Hello!

Should I reboot the machine after changing the sudo.conf file?
On 08/12/2015 09:26 PM, Jakub Hrozek wrote:
> On Wed, Aug 12, 2015 at 07:44:15PM +0700, Dewangga Bachrul Alam wrote:
>> Hello!
>>
>> On 08/12/2015 07:36 PM, Jakub Hrozek wrote:
>>> On Wed, Aug 12, 2015 at 07:30:52PM +0700, Dewangga Bachrul Alam wrote:
>>>> Hello!
>>>>
>>>> I'm having a problem with the sudo command: the sudo command was
>>>> successfully initiated, but the user is still asked for a password.
>>>> For example:
>>>>
>>>> ipa-client $ sudo -l
>>>> Matching Defaults entries for subhan on this host:
>>>>     requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
>>>>     DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
>>>>     PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
>>>>     LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
>>>>     LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
>>>>     LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>>>>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>>>>
>>>> User subhan may run the following commands on this host:
>>>>     (subhan) NOPASSWD: /bin/tail, /usr/bin/tail
>>>>
>>>> ipa-server $ ipa user-show subhan
>>>>   User login: subhan
>>>>   First name: [REMOVED]
>>>>   Last name: [REMOVED]
>>>>   Home directory: /home/subhan
>>>>   Login shell: /bin/bash
>>>>   Email address: [REMOVED]
>>>>   UID: 642000007
>>>>   GID: 642000007
>>>>   Job Title: Developer
>>>>   Account disabled: False
>>>>   Password: False
>>>>   Member of groups: g_gmt_developer, developer
>>>>   Member of Sudo rule: gmt_developer
>>>>   Member of HBAC rule: gmt_webserver
>>>>   Kerberos keys available: False
>>>>   SSH public key fingerprint: [REMOVED]
>>>>
>>>> ipa-server $ ipa sudocmd-find
>>>> -----------------------
>>>> 2 Sudo Commands matched
>>>> -----------------------
>>>>   Sudo Command: /bin/tail
>>>>   Sudo Command Groups: reading-files
>>>>
>>>>   Sudo Command: /usr/bin/tail
>>>>   Sudo Command Groups: reading-files
>>>>
>>>> ipa-server $ ipa sudorule-show gmt_developer
>>>>   Rule name: gmt_developer
>>>>   Enabled: TRUE
>>>>   Users: subhan
>>>>   User Groups: g_gmt_developer
>>>>   Host Groups: gmt_webserver
>>>>   Sudo Allow Command Groups: reading-files
>>>>   RunAs Users: subhan
>>>>   Sudo Option: !authenticate
>>>>
>>>>
>>>> ipa-client $ sudo tail -f /var/log/nginx/access.log
>>>> [sudo] password for subhan:
>>>> ipa-client $ sudo tail /var/log/nginx/access.log
>>>> [sudo] password for subhan:
>>>>
>>>> There's no information in sssd_sudo.log about this issue.
>>>
>>> In general sssd acts as a cache of the sudo rules; the decision to auth
>>> or not is done by sudo. So on the sssd side you can make sure the sudo
>>> option value was fetched, but you'll probably get more useful
>>> debugging from sudo itself.
>>>
>>
>> Here is the sudo message from /var/log/secure:
>>
>> Aug 12 19:41:05 rosaliaindah su: pam_unix(su-l:session): session opened
>> for user subhan by dewangga(uid=0)
>> Aug 12 19:41:14 rosaliaindah sudo: pam_unix(sudo:auth): conversation failed
>> Aug 12 19:41:14 rosaliaindah sudo: pam_unix(sudo:auth): auth could not
>> identify password for [subhan]
>> Aug 12 19:41:14 rosaliaindah sudo: pam_sss(sudo:auth): authentication
>> failure; logname=dewangga uid=642000007 euid=0 tty=/dev/pts/0
>> ruser=subhan rhost= user=subhan
>> Aug 12 19:41:14 rosaliaindah sudo: pam_sss(sudo:auth): received for user
>> subhan: 7 (Authentication failure)
>> Aug 12 19:41:14 rosaliaindah sudo: subhan : command not allowed ;
>> TTY=pts/0 ; PWD=/home/subhan ; USER=root ; COMMAND=/bin/tail -f
>> /var/log/nginx/error.log
>>
>> The sudo option (!authenticate) should be working, because I can invoke
>> the `sudo -l` command without a password. So I think sssd is not the
>> problem. CMIIW. :)
>
> Look into man sudo.conf; depending on your sudo version, the options to
> enable debugging for sudo differ.
>

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
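Added example, not part of the thread and not sudo's or sssd's own code: a POSIX shell script that does the three checks the replies above point at. It appends a Debug line in the form documented in sudo.conf(5) (Debug sudo <logfile> all@debug, available in sudo 1.8.4 and later; sudo is a setuid binary that parses sudo.conf on every invocation, so the next sudo run picks the line up and no reboot or service restart is needed). It then pulls attributes out of an ldbsearch-style dump of sssd's sudo cache, which is how you confirm on the sssd side that !authenticate was actually fetched. Finally it evaluates an invocation against that cached rule as sudo's matching treats this rule shape: the commands are granted only as the rule's RunAs user, and without -u sudo's target user is root, which is what the secure log line quoted above records (USER=root) next to a rule that sudo -l lists as (subhan). The cache dump is constructed here; the domain name, dn and cache path in it are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from sudo/sssd. Assumptions are
# marked below. POSIX sh; uses only printf, sed, grep and mktemp.

# 1. Turn on sudo's own debug log. sudo.conf(5) syntax (sudo 1.8.4+):
#      Debug <program> <logfile> <subsystem>@<priority>[,...]
#    sudo is a setuid binary, not a daemon: it parses sudo.conf on every
#    run, so the next `sudo` picks this up; no reboot or restart needed.
#    Prints the number of "Debug sudo" lines now present in the file.
enable_sudo_debug() {  # $1 path to a sudo.conf, $2 log file sudo should write
    printf 'Debug sudo %s all@debug\n' "$2" >> "$1"
    grep -c '^Debug sudo ' "$1"
}

# 2. Constructed dump of one sudo rule as cached by sssd, in the shape
#    ldbsearch prints. Attribute names and objectClass are the ones sssd
#    stores; the dn, the domain "example.test" and the cache path in the
#    command below are assumptions:
#      ldbsearch -H /var/lib/sss/db/cache_example.test.ldb -b cn=sysdb \
#          '(objectClass=sudoRule)'
SAMPLE_RULE='dn: name=gmt_developer,cn=sudorules,cn=custom,cn=example.test,cn=sysdb
objectClass: sudoRule
cn: gmt_developer
sudoUser: subhan
sudoUser: %g_gmt_developer
sudoHost: +gmt_webserver
sudoCommand: /bin/tail
sudoCommand: /usr/bin/tail
sudoRunAsUser: subhan
sudoOption: !authenticate'

# Print every value of one attribute from a dump on stdin, one per line.
attr_values() {  # $1 attribute name
    sed -n "s/^$1: //p"
}

# 3. Would this invocation match the cached rule? The rule grants the
#    listed commands only as its sudoRunAsUser; without -u, sudo's target
#    user is root. Returns 0 on a match, 1 otherwise.
invocation_matches() {  # $1 target user ("" = no -u, i.e. root), $2 command path; dump on stdin
    target="${1:-root}"
    dump=$(cat)
    runas=$(printf '%s\n' "$dump" | attr_values sudoRunAsUser)
    [ "$target" = "$runas" ] || return 1
    printf '%s\n' "$dump" | attr_values sudoCommand | grep -qx -- "$2"
}

# Demo: write the Debug line into a scratch file (never the real
# /etc/sudo.conf from a demo script), then query the sample rule.
conf=$(mktemp)
printf 'Debug sudo lines in %s: %s\n' "$conf" "$(enable_sudo_debug "$conf" /var/log/sudo_debug)"
rm -f "$conf"
printf 'cached sudoOption: %s\n' "$(printf '%s\n' "$SAMPLE_RULE" | attr_values sudoOption)"
for target in "" subhan; do
    if printf '%s\n' "$SAMPLE_RULE" | invocation_matches "$target" /bin/tail; then
        printf 'sudo %s/bin/tail: matches, NOPASSWD applies\n' "${target:+-u $target }"
    else
        printf 'sudo %s/bin/tail: no matching rule (target user %s)\n' "${target:+-u $target }" "${target:-root}"
    fi
done
```

On a real client, point enable_sudo_debug at /etc/sudo.conf and re-run the failing sudo command; the resulting log shows which rule sudo considered and why it did or did not match, which is the "more useful debugging from sudo itself" the reply refers to. Remove the Debug line afterwards, since all@debug is verbose.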