[Freeipa-users] Sudo command not working

Dewangga Bachrul Alam dewanggaba at xtremenitro.org
Wed Aug 12 12:44:15 UTC 2015 

Hello!

On 08/12/2015 07:36 PM, Jakub Hrozek wrote:
> On Wed, Aug 12, 2015 at 07:30:52PM +0700, Dewangga Bachrul Alam wrote:
>> Hello!
>>
>> I'm having problem with sudo command, the sudo command was sucessfully
>> initiated. But user still requested for password. For example :
>>
>> ipa-client $ sudo -l
>> Matching Defaults entries for subhan on this host:
>>     requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
>> DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
>>     PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
>> LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
>>     LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
>> LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>>
>> User subhan may run the following commands on this host:
>>     (subhan) NOPASSWD: /bin/tail, /usr/bin/tail
>>
>> ipa-server $ ipa user-show subhan
>>   User login: subhan
>>   First name: [REMOVED]
>>   Last name: [REMOVED]
>>   Home directory: /home/subhan
>>   Login shell: /bin/bash
>>   Email address: [REMOVED]
>>   UID: 642000007
>>   GID: 642000007
>>   Job Title: Developer
>>   Account disabled: False
>>   Password: False
>>   Member of groups: g_gmt_developer, developer
>>   Member of Sudo rule: gmt_developer
>>   Member of HBAC rule: gmt_webserver
>>   Kerberos keys available: False
>>   SSH public key fingerprint: [REMOVED]
>>
>> ipa-server $ ipa sudocmd-find
>> -----------------------
>> 2 Sudo Commands matched
>> -----------------------
>>   Sudo Command: /bin/tail
>>   Sudo Command Groups: reading-files
>>
>>   Sudo Command: /usr/bin/tail
>>   Sudo Command Groups: reading-files
>>
>> ipa-server $ ipa sudorule-show gmt_developer
>>   Rule name: gmt_developer
>>   Enabled: TRUE
>>   Users: subhan
>>   User Groups: g_gmt_developer
>>   Host Groups: gmt_webserver
>>   Sudo Allow Command Groups: reading-files
>>   RunAs Users: subhan
>>   Sudo Option: !authenticate
>>
>>
>> ipa-client $ sudo tail -f /var/log/nginx/access.log
>> [sudo] password for subhan:
>> ipa-client $ sudo tail /var/log/nginx/access.log
>> [sudo] password for subhan:
>>
>> There's nothing information from sssd_sudo.log about this issue.
> 
> In general sssd acts as a cache of the sudo rules, the decision to auth
> or not is done by sudo. So on the sssd side you can make sure the sudo
> option value was fetched, but you'll probably get a more useful
> debugging from sudo itself.
> 

Here is the sudo message from /var/log/secure :

Aug 12 19:41:05 rosaliaindah su: pam_unix(su-l:session): session opened
for user subhan by dewangga(uid=0)
Aug 12 19:41:14 rosaliaindah sudo: pam_unix(sudo:auth): conversation failed
Aug 12 19:41:14 rosaliaindah sudo: pam_unix(sudo:auth): auth could not
identify password for [subhan]
Aug 12 19:41:14 rosaliaindah sudo: pam_sss(sudo:auth): authentication
failure; logname=dewangga uid=642000007 euid=0 tty=/dev/pts/0
ruser=subhan rhost= user=subhan
Aug 12 19:41:14 rosaliaindah sudo: pam_sss(sudo:auth): received for user
subhan: 7 (Authentication failure)
Aug 12 19:41:14 rosaliaindah sudo: subhan : command not allowed ;
TTY=pts/0 ; PWD=/home/subhan ; USER=root ; COMMAND=/bin/tail -f
/var/log/nginx/error.log

The sudo option (!authenticate) should be working, because I can invoke
`sudo -l` command without password. So I think sssd is not the problem.
CMIIW. :)

More information about the Freeipa-users mailing list