[Freeipa-users] Re: SUDO Rules not getting processed
Are you 100% sure that you have a line like "sudoers: files sss" in your /etc/nsswitch.conf?

On 7 August 2017 11:10:56 CEST, Alka Murali via FreeIPA-users wrote:
>Hello Team,
>
>Have checked all the logs, and the SSSD Logs are saying that it is
>processing the sudo rules which I have configured on my FreeIPA Server.
>However if I run sudo commands on my client, it is giving me the message
>that the user is not in sudoers file.
>
>Is it an issue with my SUDO package on Ubuntu or an issue with SSSD. I have
>been using the same Configuration in my other clients and all of them are
>able to fetch the SUDO Rules.
>
>Please provide me an update on the issue.
>
>Thanks and Regards,
>Alka Murali
>
>On Fri, Aug 4, 2017 at 7:31 PM, Alka Murali wrote:
>
>> Hello,
>>
>> I have implemented a freeipa server and enrolled many clients like Ubuntu,
>> Debian, CentOS. In all those clients, my sudo rules worked.
>>
>> However if I try the sudo rules to the users in Ubuntu 16, it's not
>> recognising the sudo user
>>
>> --
>>
>> Aug 4 19:22:40 sudo: pam_unix(sudo:auth): authentication failure;
>> logname=device uid=144130 euid=0 tty=/dev/pts/1 ruser=device rhost=
>> user=device
>>
>> Aug 4 19:22:40 * sudo: pam_sss(sudo:auth): authentication success;
>> logname=device uid=144130 euid=0 tty=/dev/pts/1 ruser=device rhost=
>> user=device
>>
>> Aug 4 19:22:40 * sudo: device : user NOT authorized on host ;
>> TTY=pts/1 ; PWD=/home/device ; USER=root ; COMMAND=/usr/bin/less
>> /var/log/syslog
>>
>> ---
>>
>> I have updated the sssd and ldap configuration file as well as nsswitch
>> conf. However the rule was not being accepted.
>>
>> I have properly configured SSSD, LDAP and NSS. Let me know if any
>> additional settings need to be updated.
>>
>> Awaiting your reply.
>>
>> Thanks and Regards,
>>
>> Alka Murali

--
This message was sent from my Android device with K-9 Mail.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] Re: SUDO Rules not getting processed
Hi,

Thanks for the reply.

I would like to mention to you that the same Configuration on Ubuntu 16.04 with the same sudo version is processing the sudo rules and users are able to execute the sudo commands. So if it is an issue with sudo, then is the fix to the issue to update sudo to a higher version?

Here is the result on sudo built with sssd

Configure options: --prefix=/usr -v --with-all-insults --with-pam --with-fqdn
--with-logging=syslog --with-logfac=authpriv --with-env-editor
--with-editor=/usr/bin/editor --with-exampledir=/usr/share/doc/sudo/examples
--with-timeout=15 --with-password-timeout=0
--with-passprompt=[sudo] password for %p: --without-lecture
--with-tty-tickets --disable-root-mailer --enable-admin-flag
--with-sendmail=/usr/sbin/sendmail --with-rundir=/var/run/sudo
--mandir=/usr/share/man --libexecdir=/usr/lib/sudo --with-*sss*d --with-
*sss*d-lib=/usr/lib/x86_64-linux-gnu --with-selinux --with-linux-audit

--

Meanwhile I will compare the sudo logs and will inform you.

Thanks and Regards,
Alka Murali

On Mon, Aug 7, 2017 at 5:53 PM, Lukas Slebodnik wrote:

> On (07/08/17 17:10), Alka Murali via FreeIPA-users wrote:
> >Hello Team,
> >
> >Have checked all the logs, and the SSSD Logs are saying that it is
> >processing the sudo rules which I have configured on my FreeIPA Server.
> >However if I run sudo commands on my client, it is giving me the message
> >that the user is not in sudoers file.
> >
> >Is it an issue with my SUDO package on Ubuntu or an issue with SSSD. I have
> >been using the same Configuration in my other clients and all of them are
> >able to fetch the SUDO Rules.
> >
> If you use the same configuration on older versions of ubuntu
> then it sounds like a bug in sudo package in ubuntu.
>
> I would recommend to compare sudo logs from different version
> https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html#obtaining-logs
>
> BTW it would be good to check that sudo is built with sssd support
>
> sudo --version | grep sss
>
> Here is an output from fedora
>
> sh# sudo --version | grep sss
> Configure options: --build=x86_64-redhat-linux-gnu
> --host=x86_64-redhat-linux-gnu --program-prefix=
> --disable-dependency-tracking
> --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin
> --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include
> --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var
> --sharedstatedir=/var/lib --mandir=/usr/share/man
> --infodir=/usr/share/info
> --prefix=/usr --sbindir=/usr/sbin --libdir=/usr/lib64
> --docdir=/usr/share/doc/sudo --disable-root-mailer --with-logging=syslog
> --with-logfac=authpriv --with-pam --with-pam-login --with-editor=/bin/vi
> --with-env-editor --with-ignore-dot --with-tty-tickets --with-ldap
> --with-selinux --with-passprompt=[sudo] password for %p:
> --with-linux-audit
> --with-sssd
> ^
> This is important.
>
> LS
[Freeipa-users] Re: SUDO Rules not getting processed
On (07/08/17 17:10), Alka Murali via FreeIPA-users wrote:
>Hello Team,
>
>Have checked all the logs, and the SSSD Logs are saying that it is
>processing the sudo rules which I have configured on my FreeIPA Server.
>However if I run sudo commands on my client, it is giving me the message
>that the user is not in sudoers file.
>
>Is it an issue with my SUDO package on Ubuntu or an issue with SSSD. I have
>been using the same Configuration in my other clients and all of them are
>able to fetch the SUDO Rules.
>
If you use the same configuration on older versions of ubuntu
then it sounds like a bug in sudo package in ubuntu.

I would recommend to compare sudo logs from different version
https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html#obtaining-logs

BTW it would be good to check that sudo is built with sssd support

sudo --version | grep sss

Here is an output from fedora

sh# sudo --version | grep sss
Configure options: --build=x86_64-redhat-linux-gnu
--host=x86_64-redhat-linux-gnu --program-prefix=
--disable-dependency-tracking
--prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin
--sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include
--libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var
--sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info
--prefix=/usr --sbindir=/usr/sbin --libdir=/usr/lib64
--docdir=/usr/share/doc/sudo --disable-root-mailer --with-logging=syslog
--with-logfac=authpriv --with-pam --with-pam-login --with-editor=/bin/vi
--with-env-editor --with-ignore-dot --with-tty-tickets --with-ldap
--with-selinux --with-passprompt=[sudo] password for %p:
--with-linux-audit
--with-sssd
^
This is important.

LS
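The two client-side checks suggested in this thread (an /etc/nsswitch.conf "sudoers" line that names sss, and a sudo binary built with --with-sssd), written as a script. This is an added example, not code from any poster; the function names and the sample files are made up for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. File paths are arguments so the checks
# can be run against copies collected from several clients.

# Succeeds if the nsswitch.conf at $1 has an active "sudoers:" line naming sss.
nsswitch_has_sss() {
    awk '
        $1 == "sudoers:" {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break          # rest of the line is a comment
                if ($i == "sss") found = 1
            }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Reads `sudo --version` output on stdin and succeeds if --with-sssd is one of
# the configure options. sudo prints those options only when run as root.
sudo_built_with_sssd() {
    tr -s ' \t' '\n' | grep -qx -e '--with-sssd'
}

# $1: nsswitch.conf path, $2: file holding saved `sudo --version` output.
# Prints one line per check and returns the number of checks that failed.
check_client() {
    failed=0
    if nsswitch_has_sss "$1"; then
        echo "ok:   $1 lists sss for sudoers"
    else
        echo "FAIL: $1 has no active 'sudoers: ... sss' line"
        failed=$((failed + 1))
    fi
    if sudo_built_with_sssd < "$2"; then
        echo "ok:   sudo was built with --with-sssd"
    else
        echo "FAIL: --with-sssd is not among sudo's configure options"
        failed=$((failed + 1))
    fi
    return "$failed"
}

# Constructed sample input (not taken from any host in the thread).
demo=$(mktemp -d)
printf 'passwd: compat sss\nsudoers: files\n' > "$demo/nsswitch.conf"
printf 'Configure options: --with-pam --with-sssd --with-sssd-lib=/usr/lib\n' \
    > "$demo/sudo-version.txt"
check_client "$demo/nsswitch.conf" "$demo/sudo-version.txt" ||
    echo "failed checks: $?"
rm -rf "$demo"
```

On a real client, save the output of "sudo --version" run as root to a file and pass it together with /etc/nsswitch.conf to check_client.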
[Freeipa-users] Re: SUDO Rules not getting processed
Hello Team,

Have checked all the logs, and the SSSD Logs are saying that it is processing the sudo rules which I have configured on my FreeIPA Server. However if I run sudo commands on my client, it is giving me the message that the user is not in sudoers file.

Is it an issue with my SUDO package on Ubuntu or an issue with SSSD. I have been using the same Configuration in my other clients and all of them are able to fetch the SUDO Rules.

Please provide me an update on the issue.

Thanks and Regards,
Alka Murali

On Fri, Aug 4, 2017 at 7:31 PM, Alka Murali wrote:

> Hello,
>
> I have implemented a freeipa server and enrolled many clients like Ubuntu,
> Debian, CentOS. In all those clients, my sudo rules worked.
>
> However if I try the sudo rules to the users in Ubuntu 16, it's not
> recognising the sudo user
>
> --
>
> Aug 4 19:22:40 sudo: pam_unix(sudo:auth): authentication failure;
> logname=device uid=144130 euid=0 tty=/dev/pts/1 ruser=device rhost=
> user=device
>
> Aug 4 19:22:40 * sudo: pam_sss(sudo:auth): authentication success;
> logname=device uid=144130 euid=0 tty=/dev/pts/1 ruser=device rhost=
> user=device
>
> Aug 4 19:22:40 * sudo: device : user NOT authorized on host ;
> TTY=pts/1 ; PWD=/home/device ; USER=root ; COMMAND=/usr/bin/less
> /var/log/syslog
>
> ---
>
> I have updated the sssd and ldap configuration file as well as nsswitch
> conf. However the rule was not being accepted.
>
> I have properly configured SSSD, LDAP and NSS. Let me know if any
> additional settings need to be updated.
>
> Awaiting your reply.
>
> Thanks and Regards,
>
> Alka Murali
[Freeipa-users] Re: SUDO Rules not getting processed
On Fri, Aug 04, 2017 at 09:05:20AM -0300, Felipe Barreto Volpone via FreeIPA-users wrote:
> Hi Alka,
>
> I think you can get useful info here:
> https://www.redhat.com/archives/freeipa-users/2017-May/msg00028.html

Also this might be useful to pinpoint the issue:
https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html
[Freeipa-users] Re: SUDO Rules not getting processed
Hi Alka,

I think you can get useful info here:
https://www.redhat.com/archives/freeipa-users/2017-May/msg00028.html

On Fri, Aug 4, 2017 at 8:31 AM, Alka Murali via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> Hello,
>
> I have implemented a freeipa server and enrolled many clients like Ubuntu,
> Debian, CentOS. In all those clients, my sudo rules worked.
>
> However if I try the sudo rules to the users in Ubuntu 16, it's not
> recognising the sudo user
>
> --
>
> Aug 4 19:22:40 sudo: pam_unix(sudo:auth): authentication failure;
> logname=device uid=144130 euid=0 tty=/dev/pts/1 ruser=device rhost=
> user=device
>
> Aug 4 19:22:40 * sudo: pam_sss(sudo:auth): authentication success;
> logname=device uid=144130 euid=0 tty=/dev/pts/1 ruser=device rhost=
> user=device
>
> Aug 4 19:22:40 * sudo: device : user NOT authorized on host ;
> TTY=pts/1 ; PWD=/home/device ; USER=root ; COMMAND=/usr/bin/less
> /var/log/syslog
>
> ---
>
> I have updated the sssd and ldap configuration file as well as nsswitch
> conf. However the rule was not being accepted.
>
> I have properly configured SSSD, LDAP and NSS. Let me know if any
> additional settings need to be updated.
>
> Awaiting your reply.
>
> Thanks and Regards,
>
> Alka Murali