[Freeipa-users] Sudo command not working

Jakub Hrozek jhrozek at redhat.com
Wed Aug 12 14:26:14 UTC 2015


On Wed, Aug 12, 2015 at 07:44:15PM +0700, Dewangga Bachrul Alam wrote:
> Hello!
> 
> On 08/12/2015 07:36 PM, Jakub Hrozek wrote:
> > On Wed, Aug 12, 2015 at 07:30:52PM +0700, Dewangga Bachrul Alam wrote:
> >> Hello!
> >>
> >> I'm having a problem with the sudo command: the sudo command was successfully
> >> initiated, but the user is still asked for a password. For example:
> >>
> >> ipa-client $ sudo -l
> >> Matching Defaults entries for subhan on this host:
> >>     requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
> >> DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
> >>     PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
> >> LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
> >>     LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
> >> LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
> >>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
> >>
> >> User subhan may run the following commands on this host:
> >>     (subhan) NOPASSWD: /bin/tail, /usr/bin/tail
> >>
> >> ipa-server $ ipa user-show subhan
> >>   User login: subhan
> >>   First name: [REMOVED]
> >>   Last name: [REMOVED]
> >>   Home directory: /home/subhan
> >>   Login shell: /bin/bash
> >>   Email address: [REMOVED]
> >>   UID: 642000007
> >>   GID: 642000007
> >>   Job Title: Developer
> >>   Account disabled: False
> >>   Password: False
> >>   Member of groups: g_gmt_developer, developer
> >>   Member of Sudo rule: gmt_developer
> >>   Member of HBAC rule: gmt_webserver
> >>   Kerberos keys available: False
> >>   SSH public key fingerprint: [REMOVED]
> >>
> >> ipa-server $ ipa sudocmd-find
> >> -----------------------
> >> 2 Sudo Commands matched
> >> -----------------------
> >>   Sudo Command: /bin/tail
> >>   Sudo Command Groups: reading-files
> >>
> >>   Sudo Command: /usr/bin/tail
> >>   Sudo Command Groups: reading-files
> >>
> >> ipa-server $ ipa sudorule-show gmt_developer
> >>   Rule name: gmt_developer
> >>   Enabled: TRUE
> >>   Users: subhan
> >>   User Groups: g_gmt_developer
> >>   Host Groups: gmt_webserver
> >>   Sudo Allow Command Groups: reading-files
> >>   RunAs Users: subhan
> >>   Sudo Option: !authenticate
> >>
> >>
> >> ipa-client $ sudo tail -f /var/log/nginx/access.log
> >> [sudo] password for subhan:
> >> ipa-client $ sudo tail /var/log/nginx/access.log
> >> [sudo] password for subhan:
> >>
> >> There's no information in sssd_sudo.log about this issue.
> > 
> > In general sssd acts as a cache of the sudo rules; the decision to auth
> > or not is made by sudo. So on the sssd side you can make sure the sudo
> > option value was fetched, but you'll probably get more useful
> > debugging information from sudo itself.
> > 
> 
> Here is the sudo message from /var/log/secure :
> 
> Aug 12 19:41:05 rosaliaindah su: pam_unix(su-l:session): session opened
> for user subhan by dewangga(uid=0)
> Aug 12 19:41:14 rosaliaindah sudo: pam_unix(sudo:auth): conversation failed
> Aug 12 19:41:14 rosaliaindah sudo: pam_unix(sudo:auth): auth could not
> identify password for [subhan]
> Aug 12 19:41:14 rosaliaindah sudo: pam_sss(sudo:auth): authentication
> failure; logname=dewangga uid=642000007 euid=0 tty=/dev/pts/0
> ruser=subhan rhost= user=subhan
> Aug 12 19:41:14 rosaliaindah sudo: pam_sss(sudo:auth): received for user
> subhan: 7 (Authentication failure)
> Aug 12 19:41:14 rosaliaindah sudo: subhan : command not allowed ;
> TTY=pts/0 ; PWD=/home/subhan ; USER=root ; COMMAND=/bin/tail -f
> /var/log/nginx/error.log
> 
> The sudo option (!authenticate) should be working, because I can invoke
> the `sudo -l` command without a password. So I think sssd is not the problem.
> CMIIW. :)

Look into man sudo.conf; depending on your sudo version, the options to
enable debugging for sudo differ.
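As an added illustration of the point that sudo, not sssd, makes the authentication decision (this is example code written for this page, not code from the thread, sudo, SSSD or FreeIPA): a small model of sudo's rule matching, run over the `sudo -l` output and the /var/log/secure line quoted above. `sudo -l` reports the rule as `(subhan) NOPASSWD: /bin/tail, /usr/bin/tail`, i.e. it applies only when the target user is subhan, while the logged request carries `USER=root`, which is what `sudo tail ...` without `-u` asks for. The model is deliberately simplified (no host, group, wildcard or Defaults handling beyond a literal `ALL`), and the two regexes are assumptions about the shape of `sudo -l` output and sudo's syslog line, so treat it as a reading aid rather than a reimplementation.

```python
"""Model of how sudo matches a request against the rules `sudo -l` reports.

Example code added for this page, not code from the thread, sudo, SSSD or
FreeIPA. The two sample inputs are copied from the messages above.
"""
import re
from dataclasses import dataclass

# From the poster's `sudo -l` output (the "may run" section only).
SUDO_L_OUTPUT = """\
User subhan may run the following commands on this host:
    (subhan) NOPASSWD: /bin/tail, /usr/bin/tail
"""

# From the poster's /var/log/secure excerpt (one line, re-joined).
SECURE_LOG_LINE = (
    "Aug 12 19:41:14 rosaliaindah sudo: subhan : command not allowed ; "
    "TTY=pts/0 ; PWD=/home/subhan ; USER=root ; "
    "COMMAND=/bin/tail -f /var/log/nginx/error.log"
)


@dataclass(frozen=True)
class Rule:
    runas: str         # user the commands may be run as ("ALL" matches any)
    nopasswd: bool     # NOPASSWD tag, which is how the IPA option !authenticate shows up
    commands: tuple    # absolute command paths


# "(runas[:group]) [TAG: ...] /cmd, /cmd" -- the shape sudo -l prints per rule.
# Assumed format: it covers the lines on this page, not every sudoers construct.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

# Assumed format of sudo's syslog line; the "result ;" part is present on refusals.
LOG_RE = re.compile(
    r"sudo: (?P<user>\S+) : (?:(?P<result>[^;]*?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>\S+)"
)


def parse_sudo_l(text):
    """Turn the rule lines of `sudo -l` output into Rule objects."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue                                    # header / Defaults lines
        runas = m.group("runas").split(":")[0].strip()  # ignore the runas group part
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        cmds = tuple(c.strip() for c in m.group("cmds").split(","))
        rules.append(Rule(runas, "NOPASSWD" in tags, cmds))
    return rules


def parse_secure_log(line):
    """Extract the requesting user, target user and command from a sudo log line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a sudo command log line")
    return {"user": m["user"], "result": m["result"], "runas": m["runas"], "cmd": m["cmd"]}


def evaluate(rules, runas, command):
    """Return (allowed, needs_password) for a request to run `command` as `runas`.

    A rule only applies when both the command and the target user match; the
    NOPASSWD tag is consulted only on the matching rule. With no match sudo still
    asks for a password and then logs "command not allowed", as the log shows.
    """
    for rule in rules:
        if command in rule.commands and rule.runas in (runas, "ALL"):
            return True, not rule.nopasswd
    return False, True


def diagnose(sudo_l_text, log_line):
    """Explain a logged sudo request in terms of the rules sudo -l reported."""
    rules = parse_sudo_l(sudo_l_text)
    req = parse_secure_log(log_line)
    allowed, needs_pw = evaluate(rules, req["runas"], req["cmd"])
    return {
        "requested_runas": req["runas"],
        "command": req["cmd"],
        "allowed": allowed,
        "needs_password": needs_pw,
        "rule_runas": sorted({r.runas for r in rules if req["cmd"] in r.commands}),
    }


if __name__ == "__main__":
    print(diagnose(SUDO_L_OUTPUT, SECURE_LOG_LINE))
    # The same command requested as subhan hits the rule and, with NOPASSWD, does not prompt.
    print(evaluate(parse_sudo_l(SUDO_L_OUTPUT), "subhan", "/bin/tail"))
```

Run as-is, the script reports the logged request (`USER=root`, `/bin/tail`) as not allowed and password-requiring, and the only rule covering `/bin/tail` as having RunAs `subhan`; the same command evaluated with target user `subhan` matches and carries NOPASSWD. For sudo's own account of the decision, sudo.conf(5) on sudo 1.8 accepts a line of the form `Debug sudo /var/log/sudo_debug all@debug` (newer 1.8 releases also take a per-plugin form such as `Debug sudoers.so ...`); check the manual for the installed version, as the reply above says.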
