[Freeipa-users] select users cannot sudo or login at the console

Rob Crittenden rcritten at redhat.com
Fri Dec 7 14:33:22 UTC 2012


Albert Adams wrote:
> Rob,
> There are no HBAC rules defined other than the default "allow_all" rule
> which has not been customized.  It is a vanilla install at this point.  I
> have not added anything other than the replica, a few clients, one user
> group and the users to the system.

Ok. I would update the sssd debug level and restart it, then try the 
login again. On system2 are you able to use nss tools to identify IPA 
users (id, getent, etc)?

rob

>
>
> On Thu, Dec 6, 2012 at 11:08 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>     Albert Adams wrote:
>
>         I have a small IPA domain setup on RHEL 6 server with a FreeIPA server,
>         a replica and two clients.  There are six users setup in the domain.
>         All users are able to login over SSH to both client systems.  I am not
>         using IPA to control sudo access.  Sudo privileges are granted by group
>         membership (group memberships are managed by IPA).  So here is where it
>         gets weird.
>
>         Client Systems
>
>         system1 - testuser1 can authenticate over SSH using public key, can
>         login at the console, and CAN sudo (all other users are able to do the
>         same)
>         system2 - testuser1 can authenticate over SSH using public key and
>         CANNOT login at the console or sudo (two out of six users can login
>         and sudo)
>
>         So for example:
>
>         system1 - SSH, console and sudo access
>         testuser1, testuser2, testuser3, testuser4, testuser5, testuser6
>
>         system2 - SSH access only
>         testuser1, testuser2, testuser3, testuser4
>
>         system2 - SSH, console and sudo access
>         testuser5, testuser6
>
>         All users have the same group memberships and use SSH keys to
>         authenticate to the system.
>
>         Errors when the user tries to sudo
>         ------------------------------------------------------------
>         /var/log/secure
>         Dec  6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): authentication failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1 rhost= user=testuser1
>         Dec  6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
>         Dec  6 18:54:47 ipa-client1 sudo: pam_sss(sudo:auth): authentication failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1 rhost= user=testuser1
>         Dec  6 18:54:47 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
>         Dec  6 18:54:51 ipa-client1 sudo: pam_sss(sudo:auth): authentication failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1 rhost= user=testuser1
>         Dec  6 18:54:51 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
>         Dec  6 18:54:52 ipa-client1 sudo: testuser1 : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/testuser1 ; USER=root ; COMMAND=/bin/su -
>
>         Errors when the user tries to login at the console
>         -------------------------------------------------------------
>         /var/log/secure
>         Dec  6 19:53:56 ipa-client1 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=testuser1
>         Dec  6 19:53:56 ipa-client1 login: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=testuser1
>         Dec  6 19:53:56 ipa-client1 login: pam_sss(login:auth): received for user testuser1: 4 (System error)
>         Dec  6 19:53:58 ipa-client1 login: FAILED LOGIN 1 FROM (null) FOR testuser1, Authentication failure
>
>
>         I found this post and it looks similar but my
>         /var/log/sssd/krb5_child.log is empty.
>
>         https://www.redhat.com/archives/freeipa-users/2012-October/msg00004.html
>
>         The link to
>         http://www.mail-archive.com/sssd-devel%20lists%20fedorahosted%20org/msg10176.html
>         was dead but I checked the /tmp permissions like the guy in the
>         forum post and they were:
>
>         # ll -dZ /tmp/
>         drwxrwxrwt. root root system_u:object_r:tmp_t:s0       /tmp/
>
>         It's really puzzling that sudo works for some users but not others and
>         it's only on one system.  I've thought about enrolling additional
>         systems to the IPA domain to determine if this one system is just a
>         problem child but I'd rather get it ironed out before moving over any
>         additional systems.
>
>         Thanks in advance,
>         Albert
>
>
>     I would look to see if you have any Host-based access (HBAC) rules
>     defined. This would explain the behavior.
>
>     rob
>
>
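To sort /var/log/secure lines like the ones quoted above by what pam_sss actually returned, here is an added Python example (not from the thread or from the sssd project) that groups pam_sss results per host, user and service and separates return code 4 (PAM_SYSTEM_ERR, a failure inside the sssd backend, which is what the raised debug_level and the id/getent checks are meant to explain) from return code 7 (PAM_AUTH_ERR, a credential that was genuinely rejected). The sample log lines are constructed after the quoted ones; the testuser5 lines are made up to show the contrasting case.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the /var/log/secure excerpts in the thread
# (testuser5's line is made up to show a rejected credential rather than a backend error).
SAMPLE_SECURE = """\
Dec  6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): authentication failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1 rhost= user=testuser1
Dec  6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
Dec  6 19:53:56 ipa-client1 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=testuser1
Dec  6 19:53:56 ipa-client1 login: pam_sss(login:auth): received for user testuser1: 4 (System error)
Dec  6 19:55:10 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser5: 7 (Authentication failure)
"""

# Linux-PAM return codes as pam_sss reports them in "received for user X: N (...)"
PAM_SYSTEM_ERR = 4  # backend failure: sssd could not complete the request
PAM_AUTH_ERR = 7    # the credential itself was rejected

# Only the "received for user" line carries the numeric PAM result. The preceding
# "authentication failure" line and any pam_unix line (expected to fail for IPA
# users, who have no local /etc/shadow entry) carry no result code and are skipped.
PAM_SSS_RESULT = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) \S+: "
    r"pam_sss\((?P<service>[^:]+):auth\): received for user (?P<user>\S+): "
    r"(?P<rc>\d+) \((?P<msg>[^)]*)\)$"
)


def triage(log_text):
    """Map (host, user, service) -> set of PAM return codes pam_sss reported."""
    results = defaultdict(set)
    for line in log_text.splitlines():
        m = PAM_SSS_RESULT.match(line)
        if m:
            results[(m["host"], m["user"], m["service"])].add(int(m["rc"]))
    return dict(results)


def backend_failures(log_text):
    """Sorted (host, user, service) tuples where pam_sss hit PAM_SYSTEM_ERR: the
    failure is in the sssd backend, not a wrong password, so these are the cases
    to chase with a raised sssd debug_level and id/getent on that client."""
    return sorted(k for k, rcs in triage(log_text).items() if PAM_SYSTEM_ERR in rcs)


if __name__ == "__main__":
    for host, user, service in backend_failures(SAMPLE_SECURE):
        print(f"{host}: {user} via {service}: sssd backend error (PAM rc 4)")
```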