David Sastre wrote:
Hello,

I'm experiencing an issue with sudo-ldap:
I have some commands defined in a rule and have granted my user permission
to execute them via sudo, following the docs:

    # ipa sudorule-show networking-commands
    Rule name: networking-commands
    Enabled: TRUE
    Users: dsastrem
    Host Groups: des
    Sudo Allow Command Groups: networking

    # ipa sudocmdgroup-show networking
    Sudo Command Group: networking
    Description: commands for network configuration and troubleshooting
    Member Sudo commands: /sbin/route, /sbin/ifconfig, /sbin/iptables,
    /sbin/mii-tool, /sbin/ethtool, /sbin/ip

    /etc/nsswitch.conf
    ==================
    passwd: files sss
    shadow: files sss
    group: files sss
    hosts: files dns
    bootparams: nisplus [NOTFOUND=return] files
    ethers: files
    netmasks: files
    networks: files
    protocols: files
    rpc: files
    services: files sss
    netgroup: files sss
    publickey: nisplus
    automount: files
    aliases: files nisplus
    sudoers: files ldap sss

    /etc/sudo-ldap.conf
    ===================
    uri ldap://panoramix.some.domain.com
    sudoers_base ou=SUDOers,dc=some,dc=domain,dc=com
    bind_timelimit 5
    timelimit 15
    binddn uid=sudo,cn=sysaccounts,cn=etc,dc=some,dc=domain,dc=com
    bindpw secret
    ssl start_tls
    tls_cacertfile /etc/ipa/ca.crt
    tls_checkpeer yes

    /etc/rc.local
    =============
    touch /var/lock/subsys/local
    nisdomainname some.domain.com

All three config files are the same on several hosts, but sudo is failing
on one host in this way:
The pam_tally2 count gets increased with the failed attempts, but the
password is (obviously) the same (my Kerberos password).

    dsastrem@obelix ~
    $ sudo ip addr show
    LDAP Config Summary
    ===================
    uri ldap://panoramix.some.domain.com
    ldap_version 3
    sudoers_base ou=SUDOers,dc=some,dc=domain,dc=com
    binddn uid=sudo,cn=sysaccounts,cn=etc,dc=some,dc=domain,dc=com
    bindpw secret
    bind_timelimit 5000
    timelimit 15
    ssl start_tls
    tls_checkpeer (yes)
    tls_cacertfile /etc/ipa/ca.crt
    ===================
    sudo: ldap_set_option: debug -> 0
    sudo: ldap_set_option: tls_checkpeer -> 1
    sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
    sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
    sudo: ldap_initialize(ld, ldap://panoramix.some.domain.com)
    sudo: ldap_set_option: ldap_version -> 3
    sudo: ldap_set_option: timelimit -> 15
    sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
    sudo: ldap_start_tls_s() ok
    sudo: ldap_sasl_bind_s() ok
    sudo: no default options found in ou=SUDOers,dc=some,dc=domain,dc=com
    sudo: ldap search
    '(|(sudoUser=dsastrem)(sudoUser=%dsastrem)(sudoUser=%admins)(sudoUser=ALL))'
    sudo: found:cn=networking-commands,ou=sudoers,dc=some,dc=domain,dc=com
    sudo: ldap sudoHost '+des' ... MATCH!
    sudo: ldap sudoCommand '/sbin/route' ... not
    sudo: ldap sudoCommand '/sbin/ifconfig' ... not
    sudo: ldap sudoCommand '/sbin/iptables' ... not
    sudo: ldap sudoCommand '/sbin/mii-tool' ... not
    sudo: ldap sudoCommand '/sbin/ethtool' ... not
    sudo: ldap sudoCommand '/sbin/ip' ... MATCH!
    sudo: Command allowed
    sudo: user_matches=1
    sudo: host_matches=1
    sudo: sudo_ldap_lookup(0)=0x02
    [sudo] password for dsastrem:
    Sorry, try again.
    [sudo] password for dsastrem:
    sudo: 1 incorrect password attempt

    # pam_tally2 -u dsastrem
    Login Failures Latest failure From
    dsastrem 2 09/26/12 17:22:54 /dev/pts/1

Any idea of what could be wrong? Thanks in advance.

Does sssd work on this machine otherwise? getent passwd <foo>, you can log into the console as the user, or perhaps kinit to the user?

rob
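An added triage helper, not code from either poster: it reads a sudo LDAP debug trace like the one in David's message and reports which stage failed, separating the LDAP authorization half (rule, host and command matching, which succeeded above) from the PAM authentication half (the password check that sudo hands to the local stack, which is where the trace above fails and where Rob's sssd checks apply). The sample traces are constructed from the thread's output; the match strings are the literal lines sudo prints in that trace.

```shell
# Added triage helper (not from the thread); patterns are sudo's own debug lines.

# Return 0 if the trace ($1) contains the fixed string $2.
log_has() {
    printf '%s\n' "$1" | grep -F -q -- "$2"
}

# Classify a captured sudo LDAP debug trace into one failure stage.
classify_sudo_ldap_log() {
    log="$1"
    if ! log_has "$log" 'ldap_sasl_bind_s() ok'; then
        echo "ldap-bind-failed"      # never reached the sudoers search
    elif ! log_has "$log" 'Command allowed'; then
        echo "no-matching-rule"      # LDAP authorization denied the command
    elif log_has "$log" 'incorrect password attempt'; then
        echo "authz-ok-auth-failed"  # rule matched; PAM rejected the password
    else
        echo "ok"
    fi
}

# Map the stage to the check a defender would run next.
next_check() {
    case "$1" in
        ldap-bind-failed)     echo "verify binddn/bindpw and TLS CA in /etc/sudo-ldap.conf" ;;
        no-matching-rule)     echo "compare sudoUser/sudoHost/sudoCommand with ipa sudorule-show" ;;
        authz-ok-auth-failed) echo "test the identity stack: getent passwd USER, kinit USER, console login" ;;
        *)                    echo "nothing to fix" ;;
    esac
}

# Constructed sample: the thread's trace, trimmed to the decisive lines.
SAMPLE_AUTH_FAIL=$(cat <<'EOF'
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: ldap sudoHost '+des' ... MATCH!
sudo: ldap sudoCommand '/sbin/ip' ... MATCH!
sudo: Command allowed
sudo: 1 incorrect password attempt
EOF
)

# Constructed sample: bind works but no rule grants the command.
SAMPLE_NO_RULE=$(cat <<'EOF'
sudo: ldap_sasl_bind_s() ok
sudo: ldap sudoHost '+des' ... MATCH!
sudo: ldap sudoCommand '/sbin/route' ... not
EOF
)
```

Run it against a real capture with `classify_sudo_ldap_log "$(cat trace.txt)"`; for the trace in this thread it reports authz-ok-auth-failed, which points at the sssd/PAM side rather than at the sudo rules.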

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
