[Freeipa-users] sudo rules question on ubuntu 16.0.1

Justin Stephenson jstephen at redhat.com
Fri Aug 12 18:27:17 UTC 2016


This looks suspicious

    Aug 12 08:45:00 sudo[31732] val[0]=+office
    Aug 12 08:45:00 sudo[31732] -> addr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:195
    Aug 12 08:45:00 sudo[31732] -> addr_matches_if @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:56
    Aug 12 08:45:00 sudo[31732] <- addr_matches_if @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:66 := false
    Aug 12 08:45:00 sudo[31732] IP address +office matches local host: false @ addr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:206
    Aug 12 08:45:00 sudo[31732] <- addr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:207 := false
    Aug 12 08:45:00 sudo[31732] -> netgr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1015
    Aug 12 08:45:00 sudo[31732] -> sudo_getdomainname @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:953
    Aug 12 08:45:00 sudo[31732] <- sudo_getdomainname @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:992 := (null)
    Aug 12 08:45:00 sudo[31732] netgroup office matches (docker-dev-01.internal.emerlyn.com|docker-dev-01.internal.emerlyn.com, jgoddard, ): false @ netgr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1041
    Aug 12 08:45:00 sudo[31732] <- netgr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1044 := false
    Aug 12 08:45:00 sudo[31732] -> hostname_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:819
    Aug 12 08:45:00 sudo[31732] host docker-dev-01.internal.emerlyn.com matches sudoers pattern +office: false @ hostname_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:829
    Aug 12 08:45:00 sudo[31732] <- hostname_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:830 := false
    Aug 12 08:45:00 sudo[31732] sssd/ldap sudoHost '+office' ... not
    Aug 12 08:45:00 sudo[31732] <- sudo_sss_check_host @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/sssd.c:687 := false

It doesn't seem to find this host as part of the hostgroup, I suspect 
the problem is because of this entry in nsswitch:

      netgroup:       nis sss

Could you try just 'sss' or 'files sss' ?

A successful hostgroup match should look something like this instead:

        Aug 12 14:20:32 sudo[25075] val[0]=+nonproduction
        Aug 12 14:20:32 sudo[25075] -> addr_matches @ ./match_addr.c:190
        Aug 12 14:20:32 sudo[25075] -> addr_matches_if @ ./match_addr.c:62
        Aug 12 14:20:32 sudo[25075] <- addr_matches_if @ ./match_addr.c:100 := false
        Aug 12 14:20:32 sudo[25075] <- addr_matches @ ./match_addr.c:200 := false
        Aug 12 14:20:32 sudo[25075] -> sudo_sss_ipa_hostname_matches @ ./sssd.c:558
        Aug 12 14:20:32 sudo[25075] -> hostname_matches @ ./match.c:740
        Aug 12 14:20:32 sudo[25075] <- hostname_matches @ ./match.c:751 := false
        Aug 12 14:20:32 sudo[25075] -> netgr_matches @ ./match.c:856
        Aug 12 14:20:32 sudo[25075] (rhel7-ipa-client.example.com, *, example.com) found in netgroup nonproduction
        Aug 12 14:20:32 sudo[25075] <- netgr_matches @ ./match.c:909 := true
        Aug 12 14:20:32 sudo[25075] IPA hostname (rhel7-ipa-client.example.com) matches +nonproduction => true
        Aug 12 14:20:32 sudo[25075] <- sudo_sss_ipa_hostname_matches @ ./sssd.c:569 := true
        Aug 12 14:20:32 sudo[25075] sssd/ldap sudoHost '+nonproduction' ... MATCH!
        Aug 12 14:20:32 sudo[25075] <- sudo_sss_check_host @ ./sssd.c:614 := true

Kind regards,
Justin Stephenson

On 08/12/2016 10:00 AM, Jeff Goddard wrote:
> The rule is defined that all members of the developer group have sudo 
> access to all commands available on the machines in the office group.
>
> Jeff
>
> On Fri, Aug 12, 2016 at 9:58 AM, Jakub Hrozek <jhrozek at redhat.com 
> <mailto:jhrozek at redhat.com>> wrote:
>
>     On Fri, Aug 12, 2016 at 08:53:53AM -0400, Jeff Goddard wrote:
>     > Jakub,
>     >
>     > Here is the log file output:
>
>     How is the sudorule defined?
>
>     > Aug 12 08:45:00 sudo[31732] user_in_group: user jgoddard NOT in
>     group admin
>     > Aug 12 08:45:00 sudo[31732] <- user_in_group @
>     > /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/pwutil.c:855 := false
>     > Aug 12 08:45:00 sudo[31732] user jgoddard matches group admin:
>     false @
>     > usergr_matches()
>     /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:940
>     > Aug 12 08:45:00 sudo[31732] <- usergr_matches @
>
>     Here it looks like sudo tried to match user's groups against the
>     groups
>     allowed to run sudo and admin didn't match.
>
>
>
>
> -- 
> Jeff Goddard
> Director of Information Technology
> Emerlyn Technology
>
> Email: jgoddard at emerlyn.com <mailto:jgoddard at emerlyn.com>
> Telephone: (603) 447-8571
> Toll free: (888) 363-7596 ext. 108
> Fax: (603) 356-3346
>
>
>
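Added example (not part of the thread, and not sudo's or SSSD's own code): a small parser for the sudo debug trace format shown above. It pulls out the `<- function @ file:line := value` return lines and the `sssd/ldap sudoHost '...' ... MATCH!/not` verdict lines, so that for each sudoHost specification you can see which matcher (address, hostname, or netgroup) produced the decision, and it reads the `netgroup:` line of an nsswitch.conf to show which lookup sources are consulted. The two sample traces are constructed from the log lines in the thread with the archive's italic-markup residue removed and the long build paths shortened; the nsswitch sample is the one-line excerpt quoted above.

```python
import re

# Constructed sample: the failing trace from the thread (paths shortened).
FAILING_TRACE = """\
Aug 12 08:45:00 sudo[31732] val[0]=+office
Aug 12 08:45:00 sudo[31732] -> addr_matches @ match_addr.c:195
Aug 12 08:45:00 sudo[31732] <- addr_matches @ match_addr.c:207 := false
Aug 12 08:45:00 sudo[31732] -> netgr_matches @ match.c:1015
Aug 12 08:45:00 sudo[31732] <- sudo_getdomainname @ match.c:992 := (null)
Aug 12 08:45:00 sudo[31732] <- netgr_matches @ match.c:1044 := false
Aug 12 08:45:00 sudo[31732] <- hostname_matches @ match.c:830 := false
Aug 12 08:45:00 sudo[31732] sssd/ldap sudoHost '+office' ... not
Aug 12 08:45:00 sudo[31732] <- sudo_sss_check_host @ sssd.c:687 := false
"""

# Constructed sample: the successful trace from the thread.
MATCHING_TRACE = """\
Aug 12 14:20:32 sudo[25075] val[0]=+nonproduction
Aug 12 14:20:32 sudo[25075] <- addr_matches @ ./match_addr.c:200 := false
Aug 12 14:20:32 sudo[25075] <- hostname_matches @ ./match.c:751 := false
Aug 12 14:20:32 sudo[25075] <- netgr_matches @ ./match.c:909 := true
Aug 12 14:20:32 sudo[25075] <- sudo_sss_ipa_hostname_matches @ ./sssd.c:569 := true
Aug 12 14:20:32 sudo[25075] sssd/ldap sudoHost '+nonproduction' ... MATCH!
Aug 12 14:20:32 sudo[25075] <- sudo_sss_check_host @ ./sssd.c:614 := true
"""

# Constructed sample: the nsswitch.conf line quoted in the thread.
NSSWITCH_SAMPLE = "passwd:  compat sss\nnetgroup:       nis sss   # constructed\n"

# "<- func @ file:line := value" lines: a matcher function returning.
RETURN_RE = re.compile(r"sudo\[(\d+)\] <- (\w+) @ \S+ := (\S+)")
# Per-sudoHost verdict lines emitted by sudo's SSSD backend.
HOST_RE = re.compile(r"sudo\[(\d+)\] sssd/ldap sudoHost '([^']+)' \.\.\. (MATCH!|not)")


def summarize_host_checks(trace):
    """Map each sudoHost spec to its verdict and the matcher results seen before it.

    Returns {spec: {"matched": bool, "matchers": {function: returned value}}}.
    Results are keyed by PID so interleaved traces from several sudo runs
    do not contaminate each other.
    """
    summary = {}
    pending = {}  # pid -> {function: value} accumulated since the last verdict
    for line in trace.splitlines():
        m = RETURN_RE.search(line)
        if m:
            pid, func, value = m.groups()
            pending.setdefault(pid, {})[func] = value
            continue
        m = HOST_RE.search(line)
        if m:
            pid, spec, verdict = m.groups()
            summary[spec] = {
                "matched": verdict == "MATCH!",
                "matchers": pending.pop(pid, {}),
            }
    return summary


def netgroup_sources(nsswitch_text):
    """Return the ordered lookup sources on the 'netgroup:' line, or [] if absent."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line.startswith("netgroup:"):
            return line.split(":", 1)[1].split()
    return []


def diagnose(summary, nsswitch_text):
    """Produce hints for unmatched '+netgroup' sudoHost specs.

    The hint follows the thread's reasoning: a '+name' spec is decided by
    netgr_matches, and that lookup goes through the netgroup line of
    nsswitch.conf, so a false result with 'sss' missing or not first is the
    thing to check.
    """
    hints = []
    sources = netgroup_sources(nsswitch_text)
    for spec, info in summary.items():
        if info["matched"] or not spec.startswith("+"):
            continue
        if info["matchers"].get("netgr_matches") == "false":
            hints.append(
                f"{spec}: netgroup lookup failed; nsswitch netgroup sources are "
                f"{sources or 'unset'}, try 'sss' or 'files sss'"
            )
    return hints


if __name__ == "__main__":
    for name, trace in (("failing", FAILING_TRACE), ("matching", MATCHING_TRACE)):
        print(name, summarize_host_checks(trace))
    print(diagnose(summarize_host_checks(FAILING_TRACE), NSSWITCH_SAMPLE))
```

Run it against the output of a debug-enabled sudo (the thread's traces come from `sudoers_debug` / `Debug sudo` logging); the summary shows at a glance which of the three host matchers decided the verdict, and the diagnosis only fires for `+netgroup` specs where `netgr_matches` itself returned false, the situation Justin identified.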
