[Freeipa-users] issues with sudo on RHEL5.8

Jakub Hrozek jhrozek at redhat.com
Tue Feb 17 10:09:50 UTC 2015


On Tue, Feb 17, 2015 at 03:52:31AM -0500, Nicolas Zin wrote:
> Hi,
> 
> With a RHEL7 IDM installation, I try to make sudo working.
> On RHEL6 no problem (via sssd)
> On RHEL5.8 I don't manage to make it work (credentials are good, I manage to request the schema, see below)
> Where can I find more logs?
> What did I forget?
> 
> [root at srv-rhel58-01 ~]# cat /etc/nss_ldap.conf
> bindn uid=sudo,cn=sysaccounts,cn=etc,dc=company,dc=com
> binpw redhat5Sudo
> ssl start_tls
> tls_cacertfile /etc/openldap/cacerts/ipa.crt
> #tls_cacert /etc/openldap/cacerts/ipa.crt
> tls_checkpeer yes
> #uri ldap://srv-idm7-01.company.com, ldap://srv-idm7-02.company.com
> uri ldap://srv-idm7-01.company.com
> sudoers_base ou=SUDOers,dc=company,dc=com
> sudoers_debug: 2
> 
> [root at srv-rhel58-01 ~]# ldapsearch -x -ZZ -D "uid=sudo,cn=sysaccounts,cn=etc,dc=company,dc=com" -b "ou=SUDOers,dc=company,dc=com" -h srv-idm7-01.company.com -W
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <ou=SUDOers,dc=company,dc=com> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
> 
> # sudoers, company.com
> dn: ou=sudoers,dc=company,dc=com
> objectClass: extensibleObject
> ou: sudoers
> 
> # sudo4admin, sudoers, company.com
> dn: cn=sudo4admin,ou=sudoers,dc=company,dc=com
> objectClass: sudoRole
> sudoUser: nzin
> sudoHost: ALL
> sudoCommand: ALL
> cn: sudo4admin
> 
> # search result
> search: 3
> result: 0 Success
> 
> # numResponses: 3
> # numEntries: 2
> 
> 
> In /var/log/secure:
> Feb 17 04:35:59 srv-rhel58-01 sudo: pam_unix(sudo-i:auth): authentication failure; logname=nzin uid=0 euid=0 tty=/dev/pts/3 ruser= rhost=  user=nzin
> Feb 17 04:35:59 srv-rhel58-01 sudo: pam_sss(sudo-i:auth): authentication success; logname=nzin uid=0 euid=0 tty=/dev/pts/3 ruser= rhost= user=nzin
> Feb 17 04:35:59 srv-rhel58-01 sudo:     nzin : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/nzin ; USER=root ; COMMAND=/bin/bash
> 
> Regards,

I don't have a 5.8 machine around, but I would suggest enabling
debugging from sudo itself. In newer versions, there is a Debug
directive in sudo.conf; IIRC in earlier versions there was a '-D'
option.
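An added check, not part of the thread: a small linter for a sudo LDAP config file that flags directive names sudo does not recognise (with a nearest-match hint) and the `key: value` colon form. Run against a constructed copy of the posted /etc/nss_ldap.conf (password replaced by a placeholder) it flags `bindn`, `binpw` and `sudoers_debug:`. The directive list is a partial one recalled from sudoers.ldap(5), an assumption rather than an exhaustive set.

```python
# Added example (not from the thread): lint a sudo LDAP config for typo'd directives.
import difflib
from typing import List, Tuple

# Partial list recalled from sudoers.ldap(5); an assumption, not exhaustive.
KNOWN_DIRECTIVES = {
    "uri", "host", "port", "ssl", "tls_cacertfile", "tls_cacert", "tls_checkpeer",
    "binddn", "bindpw", "rootbinddn", "sudoers_base", "sudoers_debug",
    "sudoers_search_filter", "sudoers_timed", "timelimit", "bind_timelimit",
}

# Constructed copy of the posted /etc/nss_ldap.conf, password replaced.
SAMPLE_CONF = """\
bindn uid=sudo,cn=sysaccounts,cn=etc,dc=company,dc=com
binpw PLACEHOLDER-PASSWORD
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/ipa.crt
tls_checkpeer yes
uri ldap://srv-idm7-01.company.com
sudoers_base ou=SUDOers,dc=company,dc=com
sudoers_debug: 2
"""

def lint_sudo_ldap_conf(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, message) findings; an empty list means nothing flagged."""
    findings: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # sudo ignores blank and comment lines as well
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        # sudo wants "directive value"; a trailing colon (an ldap.conf habit)
        # turns the name into something sudo does not recognise.
        if key.endswith(":"):
            key = key.rstrip(":")
            findings.append((lineno, f"'{key}:' has a colon; sudo expects '{key} {value}'"))
        key = key.lower()
        if key not in KNOWN_DIRECTIVES:
            guess = difflib.get_close_matches(key, KNOWN_DIRECTIVES, n=1)
            hint = f", did you mean '{guess[0]}'?" if guess else ""
            findings.append((lineno, f"unknown directive '{key}'{hint}"))
        if key == "bindpw":
            findings.append((lineno, "bindpw is stored inline; keep this file non-world-readable"))
    return findings

if __name__ == "__main__":
    for lineno, msg in lint_sudo_ldap_conf(SAMPLE_CONF):
        print(f"line {lineno}: {msg}")
```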
