I am unable to sudo but I can login to this system. This host is a member of host group
"admin"; other hosts in the admin group are able to sudo. From
troubleshooting, the issue appears to be isolated to this host only.
IPA Server is 4.9.11 but client is 4.9.12
[root@gsil-v-lc10 log]# rpm -qa | grep ipa-client
ipa-client-4.9.12-9.module+el8.9.0+1535+eb844c6f.x86_64
ipa-client-common-4.9.12-9.module+el8.9.0+1535+eb844c6f.noarch
[root@gsil-v-lc10 log]# cat /etc/redhat-release
Rocky Linux release 8.9 (Green Obsidian)
The ipa-client installed without any issues.
kinit jtourville.sa(a)gsil.org works as expected. A klist shows the ticket
id jtourville.sa works as expected and the appropriate groups are displayed.
Logs show the following while attempting to sudo:
tail -f /var/log/audit/audit.log -f /var/log/sssd/*.log -f /var/log/messages
==> /var/log/audit/audit.log <==
node=gsil-v-lc10.idm.gsil.org type=SYSCALL msg=audit(1708441835.339:2331): arch=c000003e
syscall=59 success=yes exit=0 a0=561a46512ff0 a1=561a465111a0 a2=561a46512590 a3=8 items=2
ppid=6267 pid=6543 auid=10044 uid=10044 gid=4001 euid=0 suid=0 fsuid=0 egid=4001 sgid=4001
fsgid=4001 tty=pts1 ses=7 comm="sudo" exe="/usr/bin/sudo"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="privileged"
ARCH=x86_64 SYSCALL=execve AUID="jtourville.sa" UID="jtourville.sa"
GID="gsil_sa" EUID="root" SUID="root" FSUID="root"
EGID="gsil_sa" SGID="gsil_sa" FSGID="gsil_sa"
node=gsil-v-lc10.idm.gsil.org type=EXECVE msg=audit(1708441835.339:2331): argc=2
a0="sudo" a1="su"
node=gsil-v-lc10.idm.gsil.org type=CWD msg=audit(1708441835.339:2331):
cwd="/home/gsil.org/jtourville.sa"
node=gsil-v-lc10.idm.gsil.org type=PATH msg=audit(1708441835.339:2331): item=0
name="/usr/bin/sudo" inode=100664031 dev=fd:01 mode=0104111 ouid=0 ogid=0
rdev=00:00 obj=system_u:object_r:sudo_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0
cap_fver=0 cap_frootid=0
OUID="root" OGID="root"
node=gsil-v-lc10.idm.gsil.org type=PATH msg=audit(1708441835.339:2331): item=1
name="/lib64/ld-linux-x86-64.so.2" inode=72105 dev=fd:01 mode=0100755 ouid=0
ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0
cap_fe=0 cap_fver=0 cap_frootid=0
OUID="root" OGID="root"
node=gsil-v-lc10.idm.gsil.org type=PROCTITLE msg=audit(1708441835.339:2331):
proctitle=7375646F007375
==> /var/log/sssd/sssd_kcm.log <==
(2024-02-20 15:10:39): [kcm] [orderly_shutdown] (0x3f7c0): SIGTERM: killing children
(2024-02-20 15:10:39): [kcm] [orderly_shutdown] (0x3f7c0): Shutting down (status = 0)
==> /var/log/audit/audit.log <==
node=gsil-v-lc10.idm.gsil.org type=SERVICE_STOP msg=audit(1708441839.721:2332): pid=1
uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=sssd-kcm comm="systemd" exe="/usr/lib/systemd/systemd"
hostname=? addr=? terminal=? res=success'
UID="root" AUID="unset"
==> /var/log/messages <==
Feb 20 15:10:39 gsil-v-lc10 sssd_kcm[6533]: Shutting down (status = 0)
Feb 20 15:10:39 gsil-v-lc10 systemd[1]: sssd-kcm.service: Succeeded.
==> /var/log/audit/audit.log <==
node=gsil-v-lc10.idm.gsil.org type=SERVICE_START msg=audit(1708441848.576:2333): pid=1
uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=sssd-kcm comm="systemd" exe="/usr/lib/systemd/systemd"
hostname=? addr=? terminal=? res=success'
UID="root" AUID="unset"
==> /var/log/sssd/sssd_kcm.log <==
(2024-02-20 15:10:48): [kcm] [server_setup] (0x3f7c0): Starting with debug level = 0x0070
==> /var/log/sssd/krb5_child.log <==
(2024-02-20 15:10:48): [krb5_child[6547]] [get_and_save_tgt] (0x0020): [RID#20] 2250:
[-1765328230][Cannot find KDC for realm "gsil.org"]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2024-02-20 15:10:48): [krb5_child[6547]] [main] (0x0400): [RID#20] krb5_child
started.
* (2024-02-20 15:10:48): [krb5_child[6547]] [unpack_buffer] (0x1000): [RID#20] total
buffer size: [120]
* (2024-02-20 15:10:48): [krb5_child[6547]] [unpack_buffer] (0x0100): [RID#20] cmd
[241 (auth)] uid [10044] gid [4001] validate [true] enterprise principal [false] offline
[false] UPN [jtourville.sa(a)GSIL.ORG]
* (2024-02-20 15:10:48): [krb5_child[6547]] [unpack_buffer] (0x0100): [RID#20] ccname:
[KCM:] old_ccname: [KCM:] keytab: [/etc/krb5.keytab]
* (2024-02-20 15:10:48): [krb5_child[6547]] [switch_creds] (0x0200): [RID#20] Switch
user to [10044][4001].
* (2024-02-20 15:10:48): [krb5_child[6547]] [sss_krb5_cc_verify_ccache] (0x2000):
[RID#20] TGT not found or expired.
* (2024-02-20 15:10:48): [krb5_child[6547]] [switch_creds] (0x0200): [RID#20] Switch
user to [0][0].
* (2024-02-20 15:10:48): [krb5_child[6547]] [k5c_check_old_ccache] (0x4000): [RID#20]
Ccache_file is [KCM:] and is active and TGT is valid.
* (2024-02-20 15:10:48): [krb5_child[6547]] [k5c_setup_fast] (0x0100): [RID#20] Fast
principal is set to [host/gsil-v-lc10.idm.gsil.org(a)IDM.GSIL.ORG]
* (2024-02-20 15:10:48): [krb5_child[6547]] [find_principal_in_keytab] (0x4000):
[RID#20] Trying to find principal host/gsil-v-lc10.idm.gsil.org(a)IDM.GSIL.ORG in keytab.
* (2024-02-20 15:10:48): [krb5_child[6547]] [match_principal] (0x1000): [RID#20]
Principal matched to the sample (host/gsil-v-lc10.idm.gsil.org(a)IDM.GSIL.ORG).
* (2024-02-20 15:10:48): [krb5_child[6547]] [check_fast_ccache] (0x0200): [RID#20]
FAST TGT is still valid.
* (2024-02-20 15:10:48): [krb5_child[6547]] [become_user] (0x0200): [RID#20] Trying to
become user [10044][4001].
* (2024-02-20 15:10:48): [krb5_child[6547]] [main] (0x2000): [RID#20] Running as
[10044][4001].
* (2024-02-20 15:10:48): [krb5_child[6547]] [set_lifetime_options] (0x0100): [RID#20]
No specific renewable lifetime requested.
* (2024-02-20 15:10:48): [krb5_child[6547]] [set_lifetime_options] (0x0100): [RID#20]
No specific lifetime requested.
* (2024-02-20 15:10:48): [krb5_child[6547]] [set_canonicalize_option] (0x0100):
[RID#20] Canonicalization is set to [true]
* (2024-02-20 15:10:48): [krb5_child[6547]] [main] (0x0400): [RID#20] Will perform
auth
* (2024-02-20 15:10:48): [krb5_child[6547]] [main] (0x0400): [RID#20] Will perform
online auth
* (2024-02-20 15:10:48): [krb5_child[6547]] [tgt_req_child] (0x1000): [RID#20]
Attempting to get a TGT
* (2024-02-20 15:10:48): [krb5_child[6547]] [get_and_save_tgt] (0x0400): [RID#20]
Attempting kinit for realm [
GSIL.ORG]
* (2024-02-20 15:10:48): [krb5_child[6547]] [get_and_save_tgt] (0x0020): [RID#20]
2250: [-1765328230][Cannot find KDC for realm "GSIL.ORG"]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2024-02-20 15:10:48): [krb5_child[6547]] [map_krb5_error] (0x0020): [RID#20] 2379:
[-1765328230][Cannot find KDC for realm "GSIL.ORG"]
(2024-02-20 15:10:48): [krb5_child[6551]] [get_and_save_tgt] (0x0020): [RID#20] 2250:
[-1765328230][Cannot find KDC for realm "GSIL.ORG"]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2024-02-20 15:10:48): [krb5_child[6551]] [main] (0x0400): [RID#20] krb5_child
started.
* (2024-02-20 15:10:48): [krb5_child[6551]] [unpack_buffer] (0x1000): [RID#20] total
buffer size: [120]
* (2024-02-20 15:10:48): [krb5_child[6551]] [unpack_buffer] (0x0100): [RID#20] cmd
[241 (auth)] uid [10044] gid [4001] validate [true] enterprise principal [false] offline
[false] UPN [jtourville.sa(a)GSIL.ORG]
* (2024-02-20 15:10:48): [krb5_child[6551]] [unpack_buffer] (0x0100): [RID#20] ccname:
[KCM:] old_ccname: [KCM:] keytab: [/etc/krb5.keytab]
* (2024-02-20 15:10:48): [krb5_child[6551]] [switch_creds] (0x0200): [RID#20] Switch
user to [10044][4001].
* (2024-02-20 15:10:48): [krb5_child[6551]] [sss_krb5_cc_verify_ccache] (0x2000):
[RID#20] TGT not found or expired.
* (2024-02-20 15:10:48): [krb5_child[6551]] [switch_creds] (0x0200): [RID#20] Switch
user to [0][0].
* (2024-02-20 15:10:48): [krb5_child[6551]] [k5c_check_old_ccache] (0x4000): [RID#20]
Ccache_file is [KCM:] and is active and TGT is valid.
* (2024-02-20 15:10:48): [krb5_child[6551]] [k5c_setup_fast] (0x0100): [RID#20] Fast
principal is set to [host/gsil-v-lc10.idm.gsil.org(a)IDM.GSIL.ORG]
* (2024-02-20 15:10:48): [krb5_child[6551]] [find_principal_in_keytab] (0x4000):
[RID#20] Trying to find principal host/gsil-v-lc10.idm.gsil.org(a)IDM.GSIL.ORG in keytab.
* (2024-02-20 15:10:48): [krb5_child[6551]] [match_principal] (0x1000): [RID#20]
Principal matched to the sample (host/gsil-v-lc10.idm.gsil.org(a)IDM.GSIL.ORG).
* (2024-02-20 15:10:48): [krb5_child[6551]] [check_fast_ccache] (0x0200): [RID#20]
FAST TGT is still valid.
* (2024-02-20 15:10:48): [krb5_child[6551]] [become_user] (0x0200): [RID#20] Trying to
become user [10044][4001].
* (2024-02-20 15:10:48): [krb5_child[6551]] [main] (0x2000): [RID#20] Running as
[10044][4001].
* (2024-02-20 15:10:48): [krb5_child[6551]] [set_lifetime_options] (0x0100): [RID#20]
No specific renewable lifetime requested.
* (2024-02-20 15:10:48): [krb5_child[6551]] [set_lifetime_options] (0x0100): [RID#20]
No specific lifetime requested.
* (2024-02-20 15:10:48): [krb5_child[6551]] [set_canonicalize_option] (0x0100):
[RID#20] Canonicalization is set to [true]
* (2024-02-20 15:10:48): [krb5_child[6551]] [main] (0x0400): [RID#20] Will perform
auth
* (2024-02-20 15:10:48): [krb5_child[6551]] [main] (0x0400): [RID#20] Will perform
online auth
* (2024-02-20 15:10:48): [krb5_child[6551]] [tgt_req_child] (0x1000): [RID#20]
Attempting to get a TGT
* (2024-02-20 15:10:48): [krb5_child[6551]] [get_and_save_tgt] (0x0400): [RID#20]
Attempting kinit for realm [
GSIL.ORG]
* (2024-02-20 15:10:48): [krb5_child[6551]] [get_and_save_tgt] (0x0020): [RID#20]
2250: [-1765328230][Cannot find KDC for realm "GSIL.ORG"]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2024-02-20 15:10:48): [krb5_child[6551]] [map_krb5_error] (0x0020): [RID#20] 2379:
[-1765328230][Cannot find KDC for realm "GSIL.ORG"]
==> /var/log/messages <==
Feb 20 15:10:48 gsil-v-lc10 systemd[1]: Starting SSSD Kerberos Cache Manager...
Feb 20 15:10:48 gsil-v-lc10 systemd[1]: Started SSSD Kerberos Cache Manager.
Feb 20 15:10:48 gsil-v-lc10 sssd_kcm[6550]: Starting up
Feb 20 15:10:48 gsil-v-lc10 krb5_child[6547]: Cannot find KDC for realm
"GSIL.ORG"
Feb 20 15:10:48 gsil-v-lc10 krb5_child[6547]: Cannot find KDC for realm
"GSIL.ORG"
Feb 20 15:10:48 gsil-v-lc10 krb5_child[6551]: Cannot find KDC for realm
"GSIL.ORG"
==> /var/log/sssd/sssd_idm.gsil.org.log <==
(2024-02-20 15:10:48): [be[idm.gsil.org]] [fo_resolve_service_send] (0x0020): [RID#20] No
available servers for service 'IPA'
* ... skipping repetitive backtrace ...
(2024-02-20 15:10:48): [be[idm.gsil.org]] [child_sig_handler] (0x0020): [RID#20] waitpid
did not found a child with changed status.
* ... skipping repetitive backtrace ...
(2024-02-20 15:10:48): [be[idm.gsil.org]] [krb5_auth_cache_creds] (0x0020): [RID#20]
Offline authentication failed
==> /var/log/audit/audit.log <==
node=gsil-v-lc10.idm.gsil.org type=USER_AUTH msg=audit(1708441848.898:2334): pid=6543
uid=10044 auid=10044 ses=7 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=PAM:authentication grantors=? acct="jtourville.sa"
exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
UID="jtourville.sa" AUID="jtourville.sa"
==> /var/log/messages <==
Feb 20 15:10:48 gsil-v-lc10 krb5_child[6551]: Cannot find KDC for realm
"GSIL.ORG"
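As an added example, not part of the original post: a small Python triage script that parses combined `tail -f` output in the format shown above (file headers, SSSD debug lines, audit records) and correlates the failed sudo PAM authentication with the SSSD failure-level lines. The sample lines are constructed to mirror the post's format, and the threshold assumes SSSD's 0x0020 "operation failure" debug level.

```python
import re
# Constructed sample mirroring the post's `tail -f` output (file headers, SSSD
# debug lines, one audit USER_AUTH record); shortened, not copied verbatim.
SAMPLE_LOG = """\
==> /var/log/sssd/krb5_child.log <==
(2024-02-20 15:10:48): [krb5_child[6547]] [get_and_save_tgt] (0x0020): [RID#20] 2250: [-1765328230][Cannot find KDC for realm "GSIL.ORG"]
==> /var/log/sssd/sssd_idm.gsil.org.log <==
(2024-02-20 15:10:48): [be[idm.gsil.org]] [fo_resolve_service_send] (0x0020): [RID#20] No available servers for service 'IPA'
(2024-02-20 15:10:48): [be[idm.gsil.org]] [krb5_auth_cache_creds] (0x0020): [RID#20] Offline authentication failed
==> /var/log/audit/audit.log <==
node=gsil-v-lc10.idm.gsil.org type=USER_AUTH msg=audit(1708441848.898:2334): pid=6543 uid=10044 auid=10044 ses=7 msg='op=PAM:authentication grantors=? acct="jtourville.sa" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
"""

HEADER_RE = re.compile(r"^==> \S+ <==$")
# SSSD debug line: "(ts): [component] [function] (0xLEVEL): [RID#n] message"
SSSD_RE = re.compile(r"^\(([^)]+)\): \[(.+?)\] \[([^\]]+)\] \((0x[0-9a-fA-F]+)\): "
                     r"(?:\[RID#\d+\] )?(.*)$")
KDC_RE = re.compile(r'Cannot find KDC for realm "([^"]+)"')
AUDIT_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SSSDBG_OP_FAILURE = 0x0020  # SSSD "operation failure" level; lower values are worse

def parse_audit(line):
    """Flatten an audit record: outer fields plus the quoted msg='...' body."""
    body = re.search(r"msg='(.*)'", line)
    flat = line if body is None else line[:body.start()] + body.group(1)
    return {k: v.strip('"') for k, v in AUDIT_KV_RE.findall(flat)}

def triage(text):
    """Correlate failed PAM auths with SSSD failure-level lines in a combined log."""
    out = {"kdc_unreachable_realms": set(), "no_servers_for": set(),
           "sssd_failures": [], "failed_auths": []}
    for line in (l.strip() for l in text.splitlines()):
        if not line or HEADER_RE.match(line):
            continue
        m = SSSD_RE.match(line)
        if m:
            func, lvl, msg = m.group(3, 4, 5)
            if int(lvl, 16) <= SSSDBG_OP_FAILURE:
                out["sssd_failures"].append((func, msg))
            if k := KDC_RE.search(msg):
                out["kdc_unreachable_realms"].add(k.group(1))
            if "No available servers for service" in msg:
                out["no_servers_for"].add(msg.split("'")[1])
        elif "type=USER_AUTH" in line:
            rec = parse_audit(line)
            if rec.get("res") == "failed":  # PAM authentication rejected
                out["failed_auths"].append(
                    {k: rec.get(k) for k in ("op", "acct", "exe", "terminal")})
    return out
```

Running `triage(SAMPLE_LOG)` ties the single failed `sudo` PAM authentication to the unreachable realm and the "No available servers for service 'IPA'" failover message in one summary.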