Hi everyone,

I've spent a couple of days digging around the web, watching logs, and
poking things, and I'm stuck getting sudo working with IPA on a new box
I've just set up. I have had it working in the past on a test box, but
something about this box is blocking me, and I can't for the life of me
figure out what.

The basic symptom is that I can log into the Ubuntu box as an IPA user, but
sudo is always denied:

[root@security-core-1 log]# ssh dru@jenkins
dru@jenkins's password:
Could not chdir to home directory /home/dru: No such file or directory
dru@jenkins:/$ sudo -l
[sudo] password for dru:
Sorry, user dru may not run sudo on jenkins.

I've appended version output, config files, sample logs, and ipa config -
which I think is all of the relevant material, but I'll gladly share more
if it's needed.

Thanks so much in advance for any debugging advice, hints, or help!

Version info

# ipa --version
VERSION: 4.1.0, API_VERSION: 2.112

# cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)

# cat /etc/lsb-release

# sssd --version


hostname, nisdomainname, config files, etc.

On the client:

# hostname

# nisdomainname

# getent netgroup rdn | grep $HOSTNAME
rdn                   (jenkins.us-ca1.prod.mydomain.com,-,mydomain.com)

# cat /etc/sssd/sssd.conf

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = jenkins.us-ca1.prod.mydomain.com
chpass_provider = ipa
ipa_server = _srv_, security-core-1.prod.mydomain.com
dns_discovery_domain = mydomain.com

services = nss, pam, ssh, sudo
config_file_version = 2
domains = mydomain.com

debug_level = 9

# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat sss
group:          compat sss
shadow:         compat
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis sss
sudoers:        files sss


Host & group & user info in IPA

# ipa host-show jenkins.us-ca1.prod.mydomain.com
  Host name: jenkins.us-ca1.prod.mydomain.com
  Certificate: ...
  Principal name: host/jenkins.us-ca1.prod.mydomain....@mydomain.com
  Password: False
  Member of host-groups: rdn
  Member of Sudo rule: priv_sudo_anywhere, dru_security
  Keytab: True
  Managed by: jenkins.us-ca1.prod.mydomain.com
  Subject: CN=jenkins.us-ca1.prod.mydomain.com,O=MYDOMAIN.COM
  Serial Number: 14
  Serial Number (hex): 0xE
  Issuer: CN=Certificate Authority,O=MYDOMAIN.COM
  Not Before: Fri Apr 10 17:43:10 2015 UTC
  Not After: Mon Apr 10 17:43:10 2017 UTC
  Fingerprint (MD5): ...
  Fingerprint (SHA1): ...
  SSH public key fingerprint: ...

# ipa sudorule-show priv_sudo_anywhere
  Rule name: priv_sudo_anywhere
  Description: Allow anyone with priv_sudo_anywhere to actually run sudo
  Enabled: TRUE
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: priv_sudo_anywhere
  Hosts: jenkins.us-ca1.prod.mydomain.com
  Host Groups: security, dev-infrastructure, rdn, dev, prod

# ipa group-show priv_sudo_anywhere
  Group name: priv_sudo_anywhere
  Description: Give the privilege to SSH anywhere.
  GID: 19000007
  Member users: dru, ...
  Member groups: role_prod_engineer
  Member of Sudo rule: priv_sudo_anywhere, ...
  Member of HBAC rule: sudo_anywhere_anywhere
  Indirect Member users: ....


Relevant (I think) log entries

# tail -f /var/log/sssd/sssd_sudo.log
(Fri Apr 17 17:20:16 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn:
(Fri Apr 17 17:20:16 2015) [sssd[sudo]] [sbus_dispatch] (0x4000):
(Fri Apr 17 17:20:16 2015) [sssd[sudo]] [sbus_message_handler] (0x4000): Received SBUS method [ping]

(From a different attempt to run sudo)

# tail -f /var/log/auth.log
Apr 17 17:20:55 jenkins sshd[3335]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=security-core-1.prod.mydomain.com  user=dru
Apr 17 17:20:55 jenkins sshd[3335]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=security-core-1.prod.mydomain.com user=dru
Apr 17 17:20:56 jenkins sshd[3335]: Accepted password for dru from port 39910 ssh2
Apr 17 17:20:56 jenkins sshd[3335]: pam_unix(sshd:session): session opened for user dru by (uid=0)
Apr 17 17:20:56 jenkins sshd[3335]: pam_systemd(sshd:session): Failed to create session: No such file or directory
Apr 17 17:21:10 jenkins sudo: pam_unix(sudo:auth): authentication failure; logname=dru uid=19000001 euid=0 tty=/dev/pts/3 ruser=dru rhost=  user=dru
Apr 17 17:21:11 jenkins sudo: pam_sss(sudo:auth): authentication success; logname=dru uid=19000001 euid=0 tty=/dev/pts/3 ruser=dru rhost= user=dru
Apr 17 17:21:11 jenkins sudo:      dru : command not allowed ; TTY=pts/3 ; PWD=/ ; USER=root ; COMMAND=list

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
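Added example (not from the original post, nor from the SSSD or FreeIPA projects): a POSIX shell script that runs offline the three client-side checks implied by the configs in the post. It parses nsswitch.conf for `sss` on the `sudoers:` line, sssd.conf for `sudo` in the `[sssd]` section's `services` list, and a `getent netgroup` output line for a triple naming this host whose NIS-domain field matches what `nisdomainname` would report. The config fragments, netgroup line, hostname and domain it embeds are constructed sample inputs modelled on the post (its sssd.conf adds the `[sssd]` and `[domain/...]` headers that the post's paste does not show), and the function names are this example's own.

```shell
#!/bin/sh
# Added example: offline checks for the client-side pieces of IPA sudo via SSSD.
# Every file below is a constructed sample input modelled on the post, not the
# poster's real configuration.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed nsswitch.conf fragments: one with "sudoers: files sss", one without.
cat > "$WORK/nsswitch.conf" <<'EOF'
passwd:         compat sss
group:          compat sss
netgroup:       nis sss
sudoers:        files sss
EOF
cat > "$WORK/nsswitch_no_sss.conf" <<'EOF'
passwd:         compat sss
netgroup:       nis sss
sudoers:        files
EOF

# Constructed sssd.conf; the section headers are assumed (the post's paste omits them).
cat > "$WORK/sssd.conf" <<'EOF'
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = mydomain.com

[domain/mydomain.com]
id_provider = ipa
ipa_hostname = jenkins.us-ca1.prod.mydomain.com
EOF

# Constructed "getent netgroup rdn" output, same layout as the line in the post.
NETGROUP_LINE='rdn                   (jenkins.us-ca1.prod.mydomain.com,-,mydomain.com)'
CLIENT_HOST='jenkins.us-ca1.prod.mydomain.com'
NIS_DOMAIN='mydomain.com'

# Exit 0 if the "sudoers:" line of file $1 lists the sss source, else 1.
nss_sudoers_has_sss() {
    awk '$1 == "sudoers:" { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
         END { if (found) exit 0; exit 1 }' "$1"
}

# Exit 0 if the services= line inside the [sssd] section of file $1 names "sudo", else 1.
sssd_has_sudo_service() {
    awk -F= '
        /^[ \t]*\[/ { section = $0; sub(/^[ \t]+/, "", section) }
        section == "[sssd]" && $1 ~ /^[ \t]*services[ \t]*$/ {
            n = split($2, svc, ",")
            for (i = 1; i <= n; i++) { gsub(/[ \t]/, "", svc[i]); if (svc[i] == "sudo") found = 1 }
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# Exit 0 if netgroup line $1 holds a (host,user,domain) triple with host == $2 and
# domain == $3 or "-"; a triple whose domain field differs from the client's
# nisdomainname does not apply to that client. Else exit 1.
netgroup_lists_host() {
    printf '%s\n' "$1" | awk -v host="$2" -v dom="$3" '
        { for (i = 2; i <= NF; i++) {
              t = $i; gsub(/[()]/, "", t); split(t, f, ",")
              if (f[1] == host && (f[3] == dom || f[3] == "-")) found = 1 } }
        END { if (found) exit 0; exit 1 }'
}

# Run all three checks, print one line each, return the number of failures.
sudo_client_checks() {
    nss=$1; sssd=$2; ng=$3; host=$4; dom=$5; fails=0
    if nss_sudoers_has_sss "$nss"; then echo "ok   $nss: sudoers line includes sss"
    else echo "FAIL $nss: sudoers line lacks sss"; fails=$((fails + 1)); fi
    if sssd_has_sudo_service "$sssd"; then echo "ok   $sssd: sudo responder enabled"
    else echo "FAIL $sssd: sudo missing from [sssd] services"; fails=$((fails + 1)); fi
    if netgroup_lists_host "$ng" "$host" "$dom"; then echo "ok   netgroup lists $host for domain $dom"
    else echo "FAIL netgroup has no triple for $host in domain $dom"; fails=$((fails + 1)); fi
    return "$fails"
}

# Stand-alone run: the good configs pass; the nsswitch variant without sss fails once.
sudo_client_checks "$WORK/nsswitch.conf" "$WORK/sssd.conf" "$NETGROUP_LINE" "$CLIENT_HOST" "$NIS_DOMAIN" \
    || echo "$? check(s) failed"
sudo_client_checks "$WORK/nsswitch_no_sss.conf" "$WORK/sssd.conf" "$NETGROUP_LINE" "$CLIENT_HOST" "$NIS_DOMAIN" \
    || echo "$? check(s) failed"
```

On a real client, point the first two arguments at /etc/nsswitch.conf and /etc/sssd/sssd.conf and feed the third from `getent netgroup <hostgroup>` with `$(hostname -f)` and `$(nisdomainname)` as the host and domain; the script only reads files and strings, so it is safe to run as an unprivileged user (sssd.conf is normally root-readable only, so run it with sudo or a copy).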