I have a small IPA domain set up on a RHEL 6 server with a FreeIPA server, a replica and two clients. There are six users set up in the domain. All users are able to login over SSH to both client systems. I am not using IPA to control sudo access. Sudo privileges are granted by group membership (group memberships are managed by IPA). So here is where it gets weird.
Client Systems

system1 - testuser1 can authenticate over SSH using public key, can login at the console, and CAN sudo (all other users are able to do the same)
system2 - testuser1 can authenticate over SSH using public key and CANNOT login at the console or sudo (two out of six users can login and sudo)

So for example:

system1 - SSH, console and sudo access
testuser1, testuser2, testuser3, testuser4, testuser5, testuser6

system2 - SSH access only
testuser1, testuser2, testuser3, testuser4

system2 - SSH, console and sudo access
testuser5, testuser6

All users have the same group memberships and use SSH keys to authenticate to the system.

Errors when the user tries to sudo
------------------------------------------------------------
/var/log/secure
Dec 6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): authentication failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1 rhost= user=testuser1
Dec 6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
Dec 6 18:54:47 ipa-client1 sudo: pam_sss(sudo:auth): authentication failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1 rhost= user=testuser1
Dec 6 18:54:47 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
Dec 6 18:54:51 ipa-client1 sudo: pam_sss(sudo:auth): authentication failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1 rhost= user=testuser1
Dec 6 18:54:51 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
Dec 6 18:54:52 ipa-client1 sudo: testuser1 : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/testuser1 ; USER=root ; COMMAND=/bin/su -

Errors when the user tries to login at the console
-------------------------------------------------------------
/var/log/secure
Dec 6 19:53:56 ipa-client1 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=testuser1
Dec 6 19:53:56 ipa-client1 login: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=testuser1
Dec 6 19:53:56 ipa-client1 login: pam_sss(login:auth): received for user testuser1: 4 (System error)
Dec 6 19:53:58 ipa-client1 login: FAILED LOGIN 1 FROM (null) FOR testuser1, Authentication failure

I found this post and it looks similar but my /var/log/sssd/krb5_child.log is empty.
https://www.redhat.com/archives/freeipa-users/2012-October/msg00004.html

The link to http://www.mail-archive.com/sssd-devel%20lists%20fedorahosted%20org/msg10176.html was dead but I checked the /tmp permissions like the guy in the forum post and they were:

# ll -dZ /tmp/
drwxrwxrwt. root root system_u:object_r:tmp_t:s0 /tmp/

It's really puzzling that sudo works for some users but not others and it's only on one system. I've thought about enrolling additional systems to the IPA domain to determine if this one system is just a problem child but I'd rather get it ironed out before moving over any additional systems.

Thanks in advance,
Albert
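As an added example (not part of Albert's post or of the FreeIPA/SSSD projects), the Python parser below pulls the pam_sss result lines out of /var/log/secure and separates PAM_SYSTEM_ERR (4), which is what the post shows and which means SSSD failed before the password was ever judged, from PAM_AUTH_ERR (7), an actual credential rejection. The sample lines are taken from the post plus one constructed code-7 line for contrast.

```python
import re
from collections import Counter, defaultdict

# PAM return codes as numbered in Linux-PAM's <security/_pam_types.h>.
PAM_CODES = {
    4: "PAM_SYSTEM_ERR",        # module or backend failure, not a bad password
    6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR",          # credentials were checked and rejected
    9: "PAM_AUTHINFO_UNAVAIL",  # backend unreachable
    10: "PAM_USER_UNKNOWN",
}

# Matches the "received for user ..." line that pam_sss writes via syslog.
PAM_SSS_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\s]+): "
    r"pam_sss\((?P<service>[^:]+):(?P<type>\w+)\): received for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<msg>[^)]*)\)$"
)

# Constructed sample: three lines from the post, one extra code-7 line for testuser5.
SAMPLE_LINES = [
    "Dec  6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): authentication failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1 rhost= user=testuser1",
    "Dec  6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)",
    "Dec  6 19:53:56 ipa-client1 login: pam_sss(login:auth): received for user testuser1: 4 (System error)",
    "Dec  6 19:55:10 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser5: 7 (Authentication failure)",
    "Dec  6 18:54:52 ipa-client1 sudo: testuser1 : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/testuser1 ; USER=root ; COMMAND=/bin/su -",
]

def parse_pam_sss(lines):
    """Return one dict per pam_sss result line; all other lines are ignored."""
    events = []
    for line in lines:
        m = PAM_SSS_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["code"] = int(ev["code"])
            ev["name"] = PAM_CODES.get(ev["code"], "PAM_%d" % ev["code"])
            events.append(ev)
    return events

def summarize(lines):
    """Count PAM return codes per (host, pam service, user)."""
    summary = defaultdict(Counter)
    for ev in parse_pam_sss(lines):
        summary[(ev["host"], ev["service"], ev["user"])][ev["name"]] += 1
    return dict(summary)

def system_error_users(lines):
    """(host, user) pairs failing with code 4: look at sssd logs, Kerberos and
    /tmp on that client rather than at the user's password."""
    return sorted({(ev["host"], ev["user"]) for ev in parse_pam_sss(lines) if ev["code"] == 4})

if __name__ == "__main__":
    for key, counts in sorted(summarize(SAMPLE_LINES).items()):
        print(key, dict(counts))
    print("system-error users:", system_error_users(SAMPLE_LINES))
```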
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
