[Freeipa-users] sudo not work in linux

Jakub Hrozek jhrozek at redhat.com
Wed Sep 23 20:49:10 UTC 2015


On Wed, Sep 23, 2015 at 12:48:47PM +0330, alireza baghery wrote:
> Hi,
> I have CentOS 6.7 (IPA server)
> and I have CentOS 6.5 (client)

I would advise upgrading; 6.5 is old. I'm not sure whether 6.5 already
supported sudo_provider=ipa, but I'm pretty sure 6.6 did. That would
simplify the configuration a lot.

> I cannot sudo on the client.
> I added a sudo rule on IPA.
> I configured the file sssd.conf

Are there any rules in the cache (ldbsearch -H
/var/lib/sss/db/cache_l.infotechpsp.net) at all?

If not, then I guess the rules don't match the host, because your domain
log snippet indicates sssd couldn't fetch the rules.

> +++++++
> 
> [domain/l.infotechpsp.net]
> debug_level = 6
> #cache_credentials = True
> #krb5_store_password_if_offline = True
> ipa_domain = l.infotechpsp.net
> id_provider = ipa
> #auth_provider = ipa
> #access_provider = ipa
> #ipa_hostname = switchlive.l.infotechpsp.net
> #chpass_provider = ipa
> ipa_server = _srv_, ipasrv.l.infotechpsp.net
> ldap_tls_cacert = /etc/ipa/ca.crt
> sudo_provider = ldap
> ldap_uri =ldap://ipasrv.l.infotechpsp.net
> ldap_sudo_search_base = ou=sudoers,dc=l,dc=infotechpsp,dc=net
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/ussd7rep.l.infotechpsp.net
> ldap_sasl_realm = L.INFOTECHPSP.NET
> krb5_server = ipasrv.l.infotechpsp.net
> [sssd]
> config_file_version = 2
> 
> # Number of times services should attempt to reconnect in the
> # event of a crash or restart before they give up
> reconnection_retries = 3
> 
> # If a back end is particularly slow you can raise this timeout here
> sbus_timeout = 30
> services = nss, pam, ssh, sudo
> 
> domains = l.infotechpsp.net
> [nss]
> 
> 
> [pam]
> +++++++
> In the file nsswitch.conf
> I added sudoers: files sss
> 
> and the log file /var/log/sss/sss_l.....
> +++++
> 
> (Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]]
> [be_resolve_server_process] (0x0200): Found address for server
> ipasrv.l.infotechpsp.net: [10.30.160.19] TTL 1200
> (Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]]
> [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
> (Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]]
> [write_pipe_handler] (0x0400): All data has been sent!
> (Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]]
> [read_pipe_handler] (0x0400): EOF received, client finished
> (Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]]
> [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/
> ccache_L.INFOTECHPSP.NET], expired on [1443085132]
> (Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]]
> [sdap_cli_auth_step] (0x0100): expire timeout is 900
> (Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]] [sasl_bind_send]
> (0x0100): Executing sasl bind mech: GSSAPI, user: host/
> ussd7rep.l.infotechpsp.net
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]]
> [child_sig_handler] (0x0100): child [12755] finished successfully.
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]]
> [fo_set_port_status] (0x0100): Marking port 389 of server '
> ipasrv.l.infotechpsp.net' as 'working'
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]]
> [set_server_common_status] (0x0100): Marking server '
> ipasrv.l.infotechpsp.net' as 'working'
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]]
> [sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]]
> [sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with
> base [ou=sudoers,dc=l,dc=infotechpsp,dc=net]
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(&(&(objectclass=sudoRole)(entryUSN>=128274)(!(entryUSN=128274)))(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=
> ussd7rep.l.infotechpsp.net
> )(sudoHost=ussd7rep)(sudoHost=10.30.110.11)(sudoHost=
> 10.30.110.0/24)(sudoHost=fe80::250:56ff:feaf:3ca6)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))][ou=sudoers,dc=l,dc=infotechpsp,dc=net
> ].
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]]
> [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
> set
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]]
> [sdap_sudo_load_sudoers_process] (0x0400): Receiving sudo rules with base
> [ou=sudoers,dc=l,dc=infotechpsp,dc=net]
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]]
> [sdap_sudo_load_sudoers_done] (0x0400): Received 0 rules
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]]
> [sdap_sudo_load_sudoers_done] (0x0400): Sudoers is successfuly stored in
> cache
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]]
> [sdap_sudo_smart_refresh_done] (0x0400): Successful smart refresh of sudo
> rules
> +++++

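As an added illustration that is not part of this thread, the following Python script reads the sudo-refresh lines of an sssd domain log in the shape of the one quoted above and reports whether the sudo LDAP connection worked, which sudoHost identities sssd searched for, how many rules came back, and which check to run next. The sample log is constructed here from the quoted lines; the diagnosis wording is my own.

```python
import re

# Constructed sample in the shape of the sssd domain log quoted in the thread.
SAMPLE_LOG = r"""
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with base [ou=sudoers,dc=l,dc=infotechpsp,dc=net]
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(&(objectclass=sudoRole)(entryUSN>=128274)(!(entryUSN=128274)))(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=ussd7rep.l.infotechpsp.net)(sudoHost=ussd7rep)(sudoHost=10.30.110.11)(sudoHost=10.30.110.0/24)(sudoHost=fe80::250:56ff:feaf:3ca6)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))][ou=sudoers,dc=l,dc=infotechpsp,dc=net].
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_sudo_load_sudoers_done] (0x0400): Received 0 rules
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_sudo_smart_refresh_done] (0x0400): Successful smart refresh of sudo rules
"""
WILDCARD_CHARS = set("*?+[")  # sudoHost patterns sssd adds besides the host's own identities


def parse_sudo_refresh(log_text):
    """Extract what one sudo refresh cycle tells us from sssd domain log lines."""
    info = {"connected": False, "search_base": None, "usn_floor": None,
            "hosts": [], "rules_received": None, "refresh": None}
    for line in log_text.splitlines():
        if "SUDO LDAP connection successful" in line:
            info["connected"] = True
        m = re.search(r"Searching for sudo rules with base \[([^\]]+)\]", line)
        if m:
            info["search_base"] = m.group(1)
        if "ldap_search_ext" in line:
            m = re.search(r"\(entryUSN>=(\d+)\)", line)
            info["usn_floor"] = int(m.group(1)) if m else None
            # Keep only the concrete identities sssd claims for this host (FQDN, short name, IPs, networks).
            info["hosts"] = [h for h in re.findall(r"\(sudoHost=([^)]+)\)", line)
                             if h != "ALL" and not WILDCARD_CHARS & set(h)]
        m = re.search(r"Received (\d+) rules", line)
        if m:
            info["rules_received"] = int(m.group(1))
        if "smart refresh of sudo rules" in line:
            info["refresh"] = "smart"
        elif "full refresh of sudo rules" in line:
            info["refresh"] = "full"
    return info


def diagnose(info):
    """Turn the parsed refresh into the next check an admin should run."""
    if not info["connected"]:
        return "no LDAP connection for sudo: check ldap_uri, ldap_sasl_* and the host keytab"
    if info["rules_received"] == 0 and info["refresh"] == "smart":
        # The filter only asks for rules with entryUSN above the last one seen, so 0 rules
        # means nothing changed since the previous refresh, not that the cache is empty.
        return "smart refresh above entryUSN %s returned 0 rules: inspect the cache with ldbsearch" % info["usn_floor"]
    if info["rules_received"] == 0:
        return "no sudoRole under %s matched any of: %s" % (info["search_base"], ", ".join(info["hosts"]))
    return "%d rules cached: check 'sudoers: files sss' in nsswitch.conf and the sudo service" % info["rules_received"]
```

Running `diagnose(parse_sudo_refresh(SAMPLE_LOG))` on the quoted snippet points at the cache check Jakub suggests; on a full refresh that returns 0 rules it instead lists the host identities that no rule's sudoHost matched.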
