[Freeipa-users] Sudo Commands and groups confusion

Pavel Březina pbrezina at redhat.com
Wed Jun 12 12:51:57 UTC 2013


On 06/12/2013 02:37 PM, Jakub Hrozek wrote:
> On Wed, Jun 12, 2013 at 11:22:35AM +0200, Matt . wrote:
>> Hi,
>>
>> The package as you described is installed, the config lines are set as you
>> show it.
>>
>> This is what I see in auth.log, my sssd_sudo does not show a thing:
>>
>> Jun 12 11:19:16 server sudo: pam_unix(sudo:auth): authentication failure;
>> logname=USERNAME uid=866600006 euid=0 tty=/dev/pts/0 ruser=USERNAME rhost=
>> user=USERNAME
>> Jun 12 11:19:16 server sudo: pam_sss(sudo:auth): User info message: Your
>> password will expire in 89 day(s).
>> Jun 12 11:19:16 server sudo: pam_sss(sudo:auth): authentication success;
>> logname=USERNAME uid=866600006 euid=0 tty=/dev/pts/0 ruser=USERNAME rhost=
>> user=USERNAME
>> Jun 12 11:19:16 server sudo: USERNAME : user NOT in sudoers ; TTY=pts/0 ;
>> PWD=/ ; USER=root ; COMMAND=/bin/su
>
> Pavel, I know you were debugging this problem on IRC, was there any
> conclusion?
>

No. I'm waiting for our lab to come back online so I can try to 
reproduce it.

>> Jun 12 11:19:16 server sudo: unable to execute /usr/sbin/sendmail: No such
>> file or directory
>>
>> I really cannot figure out what to check more.
>>
>>
>> 2013/6/12 Alexander Bokovoy <abokovoy at redhat.com>
>>
>>> On Wed, 12 Jun 2013, Matt . wrote:
>>>
>>>> Hi,
>>>>
>>>> A lot of people seem to have problems with Sudo and FreeIPA.
>>>>
>>>> How to enable sudo is described here:
>>>>
>>>> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>>>>
>>>> The problem we are facing, also discussed on IRC, is that the client's
>>>> local sudoers file is checked to see whether the logged-in user may sudo.
>>>> Of course the username is not known there.
>>>>
>>> Not sure what exactly is your problem? Could you please rephrase and
>>> show it with logs again?
>>>
>>> If you are using SSSD's sudo integration against IPA server, then here
>>> is what you need to get it working on Fedora 18/19 and RHEL 6.4:
>>>
>>> 1. install libsss_sudo package
>>>
>>> 2. Add/change following line to /etc/nsswitch.conf
>>>
>>> sudoers: files sss
>>>
>>> 3. Make sure your /etc/sssd/sssd.conf looks like this example:
>>> http://abbra.fedorapeople.org/.paste/sssd.conf.example
>>> 4. Restart sssd
>>>
>>> These are the only actions I needed to get sudo working for IPA users on
>>> Fedora 19 and RHEL 6.4.
>>>
>>> Please note that    sudoers: files sss
>>> gives you a chance to have local users configured in local sudoers. If you
>>> don't want them to be able to use sudo, just change the line in
>>> /etc/nsswitch.conf to
>>>     sudoers: sss
>>>
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>
>
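
A quick client-side check for step 2 of the quoted procedure and for the symptom in the quoted auth.log (pam_sss accepts the password, then sudo reports "user NOT in sudoers"), as an added example that is not part of the thread. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the sources on the first "sudoers:" line of an nsswitch.conf-style
# file, with trailing comments stripped.
sudoers_sources() {
    awk '{ sub(/#.*/, "") }
         $1 == "sudoers:" {
             for (i = 2; i <= NF; i++) printf "%s%s", (i > 2 ? " " : ""), $i
             print ""; exit
         }' "$1"
}

# Classify that line: is sss consulted at all, and are local files too?
classify_sudoers() {
    src=$(sudoers_sources "$1")
    if [ -z "$src" ]; then echo "missing"; return; fi
    case " $src " in
        *" sss "*)
            case " $src " in
                *" files "*) echo "sss-with-files" ;;
                *)           echo "sss-without-files" ;;
            esac ;;
        *) echo "no-sss" ;;
    esac
}

# Count sudo denials that follow a pam_sss authentication success: the
# symptom in the quoted auth.log (password accepted, no sudo rule found).
count_auth_ok_then_denied() {
    awk '/pam_sss\(sudo:auth\): authentication success/ { ok = 1; next }
         /user NOT in sudoers/ { if (ok) n++; ok = 0 }
         END { print n + 0 }' "$1"
}

# Constructed sample inputs (not from a real host).
tmp=$(mktemp -d)
printf 'passwd: files sss\nsudoers: files  # sss not listed\n' > "$tmp/nsswitch.bad"
printf 'passwd: files sss\nsudoers: files sss\n' > "$tmp/nsswitch.ok"
cat > "$tmp/auth.log" <<'EOF'
Jun 12 11:19:16 server sudo: pam_sss(sudo:auth): authentication success; user=USERNAME
Jun 12 11:19:16 server sudo: USERNAME : user NOT in sudoers ; TTY=pts/0 ; COMMAND=/bin/su
EOF
echo "nsswitch.bad: $(classify_sudoers "$tmp/nsswitch.bad")"
echo "nsswitch.ok:  $(classify_sudoers "$tmp/nsswitch.ok")"
echo "auth ok then denied: $(count_auth_ok_then_denied "$tmp/auth.log")"
rm -rf "$tmp"
```

On a client, pass /etc/nsswitch.conf to classify_sudoers and the auth log to count_auth_ok_then_denied; "sss-without-files" corresponds to the "sudoers: sss" variant in the quoted note, where local sudoers entries are not consulted.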



