<div dir="ltr"><div> Hi everyone, I've spent a couple of days digging around the web, watching logs, and poking things, and I'm stuck getting sudo working with IPA on a new box I've just set up. I have had it working in the past on a test box, but something about this box is blocking me, and I can't for the life of me figure out what. The basic symptom is that I can log into the Ubuntu box as an IPA user, but sudo is always denied: [root@security-core-1 log]# ssh dru@jenkins dru@jenkins's password: ... Could not chdir to home directory /home/dru: No such file or directory dru@jenkins:/$ sudo -l [sudo] password for dru: Sorry, user dru may not run sudo on jenkins. I've appended version output, config files, sample logs, and ipa config - which I think is all of the relevant material, but I'll gladly share more if it's needed. Thanks so much in advance for any debugging advice, hints, or help! Cheers, Andrew =========== Version info =========== Server: # ipa --version VERSION: 4.1.0, API_VERSION: 2.112 # cat /etc/redhat-release CentOS Linux release 7.1.1503 (Core) Client: # cat /etc/lsb-release DISTRIB_ID=Ubuntu DISTRIB_RELEASE=14.04 DISTRIB_CODENAME=trusty DISTRIB_DESCRIPTION="Ubuntu 14.04.2 LTS" #sssd --version 1.11.5 =========== hostname, nisdomainname, config files, etc. =========== On the client: # hostname <a href="http://jenkins.us-ca1.prod.mydomain.com">jenkins.us-ca1.prod.mydomain.com</a> # nisdomainname <a href="http://mydomain.com">mydomain.com</a> # getent netgroup rdn | grep $HOSTNAME rdn (<a href="http://jenkins.us-ca1.prod.mydomain.com">jenkins.us-ca1.prod.mydomain.com</a>,-,<a href="http://mydomain.com">mydomain.com</a>) # cat /etc/sssd/sssd.conf [domain/<a href="http://mydomain.com">mydomain.com</a>] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = <a href="http://mydomain.com">mydomain.com</a> id_provider = ipa auth_provider = ipa access_provider = ipa ldap_tls_cacert = /etc/ipa/ca.crt ipa_hostname = <a href="http://jenkins.us-ca1.prod.mydomain.com">jenkins.us-ca1.prod.mydomain.com</a> chpass_provider = ipa ipa_server = _srv_, <a href="http://security-core-1.prod.mydomain.com">security-core-1.prod.mydomain.com</a> dns_discovery_domain = <a href="http://mydomain.com">mydomain.com</a> sudo_provider=ipa [sssd] services = nss, pam, ssh, sudo config_file_version = 2 domains = <a href="http://mydomain.com">mydomain.com</a> [nss] [pam] [sudo] debug_level = 9 [autofs] [ssh] [pac] # cat /etc/nsswitch.conf # /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: compat sss group: compat sss shadow: compat hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis sss sudoers: files sss =================== Host & group & user info in IPA =================== # ipa host-show <a href="http://jenkins.us-ca1.prod.mydomain.com">jenkins.us-ca1.prod.mydomain.com</a> Host name: <a href="http://jenkins.us-ca1.prod.mydomain.com">jenkins.us-ca1.prod.mydomain.com</a> Certificate: ... Principal name: host/<a href="mailto:jenkins.us-ca1.prod.mydomain.com@MYDOMAIN.COM">jenkins.us-ca1.prod.mydomain.com@MYDOMAIN.COM</a> Password: False Member of host-groups: rdn Member of Sudo rule: priv_sudo_anywhere, dru_security Keytab: True Managed by: <a href="http://jenkins.us-ca1.prod.mydomain.com">jenkins.us-ca1.prod.mydomain.com</a> Subject: CN=<a href="http://jenkins.us-ca1.prod.mydomain.com">jenkins.us-ca1.prod.mydomain.com</a>,O=<a href="http://MYDOMAIN.COM">MYDOMAIN.COM</a> Serial Number: 14 Serial Number (hex): 0xE Issuer: CN=Certificate Authority,O=<a href="http://MYDOMAIN.COM">MYDOMAIN.COM</a> Not Before: Fri Apr 10 17:43:10 2015 UTC Not After: Mon Apr 10 17:43:10 2017 UTC Fingerprint (MD5): ... Fingerprint (SHA1): ... SSH public key fingerprint: ... # ipa sudorule-show priv_sudo_anywhere Rule name: priv_sudo_anywhere Description: Allow anyone with priv_sudo_anywhere to actually run sudo anywhere Enabled: TRUE Command category: all RunAs User category: all RunAs Group category: all User Groups: priv_sudo_anywhere Hosts: <a href="http://jenkins.us-ca1.prod.mydomain.com">jenkins.us-ca1.prod.mydomain.com</a> Host Groups: security, dev-infrastructure, rdn, dev, prod # ipa group-show priv_sudo_anywhere Group name: priv_sudo_anywhere Description: Give the privilege to SSH anywhere. GID: 19000007 Member users: dru, ... Member groups: role_prod_engineer Member of Sudo rule: priv_sudo_anywhere, ... Member of HBAC rule: sudo_anywhere_anywhere Indirect Member users: .... =================== Relevant (I think) log entries =================== # tail -f /var/log/sssd/sssd_sudo.log ... (Fri Apr 17 17:20:16 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 0x15b6520 (Fri Apr 17 17:20:16 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching. (Fri Apr 17 17:20:16 2015) [sssd[sudo]] [sbus_message_handler] (0x4000): Received SBUS method [ping] .... (From a different attempt to run sudo) # tail -f /var/log/auth.log ... Apr 17 17:20:55 jenkins sshd[3335]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<a href="http://security-core-1.prod.mydomain.com">security-core-1.prod.mydomain.com</a> user=dru Apr 17 17:20:55 jenkins sshd[3335]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=<a href="http://security-core-1.prod.mydomain.com">security-core-1.prod.mydomain.com</a> user=dru Apr 17 17:20:56 jenkins sshd[3335]: Accepted password for dru from 10.100.0.1 port 39910 ssh2 Apr 17 17:20:56 jenkins sshd[3335]: pam_unix(sshd:session): session opened for user dru by (uid=0) Apr 17 17:20:56 jenkins sshd[3335]: pam_systemd(sshd:session): Failed to create session: No such file or directory Apr 17 17:21:10 jenkins sudo: pam_unix(sudo:auth): authentication failure; logname=dru uid=19000001 euid=0 tty=/dev/pts/3 ruser=dru rhost= user=dru Apr 17 17:21:11 jenkins sudo: pam_sss(sudo:auth): authentication success; logname=dru uid=19000001 euid=0 tty=/dev/pts/3 ruser=dru rhost= user=dru Apr 17 17:21:11 jenkins sudo: dru : command not allowed ; TTY=pts/3 ; PWD=/ ; USER=root ; COMMAND=list</div></div>