[Freeipa-users] SUDO does not always works on first try

Jakub Hrozek jhrozek at redhat.com
Wed Oct 7 08:02:41 UTC 2015


On Mon, Oct 05, 2015 at 01:25:09PM +0000, Zoske, Fabian wrote:
> Dear Jakub,
> 
> I found only the following entries in the /var/log/auth.log:
> 
> Oct  5 11:57:38 hl-srv10 sudo: pam_unix(sudo:auth): conversation failed
> Oct  5 11:57:38 hl-srv10 sudo: pam_unix(sudo:auth): auth could not identify password for [f.zoske at de.eu.local]
> Oct  5 11:57:38 hl-srv10 sudo: pam_sss(sudo:auth): authentication failure; logname=f.zoske at de.eu.local uid=1948403038 euid=0 tty=/dev/pts/1 ruser=f.zoske at de.eu.local rhost= user=f.zoske at de.eu.local
> Oct  5 11:57:38 hl-srv10 sudo: pam_sss(sudo:auth): received for user f.zoske at de.eu.local: 7 (Authentication failure)
> Oct  5 11:57:38 hl-srv10 sudo: f.zoske at de.eu.local : user NOT authorized on host ; TTY=pts/1 ; PWD=/home/de.eu.local/f.zoske ; USER=root ; COMMAND=/bin/cat /etc/sssd/sssd.conf
> Oct  5 11:57:42 hl-srv10 sudo: pam_unix(sudo:auth): authentication failure; logname=f.zoske at de.eu.local uid=1948403038 euid=0 tty=/dev/pts/1 ruser=f.zoske at de.eu.local rhost=  user=f.zoske at de.eu.local
> Oct  5 11:57:42 hl-srv10 sudo: pam_sss(sudo:auth): authentication success; logname=f.zoske at de.eu.local uid=1948403038 euid=0 tty=/dev/pts/1 ruser=f.zoske at de.eu.local rhost= user=f.zoske at de.eu.local
> Oct  5 11:57:43 hl-srv10 sudo: f.zoske at de.eu.local : user NOT authorized on host ; TTY=pts/1 ; PWD=/home/de.eu.local/f.zoske ; USER=root ; COMMAND=/bin/bash
> Oct  5 11:57:46 hl-srv10 sudo: pam_unix(sudo:auth): authentication failure; logname=f.zoske at de.eu.local uid=1948403038 euid=0 tty=/dev/pts/1 ruser=f.zoske at de.eu.local rhost=  user=f.zoske at de.eu.local
> Oct  5 11:57:47 hl-srv10 sudo: pam_sss(sudo:auth): authentication success; logname=f.zoske at de.eu.local uid=1948403038 euid=0 tty=/dev/pts/1 ruser=f.zoske at de.eu.local rhost= user=f.zoske at de.eu.local
> Oct  5 11:57:47 hl-srv10 sudo: f.zoske at de.eu.local : TTY=pts/1 ; PWD=/home/de.eu.local/f.zoske ; USER=root ; COMMAND=/bin/bash
> Oct  5 11:57:47 hl-srv10 sudo: pam_unix(sudo:session): session opened for user root by f.zoske at de.eu.local(uid=0)
> 
> In /var/log/sssd/ no entries were logged.

Nothing gets logged by default; you need to increase debug_level,
see:
    https://fedorahosted.org/sssd/wiki/Troubleshooting

I would look into the domain log and krb5_child.log first.

> 
> My sssd.conf:
> [domain/ipa-lx.com]
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ipa-lx.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = hl-srv10.ipa-lx.com
> chpass_provider = ipa
> ipa_server = _srv_, dc01.ipa-lx.com
> ldap_tls_cacert = /etc/ipa/ca.crt
> ldap_sudo_use_host_filter = false
> 
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> default_domain_suffix = de.eu.local
> domains = ei-ag.it
> 
> [nss]
> override_shell = /bin/bash
> 
> [pam]
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> [pac]
> 
> 
> Best regards,
> Fabian
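
A small triage helper for auth.log excerpts like the one quoted above, as an added example that is not part of the original message or of the SSSD/FreeIPA code: it pairs each sudo decision with the pam_sss result logged just before it, so attempts where authentication succeeded but sudo still refused the command stand out. The log lines are constructed samples with placeholder user and host names, and `triage` and `auth_ok_but_denied` are hypothetical helper names.

```python
import re

# Constructed sample lines in the same shape as the auth.log excerpt quoted
# above; the user and host names are placeholders, not values from the thread.
SAMPLE_LOG = """\
Oct  5 11:57:38 host1 sudo: pam_sss(sudo:auth): authentication failure; logname=alice@example.test uid=1000 euid=0 tty=/dev/pts/1 ruser=alice@example.test rhost= user=alice@example.test
Oct  5 11:57:38 host1 sudo: alice@example.test : user NOT authorized on host ; TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/sssd/sssd.conf
Oct  5 11:57:42 host1 sudo: pam_unix(sudo:auth): authentication failure; logname=alice@example.test uid=1000 euid=0 tty=/dev/pts/1 ruser=alice@example.test rhost=  user=alice@example.test
Oct  5 11:57:42 host1 sudo: pam_sss(sudo:auth): authentication success; logname=alice@example.test uid=1000 euid=0 tty=/dev/pts/1 ruser=alice@example.test rhost= user=alice@example.test
Oct  5 11:57:43 host1 sudo: alice@example.test : user NOT authorized on host ; TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Oct  5 11:57:47 host1 sudo: pam_sss(sudo:auth): authentication success; logname=alice@example.test uid=1000 euid=0 tty=/dev/pts/1 ruser=alice@example.test rhost= user=alice@example.test
Oct  5 11:57:47 host1 sudo: alice@example.test : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
"""

PAM_SSS = re.compile(r"sudo: pam_sss\(sudo:auth\): authentication (success|failure);")
SUDO_EVT = re.compile(r"^(\w+\s+\d+ [\d:]+) \S+ sudo:\s+(\S+) : (.*)COMMAND=(.*)$")

def triage(log_text):
    """Pair each sudo decision with the last pam_sss auth result seen before it."""
    attempts, last_auth = [], None
    for line in log_text.splitlines():
        m = PAM_SSS.search(line)
        if m:
            last_auth = m.group(1)  # remember until the next sudo decision line
            continue
        m = SUDO_EVT.match(line)
        if m:
            when, user, fields, command = m.groups()
            decision = "denied" if "NOT authorized" in fields else "allowed"
            attempts.append({"time": when, "user": user, "pam_sss": last_auth,
                             "sudo": decision, "command": command.strip()})
            last_auth = None  # each decision consumes one auth result
    return attempts

def auth_ok_but_denied(attempts):
    """Attempts where pam_sss authentication succeeded yet sudo refused the command."""
    return [a for a in attempts if a["pam_sss"] == "success" and a["sudo"] == "denied"]

if __name__ == "__main__":
    for attempt in triage(SAMPLE_LOG):
        print(attempt)
```

Entries returned by `auth_ok_but_denied` are the ones worth lining up by timestamp against the SSSD domain log and krb5_child.log once debug_level has been raised.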
