[Freeipa-users] can't get sudo to work.

Tony Brian Albers tba at statsbiblioteket.dk
Tue Aug 23 07:11:44 UTC 2016 

Thanks Simon,

Is this a known issue?  We're on Centos 7.2 and yes, the sssd version is
1.13

/tony

On Tue, 2016-08-23 at 06:49 +0000, Simpson Lachlan wrote:
> What version of sssd are you using?
> 
> We found that it wouldn't work w sssd<1.14
> 
> On the IPA server, it would say "yep rule applies", but then on any particular machine it wouldn't (well, it would - but only intermittently).
> 
> There's a COPR repo for Centos7 if you aren't on Fedora/RedHat.
> 
> Cheers
> L.
> 
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Tony Brian Albers
> Sent: Tuesday, 23 August 2016 4:24 PM
> To: freeipa-users at redhat.com
> Subject: [Freeipa-users] can't get sudo to work.
> 
> Hi guys,
> 
> I've been trying to get sudo to work for our day-to-day admin who have their own usergroup in IPA called subadmin.
> 
> For some reason I can't really get sudo to work, I suspect I am missing something simple, but I can't really figure out what it is.
> 
> This is my config:
> 
> # ipa sudorule-find
> -------------------
> 1 Sudo Rule matched
> -------------------
>   Rule name: All
>   Enabled: TRUE
>   Host category: all
>   Command category: all
>   User Groups: subadmin
> ----------------------------
> Number of entries returned 1
> ----------------------------
> #
> 
> 
> 
> 
> # ipa group-find subadmin
> ---------------
> 1 group matched
> ---------------
>   Group name: subadmin
>   Description: For daily administration of users and hosts
>   GID: 10003
>   Member users: abr-sadm, pmd-sadm, tba-sadm, bja-sadm, alberto-ibm
>   Roles: Sub-admins
>   Member of Sudo rule: All
> ----------------------------
> Number of entries returned 1
> ----------------------------
> #
> 
> 
> 
> 
> 
> And on a client:
> 
> # cat /etc/sssd/sssd.conf
> [domain/kac.lokalnet]
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = kac.sblokalnet
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = kac-man-001.kac.lokalnet
> chpass_provider = ipa
> ipa_server = _srv_, kac-adm-001.kac.lokalnet ldap_tls_cacert = /etc/ipa/ca.crt autofs_provider = ipa ipa_automount_location = default krb5_renewable_lifetime = 50d krb5_renew_interval = 3600 [sssd] services = nss, sudo, pam, autofs, ssh config_file_version = 2
> 
> domains = kac.lokalnet
> [nss]
> homedir_substring = /home
> 
> [pam]
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> [pac]
> 
> [ifp]
> 
> 
> 
> 
> 
> 
> nsswitch.conf:
> 
> passwd:     files sss
> shadow:     files sss
> group:      files sss
> #initgroups: files
> 
> #hosts:     db files nisplus nis dns
> hosts:      files dns myhostname
> 
> # Example - obey only what nisplus tells us...
> #services:   nisplus [NOTFOUND=return] files
> #networks:   nisplus [NOTFOUND=return] files
> #protocols:  nisplus [NOTFOUND=return] files
> #rpc:        nisplus [NOTFOUND=return] files
> #ethers:     nisplus [NOTFOUND=return] files
> #netmasks:   nisplus [NOTFOUND=return] files     
> 
> bootparams: nisplus [NOTFOUND=return] files
> 
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files sss
> 
> netgroup:   files sss
> 
> publickey:  nisplus
> 
> automount:  sss files
> aliases:    files nisplus
> sudoers:    files sss
> 
> 
> 
> 
> And for a subadmin account:
> 
> -sh-4.2$ sudo -l
> [sudo] password for tba-sadm: 
> Your password will expire in 6 day(s).
> User tba-sadm is not allowed to run sudo on kac-man-001.
> -sh-4.2$
> 
> 
> 
> Any suggestions?  Help is much appreciated.
> 
> TIA
> 
> /tony
> 
> --
> Best regards,
> 
> Tony Albers
> Systems administrator, IT-development
> State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
> Tel: +45 8946 2316
> 
> 
> 
> 
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
> This email (including any attachments or links) may contain 
> confidential and/or legally privileged information and is 
> intended only to be read or used by the addressee.  If you 
> are not the intended addressee, any use, distribution, 
> disclosure or copying of this email is strictly 
> prohibited.  
> Confidentiality and legal privilege attached to this email 
> (including any attachments) are not waived or lost by 
> reason of its mistaken delivery to you.
> If you have received this email in error, please delete it 
> and notify us immediately by telephone or email.  Peter 
> MacCallum Cancer Centre provides no guarantee that this 
> transmission is free of virus or that it has not been 
> intercepted or altered and will not be liable for any delay 
> in its receipt.
> 

-- 
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316

More information about the Freeipa-users mailing list