[Freeipa-users] Sudo command not working
Dewangga Bachrul Alam
dewanggaba at xtremenitro.org
Thu Aug 13 08:01:40 UTC 2015
Hello!
Should I reboot the machine after changing sudo.conf file?
On 08/12/2015 09:26 PM, Jakub Hrozek wrote:
> On Wed, Aug 12, 2015 at 07:44:15PM +0700, Dewangga Bachrul Alam wrote:
>> Hello!
>>
>> On 08/12/2015 07:36 PM, Jakub Hrozek wrote:
>>> On Wed, Aug 12, 2015 at 07:30:52PM +0700, Dewangga Bachrul Alam wrote:
>>>> Hello!
>>>>
>>>> I'm having a problem with the sudo command: the sudo command was successfully
>>>> initiated, but the user is still prompted for a password. For example:
>>>>
>>>> ipa-client $ sudo -l
>>>> Matching Defaults entries for subhan on this host:
>>>> requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
>>>> DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
>>>> PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
>>>> LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
>>>> LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
>>>> LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>>>> secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>>>>
>>>> User subhan may run the following commands on this host:
>>>> (subhan) NOPASSWD: /bin/tail, /usr/bin/tail
>>>>
>>>> ipa-server $ ipa user-show subhan
>>>> User login: subhan
>>>> First name: [REMOVED]
>>>> Last name: [REMOVED]
>>>> Home directory: /home/subhan
>>>> Login shell: /bin/bash
>>>> Email address: [REMOVED]
>>>> UID: 642000007
>>>> GID: 642000007
>>>> Job Title: Developer
>>>> Account disabled: False
>>>> Password: False
>>>> Member of groups: g_gmt_developer, developer
>>>> Member of Sudo rule: gmt_developer
>>>> Member of HBAC rule: gmt_webserver
>>>> Kerberos keys available: False
>>>> SSH public key fingerprint: [REMOVED]
>>>>
>>>> ipa-server $ ipa sudocmd-find
>>>> -----------------------
>>>> 2 Sudo Commands matched
>>>> -----------------------
>>>> Sudo Command: /bin/tail
>>>> Sudo Command Groups: reading-files
>>>>
>>>> Sudo Command: /usr/bin/tail
>>>> Sudo Command Groups: reading-files
>>>>
>>>> ipa-server $ ipa sudorule-show gmt_developer
>>>> Rule name: gmt_developer
>>>> Enabled: TRUE
>>>> Users: subhan
>>>> User Groups: g_gmt_developer
>>>> Host Groups: gmt_webserver
>>>> Sudo Allow Command Groups: reading-files
>>>> RunAs Users: subhan
>>>> Sudo Option: !authenticate
>>>>
>>>>
>>>> ipa-client $ sudo tail -f /var/log/nginx/access.log
>>>> [sudo] password for subhan:
>>>> ipa-client $ sudo tail /var/log/nginx/access.log
>>>> [sudo] password for subhan:
>>>>
>>>> There's no information in sssd_sudo.log about this issue.
>>>
>>> In general sssd acts as a cache of the sudo rules; the decision to auth
>>> or not is done by sudo. So on the sssd side you can make sure the sudo
>>> option value was fetched, but you'll probably get more useful
>>> debugging output from sudo itself.
>>>
>>
>> Here is the sudo message from /var/log/secure :
>>
>> Aug 12 19:41:05 rosaliaindah su: pam_unix(su-l:session): session opened
>> for user subhan by dewangga(uid=0)
>> Aug 12 19:41:14 rosaliaindah sudo: pam_unix(sudo:auth): conversation failed
>> Aug 12 19:41:14 rosaliaindah sudo: pam_unix(sudo:auth): auth could not
>> identify password for [subhan]
>> Aug 12 19:41:14 rosaliaindah sudo: pam_sss(sudo:auth): authentication
>> failure; logname=dewangga uid=642000007 euid=0 tty=/dev/pts/0
>> ruser=subhan rhost= user=subhan
>> Aug 12 19:41:14 rosaliaindah sudo: pam_sss(sudo:auth): received for user
>> subhan: 7 (Authentication failure)
>> Aug 12 19:41:14 rosaliaindah sudo: subhan : command not allowed ;
>> TTY=pts/0 ; PWD=/home/subhan ; USER=root ; COMMAND=/bin/tail -f
>> /var/log/nginx/error.log
>>
>> The sudo option (!authenticate) should be working, because I can invoke
>> `sudo -l` command without password. So I think sssd is not the problem.
>> CMIIW. :)
>
> Look into man sudo.conf, depending on your sudo version the options to
> enable debugging for sudo differ.
>
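The `sudo -l` listing and the /var/log/secure denial quoted above carry enough information to cross-check a refusal mechanically. The script below is an added example (not code from the thread, nor from FreeIPA, sssd or sudo): it parses the privilege lines of `sudo -l` into their RunAs users, tags and commands, parses sudo's "command not allowed" audit lines, and reports whether the refused binary is unlisted or is listed only for a different RunAs user than the one the request targeted. The sample input is constructed from the lines quoted in the thread; the regular expressions assume the exact output formats shown there.

```python
import re
from typing import Dict, List

# Constructed sample input, assembled from the lines quoted in the thread
# (the `sudo -l` privilege line and the /var/log/secure denial), not fresh data.
SUDO_L_OUTPUT = """\
User subhan may run the following commands on this host:
    (subhan) NOPASSWD: /bin/tail, /usr/bin/tail
"""

SECURE_LOG = """\
Aug 12 19:41:14 rosaliaindah sudo: pam_unix(sudo:auth): conversation failed
Aug 12 19:41:14 rosaliaindah sudo: subhan : command not allowed ; TTY=pts/0 ; PWD=/home/subhan ; USER=root ; COMMAND=/bin/tail -f /var/log/nginx/error.log
"""

# One privilege line of `sudo -l`: "(runas_users [: runas_groups]) [TAG: ...] cmd, cmd"
PRIV_RE = re.compile(r"^\s*\(([^)]*)\)\s+((?:[A-Z]+:\s*)*)(.+?)\s*$")

# sudo's own audit line for a refused command (format as seen in the thread)
DENY_RE = re.compile(
    r"sudo: (?P<user>\S+) : command not allowed ; TTY=(?P<tty>\S+) ; "
    r"PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_l(text: str) -> List[Dict[str, List[str]]]:
    """Turn the privilege lines of `sudo -l` into RunAs/tag/command records."""
    rules = []
    for line in text.splitlines():
        m = PRIV_RE.match(line)
        if not m:
            continue  # header lines such as "User ... may run ..." are skipped
        runas, tags, cmds = m.groups()
        users, _, groups = runas.partition(":")
        rules.append({
            "runas_users": [u.strip() for u in users.split(",") if u.strip()],
            "runas_groups": [g.strip() for g in groups.split(",") if g.strip()],
            "tags": [t.rstrip(":") for t in tags.split()],
            "commands": [c.strip() for c in cmds.split(",")],
        })
    return rules


def parse_denials(log: str) -> List[Dict[str, str]]:
    """Extract 'command not allowed' records from /var/log/secure text."""
    denials = []
    for line in log.splitlines():
        m = DENY_RE.search(line)
        if m:
            denials.append(m.groupdict())
    return denials


def explain_denial(rules: List[Dict[str, List[str]]], denial: Dict[str, str]) -> str:
    """Say why a command was refused: unlisted binary or RunAs mismatch."""
    binary = denial["cmd"].split()[0]
    matching = [r for r in rules if binary in r["commands"] or "ALL" in r["commands"]]
    if not matching:
        return f"{binary} is not listed in sudo -l for {denial['user']}"
    for r in matching:
        if denial["target"] in r["runas_users"] or "ALL" in r["runas_users"]:
            return f"{binary} as {denial['target']} is listed; look at auth/PAM instead"
    allowed = sorted({u for r in matching for u in r["runas_users"]})
    return (f"RunAs mismatch: {binary} is only listed for ({', '.join(allowed)}) "
            f"but the request targeted USER={denial['target']}")


def diagnose(sudo_l: str = SUDO_L_OUTPUT, log: str = SECURE_LOG) -> List[str]:
    """One explanation per denial found in the log."""
    rules = parse_sudo_l(sudo_l)
    return [explain_denial(rules, d) for d in parse_denials(log)]


if __name__ == "__main__":
    for verdict in diagnose():
        print(verdict)
```

A `sudo -l` entry of the form `(subhan) NOPASSWD: ...` lists those commands for that RunAs user only, while `sudo cmd` without `-u` targets root, which sudo's audit line records as USER=root; the script surfaces that distinction so the operator can tell a RunAs mismatch (a sudoers/sudorule question) apart from an authentication failure (a PAM/sssd question) before turning on sudo debugging.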