Hello! I've got an interesting problem. I have very simple HBAC and sudo rules: one HBAC rule for the admins group and a sudo rule for the same user group, so all members of this group can do anything, everywhere. I cannot sudo on some of the machines; it just doesn't accept the password, although the initial login via ssh is always successful. From FreeIPA's side there is no difference between the hosts where sudo works and those where it doesn't.

The audit log tells me why it's happening:
=========
type=USER_AUTH msg=audit(1512995488.051:15986): pid=30997 uid=50019 auid=50019 ses=2221 msg='op=PAM:authentication grantors=? acct="andreios" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
type=USER_AUTH msg=audit(1512995497.531:15987): pid=30997 uid=50019 auid=50019 ses=2221 msg='op=PAM:authentication grantors=? acct="andreios" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
type=USER_AUTH msg=audit(1512995500.247:15988): pid=30997 uid=50019 auid=50019 ses=2221 msg='op=PAM:authentication grantors=? acct="andreios" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
==========
You see? op=PAM:authentication grantors=?
On the other hosts it is as follows: op=PAM:authentication grantors=pam_succeed_if,pam_succeed_if,pam_sss
Obviously, sudo for whatever reason doesn't try to authenticate via the PAM modules; it just doesn't see them.

The sudo debug log doesn't say anything useful:
============
Dec 11 16:22:28 sudo[31666] -> getln @ ./tgetpass.c:303
Dec 11 16:22:33 sudo[31666] <- getln @ ./tgetpass.c:346 := **********
Dec 11 16:22:33 sudo[31666] -> sudo_term_restore_v1 @ ./term.c:112
Dec 11 16:22:33 sudo[31666] <- sudo_term_restore_v1 @ ./term.c:120 := true
Dec 11 16:22:33 sudo[31666] <- tgetpass @ ./tgetpass.c:231 := **********
Dec 11 16:22:35 sudo[31666] -> tgetpass @ ./tgetpass.c:93
Dec 11 16:22:35 sudo[31666] -> tty_present @ ./tgetpass.c:360
Dec 11 16:22:35 sudo[31666] <- tty_present @ ./tgetpass.c:361 := true
Dec 11 16:22:35 sudo[31666] -> sudo_term_noecho_v1 @ ./term.c:130
Dec 11 16:22:35 sudo[31666] <- sudo_term_noecho_v1 @ ./term.c:141 := true
Dec 11 16:22:35 sudo[31666] -> getln @ ./tgetpass.c:303
============
The FreeIPA client was installed via ipa-client-install without any errors.
OS: CentOS 7.3.1611
OS versions without the problem: 7.4.1708, 7.2.1511

So, does anyone have an idea of what's happening and why? Thanks!

--
Best regards,
Andrew.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
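Two checks for the situation described in the post above, as an added example that is not part of the original message and not code from FreeIPA or sudo: the first parses raw audit USER_AUTH records and shows, per sudo attempt, which PAM modules were credited as grantors and what the result was; the second walks a PAM service file through its include/substack lines and lists the auth modules it actually loads, so the sudo stack of a failing host can be diffed against a working one. The sample audit records and the pam.d files are constructed (modelled on the two record patterns quoted in the post, not captured from a real host), and the script name pam_sudo_check.sh used in the guard at the end is an assumption.

```shell
#!/bin/sh
# Added example; this is not code from the original post, FreeIPA or sudo.
# Two checks for the symptom described above:
#   classify_user_auth - read audit USER_AUTH records on stdin and print, for
#                        one executable, the PAM grantors and result per record
#   pam_auth_stack     - list the auth modules a PAM service really loads,
#                        following include/substack, so the sudo stack on a
#                        failing host can be diffed against a working host

# Constructed sample records (not captured from a real host), modelled on the
# two patterns quoted in the post: a failed sudo auth with grantors=?, a
# successful one naming its modules, and an unrelated sshd record.
sample_audit() {
  cat <<'EOF'
type=USER_AUTH msg=audit(1512995488.051:15986): pid=30997 uid=50019 auid=50019 ses=2221 msg='op=PAM:authentication grantors=? acct="andreios" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
type=USER_AUTH msg=audit(1512995600.000:16001): pid=31002 uid=50019 auid=50019 ses=2222 msg='op=PAM:authentication grantors=pam_succeed_if,pam_succeed_if,pam_sss acct="andreios" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_AUTH msg=audit(1512995700.000:16010): pid=31100 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_sss acct="andreios" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
EOF
}

# Usage: classify_user_auth [exe]   (default /usr/bin/sudo); records on stdin.
# One output line per matching record:  VERDICT acct=... res=... grantors=...
classify_user_auth() {
  awk -v want="${1:-/usr/bin/sudo}" '
    # value of "key=" up to the next space, with the surrounding quotes removed
    function field(key,   s) {
      if (match($0, key "[^ ]*")) {
        s = substr($0, RSTART + length(key), RLENGTH - length(key))
        gsub("[^A-Za-z0-9_.,/?@:=-]", "", s)
        return s
      }
      return "-"
    }
    /type=USER_AUTH/ && /op=PAM:authentication/ {
      if (field("exe=") != want) next
      g = field("grantors="); r = field("res="); a = field("acct=")
      v = (g == "?") ? "NO_GRANTOR" : "GRANTED_BY_PAM"
      printf "%s acct=%s res=%s grantors=%s\n", v, a, r, g
    }'
}

# Usage: pam_auth_stack <pam.d dir> <service>
# Prints "<file> <control> <module>" for every auth line, descending into
# include/substack targets. Bracketed controls such as [success=done default=die]
# are collapsed to one token so the module is always the third field.
pam_auth_stack() {
  [ -r "$1/$2" ] || { echo "pam_auth_stack: cannot read $1/$2" >&2; return 1; }
  sed -e 's/#.*//' -e 's/\[[^]]*]/[ctrl]/' "$1/$2" |
  while read -r type ctrl mod rest; do
    case $type in
      auth|-auth) ;;
      *) continue ;;
    esac
    case $ctrl in
      include|substack) pam_auth_stack "$1" "$mod" ;;
      *) printf '%s %s %s\n' "$2" "$ctrl" "$mod" ;;
    esac
  done
}

# Constructed pam.d tree (not a copy of any real host) so the stack walker can
# be tried offline. Usage: make_sample_pamd <dir>
make_sample_pamd() {
  mkdir -p "$1"
  cat >"$1/sudo" <<'EOF'
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
session    required     pam_limits.so
EOF
  cat >"$1/system-auth" <<'EOF'
auth        required      pam_env.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
account     required      pam_unix.so
EOF
}

# Stand-alone demo on the constructed data
main() {
  echo "== sudo USER_AUTH records =="
  sample_audit | classify_user_auth
  d=$(mktemp -d) && make_sample_pamd "$d"
  echo "== auth modules loaded by the sudo service =="
  pam_auth_stack "$d" sudo
  rm -rf "$d"
}
# The script name is an assumption; the demo only runs when executed directly.
if [ "${0##*/}" = "pam_sudo_check.sh" ]; then main; fi
```

On a real host, source the file and feed it the raw records (ausearch -m USER_AUTH -c sudo --raw | classify_user_auth), then run pam_auth_stack /etc/pam.d sudo on a working and on a failing host and diff the two listings. One caveat when reading the verdicts: Linux-PAM's audit code lists grantors only for a successful authentication, so a failed record carries grantors=? whatever modules actually ran; the res= field has to be compared alongside it before concluding that no module was consulted.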