[Freeipa-users] Sudo Commands and groups confusion
Pavel Březina
pbrezina at redhat.com
Thu Jun 13 11:49:10 UTC 2013
On 06/12/2013 02:51 PM, Pavel Březina wrote:
> On 06/12/2013 02:37 PM, Jakub Hrozek wrote:
>> On Wed, Jun 12, 2013 at 11:22:35AM +0200, Matt . wrote:
>>> Hi,
>>>
>>> The package you described is installed, and the config lines are set as
>>> you show them.
>>>
>>> This is what I see in auth.log, my sssd_sudo does not show a thing:
>>>
>>> Jun 12 11:19:16 server sudo: pam_unix(sudo:auth): authentication failure; logname=USERNAME uid=866600006 euid=0 tty=/dev/pts/0 ruser=USERNAME rhost= user=USERNAME
>>> Jun 12 11:19:16 server sudo: pam_sss(sudo:auth): User info message: Your password will expire in 89 day(s).
>>> Jun 12 11:19:16 server sudo: pam_sss(sudo:auth): authentication success; logname=USERNAME uid=866600006 euid=0 tty=/dev/pts/0 ruser=USERNAME rhost= user=USERNAME
>>> Jun 12 11:19:16 server sudo: USERNAME : user NOT in sudoers ; TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/bin/su
>>
>> Pavel, I know you were debugging this problem on IRC, was there any
>> conclusion?
>>
>
> No. I'm waiting for our lab to come back online so I can try to
> reproduce it.
I followed the deployment guide and everything works fine. If you still
have problems, please start over and follow:
[1] for sudo-ldap-ipa
[2] for sudo-sssd-ipa
Checklist:
- NIS domain has to be set to IPA domain
- hostname must be set to fqdn
- sudo-ldap configuration file on RHEL systems is located at
# sudo -V | grep ldap.conf
ldap.conf path: /etc/sudo-ldap.conf
- nsswitch must contain sudoers: ldap or sudoers: sss
# cat /etc/nsswitch.conf | grep sudoers
sudoers: files ldap
[1]
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#example-configuring-sudo
[2] http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>
>>> Jun 12 11:19:16 server sudo: unable to execute /usr/sbin/sendmail: No such file or directory
>>>
>>> I really cannot figure out what to check more.
>>>
>>>
>>> 2013/6/12 Alexander Bokovoy <abokovoy at redhat.com>
>>>
>>>> On Wed, 12 Jun 2013, Matt . wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> A lot of people seem to have problem with Sudo and FreeIPA.
>>>>>
>>>>> How to enable sudo is described here:
>>>>>
>>>>> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>>>>>
>>>>>
>>>>> The problem we are facing, also discussed on IRC, is that the local
>>>>> sudoers file on the client is checked to see whether the logged-in user
>>>>> may sudo. Of course the username is not known there.
>>>>>
>>>> Not sure what exactly your problem is. Could you please rephrase and
>>>> show it with logs again?
>>>>
>>>> If you are using SSSD's sudo integration against IPA server, then here
>>>> is what you need to get it working on Fedora 18/19 and RHEL 6.4:
>>>>
>>>> 1. install libsss_sudo package
>>>>
>>>> 2. Add/change following line to /etc/nsswitch.conf
>>>>
>>>> sudoers: files sss
>>>>
>>>> 3. Make sure your /etc/sssd/sssd.conf looks like this example:
>>>> http://abbra.fedorapeople.org/.paste/sssd.conf.example
>>>>
>>>> 4. Restart sssd
>>>>
>>>> These are the only actions I needed to get sudo working for IPA
>>>> users on
>>>> Fedora 19 and RHEL 6.4.
>>>>
>>>> Please note that sudoers: files sss
>>>> gives you a chance to have local users configured in local sudoers. If
>>>> you don't want them to be able to use sudo, just change the line in
>>>> /etc/nsswitch.conf to
>>>> sudoers: sss
>>>>
>>>>
>>>> --
>>>> / Alexander Bokovoy
>>>>
>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
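The checklist from this thread (nsswitch sudoers line, FQDN hostname, NIS domain equal to the IPA domain, sudo-ldap config path from `sudo -V`) written up as a small POSIX sh script. This is an added example, not code from the thread or from the FreeIPA or SSSD projects; it assumes `nisdomainname` is available and takes the IPA domain as an argument (the tests use the placeholder `example.test`).

```shell
#!/bin/sh
# Client-side checklist for FreeIPA sudo integration via SSSD (sudoers: sss)
# or sudo-ldap (sudoers: ldap). Each check takes its input from stdin or
# arguments, so it runs on the live system or on constructed samples.

# Check 1: /etc/nsswitch.conf routes sudoers lookups to sss or ldap.
#   Usage: nsswitch_sudoers_ok < /etc/nsswitch.conf
nsswitch_sudoers_ok() {
    # Drop comments, then look for a "sudoers:" line listing sss or ldap.
    sed 's/#.*//' | awk '
        $1 == "sudoers:" { for (i = 2; i <= NF; i++) if ($i == "sss" || $i == "ldap") found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Check 2: the hostname is fully qualified (host.domain, no empty labels).
#   Usage: hostname_is_fqdn "$(hostname)"
hostname_is_fqdn() {
    case "$1" in
        ""|.*|*.|*..*) return 1 ;;   # empty, leading/trailing dot, empty label
        *.*)           return 0 ;;   # e.g. client.example.test
        *)             return 1 ;;   # short name such as "server"
    esac
}

# Check 3: the NIS domain equals the IPA domain ("(none)" means unset).
#   Usage: nis_domain_ok "$(nisdomainname)" example.test
nis_domain_ok() {
    [ -n "$1" ] && [ "$1" != "(none)" ] && [ "$1" = "$2" ]
}

# Check 4: where sudo-ldap reads its config; prints nothing if sudo has no
# LDAP support (run sudo -V as root to get the full listing).
#   Usage: sudo -V | sudo_ldap_conf_path
sudo_ldap_conf_path() {
    sed -n 's/^ldap\.conf path: *//p'
}

# Run every check against the live system: sh sudo-checklist.sh --live example.test
run_live_checks() {
    ipa_domain="$1"; rc=0
    nsswitch_sudoers_ok < /etc/nsswitch.conf || { echo "FAIL: nsswitch.conf lacks 'sudoers: sss' or 'sudoers: ldap'"; rc=1; }
    hostname_is_fqdn "$(hostname)" || { echo "FAIL: hostname '$(hostname)' is not an FQDN"; rc=1; }
    nis_domain_ok "$(nisdomainname 2>/dev/null)" "$ipa_domain" || { echo "FAIL: NIS domain is not '$ipa_domain'"; rc=1; }
    path=$(sudo -V 2>/dev/null | sudo_ldap_conf_path)
    [ -n "$path" ] && echo "sudo-ldap reads $path (relevant only for the sudo-ldap setup)"
    return $rc
}
if [ "${1:-}" = "--live" ]; then run_live_checks "${2:-}"; fi
```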