Header Shadow Image


User is not allowed to run sudo on server.  This incident will be reported.

Receiving the following when using FreeIPA to manage sudo rules?

-sh-4.2$ sudo su –
[sudo] password for tom@mds.xyz: 
tom@mds.xyz is not allowed to run sudo on idmipa04.  This incident will be reported.
-sh-4.2$

On a working node:

# ipa-compat-manage status
Directory Manager password: 

Plugin Enabled

and on a non-working node:

# ipa-compat-manage status
Directory Manager password: 

Plugin Disabled
# ipa-compat-manage enable
Directory Manager password: 

Enabling plugin
This setting will not take effect until you restart Directory Server.
# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

ipa-compat-manage status
Directory Manager password: 

Plugin Disabled

Enable the plugin:

# ipa-compat-manage enable
Directory Manager password: 

Enabling plugin
This setting will not take effect until you restart Directory Server.
# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
#

And try the sudo to root again:  All sudo rules should be visible using the following commands:

dapsearch -Y GSSAPI -b "dc=mws,dc=mds,dc=xyz" dn |grep -Ei sudo|grep -v "#"

ipa sudorule-find All

on both servers.  Verify on clients:

$ sudo su –
[sudo] password for tom@mds.xyz: 
tom@mds.xyz is not allowed to run sudo on azure-r01wn01.  This incident will be reported.
$ su –
Password: 
Last login: Thu Jan 28 21:53:55 EST 2021 on pts/0
[root@azure-r01wn01 ~]# systemctl restart sssd^C
[root@azure-r01wn01 ~]# rm -f /var/lib/sss/db/*
[root@azure-r01wn01 ~]# systemctl restart sssd
[root@azure-r01wn01 ~]# logout
$ sudo su –
[sudo] password for tom@mds.xyz: 
Last login: Fri Jan 29 00:51:40 EST 2021 on pts/1
[root@azure-r01wn01 ~]# 

Thanks,

Leave a Reply

You must be logged in to post a comment.


     
  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License