[Freeipa-users] unable to sudo

Craig White CWhite at skytouchtechnology.com
Thu Nov 6 15:42:25 UTC 2014 

As Bob pointed out in a direct e-mail to me, there was the detail of adding sudo and sss to /etc/nsswitch.conf but – once I did so, it pointed out that the Rackspace RHEL packaging that doesn’t provide what I need – possibly need from epel.

# yum search /usr/lib64/libsss_sudo.so
Loaded plugins: rhnplugin, security
This system is receiving updates from RHN Classic or RHN Satellite.
rackspace                                                | 1.3 kB     00:00
rackspace-rhel-x86_64-server-6.5.z-common                |  871 B     00:00
rackspace-rhel-x86_64-server-6.5.z-ius                   |  871 B     00:00
rhel-x86_64-server-6.5.z                                 | 1.5 kB     00:00
rhel-x86_64-server-optional-6.5.z                        | 1.5 kB     00:00
rhn-tools-rhel-x86_64-server-6.5.z                       | 1.3 kB     00:00
vmware-tools                                             |  951 B     00:00
Warning: No matches found for: /usr/lib64/libsss_sudo.so
No Matches found

Blockage identified, solution being searched

Craig White
System Administrator
O 623-201-8179   M 602-377-9752

[cid:image001.png at 01CF86FE.42D51630]

SkyTouch Technology     4225 E. Windrose Dr.     Phoenix, AZ 85032

From: tlau at tetrioncapital.com [mailto:tlau at tetrioncapital.com]
Sent: Wednesday, November 05, 2014 6:11 PM
To: Craig White; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] unable to sudo

Hi,

Did you config HBAC to allow sudo, then in sudo rules, allow your sudo command, next would be adding HBAC rules to user group‎?

Sent from my BlackBerry 10 smartphone.
From: Craig White
Sent: Thursday, 6 November, 2014 6:11 AM
To: freeipa-users at redhat.com<mailto:freeipa-users at redhat.com>
Subject: [Freeipa-users] unable to sudo


First 10 ipa clients I set up – no problem.

Set up 2 more, perhaps this is a problem with the fact that these 2 hosts were on a totally new VLAN and the firewall rules weren’t correct when I set them up.

Been through the part on sudo here…
http://www.freeipa.org/page/Troubleshooting

nisdomainname is correct on the machines and also in /etc/sysconfig/network

had to add ‘sudo’ to
[sssd]
services = nss, sudo, pam, ssh
and restarted sssd though I don’t know why it wasn’t added automatically

checked nsswitch.conf and netgroup is set to ‘files sss’

getent netgroup hgroup1
returns nothing on machines where sudo works and doesn’t work – can’t tell the difference.

Added ‘sudoers_debug 2’ to /etc/sudo_ldap.conf but don’t know where that logs

And finally, on a machine where ipa users cannot sudo…
# sudo -l
Matching Defaults entries for root on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User root may run the following commands on this host:
    (ALL) ALL

$ sudo -l
[sudo] password for craig.white:
Sorry, user craig.white may not run sudo on 599330-stash001.

Craig White
System Administrator
O 623-201-8179   M 602-377-9752

[cid:image001.png at 01CF86FE.42D51630]

SkyTouch Technology     4225 E. Windrose Dr.     Phoenix, AZ 85032



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20141106/b86e6fee/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 7660 bytes
Desc: image001.png
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20141106/b86e6fee/attachment.png>

More information about the Freeipa-users mailing list