[Freeipa-users] Sudo command not working
Dewangga Bachrul Alam
dewanggaba at xtremenitro.org
Wed Aug 12 12:30:52 UTC 2015
Hello!
I'm having a problem with the sudo command. The sudo command was successfully
initiated, but the user is still asked for a password. For example:
ipa-client $ sudo -l
Matching Defaults entries for subhan on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User subhan may run the following commands on this host:
(subhan) NOPASSWD: /bin/tail, /usr/bin/tail
ipa-server $ ipa user-show subhan
User login: subhan
First name: [REMOVED]
Last name: [REMOVED]
Home directory: /home/subhan
Login shell: /bin/bash
Email address: [REMOVED]
UID: 642000007
GID: 642000007
Job Title: Developer
Account disabled: False
Password: False
Member of groups: g_gmt_developer, developer
Member of Sudo rule: gmt_developer
Member of HBAC rule: gmt_webserver
Kerberos keys available: False
SSH public key fingerprint: [REMOVED]
ipa-server $ ipa sudocmd-find
-----------------------
2 Sudo Commands matched
-----------------------
Sudo Command: /bin/tail
Sudo Command Groups: reading-files
Sudo Command: /usr/bin/tail
Sudo Command Groups: reading-files
ipa-server $ ipa sudorule-show gmt_developer
Rule name: gmt_developer
Enabled: TRUE
Users: subhan
User Groups: g_gmt_developer
Host Groups: gmt_webserver
Sudo Allow Command Groups: reading-files
RunAs Users: subhan
Sudo Option: !authenticate
ipa-client $ sudo tail -f /var/log/nginx/access.log
[sudo] password for subhan:
ipa-client $ sudo tail /var/log/nginx/access.log
[sudo] password for subhan:
There's no information in sssd_sudo.log about this issue.
ipa-server $ cat /etc/sssd/sssd.conf
... snip ...
[sudo]
debug_level = 7
... snip ...
FYI, running on IPA Server 4.1.4 on EL7.
$ ipa --version
VERSION: 4.1.4, API_VERSION: 2.114
$ uname -a
Linux [REMOVED] 3.10.0-229.7.2.el7.x86_64 #1 SMP Tue Jun 23 22:06:11 UTC
2015 x86_64 x86_64 x86_64 GNU/Linux
Any hints to debug and solve this issue? Any help is appreciated. :)