[Freeipa-users] Re: Issues with sudo permissions

Mon, 05 Feb 2024 05:37:36 -0800 




Sent with Proton Mail secure email.

On Friday, February 2nd, 2024 at 10:36, slek kus via FreeIPA-users 
<[email protected]> wrote:

> Hi Jochen, nsswitch.conf checks local files and sss. Below is the contents of 
> etc/pam.d/sudo:
> 
> ----
> #%PAM-1.0
> 
> # Set up user limits from /etc/security/limits.conf.
> session required pam_limits.so
> 
> @include common-auth
> @include common-account
> @include common-session-noninteractive
> ----
> 
> sudo -l:
> 
> ----
> ansible@debclient1:~$ sudo -l
> [sudo] password for ansible:
> Sorry, user ansible may not run sudo on debclient1.
> ----
> 
> sssd_[domain].log:
> https://privatebin.net/?e841ce0e62791e1b#CU9EhpDrajzQXEihhp2jmjbD92RtG8YZ6Sw4FxaZw1Zx
> 
> sssd_sudo.log:
> https://privatebin.net/?40e60858ff984c15#HcQQK2u8wCTYzA6tcttnaiQMsoQ1mVbjCnAovkvDpY6V
> 
> 
> I have created a new testuser, placed this one in the same hbac rules group. 
> also no sudo access.
> Added this new test user to the local sudo group, and access has been 
> granted. It shouldn't be nessecary to add IPA users to local groups, or am I 
> wrong here.
> 
> kind regards.
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: 
> https://pagure.io/fedora-infrastructure/new_issue


Hi Jochen, thanks for taking the time to help.
While done the sudo debug and not finding anything, I tried and enabled the 
default "allow_all" rule and it worked.
Then disabled allow_all again and it continued working as there's a dedicated 
policy. No idea why it functions now.
Issue has been solved and today it still is OK.

kind regards.
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue






















					Reply via email to