[Freeipa-users] Sudo command not working

Dewangga Bachrul Alam dewanggaba at xtremenitro.org
Wed Aug 12 12:30:52 UTC 2015


Hello!

I'm having a problem with the sudo command: the sudo command was successfully
initiated, but the user is still prompted for a password. For example:

ipa-client $ sudo -l
Matching Defaults entries for subhan on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User subhan may run the following commands on this host:
    (subhan) NOPASSWD: /bin/tail, /usr/bin/tail

ipa-server $ ipa user-show subhan
  User login: subhan
  First name: [REMOVED]
  Last name: [REMOVED]
  Home directory: /home/subhan
  Login shell: /bin/bash
  Email address: [REMOVED]
  UID: 642000007
  GID: 642000007
  Job Title: Developer
  Account disabled: False
  Password: False
  Member of groups: g_gmt_developer, developer
  Member of Sudo rule: gmt_developer
  Member of HBAC rule: gmt_webserver
  Kerberos keys available: False
  SSH public key fingerprint: [REMOVED]

ipa-server $ ipa sudocmd-find
-----------------------
2 Sudo Commands matched
-----------------------
  Sudo Command: /bin/tail
  Sudo Command Groups: reading-files

  Sudo Command: /usr/bin/tail
  Sudo Command Groups: reading-files

ipa-server $ ipa sudorule-show gmt_developer
  Rule name: gmt_developer
  Enabled: TRUE
  Users: subhan
  User Groups: g_gmt_developer
  Host Groups: gmt_webserver
  Sudo Allow Command Groups: reading-files
  RunAs Users: subhan
  Sudo Option: !authenticate


ipa-client $ sudo tail -f /var/log/nginx/access.log
[sudo] password for subhan:
ipa-client $ sudo tail /var/log/nginx/access.log
[sudo] password for subhan:

There's no information in sssd_sudo.log about this issue.

ipa-server $ cat /etc/sssd/sssd.conf

... snip ...
[sudo]
debug_level = 7
... snip ...

FYI, running on IPA Server 4.1.4 on EL7.
$ ipa --version
VERSION: 4.1.4, API_VERSION: 2.114

$ uname -a
Linux [REMOVED] 3.10.0-229.7.2.el7.x86_64 #1 SMP Tue Jun 23 22:06:11 UTC
2015 x86_64 x86_64 x86_64 GNU/Linux

Any hints to debug and solve this issue? Any help is appreciated. :)



