[Freeipa-users] sudo sometimes doesn't work

Orion Poplawski orion at cora.nwra.com
Fri Jan 27 21:15:16 UTC 2017


EL7.3
Users are in active directory via AD trust with IPA server

sudo is configured via files - users in our default "nwra" group can run
certain sudo commands, e.g.:

Cmnd_Alias WAKEUP = /sbin/ether-wake *
%nwra,%visitor,%ivm   ALL=NOPASSWD: WAKEUP

However, sometimes when I run sudo /sbin/ether-wake I get prompted for my
password.  Other times it works fine.  I've attached some logs from a failed
attempt.

In particular, these entries:

-barry.cora.DNSDOMAIN sssd_be[701]: Got request with the following data
-barry.cora.DNSDOMAIN sssd_be[701]: command: SSS_PAM_PREAUTH
-barry.cora.DNSDOMAIN sssd_be[701]: domain: ad.DNSDOMAIN
-barry.cora.DNSDOMAIN sssd_be[701]: user: USER at ad.DNSDOMAIN
-barry.cora.DNSDOMAIN sssd_be[701]: service: sudo
-barry.cora.DNSDOMAIN sssd_be[701]: tty: /dev/pts/0
-barry.cora.DNSDOMAIN sssd_be[701]: ruser: USER
-barry.cora.DNSDOMAIN sssd_be[701]: rhost:
-barry.cora.DNSDOMAIN sssd_be[701]: authtok type: 0
-barry.cora.DNSDOMAIN sssd_be[701]: newauthtok type: 0
-barry.cora.DNSDOMAIN sssd_be[701]: priv: 0
-barry.cora.DNSDOMAIN sssd_be[701]: cli_pid: 2860
-barry.cora.DNSDOMAIN sssd_be[701]: logon name: not set
-barry.cora.DNSDOMAIN sssd_be[701]: Trying to resolve service 'IPA'
-barry.cora.DNSDOMAIN sssd_be[701]: The status of SRV lookup is resolved
-barry.cora.DNSDOMAIN sssd_be[701]: Found address for server ipa1.DNSDOMAIN:
[10.0.1.74] TTL 86400
-barry.cora.DNSDOMAIN krb5_child[2869]: cmd [249] uid [22603] gid [22603]
validate [true] enterprise principal [false] offline [false] UPN
[USER at AD.NWRA.COM]
-barry.cora.DNSDOMAIN krb5_child[2869]: SSSD_KRB5_FAST_PRINCIPAL is set to
[host/barry.cora.DNSDOMAIN at NWRA.COM]
-barry.cora.DNSDOMAIN krb5_child[2869]: FAST TGT is still valid.
-barry.cora.DNSDOMAIN krb5_child[2869]: Trying to become user [22603][22603].
-barry.cora.DNSDOMAIN krb5_child[2869]: Cannot read
[SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
-barry.cora.DNSDOMAIN krb5_child[2869]: Cannot read [SSSD_KRB5_LIFETIME] from
environment.
-barry.cora.DNSDOMAIN krb5_child[2869]: SSSD_KRB5_CANONICALIZE is set to [true]
-barry.cora.DNSDOMAIN krb5_child[2869]: Cannot handle password prompts.
-barry.cora.DNSDOMAIN krb5_child[2869]: Received error code 0
-barry.cora.DNSDOMAIN sssd_be[701]: child [2869] finished successfully.
-barry.cora.DNSDOMAIN sssd_be[701]: Marking port 389 of server
'ipa1.DNSDOMAIN' as 'working'
-barry.cora.DNSDOMAIN sssd_be[701]: Marking server 'ipa1.DNSDOMAIN' as 'working'
-barry.cora.DNSDOMAIN sssd_be[701]: connection is about to expire, releasing it
-barry.cora.DNSDOMAIN sssd_be[701]: Trying to resolve service 'IPA'
-barry.cora.DNSDOMAIN sssd_be[701]: The status of SRV lookup is resolved
-barry.cora.DNSDOMAIN sssd_be[701]: Found address for server ipa1.DNSDOMAIN:
[10.0.1.74] TTL 86400
-barry.cora.DNSDOMAIN sssd_be[701]: Trying to resolve service 'IPA'
-barry.cora.DNSDOMAIN sssd_be[701]: The status of SRV lookup is resolved
-barry.cora.DNSDOMAIN sssd_be[701]: Found address for server ipa1.DNSDOMAIN:
[10.0.1.74] TTL 86400
-barry.cora.DNSDOMAIN ldap_child[2889]: Will run as [0][0].
-barry.cora.DNSDOMAIN ldap_child[2889]: Trying to become user [0][0].
-barry.cora.DNSDOMAIN ldap_child[2889]: Already user [0].
-barry.cora.DNSDOMAIN ldap_child[2889]: Principal name is:
[host/barry.cora.DNSDOMAIN at NWRA.COM]
-barry.cora.DNSDOMAIN ldap_child[2889]: Using keytab [MEMORY:/etc/krb5.keytab]
-barry.cora.DNSDOMAIN ldap_child[2889]: Will canonicalize principals
-barry.cora.DNSDOMAIN sssd_be[701]: GSSAPI client step 1
-barry.cora.DNSDOMAIN sssd_be[701]: expire timeout is 900
-barry.cora.DNSDOMAIN sssd_be[701]: GSSAPI client step 1
-barry.cora.DNSDOMAIN sssd_be[701]: Executing sasl bind mech: GSSAPI, user:
host/barry.cora.DNSDOMAIN
-barry.cora.DNSDOMAIN sssd_be[701]: GSSAPI client step 1
-barry.cora.DNSDOMAIN sssd_be[701]: GSSAPI client step 2
-barry.cora.DNSDOMAIN sssd_be[701]: child [2889] finished successfully.
-barry.cora.DNSDOMAIN sssd_be[701]: Marking port 389 of server
'ipa1.DNSDOMAIN' as 'working'
-barry.cora.DNSDOMAIN sssd_be[701]: Marking server 'ipa1.DNSDOMAIN' as 'working'
-barry.cora.DNSDOMAIN sssd_be[701]: No host groups were dereferenced
-barry.cora.DNSDOMAIN sssd_be[701]: Received 0 additional command groups
-barry.cora.DNSDOMAIN sssd_be[701]: Received 0 sudo rules
-barry.cora.DNSDOMAIN sssd_be[701]: SUDO higher USN value: [1]
-barry.cora.DNSDOMAIN sudo[2860]:    USER : command not allowed ; TTY=pts/0 ;
PWD=/export/home/USER/fedora/fail2ban ; USER=root ; COMMAND=/sbin/ether-wake
-i eth0 00:25:64:e0:05:fa

seem to appear in the failed attempt but not a successful one.

-- 
Orion Poplawski
Technical Manager                          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                   http://www.nwra.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sudo.log
Type: text/x-log
Size: 13053 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20170127/ab7874ba/attachment.bin>
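When triaging intermittent failures like this in a long sssd log, it helps to pair each PAM request that sssd_be received for service "sudo" with the "Received N sudo rules" line that follows it and with the sudo verdict for the same client PID. The script below is an added example, not part of the original post or of sssd; the log lines it parses are constructed to mirror the shape of the sssd_be and sudo lines quoted above (hostnames, user, PIDs and MAC address are placeholders), and the field and line patterns are my own assumptions about the debug output format rather than a documented sssd API.

```python
import re

# Constructed sample, shaped like the sssd_be / sudo lines quoted in the post.
# Hostname "host", user "alice", PIDs and MAC are placeholders, not real data.
SAMPLE_LOG = """\
host sssd_be[701]: Got request with the following data
host sssd_be[701]: command: SSS_PAM_PREAUTH
host sssd_be[701]: domain: ad.example.test
host sssd_be[701]: user: alice at ad.example.test
host sssd_be[701]: service: sudo
host sssd_be[701]: cli_pid: 2860
host sssd_be[701]: Received 0 sudo rules
host sudo[2860]:    alice : command not allowed ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/ether-wake -i eth0 00:11:22:33:44:55
host sssd_be[701]: Got request with the following data
host sssd_be[701]: command: SSS_PAM_PREAUTH
host sssd_be[701]: domain: ad.example.test
host sssd_be[701]: user: alice at ad.example.test
host sssd_be[701]: service: sudo
host sssd_be[701]: cli_pid: 2901
host sssd_be[701]: Received 3 sudo rules
host sudo[2901]:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/ether-wake -i eth0 00:11:22:33:44:55
"""

# Line shapes assumed from the quoted debug output (not a documented format).
REQ_START = "Got request with the following data"
FIELD_RE = re.compile(r"sssd_be\[\d+\]:\s+(\w+):\s*(.*)$")
RULES_RE = re.compile(r"sssd_be\[\d+\]: Received (\d+) sudo rules")
SUDO_RE = re.compile(r"sudo\[(\d+)\]:\s+(\S+)\s+:\s+(.*)$")


def parse_sssd_log(text):
    """Return one dict per PAM request seen by sssd_be, each carrying the
    request fields (command, domain, user, service, cli_pid), the number of
    sudo rules sssd reported for it, and the sudo verdict matched by PID."""
    attempts = []
    current = None
    by_pid = {}
    for line in text.splitlines():
        if REQ_START in line:
            current = {"rules": None, "denied": False, "sudo_line": None}
            attempts.append(current)
            continue
        m = RULES_RE.search(line)
        if m and current is not None:
            current["rules"] = int(m.group(1))
            continue
        m = SUDO_RE.search(line)
        if m:
            pid, _user, rest = m.groups()
            att = by_pid.get(pid)
            if att is not None:
                # sudo logs "command not allowed" when no rule matched.
                att["denied"] = "command not allowed" in rest
                att["sudo_line"] = rest
            continue
        m = FIELD_RE.search(line)
        if m and current is not None:
            key, value = m.groups()
            current[key] = value
            if key == "cli_pid":
                by_pid[value] = current
    return attempts


def denied_without_rules(attempts):
    """Attempts where sudo asked sssd for rules, sssd returned none, and the
    command was then refused: the pattern visible in the failed attempt."""
    return [a for a in attempts
            if a.get("service") == "sudo" and a["rules"] == 0 and a["denied"]]


if __name__ == "__main__":
    for a in denied_without_rules(parse_sssd_log(SAMPLE_LOG)):
        print(f"pid {a['cli_pid']} user {a['user']}: 0 rules, {a['sudo_line']}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; the output lists only the requests where the zero-rule fetch and the denial coincide, which makes it easy to compare their timing with the successful attempts rather than reading the whole log by hand.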