Hi Folks:
I am trying to configure sudo clients using FreeIPA 2.1.3 on CentOS 6.2 but I am running into a problem that I do not know how to debug. I used the instructions provided here: http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html. The server installation went fine and I even did a sudo client installation on the server, which worked well. Unfortunately, when I did the same client setup on another host in the network I got the message "<user> not in sudoers file" when I tried to execute a command.

Here is the output from /var/log/secure on the client. I didn't see anything strange on the server. The user name is bigbob.

Jun 6 10:38:35 docs unix_chkpwd[8737]: password check failed for user (bigbob)
Jun 6 10:38:35 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun 6 10:38:36 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun 6 10:38:36 docs sudo: bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/ls
Jun 6 10:44:09 docs unix_chkpwd[8767]: password check failed for user (bigbob)
Jun 6 10:44:09 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun 6 10:44:10 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun 6 10:44:10 docs sudo: bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/pwd

The command "/bin/pwd" is in the sudo commands and in the sudo command group. Any help would be greatly appreciated.

Here are the setup steps that I performed on the client. The domain is foo.example.com.
# CITATION: http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html

# ================================================================
# Update /etc/nsswitch.conf
# ================================================================
# Append (>>) rather than overwrite (>): a single > would replace the
# existing passwd/group/hosts entries with just these lines.
cat >>/etc/nsswitch.conf <<EOF
# ================================================================
# FreeIPA sudo support
# ================================================================
sudoers: files ldap
sudoers_debug: 1
EOF

# ================================================================
# Insert this just after the ipa_server line and restart sssd:
#   ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com
# ================================================================
tmp=$(mktemp)
awk '{ print $0
       if ($1 == "ipa_server")
           print "ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com"
     }' /etc/sssd/sssd.conf >"$tmp"
cp "$tmp" /etc/sssd/sssd.conf   # cp onto the existing file keeps its root-owned 0600 mode
rm -f "$tmp"
service sssd restart

# ================================================================
# Create the /etc/nslcd.conf file
# ================================================================
ls /etc/nslcd.conf
cat >/etc/nslcd.conf <<EOF
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=example,dc=com
bindpw pwd/sudo
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
uri ldap://cuthbert.foo.example.com
sudoers_base ou=SUDOers,dc=foo,dc=example,dc=com
EOF
# bindpw is a credential: this file should stay root-owned with mode 0600.

# ================================================================
# Set the NIS domain name (even though NIS is not used)
# ================================================================
nisdomainname foo.example.com

Thank you,
Joe
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
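The procedure above wires sudo to FreeIPA's LDAP sudoers tree and to the netgroups served under cn=ng,cn=compat, yet sudo reports only "user NOT in sudoers", not which of its three checks failed. The following Python is an added example, not code from the post, from FreeIPA or from sudo: a simplified model of the sudoers.ldap(5) matching (sudoUser, sudoHost, sudoCommand, with netgroups as host/user/domain triples) that reports why each rule did or did not apply. The roles, netgroups and host names are constructed, reusing the post's bigbob / docs / foo.example.com; the model's assumption that a triple's non-empty domain field must equal the client's NIS domain name is what makes the nisdomainname step matter here, and it only handles exact command paths, not sudo's wildcard patterns.

```python
"""Simplified model of the sudoers.ldap(5) matching behind "user NOT in sudoers".

Added example, not code from the post, FreeIPA or sudo.  A sudoRole applies only
if sudoUser matches the user, sudoHost matches this host and sudoCommand covers
the command.  Netgroups are (host, user, domain) triples as served under
cn=ng,cn=compat; assumption: a non-empty domain field must equal the client's
NIS domain name (what the nisdomainname step supplies).  All data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class SudoRole:
    cn: str
    sudoUser: List[str]      # user, %group, +netgroup, ALL
    sudoHost: List[str]      # host name, +netgroup, ALL
    sudoCommand: List[str]   # path, !path, ALL

def _field_ok(pattern: str, value: Optional[str]) -> bool:
    """One triple field: "" is a wildcard, "-" never matches, None = unconstrained."""
    if value is None or pattern == "":
        return True
    return pattern != "-" and pattern.lower() == value.lower()

def in_netgroup(name, host, user, nis_domain, netgroups, _seen=None) -> bool:
    """innetgr(3)-style test; members are triples or nested netgroup names."""
    _seen = set() if _seen is None else _seen
    if name in _seen:
        return False
    _seen.add(name)
    for m in netgroups.get(name, []):
        if isinstance(m, str):
            if in_netgroup(m, host, user, nis_domain, netgroups, _seen):
                return True
        elif _field_ok(m[0], host) and _field_ok(m[1], user) and _field_ok(m[2], nis_domain):
            return True
    return False

def user_matches(spec, user, groups, nis_domain, netgroups) -> bool:
    if spec == "ALL":
        return True
    if spec.startswith("%"):
        return spec[1:] in groups
    if spec.startswith("+"):
        return in_netgroup(spec[1:], None, user, nis_domain, netgroups)
    return spec == user

def host_matches(spec, hostnames, nis_domain, netgroups) -> bool:
    """sudo tries the FQDN and the short name; pass whatever this client reports."""
    if spec == "ALL":
        return True
    if spec.startswith("+"):
        return any(in_netgroup(spec[1:], h, None, nis_domain, netgroups) for h in hostnames)
    return any(spec.lower() == h.lower() for h in hostnames)

def command_allowed(specs, command) -> bool:
    """Last matching sudoCommand wins and '!' negates; exact paths and ALL only."""
    verdict = False
    for spec in specs:
        if spec.lstrip("!") in ("ALL", command):
            verdict = not spec.startswith("!")
    return verdict

def decide(roles, user, groups, hostnames, command, nis_domain, netgroups):
    """Return (allowed, reasons); the reasons are what sudo's one log line leaves out."""
    reasons = []
    for r in roles:
        if not any(user_matches(s, user, groups, nis_domain, netgroups) for s in r.sudoUser):
            reasons.append(f"{r.cn}: sudoUser {r.sudoUser} does not match {user}")
        elif not any(host_matches(s, hostnames, nis_domain, netgroups) for s in r.sudoHost):
            reasons.append(f"{r.cn}: sudoHost {r.sudoHost} does not match {list(hostnames)}")
        elif command_allowed(r.sudoCommand, command):
            return True, reasons + [f"{r.cn}: allows {command}"]
        else:
            reasons.append(f"{r.cn}: sudoCommand {r.sudoCommand} does not cover {command}")
    return False, reasons

# Constructed data reusing the post's names (user bigbob, host docs, domain foo.example.com).
NETGROUPS = {
    "admins": [("-", "bigbob", "foo.example.com")],
    "docs_hosts": [("docs.foo.example.com", "-", "foo.example.com")],
}
ROLES = [
    SudoRole("docs_admin", ["+admins"], ["+docs_hosts"], ["/bin/pwd", "/bin/ls"]),
    SudoRole("wheel_all", ["%wheel"], ["ALL"], ["ALL", "!/bin/su"]),
]

def scenarios() -> Dict[str, bool]:
    """Client-side conditions that all surface as the same bare 'user NOT in sudoers'."""
    both = ("docs.foo.example.com", "docs")
    def run(user, groups, hosts, cmd, dom):
        return decide(ROLES, user, groups, hosts, cmd, dom, NETGROUPS)[0]
    return {
        "ok": run("bigbob", ["bigbob"], both, "/bin/pwd", "foo.example.com"),
        "nisdomain_unset": run("bigbob", ["bigbob"], both, "/bin/pwd", ""),
        "short_hostname_only": run("bigbob", ["bigbob"], ("docs",), "/bin/pwd", "foo.example.com"),
        "command_not_listed": run("bigbob", ["bigbob"], both, "/bin/cat", "foo.example.com"),
        "wheel_su_negated": run("alice", ["alice", "wheel"], both, "/bin/su", "foo.example.com"),
    }

if __name__ == "__main__":
    for case, ok in scenarios().items():
        print(f"{case:20s} {'ALLOW' if ok else 'DENY'}")
    print("\n".join(decide(ROLES, "bigbob", ["bigbob"], ("docs",), "/bin/pwd", "", NETGROUPS)[1]))
```

On a real client the inputs to these three checks come from `hostname` (does sudo see the FQDN the sudoHost or host netgroup names?), `nisdomainname`, `getent netgroup <name>` (does the compat netgroup resolve at all on this host?) and an ldapsearch with the nslcd bind DN against sudoers_base; whichever of them disagrees with the directory is the check that turned into "user NOT in sudoers".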