On 06/06/2012 01:59 PM, Joe Linoff wrote:
Hi Folks:
I am trying to configure sudo clients using FreeIPA 2.1.3 on CentOS
6.2, but I am running into a problem that I do not know how to
debug. I used the instructions provided here:
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html.
The server installation went fine and I even did a sudo client
installation on the server which worked well. Unfortunately, when I
did the same client setup on another host in the network I got the
message: user not in sudoers files when I tried to execute a command.
Here is the output from /var/log/secure on the client. I didn't see
anything strange on the server. The user name is bigbob.
Jun 6 10:38:35 docs unix_chkpwd[8737]: password check failed for user (bigbob)
Jun 6 10:38:35 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun 6 10:38:36 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun 6 10:38:36 docs sudo: bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/ls
Jun 6 10:44:09 docs unix_chkpwd[8767]: password check failed for user (bigbob)
Jun 6 10:44:09 docs sudo: pam_unix(sudo:auth): authentication failure; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun 6 10:44:10 docs sudo: pam_sss(sudo:auth): authentication success; logname=bigbob uid=0 euid=0 tty=/dev/pts/2 ruser=bigbob rhost= user=bigbob
Jun 6 10:44:10 docs sudo: bigbob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bigbob ; USER=root ; COMMAND=/bin/pwd
Looks like the sudo utility is not going over LDAP and tries to find the
user in the local file.
Can you bind to the LDAP server? Is the firewall port open?
The command /bin/pwd is in the sudo commands and in the sudo command
group.
Any help would be greatly appreciated.
Here are the setup steps that I performed on the client. The domain is
foo.example.com.
# CITATION: http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html
#
# Update /etc/nsswitch.conf
#
cat >> /etc/nsswitch.conf << EOF
#
# FreeIPA sudo support
#
sudoers: files ldap
sudoers_debug: 1
EOF
#
# Insert this just after the ipa_server line and restart sssd:
# ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com
#
cat /etc/sssd/sssd.conf | \
awk '{print $0; if ($1 == "ipa_server") {printf("ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=example,dc=com\n");}}' > /tmp/x
cp /tmp/x /etc/sssd/sssd.conf
rm -f /tmp/x
service sssd restart
#
# Create the /etc/nslcd.conf file
#
ls /etc/nslcd.conf
cat > /etc/nslcd.conf << EOF
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=example,dc=com
bindpw pwd/sudo
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
uri ldap://cuthbert.foo.example.com
sudoers_base ou=SUDOers,dc=foo,dc=example,dc=com
EOF
#
# Set the NIS domain name (even though NIS is not used)
#
nisdomainname foo.example.com
Thank you,
Joe
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
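The following is an added example, not code from either poster or from the FreeIPA project. It redoes the two client-side edits from the post (the nsswitch.conf sudoers line and the ldap_netgroup_search_base insertion in sssd.conf) so that they are safe to rerun, and adds a check for the two questions raised in the reply: whether the LDAP port is reachable and whether the nslcd bind account can actually read sudoRole entries. File paths, the host name cuthbert.foo.example.com, the bind DN and the search bases are taken from the post or constructed for illustration; the use of nc and OpenLDAP's ldapsearch on the client is an assumption.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread). Paths, DNs and the
# host name are assumptions taken from the post; adjust for your realm.
set -eu

# Make nsswitch.conf carry exactly one "sudoers:" line reading "files ldap".
# The heredoc in the post appends a second line on every rerun; this
# replaces an existing line or appends one, never both.
ensure_nsswitch_sudoers() {
    f=$1
    tmp=$(mktemp)
    if grep -q '^sudoers:' "$f"; then
        awk '/^sudoers:/ { print "sudoers: files ldap"; next } { print }' "$f" > "$tmp"
    else
        cat "$f" > "$tmp"
        printf 'sudoers: files ldap\n' >> "$tmp"
    fi
    cat "$tmp" > "$f"   # write in place to keep the file's owner and mode
    rm -f "$tmp"
}

# Insert ldap_netgroup_search_base directly after the ipa_server line of
# sssd.conf, once. The post's awk test ($1 == "ipa_server") only matches
# "ipa_server = host" with spaces around "="; this regex matches either form.
insert_netgroup_base() {
    f=$1; base=$2
    if grep -q '^[[:space:]]*ldap_netgroup_search_base' "$f"; then
        return 0            # already present, nothing to do
    fi
    tmp=$(mktemp)
    awk -v base="$base" '
        { print }
        /^[[:space:]]*ipa_server[[:space:]]*=/ { print "ldap_netgroup_search_base = " base }
    ' "$f" > "$tmp"
    cat "$tmp" > "$f"
    rm -f "$tmp"
}

# Number of lines starting with KEY in FILE; lets a caller verify that a
# rerun did not duplicate anything.
count_key() {
    grep -c "^$2" "$1" || true
}

# Answer "can you bind to the LDAP server, is the port open?" directly.
# StartTLS is enforced (-ZZ) and the IPA CA is pinned, so a plaintext or
# intercepted connection fails instead of silently "working". The post's
# symptom (pam_sss auth success followed by "user NOT in sudoers") points at
# the sudoers lookup, which is exactly what this search exercises.
ldap_sudoers_bind_check() {
    host=$1 binddn=$2 bindpw=$3 base=$4
    nc -z -w 5 "$host" 389 || { echo "port 389 on $host unreachable"; return 1; }
    LDAPTLS_CACERT=/etc/ipa/ca.crt ldapsearch -x -ZZ -H "ldap://$host" \
        -D "$binddn" -w "$bindpw" -b "$base" '(objectClass=sudoRole)' cn
}

# Typical use on the client (assumed values from the post):
# ensure_nsswitch_sudoers /etc/nsswitch.conf
# insert_netgroup_base /etc/sssd/sssd.conf 'cn=ng,cn=compat,dc=foo,dc=example,dc=com'
# ldap_sudoers_bind_check cuthbert.foo.example.com \
#     'uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=example,dc=com' "$BINDPW" \
#     'ou=SUDOers,dc=foo,dc=example,dc=com'
```

If the bind check returns sudoRole entries but sudo still reports "user NOT in sudoers", the remaining suspects are the nslcd side (is nslcd running, does sudo on the client link against sudoers.ldap at all) rather than connectivity.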