On Wed, Aug 12, 2015 at 07:44:15PM +0700, Dewangga Bachrul Alam wrote:
> Hello!
>
> On 08/12/2015 07:36 PM, Jakub Hrozek wrote:
> > On Wed, Aug 12, 2015 at 07:30:52PM +0700, Dewangga Bachrul Alam wrote:
> >> Hello!
> >>
> >> I'm having a problem with the sudo command. The sudo command was
> >> successfully initiated, but the user is still asked for a password.
> >> For example:
> >>
> >> ipa-client $ sudo -l
> >> Matching Defaults entries for subhan on this host:
> >>     requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
> >>     DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
> >>     PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
> >>     LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
> >>     LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
> >>     LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
> >>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
> >>
> >> User subhan may run the following commands on this host:
> >>     (subhan) NOPASSWD: /bin/tail, /usr/bin/tail
> >>
> >> ipa-server $ ipa user-show subhan
> >>   User login: subhan
> >>   First name: [REMOVED]
> >>   Last name: [REMOVED]
> >>   Home directory: /home/subhan
> >>   Login shell: /bin/bash
> >>   Email address: [REMOVED]
> >>   UID: 642000007
> >>   GID: 642000007
> >>   Job Title: Developer
> >>   Account disabled: False
> >>   Password: False
> >>   Member of groups: g_gmt_developer, developer
> >>   Member of Sudo rule: gmt_developer
> >>   Member of HBAC rule: gmt_webserver
> >>   Kerberos keys available: False
> >>   SSH public key fingerprint: [REMOVED]
> >>
> >> ipa-server $ ipa sudocmd-find
> >> -----------------------
> >> 2 Sudo Commands matched
> >> -----------------------
> >>   Sudo Command: /bin/tail
> >>   Sudo Command Groups: reading-files
> >>
> >>   Sudo Command: /usr/bin/tail
> >>   Sudo Command Groups: reading-files
> >>
> >> ipa-server $ ipa sudorule-show gmt_developer
> >>   Rule name: gmt_developer
> >>   Enabled: TRUE
> >>   Users: subhan
> >>   User Groups: g_gmt_developer
> >>   Host Groups: gmt_webserver
> >>   Sudo Allow Command Groups: reading-files
> >>   RunAs Users: subhan
> >>   Sudo Option: !authenticate
> >>
> >>
> >> ipa-client $ sudo tail -f /var/log/nginx/access.log
> >> [sudo] password for subhan:
> >> ipa-client $ sudo tail /var/log/nginx/access.log
> >> [sudo] password for subhan:
> >>
> >> There's no information in sssd_sudo.log about this issue.
> >
> > In general sssd acts as a cache of the sudo rules; the decision to auth
> > or not is done by sudo. So on the sssd side you can make sure the sudo
> > option value was fetched, but you'll probably get more useful
> > debugging from sudo itself.
> >
>
> Here is the sudo message from /var/log/secure:
>
> Aug 12 19:41:05 rosaliaindah su: pam_unix(su-l:session): session opened
> for user subhan by dewangga(uid=0)
> Aug 12 19:41:14 rosaliaindah sudo: pam_unix(sudo:auth): conversation failed
> Aug 12 19:41:14 rosaliaindah sudo: pam_unix(sudo:auth): auth could not
> identify password for [subhan]
> Aug 12 19:41:14 rosaliaindah sudo: pam_sss(sudo:auth): authentication
> failure; logname=dewangga uid=642000007 euid=0 tty=/dev/pts/0
> ruser=subhan rhost= user=subhan
> Aug 12 19:41:14 rosaliaindah sudo: pam_sss(sudo:auth): received for user
> subhan: 7 (Authentication failure)
> Aug 12 19:41:14 rosaliaindah sudo: subhan : command not allowed ;
> TTY=pts/0 ; PWD=/home/subhan ; USER=root ; COMMAND=/bin/tail -f
> /var/log/nginx/error.log
>
> The sudo option (!authenticate) should be working, because I can invoke
> the `sudo -l` command without a password. So I think sssd is not the
> problem. CMIIW. :)

Look into man sudo.conf; depending on your sudo version, the options to
enable debugging for sudo differ.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
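Added example, not part of the thread: a small POSIX sh check that compares the RunAs spec a `sudo -l` line grants (the `(subhan)` in `(subhan) NOPASSWD: ...`) with the `USER=` field sudo records in /var/log/secure when it denies a command. The sample lines are constructed from the output quoted above; the function names are my own.

```shell
#!/bin/sh
# Constructed sample: the relevant line from `sudo -l` for user subhan.
SUDO_L_LINE='    (subhan) NOPASSWD: /bin/tail, /usr/bin/tail'

# Constructed sample: the denial line sudo wrote to /var/log/secure.
SECURE_LINE='Aug 12 19:41:14 rosaliaindah sudo: subhan : command not allowed ; TTY=pts/0 ; PWD=/home/subhan ; USER=root ; COMMAND=/bin/tail -f /var/log/nginx/error.log'

# Constructed sample: what a permitted run as the granted RunAs user would log.
OK_LINE='Aug 12 19:50:00 rosaliaindah sudo: subhan : TTY=pts/0 ; PWD=/home/subhan ; USER=subhan ; COMMAND=/bin/tail -f /var/log/nginx/error.log'

# RunAs user list from the "(user, user)" spec at the start of a sudo -l line,
# returned comma-separated with spaces removed (e.g. "subhan" or "subhan,root").
rule_runas() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*(\([^)]*\)).*/\1/p' | tr -d ' '
}

# Target user sudo was asked to run as, from the "USER=" field of a log line.
log_target_user() {
  printf '%s\n' "$1" | sed -n 's/.*; USER=\([^ ;]*\) ;.*/\1/p'
}

# Command path from the "COMMAND=" field of a log line.
log_command() {
  printf '%s\n' "$1" | sed -n 's/.*COMMAND=\([^ ]*\).*/\1/p'
}

# Exit 0 when the logged target user is covered by the rule's RunAs spec
# (an exact name or ALL), 1 otherwise.
runas_matches() {
  allowed=$(rule_runas "$1")
  wanted=$(log_target_user "$2")
  case ",$allowed," in
    *",$wanted,"*|*,ALL,*) return 0 ;;
  esac
  return 1
}

# Print a one-line verdict for a rule line and a log line.
diagnose() {
  if runas_matches "$1" "$2"; then
    echo "runas ok: $(log_command "$2") as $(log_target_user "$2")"
  else
    echo "runas mismatch: rule grants ($(rule_runas "$1")), sudo was asked for USER=$(log_target_user "$2")"
  fi
}

diagnose "$SUDO_L_LINE" "$SECURE_LINE"
diagnose "$SUDO_L_LINE" "$OK_LINE"
```

Without `-u`, sudo targets root, so a rule whose RunAs is `subhan` does not match and `!authenticate` never applies; the check above makes that mismatch visible from the two lines the thread already has.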