[Freeipa-users] unable to sudo
Craig White
CWhite at skytouchtechnology.com
Thu Nov 6 15:42:25 UTC 2014
As Bob pointed out in a direct e-mail to me, there was the detail of adding sudo and sss to /etc/nsswitch.conf, but once I did so, it pointed out that the Rackspace RHEL packaging doesn’t provide what I need – possibly needed from epel.
# yum search /usr/lib64/libsss_sudo.so
Loaded plugins: rhnplugin, security
This system is receiving updates from RHN Classic or RHN Satellite.
rackspace | 1.3 kB 00:00
rackspace-rhel-x86_64-server-6.5.z-common | 871 B 00:00
rackspace-rhel-x86_64-server-6.5.z-ius | 871 B 00:00
rhel-x86_64-server-6.5.z | 1.5 kB 00:00
rhel-x86_64-server-optional-6.5.z | 1.5 kB 00:00
rhn-tools-rhel-x86_64-server-6.5.z | 1.3 kB 00:00
vmware-tools | 951 B 00:00
Warning: No matches found for: /usr/lib64/libsss_sudo.so
No Matches found
Blockage identified, solution being searched for.
Craig White
System Administrator
O 623-201-8179 M 602-377-9752
SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032
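A small check for the two client-side settings this thread turns on (the 'sudoers: files sss' entry in /etc/nsswitch.conf and 'sudo' in the [sssd] services list) plus the libsss_sudo.so plugin that the Rackspace repos did not carry. This is an added example, not from any of the posts; the sample config files, the temp-dir paths and the example.test domain are constructed so it runs offline, and real paths can be passed instead.

```shell
#!/bin/sh
# Added diagnostic for this thread (not from the list posts): checks the two
# client-side settings sudo-via-SSSD depends on, plus the plugin library that
# was missing from the Rackspace repos. Sample config files are constructed
# below so it runs offline; paths are arguments, so real files work too.

# 0 if the "sudoers:" line of an nsswitch.conf names the sss source.
nsswitch_sudoers_has_sss() {
    awk '/^[ \t]*#/ { next }
         $1 == "sudoers:" { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
         END { if (found) exit 0; exit 1 }' "$1"
}

# 0 if "services" in the [sssd] section of an sssd.conf includes sudo.
sssd_services_has_sudo() {
    awk '/^[ \t]*#/ { next }
         /^\[/ { in_sssd = ($1 == "[sssd]"); next }
         in_sssd && /^[ \t]*services[ \t]*=/ {
             sub(/^[^=]*=/, ""); gsub(/,/, " ")   # keep only the service names
             for (i = 1; i <= NF; i++) if ($i == "sudo") found = 1
         }
         END { if (found) exit 0; exit 1 }' "$1"
}

# Prints one line per missing prerequisite; returns the number of problems.
check_sudo_via_sssd() {
    problems=0
    nsswitch_sudoers_has_sss "$1" || { echo "nsswitch.conf: 'sudoers:' line does not list sss"; problems=$((problems + 1)); }
    sssd_services_has_sudo "$2"  || { echo "sssd.conf: [sssd] services does not include sudo"; problems=$((problems + 1)); }
    [ -e "$3" ] || { echo "$3 not installed (sudo cannot query SSSD without it)"; problems=$((problems + 1)); }
    return "$problems"
}

# Constructed samples: nsswitch.conf already fixed, sssd.conf still missing sudo,
# and no libsss_sudo.so present, so two problems are reported.
tmp=$(mktemp -d)
printf 'passwd:   files sss\nsudoers:  files sss\nnetgroup: files sss\n' > "$tmp/nsswitch.conf"
printf '[sssd]\nservices = nss, pam, ssh\ndomains = example.test\n\n[sudo]\n' > "$tmp/sssd.conf"
if check_sudo_via_sssd "$tmp/nsswitch.conf" "$tmp/sssd.conf" "$tmp/libsss_sudo.so"; then
    echo "sudo-via-SSSD prerequisites present"
fi
```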
From: tlau at tetrioncapital.com
Sent: Wednesday, November 05, 2014 6:11 PM
To: Craig White; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] unable to sudo
Hi,
Did you configure HBAC to allow sudo, then in the sudo rules allow your sudo command, and next add the HBAC rules to the user group?
From: Craig White
Sent: Thursday, 6 November, 2014 6:11 AM
To: freeipa-users at redhat.com
Subject: [Freeipa-users] unable to sudo
First 10 ipa clients I set up – no problem.
Set up 2 more, perhaps this is a problem with the fact that these 2 hosts were on a totally new VLAN and the firewall rules weren’t correct when I set them up.
Been through the part on sudo here…
http://www.freeipa.org/page/Troubleshooting
nisdomainname is correct on the machines and also in /etc/sysconfig/network
had to add ‘sudo’ to
[sssd]
services = nss, sudo, pam, ssh
and restarted sssd though I don’t know why it wasn’t added automatically
checked nsswitch.conf and netgroup is set to ‘files sss’
getent netgroup hgroup1
returns nothing on machines where sudo works and doesn’t work – can’t tell the difference.
Added ‘sudoers_debug 2’ to /etc/sudo_ldap.conf but don’t know where that logs
And finally, on a machine where ipa users cannot sudo…
# sudo -l
Matching Defaults entries for root on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User root may run the following commands on this host:
(ALL) ALL
$ sudo -l
[sudo] password for craig.white:
Sorry, user craig.white may not run sudo on 599330-stash001.