[Freeipa-users] sudo sometimes doesn't work
Orion Poplawski
2017-01-27 21:15:16 UTC
EL7.3
Users are in Active Directory via an AD trust with the IPA server

sudo is configured via files - users in our default "nwra" group can run
certain sudo commands, e.g.:

Cmnd_Alias WAKEUP = /sbin/ether-wake *
%nwra,%visitor,%ivm ALL=NOPASSWD: WAKEUP

However, sometimes when I run sudo /sbin/ether-wake I get prompted for my
password. Other times it works fine. I've attached some logs from a failed
attempt.

In particular, these entries:

-barry.cora.DNSDOMAIN sssd_be[701]: Got request with the following data
-barry.cora.DNSDOMAIN sssd_be[701]: command: SSS_PAM_PREAUTH
-barry.cora.DNSDOMAIN sssd_be[701]: domain: ad.DNSDOMAIN
-barry.cora.DNSDOMAIN sssd_be[701]: user: ***@ad.DNSDOMAIN
-barry.cora.DNSDOMAIN sssd_be[701]: service: sudo
-barry.cora.DNSDOMAIN sssd_be[701]: tty: /dev/pts/0
-barry.cora.DNSDOMAIN sssd_be[701]: ruser: USER
-barry.cora.DNSDOMAIN sssd_be[701]: rhost:
-barry.cora.DNSDOMAIN sssd_be[701]: authtok type: 0
-barry.cora.DNSDOMAIN sssd_be[701]: newauthtok type: 0
-barry.cora.DNSDOMAIN sssd_be[701]: priv: 0
-barry.cora.DNSDOMAIN sssd_be[701]: cli_pid: 2860
-barry.cora.DNSDOMAIN sssd_be[701]: logon name: not set
-barry.cora.DNSDOMAIN sssd_be[701]: Trying to resolve service 'IPA'
-barry.cora.DNSDOMAIN sssd_be[701]: The status of SRV lookup is resolved
-barry.cora.DNSDOMAIN sssd_be[701]: Found address for server ipa1.DNSDOMAIN:
[10.0.1.74] TTL 86400
-barry.cora.DNSDOMAIN krb5_child[2869]: cmd [249] uid [22603] gid [22603]
validate [true] enterprise principal [false] offline [false] UPN
[***@AD.NWRA.COM]
-barry.cora.DNSDOMAIN krb5_child[2869]: SSSD_KRB5_FAST_PRINCIPAL is set to
[host/***@NWRA.COM]
-barry.cora.DNSDOMAIN krb5_child[2869]: FAST TGT is still valid.
-barry.cora.DNSDOMAIN krb5_child[2869]: Trying to become user [22603][22603].
-barry.cora.DNSDOMAIN krb5_child[2869]: Cannot read
[SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
-barry.cora.DNSDOMAIN krb5_child[2869]: Cannot read [SSSD_KRB5_LIFETIME] from
environment.
-barry.cora.DNSDOMAIN krb5_child[2869]: SSSD_KRB5_CANONICALIZE is set to [true]
-barry.cora.DNSDOMAIN krb5_child[2869]: Cannot handle password prompts.
-barry.cora.DNSDOMAIN krb5_child[2869]: Received error code 0
-barry.cora.DNSDOMAIN sssd_be[701]: child [2869] finished successfully.
-barry.cora.DNSDOMAIN sssd_be[701]: Marking port 389 of server
'ipa1.DNSDOMAIN' as 'working'
-barry.cora.DNSDOMAIN sssd_be[701]: Marking server 'ipa1.DNSDOMAIN' as 'working'
-barry.cora.DNSDOMAIN sssd_be[701]: connection is about to expire, releasing it
-barry.cora.DNSDOMAIN sssd_be[701]: Trying to resolve service 'IPA'
-barry.cora.DNSDOMAIN sssd_be[701]: The status of SRV lookup is resolved
-barry.cora.DNSDOMAIN sssd_be[701]: Found address for server ipa1.DNSDOMAIN:
[10.0.1.74] TTL 86400
-barry.cora.DNSDOMAIN sssd_be[701]: Trying to resolve service 'IPA'
-barry.cora.DNSDOMAIN sssd_be[701]: The status of SRV lookup is resolved
-barry.cora.DNSDOMAIN sssd_be[701]: Found address for server ipa1.DNSDOMAIN:
[10.0.1.74] TTL 86400
-barry.cora.DNSDOMAIN ldap_child[2889]: Will run as [0][0].
-barry.cora.DNSDOMAIN ldap_child[2889]: Trying to become user [0][0].
-barry.cora.DNSDOMAIN ldap_child[2889]: Already user [0].
-barry.cora.DNSDOMAIN ldap_child[2889]: Principal name is:
[host/***@NWRA.COM]
-barry.cora.DNSDOMAIN ldap_child[2889]: Using keytab [MEMORY:/etc/krb5.keytab]
-barry.cora.DNSDOMAIN ldap_child[2889]: Will canonicalize principals
-barry.cora.DNSDOMAIN sssd_be[701]: GSSAPI client step 1
-barry.cora.DNSDOMAIN sssd_be[701]: expire timeout is 900
-barry.cora.DNSDOMAIN sssd_be[701]: GSSAPI client step 1
-barry.cora.DNSDOMAIN sssd_be[701]: Executing sasl bind mech: GSSAPI, user:
host/barry.cora.DNSDOMAIN
-barry.cora.DNSDOMAIN sssd_be[701]: GSSAPI client step 1
-barry.cora.DNSDOMAIN sssd_be[701]: GSSAPI client step 2
-barry.cora.DNSDOMAIN sssd_be[701]: child [2889] finished successfully.
-barry.cora.DNSDOMAIN sssd_be[701]: Marking port 389 of server
'ipa1.DNSDOMAIN' as 'working'
-barry.cora.DNSDOMAIN sssd_be[701]: Marking server 'ipa1.DNSDOMAIN' as 'working'
-barry.cora.DNSDOMAIN sssd_be[701]: No host groups were dereferenced
-barry.cora.DNSDOMAIN sssd_be[701]: Received 0 additional command groups
-barry.cora.DNSDOMAIN sssd_be[701]: Received 0 sudo rules
-barry.cora.DNSDOMAIN sssd_be[701]: SUDO higher USN value: [1]
-barry.cora.DNSDOMAIN sudo[2860]: USER : command not allowed ; TTY=pts/0 ;
PWD=/export/home/USER/fedora/fail2ban ; USER=root ; COMMAND=/sbin/ether-wake
-i eth0 00:25:64:e0:05:fa

seem to appear in the failed attempt but not a successful one.
--
Orion Poplawski
Technical Manager 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane ***@nwra.com
Boulder, CO 80301 http://www.nwra.com
Jakub Hrozek
2017-01-30 08:38:04 UTC
Post by Orion Poplawski
EL7.3
Users are in active directory via AD trust with IPA server
sudo is configured via files - users in our default "nwra" group can run
Cmnd_Alias WAKEUP = /sbin/ether-wake *
%nwra,%visitor,%ivm ALL=NOPASSWD: WAKEUP
However, sometimes when I run sudo /sbin/ether-wake I get prompted for my
password. Other times it works fine. I've attached some logs from failed
attempt.
So the sudo command is successful in the end, it 'just' prompts for a
password?

I think the sudo logs would be the most important part here, see:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
there is a section called 'a) How do I get sudo logs?' that explains
how to generate them.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Orion Poplawski
2017-03-14 20:37:31 UTC
Post by Jakub Hrozek
Post by Orion Poplawski
EL7.3
Users are in active directory via AD trust with IPA server
sudo is configured via files - users in our default "nwra" group can run
Cmnd_Alias WAKEUP = /sbin/ether-wake *
%nwra,%visitor,%ivm ALL=NOPASSWD: WAKEUP
However, sometimes when I run sudo /sbin/ether-wake I get prompted for my
password. Other times it works fine. I've attached some logs from failed
attempt.
So the sudo command is successful in the end, it 'just' prompts for a
password?
No, it fails when given the password:

Sorry, user USER is not allowed to execute '/sbin/ether-wake XXX' as root on HOST.

Turns out I'm an idiot. Needed to run ipa-adtrust-install on all of the IPA
servers and make sure things were working on all of them. Things would break
depending on which ipa server the client sssd was connected to.
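The diagnosis in the last post (the AD trust agent pieces installed on only some IPA replicas, so group resolution for AD users depended on which server the client's sssd happened to bind to) is worth turning into a repeatable check. The script below is an added example, not code from this thread or from the FreeIPA/SSSD projects. It assumes the "Server name:" field layout of `ipa server-find` and `ipa server-role-find --role="AD trust agent" --status=enabled` as in FreeIPA 4.4 (the EL7.3 release), a valid admin Kerberos ticket for the live part, the file name check_ipa_trust.sh for the entry-point guard, and constructed host names and `id` output for the offline functions.

```shell
#!/bin/sh
# Added example, not from the thread: verify that every IPA replica carries
# the "AD trust agent" role and that an AD user's groups resolve on the
# client. A file-based sudoers rule such as
#   %nwra,%visitor,%ivm ALL=NOPASSWD: WAKEUP
# denies the command whenever sssd cannot map the user into %nwra.

# servers_missing_role ALL WITH_ROLE
#   Both arguments are newline-separated host lists. Prints the hosts in ALL
#   that are absent from WITH_ROLE; prints nothing when every host has the role.
servers_missing_role() {
    tmp_all="${TMPDIR:-/tmp}/ipa_all.$$"
    tmp_role="${TMPDIR:-/tmp}/ipa_role.$$"
    printf '%s\n' "$1" | sed '/^$/d' | LC_ALL=C sort -u > "$tmp_all"
    printf '%s\n' "$2" | sed '/^$/d' | LC_ALL=C sort -u > "$tmp_role"
    LC_ALL=C comm -23 "$tmp_all" "$tmp_role"
    rm -f "$tmp_all" "$tmp_role"
}

# user_in_group GROUP ID_LINE
#   ID_LINE is the output of `id USER`, e.g.
#   "uid=22603(u@ad.example.com) gid=22603(domain users@ad.example.com) groups=22603(domain users@ad.example.com),22605(nwra@ad.example.com)"
#   Returns 0 when GROUP is listed in the groups= field, 1 otherwise. Groups are
#   split on commas (not spaces) because AD names like "domain users" contain spaces,
#   and the exact match means a fully qualified "nwra@ad.example.com" does not match
#   a bare "nwra" (the use_fully_qualified_names caveat).
user_in_group() {
    printf '%s\n' "$2" | sed -n 's/.*groups=//p' | tr ',' '\n' \
        | sed 's/^[0-9]*(//; s/)$//' | grep -qxF -- "$1"
}

# Live check on an enrolled host; needs a ticket (kinit admin) for the ipa
# commands. Field names follow FreeIPA 4.4 output (assumed here).
check_trust_agents() {
    all=$(ipa server-find 2>/dev/null | awk -F': ' '/^ *Server name:/ {print $2}')
    agents=$(ipa server-role-find --role="AD trust agent" --status=enabled 2>/dev/null \
             | awk -F': ' '/^ *Server name:/ {print $2}')
    missing=$(servers_missing_role "$all" "$agents")
    if [ -n "$missing" ]; then
        echo "IPA servers without the AD trust agent role (run ipa-adtrust-install --add-agents):"
        echo "$missing"
        return 1
    fi
    echo "All IPA servers carry the AD trust agent role."
}

# check_sudo_group USER@AD.DOMAIN GROUP
#   Confirms on this client that the user resolves into the group named in sudoers.
check_sudo_group() {
    line=$(id "$1" 2>/dev/null) || { echo "cannot resolve $1 on this client"; return 1; }
    if user_in_group "$2" "$line"; then
        echo "$1 is in $2; the %$2 sudoers rule should match"
    else
        echo "$1 is NOT in $2 here; check which IPA server sssd is bound to"
        return 1
    fi
}

# Run both checks only when executed as check_ipa_trust.sh (hypothetical name),
# not when the functions are sourced.
case "${0##*/}" in
    check_ipa_trust.sh)
        check_trust_agents
        check_sudo_group "${1:?usage: check_ipa_trust.sh user@ad.domain [group]}" "${2:-nwra}"
        ;;
esac
```

Run it from the client that shows the intermittent failure, once per IPA server if you pin the server in sssd.conf (ipa_server=) while reproducing; if the group check passes against one replica and fails against another, the replica that fails is the one missing the trust agent role. Note that with use_fully_qualified_names the group appears as nwra@ad.domain, and a sudoers line written as %nwra will not match it.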