[Freeipa-users] unable to sudo

Dmitri Pal dpal at redhat.com
Thu Nov 6 03:34:18 UTC 2014


On 11/05/2014 05:05 PM, Craig White wrote:
>
> First 10 ipa clients I set up -- no problem.
>
> Set up 2 more, perhaps this is a problem with the fact that these 2 
> hosts were on a totally new VLAN and the firewall rules weren't 
> correct when I set them up.
>
> Been through the part on sudo here...
>
> http://www.freeipa.org/page/Troubleshooting
>
> nisdomainname is correct on the machines and also in 
> /etc/sysconfig/network
>
> had to add 'sudo' to
>
> [sssd]
>
> services = nss, sudo, pam, ssh
>
> and restarted sssd though I don't know why it wasn't added automatically
>
> checked nsswitch.conf and netgroup is set to 'files sss'
>
> getent netgroup hgroup1
>
> returns nothing on machines where sudo works and doesn't work -- can't 
> tell the difference.
>
> Added 'sudoers_debug 2' to /etc/sudo_ldap.conf but don't know where 
> that logs
>
> And finally, on a machine where ipa users cannot sudo...
>
> # sudo -l
>
> Matching Defaults entries for root on this host:
>
>     requiretty, !visiblepw, always_set_home, env_reset, 
> env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
>
>     env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", 
> env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
>
>     env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", 
> env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>
> secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>
> User root may run the following commands on this host:
>
>     (ALL) ALL
>
> $ sudo -l
>
> [sudo] password for craig.white:
>
> Sorry, user craig.white may not run sudo on 599330-stash001.
>
> Craig White
>
> System Administrator
>
> O623-201-8179 M602-377-9752
>
> SkyTouch Technology 4225 E. Windrose Dr.     Phoenix, AZ 85032
>
>
>

What is the OS and version of this machine?
Raise the debug_level to 7 or higher in SSSD config and send the 
sanitized logs.
The full SSSD config file will also help.

BTW it is more a question for the SSSD user list.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
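
Added example, not part of the original message or of SSSD/FreeIPA: a small check for the two sssd.conf points raised in this thread, that 'sudo' is listed in the [sssd] services line and that debug_level is 7 or higher. The sample config, the domain name example.test, the function name, and the choice to check the [sudo] and [domain/...] sections are assumptions made for illustration; only plain numeric debug levels are evaluated.

```python
import configparser

# Constructed sample: 'sudo' is missing from services; domain is a placeholder.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam, ssh
domains = example.test

[domain/example.test]
debug_level = 2

[sudo]
"""

MIN_DEBUG_LEVEL = 7  # the reply asks for debug_level 7 or higher


def audit_sssd_conf(text, min_level=MIN_DEBUG_LEVEL):
    """Return a list of findings for an sssd.conf given as a string."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    findings = []
    if not cfg.has_section("sssd"):
        return ["no [sssd] section found"]

    # The original poster had to add 'sudo' to this list by hand.
    services = [s.strip() for s in cfg.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        findings.append("[sssd] services does not include 'sudo'")

    # Assumption: the sudo responder and each domain section are the ones
    # whose logs matter here, so debug_level is checked in those sections.
    wanted = ["sudo"] + [s for s in cfg.sections() if s.startswith("domain/")]
    for section in wanted:
        if not cfg.has_section(section):
            findings.append(f"[{section}] section missing, debug_level not set")
            continue
        raw = cfg.get(section, "debug_level", fallback=None)
        if raw is None or not raw.strip().isdigit():
            findings.append(f"[{section}] debug_level unset or not a plain number")
        elif int(raw) < min_level:
            findings.append(f"[{section}] debug_level {raw.strip()} is below {min_level}")
    return findings


if __name__ == "__main__":
    for line in audit_sssd_conf(SAMPLE_SSSD_CONF):
        print(line)
```

To check a real client, pass the contents of its SSSD config file to audit_sssd_conf() instead of the sample string.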
