[Freeipa-users] Password failing for sudo-ldap authentication only from one host

Rob Crittenden rcritten at redhat.com
Wed Sep 26 19:06:40 UTC 2012


David Sastre wrote:
> Hello,
>
> I'm experiencing an issue with sudo-ldap:
> I have some commands defined in a rule, have granted permissions to my
> user to execute them via sudo following the docs:
>
>     # ipa sudorule-show networking-commands
>     Rule name: networking-commands
>     Enabled: TRUE
>     Users: dsastrem
>     Host Groups: des
>     Sudo Allow Command Groups: networking
>
>     # ipa sudocmdgroup-show networking
>     Sudo Command Group: networking
>     Description: commands for network configuration and troubleshooting
>     Member Sudo commands: /sbin/route, /sbin/ifconfig, /sbin/iptables,
>     /sbin/mii-tool, /sbin/ethtool, /sbin/ip
>
>     /etc/nsswitch.conf
>     ==================
>     passwd: files sss
>     shadow: files sss
>     group: files sss
>     hosts: files dns
>     bootparams: nisplus [NOTFOUND=return] files
>     ethers: files
>     netmasks: files
>     networks: files
>     protocols: files
>     rpc: files
>     services: files sss
>     netgroup: files sss
>     publickey: nisplus
>     automount: files
>     aliases: files nisplus
>     sudoers: files ldap sss
>
>     /etc/sudo-ldap.conf
>     ===================
>     uri ldap://panoramix.some.domain.com
>     sudoers_base ou=SUDOers,dc=some,dc=domain,dc=com
>     bind_timelimit 5
>     timelimit 15
>     binddn uid=sudo,cn=sysaccounts,cn=etc,dc=some,dc=domain,dc=com
>     bindpw secret
>     ssl start_tls
>     tls_cacertfile /etc/ipa/ca.crt
>     tls_checkpeer yes
>
>     /etc/rc.local
>     =============
>     touch /var/lock/subsys/local
>     nisdomainname some.domain.com
>
> All three config files are equal on several hosts, but sudo is failing
> from one host in this way:
> The pam_tally2 count gets increased with failed attempts, but the password
> is (obviously) the same (my kerberos passwd)
>
>     dsastrem at obelix ~
>     $ sudo ip addr show
>     LDAP Config Summary
>     ===================
>     uri ldap://panoramix.some.domain.com
>     ldap_version 3
>     sudoers_base ou=SUDOers,dc=some,dc=domain,dc=com
>     binddn uid=sudo,cn=sysaccounts,cn=etc,dc=some,dc=domain,dc=com
>     bindpw secret
>     bind_timelimit 5000
>     timelimit 15
>     ssl start_tls
>     tls_checkpeer (yes)
>     tls_cacertfile /etc/ipa/ca.crt
>     ===================
>     sudo: ldap_set_option: debug -> 0
>     sudo: ldap_set_option: tls_checkpeer -> 1
>     sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
>     sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
>     sudo: ldap_initialize(ld, ldap://panoramix.some.domain.com)
>     sudo: ldap_set_option: ldap_version -> 3
>     sudo: ldap_set_option: timelimit -> 15
>     sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
>     sudo: ldap_start_tls_s() ok
>     sudo: ldap_sasl_bind_s() ok
>     sudo: no default options found in ou=SUDOers,dc=some,dc=domain,dc=com
>     sudo: ldap search
>     '(|(sudoUser=dsastrem)(sudoUser=%dsastrem)(sudoUser=%admins)(sudoUser=ALL))'
>     sudo: found:cn=networking-commands,ou=sudoers,dc=some,dc=domain,dc=com
>     sudo: ldap sudoHost '+des' ... MATCH!
>     sudo: ldap sudoCommand '/sbin/route' ... not
>     sudo: ldap sudoCommand '/sbin/ifconfig' ... not
>     sudo: ldap sudoCommand '/sbin/iptables' ... not
>     sudo: ldap sudoCommand '/sbin/mii-tool' ... not
>     sudo: ldap sudoCommand '/sbin/ethtool' ... not
>     sudo: ldap sudoCommand '/sbin/ip' ... MATCH!
>     sudo: Command allowed
>     sudo: user_matches=1
>     sudo: host_matches=1
>     sudo: sudo_ldap_lookup(0)=0x02
>     [sudo] password for dsastrem:
>     Sorry, try again.
>     [sudo] password for dsastrem:
>     sudo: 1 incorrect password attempt
>
>     # pam_tally2 -u dsastrem
>     Login Failures Latest failure From
>     dsastrem 2 09/26/12 17:22:54 /dev/pts/1
>
> Any idea of what could be wrong? Thanks in advance.

Does sssd work on this machine otherwise? getent passwd <foo>, you can 
log into the console as the user, or perhaps kinit to the user?

rob
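A small triage helper, added here and not part of the thread, FreeIPA or sudo: it splits a captured sudo LDAP debug log like the one quoted above into the two layers sudo-ldap passes through, authorization (the LDAP rule lookup, which succeeded on obelix) and authentication (the PAM password check, which failed), and extracts the `sudoers:` lookup order from nsswitch.conf. The sample log and nsswitch fragment are constructed from the lines quoted in the post.

```shell
#!/bin/sh
# Added triage helper (not from the original post, FreeIPA or sudo).
# sudo-ldap first authorizes the command against the directory, then hands
# the password to PAM. Separating the two in the debug log shows which layer
# to chase: here the rule matched and only the password step failed, so the
# PAM/sssd authentication path on that host is the suspect, not sudo-ldap.

# classify_sudo_log LOGFILE -> prints one of:
#   ldap-bind-failed       sudo never bound to the directory
#   authz-failed           bind worked but no LDAP rule allowed the command
#   authz-ok/authn-failed  rule matched, PAM rejected the password
#   ok                     rule matched and no password failure recorded
classify_sudo_log() {
    log="$1"
    grep -q 'ldap_sasl_bind_s() ok' "$log" || { echo ldap-bind-failed; return 0; }
    grep -q 'sudo: Command allowed' "$log" || { echo authz-failed; return 0; }
    if grep -q 'incorrect password attempt' "$log"; then
        echo authz-ok/authn-failed
    else
        echo ok
    fi
}

# sudoers_sources NSSWITCH -> the sources on the "sudoers:" line (e.g.
# "files ldap sss"), confirming whether sudo consults LDAP/sssd at all.
sudoers_sources() {
    sed -n 's/^sudoers:[[:space:]]*//p' "$1"
}

# Constructed sample input mirroring the lines quoted in the thread.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=networking-commands,ou=sudoers,dc=some,dc=domain,dc=com
sudo: ldap sudoCommand '/sbin/ip' ... MATCH!
sudo: Command allowed
[sudo] password for dsastrem:
Sorry, try again.
sudo: 1 incorrect password attempt
EOF
sample_nss=$(mktemp)
printf 'passwd: files sss\nsudoers: files ldap sss\n' > "$sample_nss"

echo "sudoers lookup order: $(sudoers_sources "$sample_nss")"
echo "sudo log verdict: $(classify_sudo_log "$sample_log")"
rm -f "$sample_log" "$sample_nss"
```

Run it against a log captured with `sudo -D` style debugging on the failing host; a verdict of `authz-ok/authn-failed` means the next checks are the ones Rob lists (getent, console login, kinit), since sudo's LDAP side already agreed to the command.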



