[Freeipa-users] Sudo not working

Stephen Gallagher sgallagh at redhat.com
Wed Oct 31 17:33:26 UTC 2012


On Wed 31 Oct 2012 11:53:15 AM EDT, Bret Wortman wrote:
> I'm pretty certain there's a painfully simple solution to this that
> I'm not seeing, but my current configuration isn't picking up the
> freeipa sudoer rule that I've set.
>
> /etc/nsswitch.conf specifies:
>  sudoers:    files ldap
>
> /etc/nslcd.conf contains:
>
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
> bindpw password
>
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
>
> bind_timelimit 5
> timelimit 15
>
> uri ldap://fs1.wedgeofli.me
> sudoers_base ou=SUDOers,dc=wedgeofli,dc=me
>
>
> The sssd_DOMAIN.log file contains this when I try to sudo:
>

<snip>

The SSSD logs aren't showing anything wrong because they have nothing 
to do with the execution of the SUDO rules in this situation. All the 
SSSD is doing is verifying the authentication (when sudo prompts you 
for your password).

The problem with the rule is most likely happening inside SUDO itself. 
When you specify 'sudoers: files, ldap' in nsswitch.conf, it's telling 
SUDO to use its own internal LDAP driver to look up the rules. So you 
need to check sudo logs to see what's happening (probably you will need 
to enable debug logging in /etc/sudo.conf).

Recent versions of SUDO (1.8.6 and later) have support for setting 
'sudoers: files, sss' in nsswitch.conf which DOES use SSSD (1.9.0 and 
later) for lookups (and caching) of sudo rules.
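Added here as a small diagnostic helper, not code from the thread or from sudo/SSSD: it reads the `sudoers:` line of an nsswitch.conf and reports, per source, where sudo will actually fetch rules from and which logs to check, following the advice above. The sample nsswitch text and the wording of the hints are constructed.

```python
"""Inspect the sudoers line of an nsswitch.conf to see which lookup path
sudo takes (constructed example, not from the mailing-list thread)."""
import re
from typing import List

# Where to look next for each nsswitch source, following the thread's advice.
BACKENDS = {
    "files": "/etc/sudoers parsed by sudo itself",
    "ldap": "sudo's built-in LDAP driver; SSSD is not involved, "
            "enable sudo debug logging in /etc/sudo.conf",
    "sss": "SSSD sudo responder (needs sudo >= 1.8.6 and SSSD >= 1.9.0)",
}


def sudoers_sources(nsswitch_text: str) -> List[str]:
    """Return the ordered sources on the 'sudoers:' line, ignoring
    comments and bracketed action specs such as [NOTFOUND=return]."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, rest = line.partition(":")
        if db.strip() != "sudoers":
            continue
        # Drop action specs, then split on whitespace and stray commas.
        rest = re.sub(r"\[[^\]]*\]", " ", rest)
        return [s for s in re.split(r"[\s,]+", rest) if s]
    return []  # no sudoers line at all


def diagnose(nsswitch_text: str) -> List[str]:
    """One human-readable line per source, saying where rules come from.
    With no sudoers line, sudo's documented default is 'files'."""
    sources = sudoers_sources(nsswitch_text) or ["files"]
    return [f"{src}: {BACKENDS.get(src, 'not a source sudo knows about')}"
            for src in sources]


def uses_sssd(nsswitch_text: str) -> bool:
    """True only if 'sss' is listed; 'ldap' alone never reaches SSSD."""
    return "sss" in sudoers_sources(nsswitch_text)


# Constructed sample resembling the original poster's configuration.
SAMPLE = "passwd: files sss\nsudoers:    files ldap\n"

if __name__ == "__main__":
    for hint in diagnose(SAMPLE):
        print(hint)
```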
