Albert Adams wrote:
I have a small IPA domain setup on RHEL 6 server with a FreeIPA server,
a replica and two clients.  There are six users setup in the domain.
All users are able to login over SSH to both client systems.  I am not
using IPA to control sudo access.  Sudo privileges are granted by group
membership (group memberships are managed by IPA).  So here is where it
gets weird.

Client Systems

system1 - testuser1 can authenticate over SSH using public key, can login
at the console, and CAN sudo (all other users are able to do the same)
system2 - testuser1 can authenticate over SSH using public key and
CANNOT login at the console or sudo (two out of six users can login and
sudo)

So for example:

system1 - SSH, console and sudo access
testuser1, testuser2, testuser3, testuser4, testuser5, testuser6

system2 - SSH access only
testuser1, testuser2, testuser3, testuser4

system2 - SSH, console and sudo access
testuser5, testuser6

All users have the same group memberships and use SSH keys to
authenticate to the system.

Errors when the user tries to sudo
------------------------------------------------------------
/var/log/secure
Dec  6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): authentication
failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1
rhost= user=testuser1
Dec  6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): received for user
testuser1: 4 (System error)
Dec  6 18:54:47 ipa-client1 sudo: pam_sss(sudo:auth): authentication
failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1
rhost= user=testuser1
Dec  6 18:54:47 ipa-client1 sudo: pam_sss(sudo:auth): received for user
testuser1: 4 (System error)
Dec  6 18:54:51 ipa-client1 sudo: pam_sss(sudo:auth): authentication
failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1
rhost= user=testuser1
Dec  6 18:54:51 ipa-client1 sudo: pam_sss(sudo:auth): received for user
testuser1: 4 (System error)
Dec  6 18:54:52 ipa-client1 sudo: testuser1 : 3 incorrect password
attempts ; TTY=pts/1 ; PWD=/home/testuser1 ; USER=root ; COMMAND=/bin/su -

Errors when the user tries to login at the console
-------------------------------------------------------------
/var/log/secure
Dec  6 19:53:56 ipa-client1 login: pam_unix(login:auth): authentication
failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=testuser1
Dec  6 19:53:56 ipa-client1 login: pam_sss(login:auth): authentication
failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=testuser1
Dec  6 19:53:56 ipa-client1 login: pam_sss(login:auth): received for
user testuser1: 4 (System error)
Dec  6 19:53:58 ipa-client1 login: FAILED LOGIN 1 FROM (null) FOR
testuser1, Authentication failure


I found this post and it looks similar but my
/var/log/sssd/krb5_child.log is empty.

https://www.redhat.com/archives/freeipa-users/2012-October/msg00004.html

The link to
http://www.mail-archive.com/sssd-devel%20lists%20fedorahosted%20org/msg10176.html
was dead but I checked the /tmp permissions like the guy in the forum
post and they were:

# ll -dZ /tmp/
drwxrwxrwt. root root system_u:object_r:tmp_t:s0       /tmp/

It's really puzzling that sudo works for some users but not others and
it's only on one system.  I've thought about enrolling additional
systems to the IPA domain to determine if this one system is just a
problem child but I'd rather get it ironed out before moving over any
additional systems.

Thanks in advance,
Albert

I would look to see if you have any Host-based access (HBAC) rules defined. This would explain the behavior.

rob
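A small triage helper for the /var/log/secure excerpts in this thread, added here as an example and not part of either post. pam_sss reports the PAM status code it got back from SSSD in its "received for user X: N (text)" line, and the code tells you which side to look at: 4 is PAM_SYSTEM_ERR (SSSD or its backend failed, so sssd logs and provider configuration matter, not the user's password), 6 is PAM_PERM_DENIED (the account phase rejected the user, which is what an HBAC deny looks like), and 7 is PAM_AUTH_ERR (credentials rejected). The code values are from Linux-PAM's _pam_types.h. The sample log below is constructed: the testuser1 lines are the thread's own entries re-joined onto single syslog lines, and the testuser3 and testuser5 lines are invented to show the other two outcomes.

```python
import re
from collections import Counter, defaultdict

# PAM status codes as reported by pam_sss (values from Linux-PAM _pam_types.h).
PAM_CODES = {
    0: "PAM_SUCCESS",
    4: "PAM_SYSTEM_ERR",        # SSSD/backend failure, not a credential problem
    6: "PAM_PERM_DENIED",       # account phase denied (HBAC deny shows up here)
    7: "PAM_AUTH_ERR",          # credentials rejected
    9: "PAM_AUTHINFO_UNAVAIL",
    10: "PAM_USER_UNKNOWN",
    11: "PAM_MAXTRIES",
}

# Matches the pam_sss result line for the auth phase ("received for user")
# and the account phase ("Access denied for user").  Example:
#   Dec  6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
RESULT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+: "
    r"pam_sss\((?P<service>[^:]+):(?P<phase>\w+)\): "
    r"(?:received|Access denied) for user (?P<user>\S+): "
    r"(?P<code>\d+) \((?P<text>[^)]*)\)$"
)

# Constructed sample: testuser1 entries are the thread's own lines re-joined;
# testuser3 and testuser5 entries are invented to show other status codes.
SAMPLE_LOG = """\
Dec  6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): authentication failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1 rhost= user=testuser1
Dec  6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
Dec  6 18:54:47 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
Dec  6 19:53:56 ipa-client1 login: pam_sss(login:auth): received for user testuser1: 4 (System error)
Dec  6 19:55:10 ipa-client1 sshd[2231]: pam_sss(sshd:account): Access denied for user testuser3: 6 (Permission denied)
Dec  6 19:56:02 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser5: 7 (Authentication failure)
"""


def parse_pam_sss(lines):
    """Return one dict per pam_sss result line; other lines are ignored."""
    events = []
    for line in lines:
        m = RESULT_RE.match(line.rstrip("\n"))
        if m:
            ev = m.groupdict()
            ev["code"] = int(ev["code"])
            ev["name"] = PAM_CODES.get(ev["code"], "UNKNOWN")
            events.append(ev)
    return events


def verdict(codes):
    """Map the set of PAM codes seen for one (host, service, user) to a triage label."""
    if 4 in codes:
        return "backend_error"      # look at SSSD, not at the user
    if 6 in codes:
        return "policy_denied"      # HBAC or other account-phase denial
    if 7 in codes or 11 in codes:
        return "bad_credentials"
    return "other"


def triage(lines):
    """Group pam_sss results by (host, service, user) and attach a verdict."""
    grouped = defaultdict(Counter)
    for ev in parse_pam_sss(lines):
        grouped[(ev["host"], ev["service"], ev["user"])][ev["code"]] += 1
    return {
        key: {"codes": counts, "verdict": verdict(set(counts))}
        for key, counts in grouped.items()
    }


if __name__ == "__main__":
    for (host, service, user), info in sorted(triage(SAMPLE_LOG.splitlines()).items()):
        codes = ", ".join(f"{c}={PAM_CODES.get(c, '?')} x{n}" for c, n in sorted(info["codes"].items()))
        print(f"{host} {service:6} {user:10} {info['verdict']:16} [{codes}]")
```

Run against a real /var/log/secure with `python3 triage.py < /var/log/secure` after replacing SAMPLE_LOG with stdin. The point is that every failure in the thread is a 4, so the client's SSSD is erroring out for those users rather than rejecting them; a pure HBAC deny is normally reported as a 6 in the account phase. On the IPA server, `ipa hbactest --user testuser1 --host ipa-client1 --service sudo` shows which HBAC rules match that user, host and service, which is the quickest way to confirm or rule out the HBAC explanation above.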

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
