[Freeipa-users] Stuck getting sudo working with Ubuntu client

Andrew Sacamano asacamano at gmail.com
Fri Apr 17 17:32:00 UTC 2015


Hi everyone,


I've spent a couple of days digging around the web, watching logs, and
poking things, and I'm stuck getting sudo working with IPA on a new box
I've just set up. I have had it working in the past on a test box, but
something about this box is blocking me, and I can't for the life of me
figure out what.


The basic symptom is that I can log into the Ubuntu box as an IPA user, but
sudo is always denied:


[root@security-core-1 log]# ssh dru@jenkins
dru@jenkins's password:
...
Could not chdir to home directory /home/dru: No such file or directory
dru@jenkins:/$ sudo -l
[sudo] password for dru:
Sorry, user dru may not run sudo on jenkins.


I've appended version output, config files, sample logs, and ipa config -
which I think is all of the relevant material, but I'll gladly share more
if it's needed.


Thanks so much in advance for any debugging advice, hints, or help!


Cheers,


Andrew




===========

Version info

===========


Server:

# ipa --version
VERSION: 4.1.0, API_VERSION: 2.112

# cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)

Client:

# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.2 LTS"

# sssd --version
1.11.5




===========

hostname, nisdomainname, config files, etc.

===========


On the client:


# hostname
jenkins.us-ca1.prod.mydomain.com

# nisdomainname
mydomain.com

# getent netgroup rdn | grep $HOSTNAME
rdn                   (jenkins.us-ca1.prod.mydomain.com,-,mydomain.com)



# cat /etc/sssd/sssd.conf
[domain/mydomain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = jenkins.us-ca1.prod.mydomain.com
chpass_provider = ipa
ipa_server = _srv_, security-core-1.prod.mydomain.com
dns_discovery_domain = mydomain.com
sudo_provider = ipa

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = mydomain.com

[nss]

[pam]

[sudo]
debug_level = 9

[autofs]

[ssh]

[pac]

# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat sss
group:          compat sss
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files sss



===================

Host & group & user info in IPA

===================


# ipa host-show jenkins.us-ca1.prod.mydomain.com
  Host name: jenkins.us-ca1.prod.mydomain.com
  Certificate: ...
  Principal name: host/jenkins.us-ca1.prod.mydomain.com@MYDOMAIN.COM
  Password: False
  Member of host-groups: rdn
  Member of Sudo rule: priv_sudo_anywhere, dru_security
  Keytab: True
  Managed by: jenkins.us-ca1.prod.mydomain.com
  Subject: CN=jenkins.us-ca1.prod.mydomain.com,O=MYDOMAIN.COM
  Serial Number: 14
  Serial Number (hex): 0xE
  Issuer: CN=Certificate Authority,O=MYDOMAIN.COM
  Not Before: Fri Apr 10 17:43:10 2015 UTC
  Not After: Mon Apr 10 17:43:10 2017 UTC
  Fingerprint (MD5): ...
  Fingerprint (SHA1): ...
  SSH public key fingerprint: ...

# ipa sudorule-show priv_sudo_anywhere
  Rule name: priv_sudo_anywhere
  Description: Allow anyone with priv_sudo_anywhere to actually run sudo anywhere
  Enabled: TRUE
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: priv_sudo_anywhere
  Hosts: jenkins.us-ca1.prod.mydomain.com
  Host Groups: security, dev-infrastructure, rdn, dev, prod

# ipa group-show priv_sudo_anywhere
  Group name: priv_sudo_anywhere
  Description: Give the privilege to SSH anywhere.
  GID: 19000007
  Member users: dru, ...
  Member groups: role_prod_engineer
  Member of Sudo rule: priv_sudo_anywhere, ...
  Member of HBAC rule: sudo_anywhere_anywhere
  Indirect Member users: ....



===================

Relevant (I think) log entries

===================


# tail -f /var/log/sssd/sssd_sudo.log
...
(Fri Apr 17 17:20:16 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 0x15b6520
(Fri Apr 17 17:20:16 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching.
(Fri Apr 17 17:20:16 2015) [sssd[sudo]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
....

(From a different attempt to run sudo)

# tail -f /var/log/auth.log
...
Apr 17 17:20:55 jenkins sshd[3335]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=security-core-1.prod.mydomain.com  user=dru
Apr 17 17:20:55 jenkins sshd[3335]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=security-core-1.prod.mydomain.com user=dru
Apr 17 17:20:56 jenkins sshd[3335]: Accepted password for dru from 10.100.0.1 port 39910 ssh2
Apr 17 17:20:56 jenkins sshd[3335]: pam_unix(sshd:session): session opened for user dru by (uid=0)
Apr 17 17:20:56 jenkins sshd[3335]: pam_systemd(sshd:session): Failed to create session: No such file or directory
Apr 17 17:21:10 jenkins sudo: pam_unix(sudo:auth): authentication failure; logname=dru uid=19000001 euid=0 tty=/dev/pts/3 ruser=dru rhost=  user=dru
Apr 17 17:21:11 jenkins sudo: pam_sss(sudo:auth): authentication success; logname=dru uid=19000001 euid=0 tty=/dev/pts/3 ruser=dru rhost= user=dru
Apr 17 17:21:11 jenkins sudo:      dru : command not allowed ; TTY=pts/3 ; PWD=/ ; USER=root ; COMMAND=list
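An added example for readers of this thread (it is not part of Andrew's message and not FreeIPA, SSSD or sudo code): a Python model of the sudoHost / sudoUser matching a sudo client performs on an LDAP-style sudoRole, run against the values posted above. The rule is written in the form the IPA compat tree (ou=sudoers) exports, where host groups appear as `+netgroup` entries and the user group as `%group`; that tree is what an SSSD older than 1.12, such as the 1.11.5 on this client, reads for an IPA domain. Netgroup entries are resolved the way innetgr(3) does it, with the NIS domain from `nisdomainname`, which is why that value matters for IPA sudo. The client IP, the "host groups only" rule variant and the third NIS-domain scenario are constructed for illustration; command and RunAs matching are not modelled.

```python
#!/usr/bin/env python3
"""Model of the sudoHost / sudoUser checks a sudo client applies to an
LDAP-style sudoRole: ALL, plain names, shell wildcards, and +netgroup
entries resolved through innetgr(3) with the NIS domain from
getdomainname(2) (the value `nisdomainname` prints).

Example code written for this thread; it is not FreeIPA, SSSD or sudo
source. Every input below is constructed from the values in the post.
"""
import fnmatch

# Host identity as sudo sees it. The post gives hostname and nisdomainname;
# the client IP is an assumption (only the server side, 10.100.0.1, is shown).
HOST = {"fqdn": "jenkins.us-ca1.prod.mydomain.com", "short": "jenkins",
        "ips": {"10.100.0.2"}}
USER = {"name": "dru", "groups": {"priv_sudo_anywhere", "role_prod_engineer"}}

# Triples (host, user, domain) exactly as `getent netgroup rdn` printed them.
NETGROUPS = {"rdn": [("jenkins.us-ca1.prod.mydomain.com", "-", "mydomain.com")]}

# priv_sudo_anywhere in compat-tree form: host groups become +netgroup
# entries, the user group becomes %group.
RULE = {
    "cn": "priv_sudo_anywhere",
    "sudoUser": ["%priv_sudo_anywhere"],
    "sudoHost": ["jenkins.us-ca1.prod.mydomain.com", "+security",
                 "+dev-infrastructure", "+rdn", "+dev", "+prod"],
    "sudoCommand": ["ALL"],
}
# Constructed variant: the same rule reaching this host only through its
# host groups, without the explicit host entry.
HOSTGROUP_ONLY_RULE = dict(RULE, cn="priv_sudo_anywhere(hostgroups only)",
                           sudoHost=[h for h in RULE["sudoHost"] if h.startswith("+")])


def innetgr(triples, host=None, user=None, domain=None):
    """innetgr(3) as glibc implements it: an argument passed as None is not
    compared; an empty triple field is a wildcard; a field spelled '-'
    holds no value and therefore never matches a real name."""
    for triple in triples:
        if all(want is None or have == "" or have == want
               for want, have in zip((host, user, domain), triple)):
            return True
    return False


def nis_domain_for_match(nisdomainname):
    """sudo treats an unset domain ('(none)' or empty) as 'no domain' and
    then skips the domain field of every triple."""
    return None if nisdomainname in ("", "(none)") else nisdomainname


def host_matches(sudo_host, host, nis_domain, netgroups):
    """One sudoHost value against this host. Name comparison is
    case-insensitive; '!' negation and CIDR values are not modelled."""
    if sudo_host == "ALL":
        return True
    if sudo_host.startswith("+"):
        triples = netgroups.get(sudo_host[1:], [])
        return any(innetgr(triples, host=n, domain=nis_domain)
                   for n in (host["fqdn"], host["short"]))
    names = (host["fqdn"].lower(), host["short"].lower())
    value = sudo_host.lower()
    if any(c in value for c in "*?["):
        return any(fnmatch.fnmatchcase(n, value) for n in names)
    return value in names or sudo_host in host["ips"]


def user_matches(sudo_user, user, nis_domain, netgroups):
    """One sudoUser value: ALL, %group, +netgroup (user field), or a name."""
    if sudo_user == "ALL":
        return True
    if sudo_user.startswith("%"):
        return sudo_user[1:] in user["groups"]
    if sudo_user.startswith("+"):
        return innetgr(netgroups.get(sudo_user[1:], []),
                       user=user["name"], domain=nis_domain)
    return sudo_user == user["name"]


def evaluate(rule, host, user, nisdomainname, netgroups):
    """Return (matching sudoHost values, matching sudoUser values).
    sudo only considers the rule when both lists are non-empty."""
    dom = nis_domain_for_match(nisdomainname)
    host_hit = [h for h in rule["sudoHost"] if host_matches(h, host, dom, netgroups)]
    user_hit = [u for u in rule["sudoUser"] if user_matches(u, user, dom, netgroups)]
    return host_hit, user_hit


if __name__ == "__main__":
    cases = [(RULE, "mydomain.com"),                                 # the post's values
             (RULE, "(none)"),                                       # nisdomainname never set
             (HOSTGROUP_ONLY_RULE, "us-ca1.prod.mydomain.com")]      # wrong NIS domain
    for rule, dom in cases:
        hosts, users = evaluate(rule, HOST, USER, dom, NETGROUPS)
        verdict = "applies" if hosts and users else "does NOT apply"
        print(f"{rule['cn']}: nisdomainname={dom!r} host via {hosts}, "
              f"user via {users} -> {verdict}")
```

With the posted values (nisdomainname `mydomain.com`, triple domain `mydomain.com`, the host listed both directly and via `rdn`) both sides of priv_sudo_anywhere match, so under this model the rule should satisfy sudo's checks; the third case shows the silent failure you get when the NIS domain disagrees with the netgroup triples and the host is reached only through host groups. If matching is fine and `sudo -l` still reports "command not allowed", the rule is not reaching sudo at all, and the lookup that fetches rules from the server runs in the SSSD backend, whose log is controlled by `debug_level` in the `[domain/...]` section (sssd_mydomain.com.log), not by the `[sudo]` responder section whose log only shows the ping traffic above.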