Hello, I'm experiencing an issue with sudo-ldap: I have some commands defined in a rule, have granted permissions to my user to execute them via sudo following the docs:
# ipa sudorule-show networking-commands
  Rule name: networking-commands
  Enabled: TRUE
  Users: dsastrem
  Host Groups: des
  Sudo Allow Command Groups: networking

# ipa sudocmdgroup-show networking
  Sudo Command Group: networking
  Description: commands for network configuration and troubleshooting
  Member Sudo commands: /sbin/route, /sbin/ifconfig, /sbin/iptables, /sbin/mii-tool, /sbin/ethtool, /sbin/ip

/etc/nsswitch.conf
==================
passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss
publickey:  nisplus
automount:  files
aliases:    files nisplus
sudoers:    files ldap sss

/etc/sudo-ldap.conf
===================
uri ldap://panoramix.some.domain.com
sudoers_base ou=SUDOers,dc=some,dc=domain,dc=com
bind_timelimit 5
timelimit 15
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=some,dc=domain,dc=com
bindpw secret
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes

/etc/rc.local
=============
touch /var/lock/subsys/local
nisdomainname some.domain.com

All three config files are equal on several hosts, but sudo is failing on one host in this way: the pam_tally2 count gets increased with failed attempts, but the password is (obviously) the same (my Kerberos password).

dsastrem@obelix ~
$ sudo ip addr show
LDAP Config Summary
===================
uri              ldap://panoramix.some.domain.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=some,dc=domain,dc=com
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=some,dc=domain,dc=com
bindpw           secret
bind_timelimit   5000
timelimit        15
ssl              start_tls
tls_checkpeer    (yes)
tls_cacertfile   /etc/ipa/ca.crt
===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_initialize(ld, ldap://panoramix.some.domain.com)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=some,dc=domain,dc=com
sudo: ldap search '(|(sudoUser=dsastrem)(sudoUser=%dsastrem)(sudoUser=%admins)(sudoUser=ALL))'
sudo: found:cn=networking-commands,ou=sudoers,dc=some,dc=domain,dc=com
sudo: ldap sudoHost '+des' ... MATCH!
sudo: ldap sudoCommand '/sbin/route' ... not
sudo: ldap sudoCommand '/sbin/ifconfig' ... not
sudo: ldap sudoCommand '/sbin/iptables' ... not
sudo: ldap sudoCommand '/sbin/mii-tool' ... not
sudo: ldap sudoCommand '/sbin/ethtool' ... not
sudo: ldap sudoCommand '/sbin/ip' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for dsastrem:
Sorry, try again.
[sudo] password for dsastrem:
sudo: 1 incorrect password attempt

# pam_tally2 -u dsastrem
Login           Failures Latest failure     From
dsastrem            2    09/26/12 17:22:54  /dev/pts/1

Any idea of what could be wrong? Thanks in advance.
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
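A small triage helper for traces like the one in the post above, added here as an example (it is not from the original post, nor from sudo or FreeIPA): it walks sudo's LDAP debug output and attributes a failure to the first stage that did not complete, so that an authorization problem (no rule, host or command match in the directory) is not confused with an authentication problem (the PAM password check that runs after "Command allowed"). The sample lines are taken from the post; the stage names are this example's own.

```python
import re

# Constructed sample: the decisive lines from the trace quoted in the post.
SAMPLE_TRACE = """\
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=networking-commands,ou=sudoers,dc=some,dc=domain,dc=com
sudo: ldap sudoHost '+des' ... MATCH!
sudo: ldap sudoCommand '/sbin/route' ... not
sudo: ldap sudoCommand '/sbin/ip' ... MATCH!
sudo: Command allowed
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for dsastrem:
Sorry, try again.
[sudo] password for dsastrem:
sudo: 1 incorrect password attempt
"""

# Each stage is recognised by the message sudo prints when it is reached.
# A capturing group records the matched value (rule DN, host, command, count).
STAGE_PATTERNS = [
    ("tls_ok",            re.compile(r"ldap_start_tls_s\(\) ok")),
    ("bind_ok",           re.compile(r"ldap_\w*bind_s\(\) ok")),
    ("rule_found",        re.compile(r"sudo: found:(\S+)")),
    ("host_match",        re.compile(r"sudoHost '([^']+)' \.\.\. MATCH!")),
    ("command_match",     re.compile(r"sudoCommand '([^']+)' \.\.\. MATCH!")),
    ("ldap_allowed",      re.compile(r"sudo: Command allowed")),
    ("password_prompted", re.compile(r"^\[sudo\] password for (\S+):")),
    ("password_failures", re.compile(r"sudo: (\d+) incorrect password attempt")),
]

def parse_trace(trace):
    """Map each stage reached in the trace to its captured value (or True)."""
    stages = {}
    for line in trace.splitlines():
        for name, pattern in STAGE_PATTERNS:
            m = pattern.search(line)
            if m:
                stages[name] = m.group(1) if m.groups() else True
    return stages

def diagnose(stages):
    """Name the first stage that did not complete; 'ok' if all did."""
    if not stages.get("tls_ok") or not stages.get("bind_ok"):
        return "ldap-connection"      # TLS or bind to the directory failed
    if "rule_found" not in stages:
        return "ldap-no-rule"         # sudoers_base, nsswitch or rule membership
    if "command_match" not in stages or not stages.get("ldap_allowed"):
        return "ldap-command-denied"  # host or command did not match the rule
    if stages.get("password_prompted") and int(stages.get("password_failures", 0)):
        return "pam-authentication"   # authorization passed; PAM password check failed
    return "ok"
```

For the trace in the post, `diagnose(parse_trace(SAMPLE_TRACE))` returns `pam-authentication`, which points at the PAM stack on that one host rather than at the sudo-ldap or nsswitch configuration.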