sudo |
您所在的位置:网站首页 › ldap sudo › sudo |
|
I'm trying to setup sudo-ldap in a clean CentOS 7 docker environment. I've successfully setup sssd and PAM authentication, and it works. However, sudo-ldap works only if !authenticate is set: dn: cn=test,ou=SUDOers,ou=People,dc=srv,dc=world objectClass: top objectClass: sudoRole cn: test sudoUser: test sudoHost: ALL sudoRunAsUser: ALL sudoCommand: ALL sudoCommand: !/bin/cp sudoOption: !authenticateWhen I run sudo cp, I got the following debug logs: # without !authenticate sudo: searching LDAP for sudoers entries sudo: ldap sudoRunAsUser 'ALL' ... MATCH! sudo: ldap sudoCommand 'ALL' ... MATCH! sudo: ldap sudoCommand '!/bin/cp' ... MATCH! sudo: Command allowed sudo: LDAP entry: 0x55ed4d71b930 sudo: done with LDAP searches sudo: user_matches=true sudo: host_matches=true sudo: sudo_ldap_lookup(0)=0x02 [sudo] password for test: Sorry, try again. # with !authenticate sudo: searching LDAP for sudoers entries sudo: ldap sudoRunAsUser 'ALL' ... MATCH! sudo: ldap sudoCommand 'ALL' ... MATCH! sudo: Command allowed sudo: LDAP entry: 0x564d56cb9960 sudo: done with LDAP searches sudo: user_matches=true sudo: host_matches=true sudo: sudo_ldap_lookup(0)=0x02 sudo: removing reusable search result cp: missing file operand Try 'cp --help' for more information.I can use the password to login via SSH, but not able to run sudo command, does anyone know what's wrong? Attached /etc/pam.d/system-auth (sudo is including that file) #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_sss.so use_first_pass auth sufficient pam_unix.so try_first_pass nullok auth required pam_deny.so account required pam_unix.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_sss.so use_authtok password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so session required pam_mkhomedir.so skel=/etc/skel umask=0022 |
| CopyRight 2018-2019 办公设备维修网 版权所有 豫ICP备15022753号-3 |