On 06/06/2012 01:59 PM, Joe Linoff wrote:
> Hi Folks:
>
> I am trying to configure sudo clients using FreeIPA 2.1.3 on CentOS
> 6.2 but I am running into a problem that I do not know how to
> debug. I used the instructions provided here:
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html.
>
> The server installation went fine and I even did a sudo client
> installation on the server which worked well. Unfortunately, when I
> did the same client setup on another host in the network I got the
> message "<user> not in sudoers files" when I tried to execute a command.
>
> Here is the output from /var/log/secure on the client. I didn't see
> anything strange on the server. The user name is bigbob.
>
> Jun 6 10:38:35 docs unix_chkpwd[8737]: password check failed for user (bigbob)
> Jun 6 10:38:35 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
> Jun 6 10:38:36 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
> Jun 6 10:38:36 docs sudo: bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/ls
> Jun 6 10:44:09 docs unix_chkpwd[8767]: password check failed for user (bigbob)
> Jun 6 10:44:09 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
> Jun 6 10:44:10 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
> Jun 6 10:44:10 docs sudo: bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/pwd
>
Looks like the sudo utility is not going over LDAP and tries to find the user in the local file. Can you bind to the LDAP server? Is the firewall port open?

> The command "/bin/pwd" is in the sudo commands and in the sudo command
> group.
>
> Any help would be greatly appreciated.
>
> Here are the setup steps that I performed on the client. The domain is
> foo.example.com.
>
> # CITATION: http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html
>
> # ================================================================
> # Update /etc/nsswitch.conf
> # ================================================================
> cat > /etc/nsswitch.conf <<EOF
>
> # ================================================================
> # FreeIPA sudo support
> # ================================================================
> sudoers: files ldap
> sudoers_debug: 1
> EOF
>
> # ================================================================
> # Insert this just after the ipa_server line and restart sssd:
> # ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com
> # ================================================================
> cat /etc/sssd/sssd.conf | \
> awk '{print $0;if($1=="ipa_server"){printf("ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com\n");}}' > /tmp/x
> cp /tmp/x /etc/sssd/sssd.conf
> rm -f /tmp/x
> service sssd restart
>
> # ================================================================
> # Create the /etc/nslcd.conf file
> # ================================================================
> ls /etc/nslcd.conf
> cat > /etc/nslcd.conf <<EOF
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=example,dc=com
> bindpw pwd/sudo
>
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
>
> bind_timelimit 5
> timelimit 15
>
> uri ldap://cuthbert.foo.example.com
> sudoers_base ou=SUDOers,dc=foo,dc=example,dc=com
> EOF
>
> # ================================================================
> # Set the NIS domain name (even though NIS is not used)
> # ================================================================
> nisdomainname foo.example.com
>
> Thank you,
>
> Joe
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
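The reply asks two things: can the client bind to the LDAP server, and is the port open. The quoted /var/log/secure lines also carry a clue of their own: pam_sss accepts bigbob's password right before sudo reports "user NOT in sudoers", so authentication against IPA works on this client and it is the sudoers lookup that comes up empty. The script below is an added example, not part of the thread and not FreeIPA's or sudo's own tooling. It classifies the quoted log lines, checks that the client's nsswitch.conf and nslcd.conf carry the entries the posted setup relies on, and runs the bind test with the client's own settings. The function names and the sample-log writer are mine, and the live check assumes nc and ldapsearch are installed on the client.

```shell
#!/bin/sh
# Added diagnostic helpers for the symptoms quoted above (not from the thread
# or from FreeIPA). Every path is a parameter so the checks can run on copies.
# Assumes grep, awk and mktemp; the live check also assumes nc and ldapsearch.

# conf_value FILE KEY: value of KEY in an nslcd.conf-style "key value" file.
conf_value() {
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# classify_sudo_log FILE: which layer failed, judged from sudo's own log lines.
#   lookup-failed   a PAM module accepted the password (pam_sss) yet sudo found
#                   no rule: IPA authentication works, the sudoers lookup does not
#   auth-failed     no PAM module accepted the password
#   ok              at least one command was granted
#   no-sudo-events  nothing to classify
# The pam_unix failure before each pam_sss success is expected for an IPA
# user with no entry in /etc/shadow and is not the problem.
classify_sudo_log() {
    if grep -q 'sudo: .* : user NOT in sudoers' "$1"; then
        if grep -q 'pam_sss(sudo:auth): authentication success' "$1"; then
            echo lookup-failed
        else
            echo auth-failed
        fi
    elif grep -Eq 'sudo: [^ ]+ : TTY=' "$1"; then
        echo ok
    else
        echo no-sudo-events
    fi
}

# check_nsswitch FILE: the sudoers database must list ldap, and passwd/group
# must still be defined (a file holding only the two sudoers lines leaves the
# client unable to resolve users at all).
check_nsswitch() {
    grep -Eq '^sudoers:([^#]*[[:space:]])?ldap([[:space:]]|$)' "$1" \
        || { echo "nsswitch: sudoers line does not list ldap"; return 1; }
    for db in passwd group; do
        grep -Eq "^$db:" "$1" || { echo "nsswitch: no $db entry"; return 1; }
    done
}

# check_nslcd_conf FILE: the keys the quoted setup relies on must be present.
check_nslcd_conf() {
    missing=""
    for key in uri binddn bindpw sudoers_base tls_cacertfile; do
        [ -n "$(conf_value "$1" "$key")" ] || missing="$missing $key"
    done
    [ -z "$missing" ] || { echo "nslcd.conf: missing$missing"; return 1; }
}

# ldap_bind_check FILE: the reply's two questions, asked with the client's own
# settings: is the LDAP port reachable, and can the sudo service account bind
# (with STARTTLS when "ssl start_tls" is set) and read sudoRole entries?
# The bind password goes through a 0600 temp file, not the command line.
ldap_bind_check() {
    uri=$(conf_value "$1" uri)
    host=${uri#*://}; host=${host%%/*}; host=${host%%:*}
    port=389; tls=""
    case "$uri" in ldaps://*) port=636 ;; esac
    case "$(conf_value "$1" ssl)" in start_tls) tls="-ZZ" ;; esac
    nc -z -w 5 "$host" "$port" \
        || { echo "$host:$port unreachable: check the firewall"; return 1; }
    pwfile=$(mktemp) || return 1
    chmod 600 "$pwfile"
    printf '%s' "$(conf_value "$1" bindpw)" > "$pwfile"
    ldapsearch -x $tls -H "$uri" -D "$(conf_value "$1" binddn)" -y "$pwfile" \
        -b "$(conf_value "$1" sudoers_base)" '(objectClass=sudoRole)' cn
    rc=$?
    rm -f "$pwfile"
    [ "$rc" -eq 0 ] || echo "bind or sudoRole search failed (ldapsearch exit $rc)"
    return "$rc"
}

# write_sample_log FILE: the first four /var/log/secure lines from the quoted
# post, so the classifier can be exercised offline.
write_sample_log() {
    cat > "$1" <<'EOF'
Jun 6 10:38:35 docs unix_chkpwd[8737]: password check failed for user (bigbob)
Jun 6 10:38:35 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun 6 10:38:36 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun 6 10:38:36 docs sudo: bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/ls
EOF
}

# On a client: sh check_sudo_ldap.sh run [SECURE_LOG] [NSSWITCH] [NSLCD_CONF]
case "${1:-}" in
run)
    echo "log verdict: $(classify_sudo_log "${2:-/var/log/secure}")"
    check_nsswitch "${3:-/etc/nsswitch.conf}" && echo "nsswitch: ok"
    check_nslcd_conf "${4:-/etc/nslcd.conf}" && echo "nslcd.conf: ok"
    ldap_bind_check "${4:-/etc/nslcd.conf}" && echo "ldap: bind and sudoRole search ok"
    ;;
esac
```

Run against the quoted log the verdict is lookup-failed, which narrows the search to the pieces between sudo and the directory (the nsswitch sudoers entry, the LDAP settings sudo reads, and the bind itself) rather than to passwords or SSSD.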