[Freeipa-users] SUDO does not always works on first try

Zoske, Fabian f.zoske at euroimmun.de
Fri Oct 9 11:04:15 UTC 2015


Hi Jakub,

I increased the log level in every SSSD section to 6 and got the following output, hope that helps.

KRB5_CHILD.LOG: https://s.mit42.de/IR6tu

SSSD_SUDO.LOG (two tries are logged in it): https://s.mit42.de/WF1Jl

SSSD_IPA-LX.COM: https://s.mit42.de/frBvx

Best regards,
Fabian

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jakub Hrozek
Sent: Wednesday, 7 October 2015 10:03
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] SUDO does not always works on first try

On Mon, Oct 05, 2015 at 01:25:09PM +0000, Zoske, Fabian wrote:
> Dear Jakub,
> 
> I found only the following entries in the /var/log/auth.log:
> 
> Oct  5 11:57:38 hl-srv10 sudo: pam_unix(sudo:auth): conversation failed
> Oct  5 11:57:38 hl-srv10 sudo: pam_unix(sudo:auth): auth could not identify password for [f.zoske at de.eu.local]
> Oct  5 11:57:38 hl-srv10 sudo: pam_sss(sudo:auth): authentication failure; logname=f.zoske at de.eu.local uid=1948403038 euid=0 tty=/dev/pts/1 ruser=f.zoske at de.eu.local rhost= user=f.zoske at de.eu.local
> Oct  5 11:57:38 hl-srv10 sudo: pam_sss(sudo:auth): received for user f.zoske at de.eu.local: 7 (Authentication failure)
> Oct  5 11:57:38 hl-srv10 sudo: f.zoske at de.eu.local : user NOT authorized on host ; TTY=pts/1 ; PWD=/home/de.eu.local/f.zoske ; USER=root ; COMMAND=/bin/cat /etc/sssd/sssd.conf
> Oct  5 11:57:42 hl-srv10 sudo: pam_unix(sudo:auth): authentication failure; logname=f.zoske at de.eu.local uid=1948403038 euid=0 tty=/dev/pts/1 ruser=f.zoske at de.eu.local rhost=  user=f.zoske at de.eu.local
> Oct  5 11:57:42 hl-srv10 sudo: pam_sss(sudo:auth): authentication success; logname=f.zoske at de.eu.local uid=1948403038 euid=0 tty=/dev/pts/1 ruser=f.zoske at de.eu.local rhost= user=f.zoske at de.eu.local
> Oct  5 11:57:43 hl-srv10 sudo: f.zoske at de.eu.local : user NOT authorized on host ; TTY=pts/1 ; PWD=/home/de.eu.local/f.zoske ; USER=root ; COMMAND=/bin/bash
> Oct  5 11:57:46 hl-srv10 sudo: pam_unix(sudo:auth): authentication failure; logname=f.zoske at de.eu.local uid=1948403038 euid=0 tty=/dev/pts/1 ruser=f.zoske at de.eu.local rhost=  user=f.zoske at de.eu.local
> Oct  5 11:57:47 hl-srv10 sudo: pam_sss(sudo:auth): authentication success; logname=f.zoske at de.eu.local uid=1948403038 euid=0 tty=/dev/pts/1 ruser=f.zoske at de.eu.local rhost= user=f.zoske at de.eu.local
> Oct  5 11:57:47 hl-srv10 sudo: f.zoske at de.eu.local : TTY=pts/1 ; PWD=/home/de.eu.local/f.zoske ; USER=root ; COMMAND=/bin/bash
> Oct  5 11:57:47 hl-srv10 sudo: pam_unix(sudo:session): session opened for user root by f.zoske at de.eu.local(uid=0)
> 
> In /var/log/sssd/ no entries were logged.

Nothing gets logged by default; you need to increase debug_level,
see:
    https://fedorahosted.org/sssd/wiki/Troubleshooting

I would look into the domain log and krb5_child.log first.

> 
> My sssd.conf:
> [domain/ipa-lx.com]
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ipa-lx.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = hl-srv10.ipa-lx.com
> chpass_provider = ipa
> ipa_server = _srv_, dc01.ipa-lx.com
> ldap_tls_cacert = /etc/ipa/ca.crt
> ldap_sudo_use_host_filter = false
> 
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> default_domain_suffix = de.eu.local
> domains = ei-ag.it
> 
> [nss]
> override_shell = /bin/bash
> 
> [pam]
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> [pac]
> 
> 
> Best regards,
> Fabian

> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
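
An added example, not part of the original thread: a small Python script that pairs each sudo decision in auth.log with the preceding pam_sss result, separating attempts that failed authentication from attempts sudo rejected after pam_sss reported success. The sample lines are constructed after the excerpt quoted above; the user and host names are placeholders, and the verdict labels are this example's own.

```python
import re

# Constructed sample modelled on the quoted auth.log excerpt
# (placeholder user/host; a real log has "@" where the archive shows " at ").
SAMPLE = """\
Oct  5 11:57:38 host1 sudo: pam_sss(sudo:auth): authentication failure; logname=alice@example.test uid=1000 euid=0 tty=/dev/pts/1 ruser=alice@example.test rhost= user=alice@example.test
Oct  5 11:57:38 host1 sudo: alice@example.test : user NOT authorized on host ; TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/sssd/sssd.conf
Oct  5 11:57:42 host1 sudo: pam_unix(sudo:auth): authentication failure; logname=alice@example.test uid=1000 euid=0 tty=/dev/pts/1 ruser=alice@example.test rhost=  user=alice@example.test
Oct  5 11:57:42 host1 sudo: pam_sss(sudo:auth): authentication success; logname=alice@example.test uid=1000 euid=0 tty=/dev/pts/1 ruser=alice@example.test rhost= user=alice@example.test
Oct  5 11:57:43 host1 sudo: alice@example.test : user NOT authorized on host ; TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Oct  5 11:57:47 host1 sudo: pam_sss(sudo:auth): authentication success; logname=alice@example.test uid=1000 euid=0 tty=/dev/pts/1 ruser=alice@example.test rhost= user=alice@example.test
Oct  5 11:57:47 host1 sudo: alice@example.test : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
"""

# pam_sss result for the sudo service; the greedy ".*" picks the final user= field.
PAM_SSS = re.compile(
    r"sudo: pam_sss\(sudo:auth\): authentication (success|failure);.*\buser=(\S+)")
# sudo's own decision line; the optional group is the denial reason, if any.
SUDO_CMD = re.compile(
    r"^(\w{3}\s+\d+ [\d:]+) \S+ sudo:\s+(\S+) : (?:(.*?) ; )?TTY=\S+ ; .*COMMAND=(.*)$")

def classify(log_text):
    """Return (timestamp, user, command, verdict) for each sudo decision."""
    last_auth = {}                       # user -> latest pam_sss result
    attempts = []
    for line in log_text.splitlines():
        m = PAM_SSS.search(line)
        if m:
            last_auth[m.group(2)] = m.group(1)
            continue
        m = SUDO_CMD.search(line)
        if not m:
            continue                     # pam_unix noise, session lines, etc.
        ts, user, reason, command = m.groups()
        auth = last_auth.pop(user, "unknown")
        if reason is None:
            verdict = "allowed"
        elif auth == "success":
            verdict = "denied-after-auth-success"   # sudo said no after PAM said yes
        else:
            verdict = "auth-" + auth                # auth-failure or auth-unknown
        attempts.append((ts, user, command.strip(), verdict))
    return attempts

if __name__ == "__main__":
    for attempt in classify(SAMPLE):
        print(*attempt, sep=" | ")
```
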
