[Freeipa-users] Stuck getting sudo working with Ubuntu client
Andrew Sacamano
asacamano at gmail.com
Fri Apr 17 17:32:00 UTC 2015
Hi everyone,
I've spent a couple of days digging around the web, watching logs, and
poking things, and I'm stuck getting sudo working with IPA on a new box
I've just set up. I have had it working in the past on a test box, but
something about this box is blocking me, and I can't for the life of me
figure out what.
The basic symptom is that I can log into the Ubuntu box as an IPA user, but
sudo is always denied:
[root@security-core-1 log]# ssh dru@jenkins
dru@jenkins's password:
...
Could not chdir to home directory /home/dru: No such file or directory
dru@jenkins:/$ sudo -l
[sudo] password for dru:
Sorry, user dru may not run sudo on jenkins.
I've appended version output, config files, sample logs, and ipa config -
which I think is all of the relevant material, but I'll gladly share more
if it's needed.
Thanks so much in advance for any debugging advice, hints, or help!
Cheers,
Andrew
===========
Version info
===========
Server:
# ipa --version
VERSION: 4.1.0, API_VERSION: 2.112
# cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)
Client:
# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.2 LTS"
# sssd --version
1.11.5
===========
hostname, nisdomainname, config files, etc.
===========
On the client:
# hostname
jenkins.us-ca1.prod.mydomain.com
# nisdomainname
mydomain.com
# getent netgroup rdn | grep $HOSTNAME
rdn (jenkins.us-ca1.prod.mydomain.com,-,mydomain.com)
# cat /etc/sssd/sssd.conf
[domain/mydomain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = jenkins.us-ca1.prod.mydomain.com
chpass_provider = ipa
ipa_server = _srv_, security-core-1.prod.mydomain.com
dns_discovery_domain = mydomain.com
sudo_provider=ipa
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = mydomain.com
[nss]
[pam]
[sudo]
debug_level = 9
[autofs]
[ssh]
[pac]
# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat sss
group: compat sss
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: files sss
===================
Host & group & user info in IPA
===================
# ipa host-show jenkins.us-ca1.prod.mydomain.com
Host name: jenkins.us-ca1.prod.mydomain.com
Certificate: ...
Principal name: host/jenkins.us-ca1.prod.mydomain.com@MYDOMAIN.COM
Password: False
Member of host-groups: rdn
Member of Sudo rule: priv_sudo_anywhere, dru_security
Keytab: True
Managed by: jenkins.us-ca1.prod.mydomain.com
Subject: CN=jenkins.us-ca1.prod.mydomain.com,O=MYDOMAIN.COM
Serial Number: 14
Serial Number (hex): 0xE
Issuer: CN=Certificate Authority,O=MYDOMAIN.COM
Not Before: Fri Apr 10 17:43:10 2015 UTC
Not After: Mon Apr 10 17:43:10 2017 UTC
Fingerprint (MD5): ...
Fingerprint (SHA1): ...
SSH public key fingerprint: ...
# ipa sudorule-show priv_sudo_anywhere
Rule name: priv_sudo_anywhere
Description: Allow anyone with priv_sudo_anywhere to actually run sudo anywhere
Enabled: TRUE
Command category: all
RunAs User category: all
RunAs Group category: all
User Groups: priv_sudo_anywhere
Hosts: jenkins.us-ca1.prod.mydomain.com
Host Groups: security, dev-infrastructure, rdn, dev, prod
# ipa group-show priv_sudo_anywhere
Group name: priv_sudo_anywhere
Description: Give the privilege to SSH anywhere.
GID: 19000007
Member users: dru, ...
Member groups: role_prod_engineer
Member of Sudo rule: priv_sudo_anywhere, ...
Member of HBAC rule: sudo_anywhere_anywhere
Indirect Member users: ....
===================
Relevant (I think) log entries
===================
# tail -f /var/log/sssd/sssd_sudo.log
...
(Fri Apr 17 17:20:16 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 0x15b6520
(Fri Apr 17 17:20:16 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching.
(Fri Apr 17 17:20:16 2015) [sssd[sudo]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
....
(From a different attempt to run sudo)
# tail -f /var/log/auth.log
...
Apr 17 17:20:55 jenkins sshd[3335]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=security-core-1.prod.mydomain.com user=dru
Apr 17 17:20:55 jenkins sshd[3335]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=security-core-1.prod.mydomain.com user=dru
Apr 17 17:20:56 jenkins sshd[3335]: Accepted password for dru from 10.100.0.1 port 39910 ssh2
Apr 17 17:20:56 jenkins sshd[3335]: pam_unix(sshd:session): session opened for user dru by (uid=0)
Apr 17 17:20:56 jenkins sshd[3335]: pam_systemd(sshd:session): Failed to create session: No such file or directory
Apr 17 17:21:10 jenkins sudo: pam_unix(sudo:auth): authentication failure; logname=dru uid=19000001 euid=0 tty=/dev/pts/3 ruser=dru rhost= user=dru
Apr 17 17:21:11 jenkins sudo: pam_sss(sudo:auth): authentication success; logname=dru uid=19000001 euid=0 tty=/dev/pts/3 ruser=dru rhost= user=dru
Apr 17 17:21:11 jenkins sudo: dru : command not allowed ; TTY=pts/3 ; PWD=/ ; USER=root ; COMMAND=list
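Added example (editor's note, not part of the post above or of the FreeIPA/SSSD projects): a small POSIX sh script that checks each link of the sudo -> libsss_sudo -> sssd sudo responder -> IPA chain from the files the post quotes. The sample nsswitch.conf, sssd.conf and sssd_sudo.log contents below are constructed from the post; the counter-example log line with the function name `example_responder_fn` is made up to show what a real query would add. The point it demonstrates is visible in the posted log: a sssd_sudo.log at debug_level 9 that contains only `sbus_*` ping/dispatch traffic means the sudo binary never queried sssd at all, which is a client-side plugin/nsswitch problem rather than an IPA rule problem.

```shell
#!/bin/sh
# Added example, not from the original post: offline checks of the
# sudo -> sssd -> IPA path on an enrolled client. Every check takes a file
# path, so it runs against the real files under /etc and /var/log/sssd as
# well as against the constructed samples below.

# nsswitch.conf must send sudoers lookups to the 'sss' source. sudo loads
# libsss_sudo.so for that source; if the library is absent the entry is
# silently ignored and every IPA sudo rule is invisible to sudo.
nsswitch_has_sss_sudoers() {
    grep -Eq '^[[:space:]]*sudoers:.*[[:space:]]sss([[:space:]]|$)' "$1"
}

# sssd.conf needs the sudo responder listed in [sssd] services and a
# sudo_provider (ipa or ldap) in the domain section; either missing = no rules.
sssd_conf_sudo_ok() {
    grep -Eq '^[[:space:]]*services[[:space:]]*=(.*[[:space:],])?sudo([[:space:],]|$)' "$1" &&
    grep -Eq '^[[:space:]]*sudo_provider[[:space:]]*=[[:space:]]*(ipa|ldap)[[:space:]]*$' "$1"
}

# The sudo-side plugin library (package libsss-sudo on Debian/Ubuntu).
# Paths are the usual multiarch and lib64 locations; adjust for other layouts.
sss_sudo_lib_present() {
    for p in /usr/lib/x86_64-linux-gnu/libsss_sudo.so /usr/lib/libsss_sudo.so \
             /usr/lib64/libsss_sudo.so; do
        [ -e "$p" ] && return 0
    done
    return 1
}

# sssd_sudo.log at debug_level 9: a query from sudo leaves log lines from
# responder functions other than the sbus_* D-Bus plumbing. A log holding
# only sbus_* lines (ping, dispatch) means sudo never asked sssd.
# Returns 0 when at least one non-sbus function of sssd[sudo] logged.
sudo_log_has_responder_activity() {
    grep -E '\[sssd\[sudo\]\] \[[A-Za-z0-9_]+\]' "$1" | grep -Evq '\[sbus_[A-Za-z0-9_]+\]'
}

# --- constructed samples (taken from the post), written to a temp dir ---
SAMPLE_DIR=$(mktemp -d)
SAMPLE_NSSWITCH="$SAMPLE_DIR/nsswitch.conf"
SAMPLE_SSSD="$SAMPLE_DIR/sssd.conf"
SAMPLE_LOG_PING_ONLY="$SAMPLE_DIR/sssd_sudo.log"
SAMPLE_LOG_WITH_QUERY="$SAMPLE_DIR/sssd_sudo_query.log"

cat > "$SAMPLE_NSSWITCH" <<'EOF'
passwd: compat sss
group: compat sss
netgroup: nis sss
sudoers: files sss
EOF

cat > "$SAMPLE_SSSD" <<'EOF'
[domain/mydomain.com]
id_provider = ipa
sudo_provider=ipa
[sssd]
services = nss, pam, ssh, sudo
domains = mydomain.com
[sudo]
debug_level = 9
EOF

# Log lines as posted: the responder saw nothing but D-Bus pings.
cat > "$SAMPLE_LOG_PING_ONLY" <<'EOF'
(Fri Apr 17 17:20:16 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 0x15b6520
(Fri Apr 17 17:20:16 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching.
(Fri Apr 17 17:20:16 2015) [sssd[sudo]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
EOF

# Hypothetical counter-example: the same pings plus one line from a made-up
# responder function name, standing in for what a real sudo query would add.
{ cat "$SAMPLE_LOG_PING_ONLY"
  echo '(Fri Apr 17 17:21:10 2015) [sssd[sudo]] [example_responder_fn] (0x0400): constructed sample line'
} > "$SAMPLE_LOG_WITH_QUERY"

# Run every check, print a verdict per line, return the number of failures.
run_checks() {
    fails=0
    for check in "nsswitch_has_sss_sudoers $1" "sssd_conf_sudo_ok $2" \
                 "sudo_log_has_responder_activity $3" "sss_sudo_lib_present"; do
        if $check; then echo "ok   $check"; else echo "FAIL $check"; fails=$((fails + 1)); fi
    done
    return $fails
}

run_checks "$SAMPLE_NSSWITCH" "$SAMPLE_SSSD" "$SAMPLE_LOG_PING_ONLY" || echo "$? check(s) failed"
```

Run against the posted samples, the nsswitch and sssd.conf checks pass and the log check fails, which is the signal to look at the client side (is libsss_sudo.so installed, and does `sudo -l` with `sudoers: files sss` actually reach sssd) before touching the rules in IPA. Once the responder does log a query, the next thing to inspect is what sssd cached: `sss_cache -E` clears the cache, and `ldbsearch -H /var/lib/sss/db/cache_mydomain.com.ldb '(objectClass=sudoRule)'` (from ldb-tools) shows the rules the client actually downloaded, so a rule that is fine in `ipa sudorule-show` but absent here points at host/hostgroup matching on the client rather than at the rule itself.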