Sean Hogan via FreeIPA-users wrote:
Morning,
Having an issue with 6 test servers not allowing sudo even though they
are in the same hostgroup as other boxes that do allow sudo.
sss_sudo.log
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sort_sudo_rules] (0x0400):
Sorting rules with higher-wins logic
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400):
Returning 1 rules for [myid@mydomain.local(a)mydomain.local]
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_build_response]
(0x2000): error: [0]
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_build_response]
(0x2000): rules_num: [0]
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_build_response]
(0x2000): rule [1]/[1]
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): cn:whc_inf
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): objectClass:sudoRule
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoCommand:/sbin/*
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoCommand:/bin/*
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoCommand:/usr/sbin/*
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoCommand:/usr/bin/*
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+whc_all   <-- THIS IS THE HBAC/SUDO RULE name allowing
sudo and the rest of the commands listed here
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+whc_and
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+whc_cept
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+whc_inf
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+whc_id
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoHost:+whc_jump
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoOption:!authenticate
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoRunAsUser:root
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [sudosrv_response_append_attr]
(0x2000): sudoUser:#325400379
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!
(Tue Feb 20 15:31:59 2018) [sssd[sudo]] [client_close_fn] (0x2000):
Terminated client [0x7f08580a8f00][18]
(Tue Feb 20 15:32:17 2018) [sssd[sudo]] [get_client_cred] (0x4000):
Client creds: euid[0] egid[1006] pid[1786].
(Tue Feb 20 15:32:17 2018) [sssd[sudo]] [get_client_cred] (0x0080): The
following failure is expected to happen in case SELinux is disabled:
SELINUX_getpeercon failed [92][Protocol not available].
Please, consider enabling SELinux in your system.
(Tue Feb 20 15:32:17 2018) [sssd[sudo]] [setup_client_idle_timer]
(0x4000): Idle timer re-set for client [0x7f08580b42d0][18]
Keeps prompting even though the password is right:
[myid@server1 ~]$ sudo -i
[sudo] password for myid:
Sorry, try again.
[sudo] password for myid:
Sorry, try again.
[sudo] password for myid:
Running sudo -l, my password is taken but it shows none of the rules
sss_sudo.log returned:
[myid@server1~]$ sudo -l
[sudo] password for myid:
Matching Defaults entries for myid on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC
KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG
LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER
LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, logfile=/var/log/sudo.log
User myid may run the following commands on this host:
(root) !/usr/local/bin/sudo, !/usr/bin/sudo, !/bin/sudo
As you can see, even though the sss_sudo log returns the correct sudo
rule to the server, I am not seeing the rules with sudo -l.
Client having sudo issues
ipa-client-4.5.0-22.el7_4.x86_64
sssd-client-1.15.2-50.el7_4.2.x86_64
IPA Server
ipa-server-4.5.0-21.el7_4.2.2.x86_64
sssd-client-1.15.2-50.el7_4.6.x86_64
Caveat: the real hostname looks like this:
hgts-aci-2-27123795-7629-4bfd-949e-5ee8e9f882664. It does enroll into
IPA, but I am not sure whether this non-standard form works with everything.
When sudo doesn't work for hostgroups, it almost always means that
netgroups are not being resolved properly, which almost always points to
the nisdomain not being set.
rob
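Added diagnostic for the symptom in this thread (this is example code written for this page, not code from the thread, from FreeIPA or from SSSD): sss_sudo.log hands sudo a rule whose sudoHost entries are netgroups (+whc_inf), yet sudo -l shows nothing, and the reply above points at netgroup resolution and the NIS domain name. The script models the triple match sudo performs for "sudoHost: +<netgroup>" and checks whether the NIS domain name is set. Assumptions, labelled as such in the code: a triple whose domain field is populated matches only when the host's NIS domain name equals it, and an unset domain is reported as the literal "(none)". The netgroup listing, hostnames and domain are constructed sample data.

```shell
#!/bin/sh
# Example diagnostic (not from the thread, FreeIPA or SSSD). Checks the two
# things the reply above points at: is a NIS domain name set, and does a
# netgroup triple match this host. Netgroup data below is a constructed
# sample in the shape "getent netgroup <name>" prints.

# Return 0 when a NIS domain name is set. Linux reports the literal "(none)"
# when it is unset, and that string is what a caller of innetgr() would pass.
nis_domain_set() {
    case "$1" in
        ""|"(none)") return 1 ;;
        *) return 0 ;;
    esac
}

# Model of the innetgr() triple match used for "sudoHost: +<netgroup>".
# Assumption: a triple (host,user,domain) matches when host equals the FQDN
# (case-insensitive) and domain is empty, "-", or equals the local NIS domain
# name. With the domain unset the local value is "(none)", so any triple that
# carries a domain (as IPA-managed netgroups do) never matches.
#   $1  one line of "getent netgroup <name>" output
#   $2  this host's FQDN
#   $3  local NIS domain name, or "(none)" when unset
host_in_netgroup() {
    fqdn=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    nisdom=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    # Strip the leading netgroup name and the parentheses; each remaining
    # word is one "host,user,domain" triple.
    triples=$(printf '%s\n' "$1" | sed 's/^[^[:space:]]*[[:space:]]*//; s/[()]//g')
    for t in $triples; do
        h=$(printf '%s' "${t%%,*}" | tr 'A-Z' 'a-z')
        d=$(printf '%s' "${t##*,}" | tr 'A-Z' 'a-z')
        [ "$h" = "$fqdn" ] || continue
        case "$d" in
            ""|"-") return 0 ;;
        esac
        [ "$d" = "$nisdom" ] && return 0
    done
    return 1
}

# Combine both checks and print a one-line diagnosis; returns 0 only when the
# rule would apply to this host.
diagnose() {
    ng_line=$1; fqdn=$2; nisdom=$3
    ng_name=$(printf '%s' "$ng_line" | sed 's/[[:space:]].*//')
    if ! nis_domain_set "$nisdom"; then
        echo "NIS domain name is unset: triples carrying a domain cannot match" \
             "(set it with 'domainname <ipa-domain>' or NISDOMAIN= in /etc/sysconfig/network)"
    fi
    if host_in_netgroup "$ng_line" "$fqdn" "$nisdom"; then
        echo "$fqdn matches netgroup $ng_name: sudo rule applies"
        return 0
    fi
    echo "$fqdn does not match netgroup $ng_name: sudo will drop the rule"
    return 1
}

# Constructed sample: the netgroup SSSD exposes for hostgroup whc_inf.
SAMPLE_NETGROUP='whc_inf (server1.mydomain.local,-,mydomain.local) (server2.mydomain.local,-,mydomain.local)'

# On a real client feed live data instead:
#   diagnose "$(getent netgroup whc_inf)" "$(hostname -f)" "$(domainname)"
for dom in '(none)' mydomain.local; do
    diagnose "$SAMPLE_NETGROUP" server1.mydomain.local "$dom" || :
done
```

The first pass reproduces the thread's situation (domain unset, rule dropped); the second shows the same host and netgroup matching once the NIS domain name equals the domain field in the triples.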