[Freeipa-users] Setting up sudo clients

Joe Linoff jlinoff at tabula.com
Wed Jun 6 17:59:29 UTC 2012


Hi Folks:

I am trying to configure sudo clients using FreeIPA 2.1.3 on CentOS 6.2
but I am running into a problem that I do not know how to debug. I
used the instructions provided here:
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html.

The server installation went fine and I even did a sudo client
installation on the server which worked well. Unfortunately, when I did
the same client setup on another host in the network I got the message:
<user> not in sudoers files when I tried to execute a command.

Here is the output from /var/log/secure on the client. I didn't see
anything strange on the server. The user name is bigbob.

Jun  6 10:38:35 docs unix_chkpwd[8737]: password check failed for user (bigbob)
Jun  6 10:38:35 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun  6 10:38:36 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun  6 10:38:36 docs sudo:   bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/ls
Jun  6 10:44:09 docs unix_chkpwd[8767]: password check failed for user (bigbob)
Jun  6 10:44:09 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun  6 10:44:10 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun  6 10:44:10 docs sudo:   bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/pwd

The command "/bin/pwd" is in the sudo commands and in the sudo command
group.

Any help would be greatly appreciated.

Here are the setup steps that I performed on the client. The domain is
foo.example.com.

# CITATION: http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html

# ================================================================
# Update /etc/nsswitch.conf
# ================================================================
cat >/etc/nsswitch.conf <<EOF

# ================================================================
# FreeIPA sudo support
# ================================================================
sudoers:  files ldap
sudoers_debug: 1
EOF

# ================================================================
# Insert this just after the ipa_server line and restart sssd:
# ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com
# ================================================================
cat /etc/sssd/sssd.conf | \
awk '{print $0;if($1=="ipa_server"){printf("ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com\n");}}' >/tmp/x
cp /tmp/x /etc/sssd/sssd.conf
rm -f /tmp/x
service sssd restart

# ================================================================
# Create the /etc/nslcd.conf file
# ================================================================
ls /etc/nslcd.conf
cat >/etc/nslcd.conf <<EOF
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=example,dc=com
bindpw pwd/sudo

ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes

bind_timelimit 5
timelimit 15

uri ldap://cuthbert.foo.example.com
sudoers_base ou=SUDOers,dc=foo,dc=example,dc=com
EOF

# ================================================================
# Set the NIS domain name (even though NIS is not used)
# ================================================================
nisdomainname foo.example.com

Thank you,
Joe
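
Added example, not part of the original post: the quoted /var/log/secure lines show pam_sss authenticating bigbob before sudo rejects him at rule lookup, and this sketch parses such lines to report which stage failed for each user. The sample input is constructed from the lines quoted above (unwrapped), and the function name `triage` and the stage labels are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: one sudo attempt from the post, one event per line.
SAMPLE = """\
Jun  6 10:38:35 docs unix_chkpwd[8737]: password check failed for user (bigbob)
Jun  6 10:38:35 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun  6 10:38:36 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun  6 10:38:36 docs sudo:   bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/ls
"""

# PAM result lines written by sudo's auth stack; \buser= skips "ruser=".
PAM = re.compile(
    r"sudo: (pam_\w+)\(sudo:auth\): authentication (success|failure);.*\buser=(\S+)")
# sudo's own policy decision, logged after authentication has finished.
DENY = re.compile(r"sudo:\s+(\S+) : user NOT in sudoers ;.*COMMAND=(.+)$")


def triage(log_text):
    """Map each user to the stage that failed: authentication or authorization."""
    pam = defaultdict(dict)      # user -> {pam module: last result}
    denied = defaultdict(list)   # user -> commands refused by sudoers lookup
    for line in log_text.splitlines():
        if m := PAM.search(line):
            module, result, user = m.groups()
            pam[user][module] = result
        elif m := DENY.search(line):
            denied[m.group(1)].append(m.group(2).strip())
    report = {}
    for user in sorted(set(pam) | set(denied)):
        if denied[user]:
            # The password was accepted; no sudo rule was found for the user.
            stage = "authorization"
        elif "success" not in pam[user].values():
            stage = "authentication"
        else:
            stage = "ok"
        report[user] = {"stage": stage, "pam": dict(pam[user]),
                        "denied": list(denied[user])}
    return report


if __name__ == "__main__":
    for user, info in triage(SAMPLE).items():
        print(user, info["stage"], info["pam"], info["denied"])
```

An "authorization" result with a pam_sss success means the password path works and the place to look is how sudo finds its rules on that client (the sudoers source and search base), not PAM.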

 

 
