[Freeipa-users] Sudo Commands and groups confusion

Jakub Hrozek jhrozek at redhat.com
Wed Jun 12 12:37:22 UTC 2013


On Wed, Jun 12, 2013 at 11:22:35AM +0200, Matt . wrote:
> Hi,
> 
> The package as you described is installed, the config lines are set as you
> show it.
> 
> This is what I see in auth.log, my sssd_sudo does not show a thing:
> 
> Jun 12 11:19:16 server sudo: pam_unix(sudo:auth): authentication failure;
> logname=USERNAME uid=866600006 euid=0 tty=/dev/pts/0 ruser=USERNAME rhost=
> user=USERNAME
> Jun 12 11:19:16 server sudo: pam_sss(sudo:auth): User info message: Your
> password will expire in 89 day(s).
> Jun 12 11:19:16 server sudo: pam_sss(sudo:auth): authentication success;
> logname=USERNAME uid=866600006 euid=0 tty=/dev/pts/0 ruser=USERNAME rhost=
> user=USERNAME
> Jun 12 11:19:16 server sudo: USERNAME : user NOT in sudoers ; TTY=pts/0 ;
> PWD=/ ; USER=root ; COMMAND=/bin/su

Pavel, I know you were debugging this problem on IRC, was there any
conclusion?

> Jun 12 11:19:16 server sudo: unable to execute /usr/sbin/sendmail: No such
> file or directory
> 
> I really cannot figure out what to check more.
> 
> 
> 2013/6/12 Alexander Bokovoy <abokovoy at redhat.com>
> 
> > On Wed, 12 Jun 2013, Matt . wrote:
> >
> >> Hi,
> >>
> >> A lot of people seem to have problems with Sudo and FreeIPA.
> >>
> >> How to enable sudo is described here:
> >>
> >> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
> >>
> >> The problem we are facing, also discussed on IRC, is that the local
> >> sudoers file of the client is checked to see if the logged-in user may
> >> sudo. Of course the username is not known there.
> >>
> > Not sure what exactly is your problem? Could you please rephrase and
> > show it with logs again?
> >
> > If you are using SSSD's sudo integration against IPA server, then here
> > is what you need to get it working on Fedora 18/19 and RHEL 6.4:
> >
> > 1. install libsss_sudo package
> >
> > 2. Add/change the following line in /etc/nsswitch.conf
> >
> > sudoers: files sss
> >
> > 3. Make sure your /etc/sssd/sssd.conf looks like this example:
> > http://abbra.fedorapeople.org/.paste/sssd.conf.example
> > 4. Restart sssd
> >
> > These are the only actions I needed to get sudo working for IPA users on
> > Fedora 19 and RHEL 6.4.
> >
> > Please note that    sudoers: files sss
> > gives you a chance to have local users configured in local sudoers. If you
> > don't want them to be able to use sudo, just change the line in
> > /etc/nsswitch.conf to
> >    sudoers: sss
> >
> >
> > --
> > / Alexander Bokovoy
> >
