[Freeipa-users] Sudo Commands and groups confusion

Pavel Březina pbrezina at redhat.com
Thu Jun 13 11:49:10 UTC 2013


On 06/12/2013 02:51 PM, Pavel Březina wrote:
> On 06/12/2013 02:37 PM, Jakub Hrozek wrote:
>> On Wed, Jun 12, 2013 at 11:22:35AM +0200, Matt . wrote:
>>> Hi,
>>>
>>> The package as you described is installed, the config lines are set as
>>> you show it.
>>>
>>> This is what I see in auth.log, my sssd_sudo does not show a thing:
>>>
>>> Jun 12 11:19:16 server sudo: pam_unix(sudo:auth): authentication failure; logname=USERNAME uid=866600006 euid=0 tty=/dev/pts/0 ruser=USERNAME rhost= user=USERNAME
>>> Jun 12 11:19:16 server sudo: pam_sss(sudo:auth): User info message: Your password will expire in 89 day(s).
>>> Jun 12 11:19:16 server sudo: pam_sss(sudo:auth): authentication success; logname=USERNAME uid=866600006 euid=0 tty=/dev/pts/0 ruser=USERNAME rhost= user=USERNAME
>>> Jun 12 11:19:16 server sudo: USERNAME : user NOT in sudoers ; TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/bin/su
>>
>> Pavel, I know you were debugging this problem on IRC, was there any
>> conclusion?
>>
>
> No. I'm waiting for our lab to come back online so I can try to
> reproduce it.

I followed the deployment guide and everything works fine. If you still
have problems, please start over and follow:
[1] for sudo-ldap-ipa
[2] for sudo-sssd-ipa

Check list:
- NIS domain has to be set to IPA domain

- hostname must be set to fqdn

- sudo-ldap configuration file on RHEL systems is located at
   # sudo -V | grep ldap.conf
   ldap.conf path: /etc/sudo-ldap.conf

- nsswitch must contain sudoers: ldap or sudoers: sss
   # cat /etc/nsswitch.conf  | grep sudoers
   sudoers: files ldap


[1] https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#example-configuring-sudo

[2] http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf

>
>>> Jun 12 11:19:16 server sudo: unable to execute /usr/sbin/sendmail: No such file or directory
>>>
>>> I really cannot figure out what to check more.
>>>
>>>
>>> 2013/6/12 Alexander Bokovoy <abokovoy at redhat.com>
>>>
>>>> On Wed, 12 Jun 2013, Matt . wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> A lot of people seem to have problem with Sudo and FreeIPA.
>>>>>
>>>>> How to enable sudo is described here:
>>>>>
>>>>> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>>>>>
>>>>>
>>>>> The problem we are facing, also discussed on IRC, is that the local
>>>>> sudoers file of the client is checked to see whether the logged-in user
>>>>> may sudo. Of course the username is not known there.
>>>>>
>>>> Not sure what exactly is your problem? Could you please rephrase and
>>>> show it with logs again?
>>>>
>>>> If you are using SSSD's sudo integration against IPA server, then here
>>>> is what you need to get it working on Fedora 18/19 and RHEL 6.4:
>>>>
>>>> 1. install libsss_sudo package
>>>>
>>>> 2. Add/change following line to /etc/nsswitch.conf
>>>>
>>>> sudoers: files sss
>>>>
>>>> 3. Make sure your /etc/sssd/sssd.conf looks like this example:
>>>> http://abbra.fedorapeople.org/.paste/sssd.conf.example
>>>>
>>>> 4. Restart sssd
>>>>
>>>> These are the only actions I needed to get sudo working for IPA
>>>> users on
>>>> Fedora 19 and RHEL 6.4.
>>>>
>>>> Please note that
>>>>     sudoers: files sss
>>>> gives you a chance to have local users configured in local sudoers. If
>>>> you don't want them to be able to use sudo, just change the line in
>>>> /etc/nsswitch.conf to
>>>>     sudoers: sss
>>>>
>>>>
>>>> --
>>>> / Alexander Bokovoy
>>>>
>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
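The check list in Pavel's reply and the nsswitch step in Alexander's, scripted as one added example (not code from the thread or from FreeIPA/SSSD): each check takes its input as an argument so it can be exercised on constructed data, and run_checks feeds it live values from the host; the IPA domain passed on the command line is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: scripts the check list from
# Pavel's reply. Each check takes its input as an argument so it can be run
# against constructed data; run_checks feeds it live values from this host.
# Usage (as root, so sudo -V prints its ldap.conf path):
#   sh check_ipa_sudo.sh ipa.example.test   # IPA domain is an assumption

# A hostname is treated as an FQDN when it contains at least one dot.
is_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# NIS domain ($1) must equal the IPA domain ($2); DNS names are
# case-insensitive, so compare lower-cased.
nis_matches_ipa() {
    [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# Print the sources on the sudoers: line of an nsswitch.conf ($1), ignoring
# comment lines; exit 1 when the line is missing entirely.
sudoers_sources() {
    awk '!/^[[:space:]]*#/ && $1 == "sudoers:" {
             sub(/^[[:space:]]*sudoers:[[:space:]]*/, ""); print; found = 1
         } END { exit !found }' "$1"
}

# sudo only consults IPA when sss or ldap is among the sources ($1).
has_remote_sudoers() {
    for src in $1; do
        case "$src" in sss|ldap) return 0 ;; esac
    done
    return 1
}

# Live run against this host; $1 is the IPA domain the client is enrolled in.
run_checks() {
    host=$(hostname -f 2>/dev/null || hostname)
    nis=$(cat /proc/sys/kernel/domainname 2>/dev/null || domainname)
    is_fqdn "$host" && echo "ok   hostname: $host" || echo "FAIL hostname is not an FQDN: $host"
    nis_matches_ipa "$nis" "$1" && echo "ok   NIS domain: $nis" || echo "FAIL NIS domain '$nis' != IPA domain '$1'"
    srcs=$(sudoers_sources /etc/nsswitch.conf) || srcs="(missing)"
    has_remote_sudoers "$srcs" && echo "ok   sudoers: $srcs" || echo "FAIL nsswitch sudoers line has no sss/ldap: $srcs"
    sudo -V 2>/dev/null | grep 'ldap.conf' || echo "info no ldap.conf path in sudo -V (not needed for sudo-sssd-ipa)"
}

if [ $# -ge 1 ]; then run_checks "$1"; fi
```

The log excerpt above (pam_sss authentication success followed by "user NOT in sudoers") is exactly the symptom of the sudoers source check failing: sudo authenticated the IPA user but never asked SSSD for the rules.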
