[Freeipa-users] Sudo command not working

Dewangga Bachrul Alam dewanggaba at xtremenitro.org
Thu Aug 13 08:01:40 UTC 2015


Hello!

Should I reboot the machine after changing the sudo.conf file?

On 08/12/2015 09:26 PM, Jakub Hrozek wrote:
> On Wed, Aug 12, 2015 at 07:44:15PM +0700, Dewangga Bachrul Alam wrote:
>> Hello!
>>
>> On 08/12/2015 07:36 PM, Jakub Hrozek wrote:
>>> On Wed, Aug 12, 2015 at 07:30:52PM +0700, Dewangga Bachrul Alam wrote:
>>>> Hello!
>>>>
>>>> I'm having a problem with the sudo command: the sudo command was successfully
>>>> initiated, but the user is still asked for a password. For example:
>>>>
>>>> ipa-client $ sudo -l
>>>> Matching Defaults entries for subhan on this host:
>>>>     requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
>>>> DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
>>>>     PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
>>>> LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
>>>>     LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
>>>> LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>>>>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>>>>
>>>> User subhan may run the following commands on this host:
>>>>     (subhan) NOPASSWD: /bin/tail, /usr/bin/tail
>>>>
>>>> ipa-server $ ipa user-show subhan
>>>>   User login: subhan
>>>>   First name: [REMOVED]
>>>>   Last name: [REMOVED]
>>>>   Home directory: /home/subhan
>>>>   Login shell: /bin/bash
>>>>   Email address: [REMOVED]
>>>>   UID: 642000007
>>>>   GID: 642000007
>>>>   Job Title: Developer
>>>>   Account disabled: False
>>>>   Password: False
>>>>   Member of groups: g_gmt_developer, developer
>>>>   Member of Sudo rule: gmt_developer
>>>>   Member of HBAC rule: gmt_webserver
>>>>   Kerberos keys available: False
>>>>   SSH public key fingerprint: [REMOVED]
>>>>
>>>> ipa-server $ ipa sudocmd-find
>>>> -----------------------
>>>> 2 Sudo Commands matched
>>>> -----------------------
>>>>   Sudo Command: /bin/tail
>>>>   Sudo Command Groups: reading-files
>>>>
>>>>   Sudo Command: /usr/bin/tail
>>>>   Sudo Command Groups: reading-files
>>>>
>>>> ipa-server $ ipa sudorule-show gmt_developer
>>>>   Rule name: gmt_developer
>>>>   Enabled: TRUE
>>>>   Users: subhan
>>>>   User Groups: g_gmt_developer
>>>>   Host Groups: gmt_webserver
>>>>   Sudo Allow Command Groups: reading-files
>>>>   RunAs Users: subhan
>>>>   Sudo Option: !authenticate
>>>>
>>>>
>>>> ipa-client $ sudo tail -f /var/log/nginx/access.log
>>>> [sudo] password for subhan:
>>>> ipa-client $ sudo tail /var/log/nginx/access.log
>>>> [sudo] password for subhan:
>>>>
>>>> There's no information in sssd_sudo.log about this issue.
>>>
>>> In general sssd acts as a cache of the sudo rules; the decision to auth
>>> or not is made by sudo. So on the sssd side you can make sure the sudo
>>> option value was fetched, but you'll probably get more useful
>>> debugging from sudo itself.
>>>
>>
>> Here is the sudo message from /var/log/secure:
>>
>> Aug 12 19:41:05 rosaliaindah su: pam_unix(su-l:session): session opened
>> for user subhan by dewangga(uid=0)
>> Aug 12 19:41:14 rosaliaindah sudo: pam_unix(sudo:auth): conversation failed
>> Aug 12 19:41:14 rosaliaindah sudo: pam_unix(sudo:auth): auth could not
>> identify password for [subhan]
>> Aug 12 19:41:14 rosaliaindah sudo: pam_sss(sudo:auth): authentication
>> failure; logname=dewangga uid=642000007 euid=0 tty=/dev/pts/0
>> ruser=subhan rhost= user=subhan
>> Aug 12 19:41:14 rosaliaindah sudo: pam_sss(sudo:auth): received for user
>> subhan: 7 (Authentication failure)
>> Aug 12 19:41:14 rosaliaindah sudo: subhan : command not allowed ;
>> TTY=pts/0 ; PWD=/home/subhan ; USER=root ; COMMAND=/bin/tail -f
>> /var/log/nginx/error.log
>>
>> The sudo option (!authenticate) should be working, because I can invoke
>> the `sudo -l` command without a password. So I think sssd is not the problem.
>> CMIIW. :)
> 
> Look into man sudo.conf, depending on your sudo version the options to
> enable debugging for sudo differ.
> 
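The `/var/log/secure` excerpt and the `sudo -l` listing quoted in this thread are the raw material for the following added example (my own code, not from the thread, FreeIPA or the sudo project): a small Python parser that pulls sudo's own audit records and the pam_* auth-phase messages out of syslog lines, reads the `(runas) NOPASSWD: ...` grants from `sudo -l`, and, for every `command not allowed` record, reports which part of the grant did not match (no grant for the binary, or the binary granted only for a different runas user). The sample log is constructed from the lines quoted above plus one constructed line showing what sudo logs when a command is allowed; the shape of a `sudo -l` entry (runas in parentheses, then tags such as `NOPASSWD:`, then a comma-separated command list) follows sudo's own output.

```python
import re
from typing import Any, Dict, List

# Constructed sample input: the first three lines are modelled on the
# /var/log/secure excerpt quoted in the thread, the fourth is a constructed
# example of sudo's audit line for an allowed command.
SAMPLE_SECURE_LOG = """\
Aug 12 19:41:14 rosaliaindah sudo: pam_unix(sudo:auth): auth could not identify password for [subhan]
Aug 12 19:41:14 rosaliaindah sudo: pam_sss(sudo:auth): received for user subhan: 7 (Authentication failure)
Aug 12 19:41:14 rosaliaindah sudo: subhan : command not allowed ; TTY=pts/0 ; PWD=/home/subhan ; USER=root ; COMMAND=/bin/tail -f /var/log/nginx/error.log
Aug 12 19:42:03 rosaliaindah sudo: subhan : TTY=pts/0 ; PWD=/home/subhan ; USER=subhan ; COMMAND=/bin/tail /var/log/nginx/access.log
"""

# Constructed: the privilege listing part of `sudo -l` as quoted in the thread.
SAMPLE_SUDO_L = """\
User subhan may run the following commands on this host:
    (subhan) NOPASSWD: /bin/tail, /usr/bin/tail
"""

# sudo's audit line: "<user> : [<reason> ; ]TTY=... ; PWD=... ; USER=<runas> ; COMMAND=..."
SUDO_AUDIT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo: (?P<user>\S+) : "
    r"(?:(?P<reason>(?!TTY=)[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<command>.*)$"
)

# Messages PAM modules emit during sudo's "auth" phase (pam_unix, pam_sss, ...).
PAM_AUTH_RE = re.compile(r" sudo: (?P<module>pam_\w+)\(sudo:auth\): (?P<msg>.*)$")

# One "(runas) TAG: cmd, cmd" entry printed by `sudo -l`.
SUDO_L_ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s+(?P<rest>.+)$")


def parse_sudo_audit(log_text: str) -> List[Dict[str, Any]]:
    """Return sudo's per-invocation audit records, tagged allowed/denied."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_AUDIT_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        # sudo only inserts a reason ("command not allowed", ...) when it refuses
        ev["outcome"] = "denied" if ev["reason"] else "allowed"
        events.append(ev)
    return events


def parse_pam_auth(log_text: str) -> List[Dict[str, str]]:
    """Return the pam_* auth-phase messages sudo logged, in order."""
    return [m.groupdict() for m in map(PAM_AUTH_RE.search, log_text.splitlines()) if m]


def parse_sudo_l(text: str) -> List[Dict[str, Any]]:
    """Turn the '(runas) NOPASSWD: cmds' lines of `sudo -l` into grant records."""
    grants = []
    for line in text.splitlines():
        m = SUDO_L_ENTRY_RE.match(line)
        if not m:
            continue
        # "(user : group)" -> only the user part is compared with USER= in the audit line
        runas_users = {u.strip() for u in m.group("runas").split(":")[0].split(",")}
        rest = m.group("rest")
        tags = []
        while True:  # tags such as "NOPASSWD:" / "SETENV:" precede the command list
            tm = re.match(r"^(\w+):\s*", rest)
            if not tm:
                break
            tags.append(tm.group(1))
            rest = rest[tm.end():]
        commands = [c.strip() for c in rest.split(",")]
        grants.append({"runas_users": runas_users, "nopasswd": "NOPASSWD" in tags, "commands": commands})
    return grants


def explain_denials(events: List[Dict[str, Any]], grants: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """For each denied audit record, say which part of the grants did not match."""
    findings = []
    for ev in events:
        if ev["outcome"] != "denied":
            continue
        binary = ev["command"].split()[0]
        matching = [g for g in grants if binary in g["commands"]]
        if not matching:
            why = "no grant covers %s" % binary
        elif not any(ev["runas"] in g["runas_users"] or "ALL" in g["runas_users"] for g in matching):
            allowed = sorted(set().union(*(g["runas_users"] for g in matching)))
            why = "%s is granted only as runas user(s) %s, not %s" % (binary, ", ".join(allowed), ev["runas"])
        else:
            why = "grant matches; denial reason was: %s" % ev["reason"]
        findings.append({"user": ev["user"], "runas": ev["runas"], "command": ev["command"], "why": why})
    return findings


if __name__ == "__main__":
    audit = parse_sudo_audit(SAMPLE_SECURE_LOG)
    for f in explain_denials(audit, parse_sudo_l(SAMPLE_SUDO_L)):
        print("%(user)s -> %(runas)s: %(command)s | %(why)s" % f)
    for p in parse_pam_auth(SAMPLE_SECURE_LOG):
        print("%(module)s: %(msg)s" % p)
```

Run it against a real `/var/log/secure` by reading the file into `parse_sudo_audit` and feeding the output of `sudo -l` (the "may run the following commands" section) to `parse_sudo_l`; the pam_* messages are reported separately because, as the thread notes, they only describe the authentication attempt sudo fell back to, not why sudo decided to authenticate in the first place.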
