[Freeipa-users] Password failing for sudo-ldap authentication only from one host
Rob Crittenden
rcritten at redhat.com
Wed Sep 26 19:06:40 UTC 2012
David Sastre wrote:
> Hello,
>
> I'm experiencing an issue with sudo-ldap:
> I have some commands defined in a rule, have granted permissions to my
> user to execute them via sudo following the docs:
>
> # ipa sudorule-show networking-commands
> Rule name: networking-commands
> Enabled: TRUE
> Users: dsastrem
> Host Groups: des
> Sudo Allow Command Groups: networking
>
> # ipa sudocmdgroup-show networking
> Sudo Command Group: networking
> Description: commands for network configuration and troubleshooting
> Member Sudo commands: /sbin/route, /sbin/ifconfig, /sbin/iptables,
> /sbin/mii-tool, /sbin/ethtool, /sbin/ip
>
> /etc/nsswitch.conf
> ==================
> passwd: files sss
> shadow: files sss
> group: files sss
> hosts: files dns
> bootparams: nisplus [NOTFOUND=return] files
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files sss
> netgroup: files sss
> publickey: nisplus
> automount: files
> aliases: files nisplus
> sudoers: files ldap sss
>
> /etc/sudo-ldap.conf
> ===================
> uri ldap://panoramix.some.domain.com
> sudoers_base ou=SUDOers,dc=some,dc=domain,dc=com
> bind_timelimit 5
> timelimit 15
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=some,dc=domain,dc=com
> bindpw secret
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
>
> /etc/rc.local
> =============
> touch /var/lock/subsys/local
> nisdomainname some.domain.com
>
> All three config files are identical on several hosts, but sudo is failing
> from one host in this way:
> The pam_tally2 count gets increased with failed attempts, but the password
> is (obviously) the same (my kerberos passwd)
>
> dsastrem@obelix ~
> $ sudo ip addr show
> LDAP Config Summary
> ===================
> uri ldap://panoramix.some.domain.com
> ldap_version 3
> sudoers_base ou=SUDOers,dc=some,dc=domain,dc=com
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=some,dc=domain,dc=com
> bindpw secret
> bind_timelimit 5000
> timelimit 15
> ssl start_tls
> tls_checkpeer (yes)
> tls_cacertfile /etc/ipa/ca.crt
> ===================
> sudo: ldap_set_option: debug -> 0
> sudo: ldap_set_option: tls_checkpeer -> 1
> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
> sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
> sudo: ldap_initialize(ld, ldap://panoramix.some.domain.com)
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_set_option: timelimit -> 15
> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
> sudo: ldap_start_tls_s() ok
> sudo: ldap_sasl_bind_s() ok
> sudo: no default options found in ou=SUDOers,dc=some,dc=domain,dc=com
> sudo: ldap search
> '(|(sudoUser=dsastrem)(sudoUser=%dsastrem)(sudoUser=%admins)(sudoUser=ALL))'
> sudo: found:cn=networking-commands,ou=sudoers,dc=some,dc=domain,dc=com
> sudo: ldap sudoHost '+des' ... MATCH!
> sudo: ldap sudoCommand '/sbin/route' ... not
> sudo: ldap sudoCommand '/sbin/ifconfig' ... not
> sudo: ldap sudoCommand '/sbin/iptables' ... not
> sudo: ldap sudoCommand '/sbin/mii-tool' ... not
> sudo: ldap sudoCommand '/sbin/ethtool' ... not
> sudo: ldap sudoCommand '/sbin/ip' ... MATCH!
> sudo: Command allowed
> sudo: user_matches=1
> sudo: host_matches=1
> sudo: sudo_ldap_lookup(0)=0x02
> [sudo] password for dsastrem:
> Sorry, try again.
> [sudo] password for dsastrem:
> sudo: 1 incorrect password attempt
>
> # pam_tally2 -u dsastrem
> Login     Failures Latest failure     From
> dsastrem  2        09/26/12 17:22:54  /dev/pts/1
>
> Any idea of what could be wrong? Thanks in advance.
Does sssd work on this machine otherwise? getent passwd <foo>, you can
log into the console as the user, or perhaps kinit to the user?
rob
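The debug transcript David posted shows the LDAP side of sudo working end to end (STARTTLS up, bind OK, rule networking-commands found, host group and /sbin/ip matched, "Command allowed") and the failure only at the password prompt, which is why Rob's questions target sssd and Kerberos on obelix rather than the sudoers lookup. Two things a reviewer would also note from the listings: the "LDAP Config Summary" that sudo prints in debug mode echoes bindpw, so transcripts need scrubbing before they are posted, and the file that holds that bindpw must not be readable by other local users. The script below is an added example, not code from the thread or from the FreeIPA or sudo projects. It lints a constructed copy of the posted sudo-ldap.conf for the transport and bindpw exposure points, classifies a constructed excerpt of the debug transcript by the stage at which the attempt failed, and wraps the live checks Rob suggests in a function for use on the failing host. The helper names (conf_get, check_ldap_conf, triage_debug, live_checks) are mine; hostnames, DNs and paths are the thread's own placeholders.

```shell
#!/bin/sh
# Added example, not part of the thread: offline triage of the files and the
# sudo debug transcript David posted. Contents below are constructed copies of
# his listings (bindpw left as the placeholder "secret"); paths and hostnames
# are the thread's own placeholders. Assumes a POSIX sh with awk, grep and ls.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed copy of /etc/sudo-ldap.conf as posted.
cat >"$WORK/sudo-ldap.conf" <<'EOF'
uri ldap://panoramix.some.domain.com
sudoers_base ou=SUDOers,dc=some,dc=domain,dc=com
bind_timelimit 5
timelimit 15
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=some,dc=domain,dc=com
bindpw secret
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
EOF
chmod 0600 "$WORK/sudo-ldap.conf"   # the file carries bindpw; keep it root-only

# Constructed excerpt of the sudo debug output from the failing host (obelix).
cat >"$WORK/sudo-debug.log" <<'EOF'
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=networking-commands,ou=sudoers,dc=some,dc=domain,dc=com
sudo: ldap sudoHost '+des' ... MATCH!
sudo: ldap sudoCommand '/sbin/ip' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for dsastrem:
Sorry, try again.
sudo: 1 incorrect password attempt
EOF

# conf_get FILE KEY: value of the first "KEY value" line, empty if absent.
conf_get() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# check_ldap_conf FILE: returns 0 when the LDAP transport is protected and the
# bind secret is not readable by other local users; prints each finding.
check_ldap_conf() {
    f=$1 rc=0
    case "$(conf_get "$f" ssl)" in
        start_tls|on) ;;
        *) echo "ssl: LDAP traffic, including bindpw, would go in the clear"; rc=1 ;;
    esac
    [ "$(conf_get "$f" tls_checkpeer)" = yes ] \
        || { echo "tls_checkpeer: server certificate is not verified"; rc=1; }
    [ -n "$(conf_get "$f" tls_cacertfile)" ] \
        || { echo "tls_cacertfile: no CA configured for the IPA server"; rc=1; }
    if [ -n "$(conf_get "$f" bindpw)" ]; then
        # columns 5-10 of "ls -l" are the group and other permission bits
        case "$(ls -ld "$f" | cut -c5-10)" in
            *[rwx]*) echo "bindpw present but $f is readable by group/other"; rc=1 ;;
        esac
    fi
    return "$rc"
}

# triage_debug LOG: name the stage at which the sudo attempt failed.
# Prints one of: ldap-bind | no-rule | command-denied | pam-auth | ok
triage_debug() {
    f=$1
    grep -q 'ldap_sasl_bind_s() ok' "$f" || { echo ldap-bind; return 0; }
    { grep -q 'user_matches=1' "$f" && grep -q 'host_matches=1' "$f"; } \
        || { echo no-rule; return 0; }
    grep -q 'Command allowed' "$f" || { echo command-denied; return 0; }
    grep -q 'incorrect password attempt' "$f" && { echo pam-auth; return 0; }
    echo ok
}

# live_checks USER: the checks Rob suggests, meant for the failing host itself;
# not run offline here (assumes getent and kinit are installed).
live_checks() {
    u=$1
    getent passwd "$u" >/dev/null \
        && echo "nss: $u resolves (files/sss)" \
        || echo "nss: $u does NOT resolve; check sssd on this host"
    echo "next: run 'kinit $u' and log in on the console as $u; if those fail,"
    echo "      the problem is authentication via sssd, not the sudoers lookup"
}

echo "sudo-ldap.conf findings:"
check_ldap_conf "$WORK/sudo-ldap.conf" && echo "  none"
echo "debug transcript failed at stage: $(triage_debug "$WORK/sudo-debug.log")"
```

Run as-is, the posted configuration passes the lint (STARTTLS, peer verification and a CA file are all set, and the copy is mode 0600) and the transcript is classified as pam-auth, i.e. sudo authorised the command and PAM rejected the password, which is the same conclusion Rob's reply works from. On the real host, run live_checks dsastrem as root; the sudo-ldap.conf permission check is the one item that can differ between hosts with byte-identical configs, which is why it is checked from the file mode rather than from the file contents.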