On Wed, May 03, 2017 at 09:04:05AM +0100, Brian Candler wrote:
> Hi,
>
> I have FreeIPA set up under CentOS 7. When I use freeipa-client to add an
> ubuntu 14.04 client it works fine (*). However when I do the same with
> ubuntu 16.04, sudo always refuses to run:
>
> $ sudo -s
> [sudo] password for brian.candler:
> brian.candler is not allowed to run sudo on api-dev.int.example.com. This
> incident will be reported.
>
> I have a simple one-entry sudo policy which says that for all users in
> groups X and Y, on all hosts, run all commands. (**)
>
> If I crank up sudo logging by setting this in /etc/sudo.conf:
>
> Debug sudo /var/log/sudo-debug all@info
>
> then on the working 14.04 machine I see
>
> ... various settings ...
> May 2 22:05:27 sudo settings: plugin_dir=/usr/lib/sudo/
> May 2 22:05:27 sudo user_info: user=brian.candler
> May 2 22:05:27 sudo user_info: pid=19175
> ... lots more user_info, perms, netgroups etc ...
> May 2 22:05:29 sudo policy plugin returns 1
> ...
>
> but on the failing 16.04 machine I see only this:
>
> May 3 07:44:56 sudo will restore signal 13 on exec
> May 3 07:44:56 sudo comparing dev 34817 to /dev/pts/1: match! @ sudo_ttyname_dev() ./ttyname.c:336
> May 3 07:44:56 sudo settings: run_shell=true
> May 3 07:44:56 sudo settings: progname=sudo
> May 3 07:44:56 sudo settings: network_addrs=x.x.x.x/255.255.255.0 xxxx:xxxx:xxxx:xxxx::230/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff fe80::1:xxxx:xxxx:xxxx/ffff:ffff:ffff:ffff::
> May 3 07:44:56 sudo settings: plugin_dir=/usr/lib/sudo/
> May 3 07:44:58 sudo policy plugin returns 0
>
> That's all that gets logged - nothing more. It seems that a return of 0
> means failure:
>
> https://www.sudo.ws/man/1.8.15/sudo_plugin.man.html
>
> "open()
> ...
> Returns 1 on success, 0 on failure, -1 if a general error occurred, or -2
> if there was a usage error."
>
> But I have no idea what sort of failure or why.
>
> /var/log/auth.log shows:
>
> May 3 08:00:14 api-dev sudo: pam_unix(sudo:auth): authentication failure; logname=brian.candler uid=1211000003 euid=0 tty=/dev/pts/1 ruser=brian.candler rhost= user=brian.candler
> May 3 08:00:14 api-dev sudo: pam_sss(sudo:auth): authentication success; logname=brian.candler uid=1211000003 euid=0 tty=/dev/pts/1 ruser=brian.candler rhost= user=brian.candler
> May 3 08:00:14 api-dev sudo: brian.candler : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/brian.candler ; USER=root ; COMMAND=/bin/bash
>
> (which shows I gave the correct FreeIPA password, but not why the sudoers
> lookup failed)
>
> I really can't see where else to look. Both machines have "sudo: files sss"
> in /etc/nsswitch.conf, and both have the same /etc/sssd/sssd.conf. Setting
> "sss_debuglevel 7" and "sss_cache -UG" shows a lot of noise but no obvious
> errors.

Do you have "sudo: files sss" or "sudoers: files sss"? The former doesn't do
anything, the latter is correct.

If you crank up debugging in the sudo section in sssd.conf, do you see any
activity at all?

Do you have '/usr/lib64/libsss_sudo.so' installed? On fedora/rhel, this is
provided by libsss_sudo, I don't know what provides it on Debian.

> I've also upgraded to the latest sudo_1.8.19-3_amd64.deb package from
> https://www.sudo.ws/download.html, but this makes no difference.
>
> Has anyone seen this problem before, or have some ideas where else to look?
>
> Thanks,
>
> Brian Candler.
>
>
> (*) In Ubuntu 14.04 I had to manually add sudo to the list of sssd services:
>
> [sssd]
> services = nss, pam, ssh, sudo
>
> but this was done automatically by freeipa-client in Ubuntu 16.04.
>
> (**) Therefore I'm pretty sure this is not the netgroups problem, for which
> the fix has been released anyway:
> https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1607666
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
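Added example, not code from this thread or from the sudo, sssd or FreeIPA projects: a POSIX sh script that performs the three checks asked about in the reply on a client (an effective "sudoers:" line in nsswitch.conf rather than "sudo:", the sudo responder listed under [sssd] in sssd.conf, and libsss_sudo.so present), and decodes the "policy plugin returns N" line from a sudo debug log using the open() return codes quoted from sudo_plugin(5) above. Each function takes file paths so it can be run against the constructed sample files built inside the script; with no arguments the real system files are used. The multiarch library path /usr/lib/x86_64-linux-gnu/libsss_sudo.so and the Debian/Ubuntu package name libsss-sudo come from my own knowledge, not from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): read-only checks for the sudo/sssd
# wiring on a FreeIPA client, plus a decoder for sudo's debug-log result line.
# The multiarch path and the Debian package name are assumptions from outside
# the thread; everything else follows the reply and the quoted man page.

# 0 if nsswitch.conf has a "sudoers:" database line listing sss, 1 otherwise.
# sudo looks for a database named "sudoers"; a line spelled "sudo:" is not
# that name, so sudo silently consults /etc/sudoers only.
check_nsswitch() {
    f="${1:-/etc/nsswitch.conf}"
    if grep -Eq '^[[:space:]]*sudoers:.*[[:space:]]sss([[:space:]]|$)' "$f"; then
        echo "ok: $f has a 'sudoers:' line that includes sss"
        return 0
    fi
    if grep -Eq '^[[:space:]]*sudo:' "$f"; then
        echo "problem: $f has a 'sudo:' line; the database is named 'sudoers', so this line is ignored"
    else
        echo "problem: $f has no 'sudoers:' line, so only /etc/sudoers is consulted"
    fi
    return 1
}

# 0 if the [sssd] section lists sudo in "services =", 1 otherwise. Only the
# [sssd] section is inspected, so a key in another section does not count.
check_sssd_services() {
    f="${1:-/etc/sssd/sssd.conf}"
    if awk '/^\[/ { in_sssd = ($0 == "[sssd]") } in_sssd' "$f" \
        | grep -Eq '^[[:space:]]*services[[:space:]]*=([^#]*[[:space:],])?sudo([[:space:],]|$)'; then
        echo "ok: sudo responder enabled in $f"
        return 0
    fi
    echo "problem: add sudo to 'services =' under [sssd] in $f and restart sssd"
    return 1
}

# 0 if libsss_sudo.so (the library sudo's sss backend loads) exists at one of
# the given paths, 1 otherwise. Defaults: Fedora/RHEL path from the thread,
# Debian/Ubuntu multiarch path (assumption), plain /usr/lib.
check_libsss_sudo() {
    [ $# -gt 0 ] || set -- /usr/lib64/libsss_sudo.so /usr/lib/x86_64-linux-gnu/libsss_sudo.so /usr/lib/libsss_sudo.so
    for p in "$@"; do
        if [ -f "$p" ]; then
            echo "ok: found $p"
            return 0
        fi
    done
    echo "problem: libsss_sudo.so not found (package libsss_sudo on Fedora/RHEL, libsss-sudo on Debian/Ubuntu)"
    return 1
}

# Decode the last "policy plugin returns N" line of a sudo debug log using the
# open() return codes from sudo_plugin(5) quoted in the thread. 0 only on success.
explain_policy_result() {
    rc=$(grep -Eo 'policy plugin returns -?[0-9]+' "$1" | tail -n 1 | awk '{ print $NF }')
    case "$rc" in
        1)  echo "policy plugin returned 1: success"; return 0 ;;
        0)  echo "policy plugin returned 0: failure (user not in sudoers; check nsswitch, sssd services, libsss_sudo)"; return 1 ;;
        -1) echo "policy plugin returned -1: general error"; return 1 ;;
        -2) echo "policy plugin returned -2: usage error"; return 1 ;;
        *)  echo "no 'policy plugin returns' line in $1"; return 1 ;;
    esac
}

# Constructed sample files modelled on the two hosts described in the thread.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
printf 'passwd: compat sss\nsudo: files sss\n'    > "$TMPD/nsswitch-bad.conf"
printf 'passwd: compat sss\nsudoers: files sss\n' > "$TMPD/nsswitch-good.conf"
printf '[sssd]\nservices = nss, pam, ssh, sudo\ndomains = example.com\n\n[domain/example.com]\nid_provider = ipa\n' > "$TMPD/sssd-good.conf"
printf '[sssd]\nservices = nss, pam, ssh\n\n[sudo]\n' > "$TMPD/sssd-bad.conf"
printf 'May  3 07:44:58 sudo policy plugin returns 0\n' > "$TMPD/sudo-debug-fail.log"
printf 'May  2 22:05:29 sudo policy plugin returns 1\n' > "$TMPD/sudo-debug-ok.log"

# Stand-alone run against the constructed "failing 16.04" files; the last
# check uses the real system paths, so on a machine without sssd it reports
# the library as missing.
check_nsswitch "$TMPD/nsswitch-bad.conf" || :
check_sssd_services "$TMPD/sssd-good.conf" || :
check_libsss_sudo || :
explain_policy_result "$TMPD/sudo-debug-fail.log" || :
```

On a real client, run the functions without arguments (or point them at /var/log/sudo-debug for the decoder); a "sudo:" line in nsswitch.conf is exactly the case the reply is asking about, and the script flags it without touching any file.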