[Freeipa-users] Password failing for sudo-ldap authentication only from one host
David Sastre
d.sastre.medina at gmail.com
Wed Sep 26 15:35:51 UTC 2012
Hello,
I'm experiencing an issue with sudo-ldap:
I have some commands defined in a rule, have granted permissions to my user
to execute them via sudo following the docs:
# ipa sudorule-show networking-commands
Rule name: networking-commands
Enabled: TRUE
Users: dsastrem
Host Groups: des
Sudo Allow Command Groups: networking

# ipa sudocmdgroup-show networking
Sudo Command Group: networking
Description: commands for network configuration and troubleshooting
Member Sudo commands: /sbin/route, /sbin/ifconfig, /sbin/iptables, /sbin/mii-tool, /sbin/ethtool, /sbin/ip

/etc/nsswitch.conf
==================
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files
aliases: files nisplus
sudoers: files ldap sss

/etc/sudo-ldap.conf
===================
uri ldap://panoramix.some.domain.com
sudoers_base ou=SUDOers,dc=some,dc=domain,dc=com
bind_timelimit 5
timelimit 15
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=some,dc=domain,dc=com
bindpw secret
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes

/etc/rc.local
=============
touch /var/lock/subsys/local
nisdomainname some.domain.com
All three config files are the same on several hosts, but sudo is failing
from one host in this way:
The pam_tally2 count gets increased with failed attempts, but the password is
(obviously) the same (my Kerberos password).
dsastrem at obelix ~
$ sudo ip addr show
LDAP Config Summary
===================
uri ldap://panoramix.some.domain.com
ldap_version 3
sudoers_base ou=SUDOers,dc=some,dc=domain,dc=com
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=some,dc=domain,dc=com
bindpw secret
bind_timelimit 5000
timelimit 15
ssl start_tls
tls_checkpeer (yes)
tls_cacertfile /etc/ipa/ca.crt
===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_initialize(ld, ldap://panoramix.some.domain.com)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=some,dc=domain,dc=com
sudo: ldap search '(|(sudoUser=dsastrem)(sudoUser=%dsastrem)(sudoUser=%admins)(sudoUser=ALL))'
sudo: found:cn=networking-commands,ou=sudoers,dc=some,dc=domain,dc=com
sudo: ldap sudoHost '+des' ... MATCH!
sudo: ldap sudoCommand '/sbin/route' ... not
sudo: ldap sudoCommand '/sbin/ifconfig' ... not
sudo: ldap sudoCommand '/sbin/iptables' ... not
sudo: ldap sudoCommand '/sbin/mii-tool' ... not
sudo: ldap sudoCommand '/sbin/ethtool' ... not
sudo: ldap sudoCommand '/sbin/ip' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for dsastrem:
Sorry, try again.
[sudo] password for dsastrem:
sudo: 1 incorrect password attempt

# pam_tally2 -u dsastrem
Login Failures Latest failure From
dsastrem 2 09/26/12 17:22:54 /dev/pts/1
Any idea of what could be wrong? Thanks in advance.
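The debug transcript in the post shows two separate stages: the sudo-ldap lookup (TLS, bind, rule, host and command matching against ou=SUDOers) succeeds, and only afterwards the PAM password check fails and pam_tally2 counts it. As an added triage helper that is not part of the original post, the following parser splits such a transcript into those stages and names the one that failed; the sample log is a constructed excerpt modelled on the quoted output.

```python
import re

# Constructed excerpt modelled on the sudo-ldap debug transcript quoted in the
# post above (abbreviated; not the author's full output).
SAMPLE_LOG = """\
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=networking-commands,ou=sudoers,dc=some,dc=domain,dc=com
sudo: ldap sudoHost '+des' ... MATCH!
sudo: ldap sudoCommand '/sbin/route' ... not
sudo: ldap sudoCommand '/sbin/ip' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
[sudo] password for dsastrem:
sudo: 1 incorrect password attempt
"""

def triage_sudo_ldap(log: str) -> dict:
    """Split a sudo-ldap debug transcript into its authorization stage (LDAP lookup)
    and its authentication stage (PAM password prompt); name the stage that failed."""
    r = {"tls_ok": False, "bind_ok": False, "rules": [], "host_match": False,
         "allowed_command": None, "user_matches": None, "host_matches": None,
         "password_failures": 0, "stage_failed": None}
    for line in log.splitlines():
        if "ldap_start_tls_s() ok" in line:
            r["tls_ok"] = True
        elif "ldap_sasl_bind_s() ok" in line:
            r["bind_ok"] = True
        elif m := re.search(r"found:(\S+)", line):
            r["rules"].append(m.group(1))            # sudoRole DN that matched the user
        elif re.search(r"sudoHost '[^']*' \.\.\. MATCH!", line):
            r["host_match"] = True
        elif m := re.search(r"sudoCommand '([^']+)' \.\.\. MATCH!", line):
            r["allowed_command"] = m.group(1)        # the command the rule permitted
        elif m := re.search(r"(user|host)_matches=(\d)", line):
            r[m.group(1) + "_matches"] = int(m.group(2))
        elif m := re.search(r"(\d+) incorrect password attempt", line):
            r["password_failures"] = int(m.group(1))
    # Decide which stage broke: directory access, rule evaluation, or PAM.
    if not (r["tls_ok"] and r["bind_ok"]):
        r["stage_failed"] = "ldap_connection"
    elif not (r["allowed_command"] and r["user_matches"] == 1 and r["host_matches"] == 1):
        r["stage_failed"] = "authorization"
    elif r["password_failures"]:
        r["stage_failed"] = "authentication"   # sudoers granted; PAM rejected the password
    return r

if __name__ == "__main__":
    print(triage_sudo_ldap(SAMPLE_LOG))
```

For the quoted transcript this reports the LDAP stage as healthy and the failure as "authentication", which points at the PAM stack on that one host rather than at the sudo rules or the directory.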