldap://cuthbert.foo.example.com
sudoers_base ou=SUDOers,dc=foo,dc=example,dc=com
EOF
# bindpw is stored in clear text, so keep the file readable by root only
chmod 600 /etc/nslcd.conf
# ================================================================
# Set the NIS domain name (even though NIS is not used)
# ================================================================
# nisdomainname only sets the running kernel's domain name; to keep it across
# a reboot, also set NISDOMAIN=foo.example.com in /etc/sysconfig/network.
nisdomainname foo.example.com
Thank you,
Joe
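Added example, not part of the original post: a small POSIX shell script with the local checks a practitioner would run on a sudo client set up the way the steps above describe. It takes the two files as arguments so it can be exercised offline against constructed copies; the file contents it is written for (the nsswitch sudoers line, uri, binddn, bindpw, sudoers_base) come from the post, while the helper names, the ldapsearch attribute list and the "sudo -V" comparison are my own. The ldapsearch command is printed, not executed, because it needs the live IPA server and the sudo bind account's password.

```sh
#!/bin/sh
# Offline sanity checks for a FreeIPA sudo client (added example).
# Usage: check_sudo_client /etc/nsswitch.conf <sudo's ldap conf file>

# First value of KEY in a sudo ldap.conf-style file ("key value" per line).
conf_value() {
    # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

# 1. nsswitch.conf: sudo only consults LDAP when the sudoers line lists "ldap",
#    and the file must still hold its other databases. An nsswitch.conf that
#    was overwritten with only the sudo stanza (cat > instead of cat >>) has
#    lost its passwd line, which this catches.
check_nsswitch() {
    grep -Eq '^[[:space:]]*sudoers:([^#]*[[:space:]])?ldap([[:space:]]|$)' "$1" \
        || { echo "nsswitch: sudoers line does not list ldap" >&2; return 1; }
    grep -Eq '^[[:space:]]*passwd:' "$1" \
        || { echo "nsswitch: passwd line missing (file overwritten?)" >&2; return 1; }
}

# 2. sudo's LDAP config must carry everything sudo needs to bind and search.
check_ldap_conf() {
    rc=0
    for key in uri sudoers_base binddn bindpw; do
        [ -n "$(conf_value "$1" "$key")" ] || { echo "ldap conf: $key not set" >&2; rc=1; }
    done
    return $rc
}

# 3. bindpw is clear text: group and other must have no access (0600 or 0400).
#    Parsed from ls -l (characters 5-10 are the group/other permission bits).
check_ldap_conf_perms() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ] \
        || { echo "ldap conf: mode must be 0600/0400, got $(ls -ld "$1" | cut -c1-10)" >&2; return 1; }
}

# 4. The server-side check to run next: as the sudo bind account, list the
#    sudoRole entries under sudoers_base over STARTTLS. Empty output means the
#    client cannot see any rule no matter how its local files look.
sudo_rule_search_cmd() {
    printf 'ldapsearch -x -ZZ -H %s -D "%s" -W -b "%s" "(objectClass=sudoRole)" cn sudoUser sudoHost sudoCommand\n' \
        "$(conf_value "$1" uri)" "$(conf_value "$1" binddn)" "$(conf_value "$1" sudoers_base)"
}

# Path the installed sudo binary actually reads; root's "sudo -V" prints an
# "ldap.conf path: ..." line. Compare it with the file that was edited.
sudo_ldap_conf_path() {
    sudo -V 2>/dev/null | sed -n 's/^ldap\.conf path:[[:space:]]*//p'
}

# Run all local checks; returns non-zero on the first failure.
check_sudo_client() {
    # $1 = nsswitch.conf, $2 = sudo's LDAP config file
    check_nsswitch "$1" && check_ldap_conf "$2" && check_ldap_conf_perms "$2"
}
```

Run it as root on the client with `check_sudo_client /etc/nsswitch.conf "$(sudo_ldap_conf_path)"`; if `sudo_ldap_conf_path` prints a different file than the one that was edited, that file is the one to fill in.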