[Freeipa-users] SUDO does not always works on first try
Zoske, Fabian
f.zoske at euroimmun.de
Fri Oct 9 11:04:15 UTC 2015
Hi Jakub,
I increased the log level in every SSSD section to 6 and got the following output, hope that helps.
KRB5_CHILD.LOG: https://s.mit42.de/IR6tu
SSSD_SUDO.LOG (two tries are logged in it): https://s.mit42.de/WF1Jl
SSSD_IPA-LX.COM: https://s.mit42.de/frBvx
Best regards,
Fabian
-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jakub Hrozek
Sent: Wednesday, 7 October 2015 10:03
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] SUDO does not always works on first try
On Mon, Oct 05, 2015 at 01:25:09PM +0000, Zoske, Fabian wrote:
> Dear Jakub,
>
> I found only the following entries in the /var/log/auth.log:
>
> Oct 5 11:57:38 hl-srv10 sudo: pam_unix(sudo:auth): conversation failed
> Oct 5 11:57:38 hl-srv10 sudo: pam_unix(sudo:auth): auth could not identify password for [f.zoske at de.eu.local]
> Oct 5 11:57:38 hl-srv10 sudo: pam_sss(sudo:auth): authentication failure; logname=f.zoske at de.eu.local uid=1948403038 euid=0 tty=/dev/pts/1 ruser=f.zoske at de.eu.local rhost= user=f.zoske at de.eu.local
> Oct 5 11:57:38 hl-srv10 sudo: pam_sss(sudo:auth): received for user f.zoske at de.eu.local: 7 (Authentication failure)
> Oct 5 11:57:38 hl-srv10 sudo: f.zoske at de.eu.local : user NOT authorized on host ; TTY=pts/1 ; PWD=/home/de.eu.local/f.zoske ; USER=root ; COMMAND=/bin/cat /etc/sssd/sssd.conf
> Oct 5 11:57:42 hl-srv10 sudo: pam_unix(sudo:auth): authentication failure; logname=f.zoske at de.eu.local uid=1948403038 euid=0 tty=/dev/pts/1 ruser=f.zoske at de.eu.local rhost= user=f.zoske at de.eu.local
> Oct 5 11:57:42 hl-srv10 sudo: pam_sss(sudo:auth): authentication success; logname=f.zoske at de.eu.local uid=1948403038 euid=0 tty=/dev/pts/1 ruser=f.zoske at de.eu.local rhost= user=f.zoske at de.eu.local
> Oct 5 11:57:43 hl-srv10 sudo: f.zoske at de.eu.local : user NOT authorized on host ; TTY=pts/1 ; PWD=/home/de.eu.local/f.zoske ; USER=root ; COMMAND=/bin/bash
> Oct 5 11:57:46 hl-srv10 sudo: pam_unix(sudo:auth): authentication failure; logname=f.zoske at de.eu.local uid=1948403038 euid=0 tty=/dev/pts/1 ruser=f.zoske at de.eu.local rhost= user=f.zoske at de.eu.local
> Oct 5 11:57:47 hl-srv10 sudo: pam_sss(sudo:auth): authentication success; logname=f.zoske at de.eu.local uid=1948403038 euid=0 tty=/dev/pts/1 ruser=f.zoske at de.eu.local rhost= user=f.zoske at de.eu.local
> Oct 5 11:57:47 hl-srv10 sudo: f.zoske at de.eu.local : TTY=pts/1 ; PWD=/home/de.eu.local/f.zoske ; USER=root ; COMMAND=/bin/bash
> Oct 5 11:57:47 hl-srv10 sudo: pam_unix(sudo:session): session opened for user root by f.zoske at de.eu.local(uid=0)
>
> In /var/log/sssd/ no entries were logged.
Nothing gets logged in by default, you need to increase debug_level,
see:
https://fedorahosted.org/sssd/wiki/Troubleshooting
I would look into the domain log and krb5_child.log first
>
> My sssd.conf:
> [domain/ipa-lx.com]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ipa-lx.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = hl-srv10.ipa-lx.com
> chpass_provider = ipa
> ipa_server = _srv_, dc01.ipa-lx.com
> ldap_tls_cacert = /etc/ipa/ca.crt
> ldap_sudo_use_host_filter = false
>
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> default_domain_suffix = de.eu.local
> domains = ei-ag.it
>
> [nss]
> override_shell = /bin/bash
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
>
> Best regards,
> Fabian
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
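
An added example, not part of the original thread: a small Python script that pairs each pam_sss result in auth.log with the sudo verdict line that follows it, so attempts where authentication succeeded but sudo still logged "user NOT authorized on host" stand out. The sample lines are constructed, modeled on the excerpt quoted above, with placeholder user and host names; the function names are hypothetical.

```python
import re

# Constructed sample modeled on the auth.log excerpt quoted in this thread;
# user and host names are placeholders, not values from the thread.
SAMPLE = """\
Oct  5 11:57:38 host1 sudo: pam_sss(sudo:auth): authentication failure; logname=alice uid=1000 euid=0 tty=/dev/pts/1 ruser=alice rhost= user=alice
Oct  5 11:57:38 host1 sudo: alice : user NOT authorized on host ; TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/sssd/sssd.conf
Oct  5 11:57:42 host1 sudo: pam_unix(sudo:auth): authentication failure; logname=alice uid=1000 euid=0 tty=/dev/pts/1 ruser=alice rhost= user=alice
Oct  5 11:57:42 host1 sudo: pam_sss(sudo:auth): authentication success; logname=alice uid=1000 euid=0 tty=/dev/pts/1 ruser=alice rhost= user=alice
Oct  5 11:57:43 host1 sudo: alice : user NOT authorized on host ; TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Oct  5 11:57:47 host1 sudo: pam_sss(sudo:auth): authentication success; logname=alice uid=1000 euid=0 tty=/dev/pts/1 ruser=alice rhost= user=alice
Oct  5 11:57:47 host1 sudo: alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
"""

# pam_sss authentication result (pam_unix lines are ignored on purpose:
# only the SSSD result is of interest here).
PAM_SSS = re.compile(r"sudo: pam_sss\(sudo:auth\): authentication (success|failure);")
# sudo's own line: "<user> : [denial reason ;] TTY=... ; COMMAND=<cmd>"
VERDICT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sudo:\s+(?P<user>\S+) : "
    r"(?P<pre>.*?)COMMAND=(?P<cmd>.*)$"
)

def classify(log_text):
    """Return one record per sudo attempt: pam_sss result plus sudo's verdict."""
    attempts, last_auth = [], None
    for line in log_text.splitlines():
        m = PAM_SSS.search(line)
        if m:
            last_auth = m.group(1)          # remember until sudo's verdict line
            continue
        m = VERDICT.match(line)
        if m:
            attempts.append({
                "ts": m.group("ts"), "user": m.group("user"),
                "cmd": m.group("cmd"), "authn": last_auth,
                "allowed": "user NOT authorized on host" not in m.group("pre"),
            })
            last_auth = None                # next attempt starts fresh
    return attempts

def authenticated_but_denied(attempts):
    """Attempts where pam_sss succeeded yet sudo refused the command."""
    return [a for a in attempts if a["authn"] == "success" and not a["allowed"]]

if __name__ == "__main__":
    for a in authenticated_but_denied(classify(SAMPLE)):
        print(a["ts"], a["user"], a["cmd"])
```
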