sudo não está funcionando no meu Centos 7.3

3

Eu passei um tempo considerável no meu Centos 7 com sudo . Eu adicionei o usuário local test a /etc/sudoers via visudo da seguinte forma:

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere 
root    ALL=(ALL)       ALL 
test    ALL=(ALL)       ALL

Também adicionei test ao grupo de rodas:

[root@ark-centos-smb4 ~]# groups test
test : bin wheel arkgrp

Então, eu su to test e tento executar um comando como root, mas recebo um erro dizendo que o usuário não está no arquivo sudoers.

[root@ark-centos-smb4 ~]# su - test
Last login: Tue Aug  8 01:03:48 PDT 2017 on pts/0
[test@ark-centos-smb4 ~]$ sudo ls /root/
[sudo] password for test:
test is not in the sudoers file.  This incident will be reported.

Curiosamente, o usuário root também é recusado para executar o sudo:

[root@ark-centos-smb4 ~]# sudo ls
root is not allowed to run sudo on ark-centos-smb4.  This incident will be reported.

resultado visudo:

[root@ark-centos-smb4 ~]# visudo -c
/etc/sudoers: parsed OK
/etc/sudoers.d/arkgrp-users: parsed OK

sudo -V result:

[root@ark-centos-smb4 ~]# sudo -V
Sudo version 1.8.6p7
Configure options: --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --prefix=/usr --sbindir=/usr/sbin --libdir=/usr/lib64 --docdir=/usr/share/doc/sudo-1.8.6p7 --with-logging=syslog --with-logfac=authpriv --with-pam --with-pam-login --with-editor=/bin/vi --with-env-editor --with-ignore-dot --with-tty-tickets --with-ldap --with-ldap-conf-file=/etc/sudo-ldap.conf --with-selinux --with-passprompt=[sudo] password for %p:  --with-linux-audit --with-sssd --with-gcrypt
Sudoers policy plugin version 1.8.6p7
Sudoers file grammar version 42

Sudoers path: /etc/sudoers
nsswitch path: /etc/nsswitch.conf
ldap.conf path: /etc/sudo-ldap.conf
ldap.secret path: /etc/ldap.secret
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Ignore '.' in $PATH
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5.0 minutes
Password prompt timeout: 5.0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/db/sudo
Default password prompt: [sudo] password for %p:
Default user to run commands as: root
Path to the editor for use by visudo: /bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
        TZ
        TERM
        LINGUAS
        LC_*
        LANGUAGE
        LANG
        COLORTERM
Environment variables to remove:
        RUBYOPT
        RUBYLIB
        PYTHONUSERBASE
        PYTHONINSPECT
        PYTHONPATH
        PYTHONHOME
        TMPPREFIX
        ZDOTDIR
        READNULLCMD
        NULLCMD
        FPATH
        PERL5DB
        PERL5OPT
        PERL5LIB
        PERLLIB
        PERLIO_DEBUG
        JAVA_TOOL_OPTIONS
        SHELLOPTS
        GLOBIGNORE
        PS4
        BASH_ENV
        ENV
        TERMCAP
        TERMPATH
        TERMINFO_DIRS
        TERMINFO
        _RLD*
        LD_*
        PATH_LOCALE
        NLSPATH
        HOSTALIASES
        RES_OPTIONS
        LOCALDOMAIN
        CDPATH
        IFS
Environment variables to preserve:
        XAUTHORIZATION
        XAUTHORITY
        PS2
        PS1
        PATH
        LS_COLORS
        KRB5CCNAME
        HOSTNAME
        DISPLAY
        COLORS
Locale to use while parsing sudoers: C
Compress I/O logs using zlib
Directory in which to store input/output logs: /var/log/sudo-io
File in which to store the input/output log: %{seq}
Add an entry to the utmp/utmpx file when allocating a pty
Don't pre-resolve all group names
PAM service name to use
PAM service name to use for login shells

Local IP address and netmask pairs:
        192.168.32.26/255.255.252.0
        2001:21:21:32:250:56ff:feb4:720d/ffff:ffff:ffff:ffff::
        fe80::250:56ff:feb4:720d/ffff:ffff:ffff:ffff::

Sudoers I/O plugin version 1.8.6p7

/ etc / sudoers conteúdo sem comentário:

Defaults   !visiblepw

Defaults    always_set_home

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

root    ALL=(ALL:ALL)   ALL
test    ALL=(ALL:ALL)   ALL
usera   ALL=(ALL:ALL)   ALL

%wheel  ALL=(ALL)   ALL

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

/etc/sudoers.d/arkgrp-users content:

%arkgrp ALL=(ALL) ALL

eu entrei no centos em nosso domínio do Windows por realm join QA.ARKIVIO.COM

[root@ark-centos-smb4 ~]# realm list
qa.arkivio.com
  type: kerberos
  realm-name: QA.ARKIVIO.COM
  domain-name: qa.arkivio.com
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  required-package: oddjob-mkhomedir
  required-package: oddjob
  required-package: samba-winbind-clients
  required-package: samba-winbind
  required-package: samba-common-tools
  login-formats: QA\%U
  login-policy: allow-any-login
QA.ARKIVIO.COM
  type: kerberos
  realm-name: QA.ARKIVIO.COM
  domain-name: qa.arkivio.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %[email protected]
  login-policy: allow-realm-logins

Conteúdo do /etc/sssd/sssd.conf

[sssd]
config_file_version = 2
#services = nss, pam, pac, ssh, ifp
services = nss, pam, pac, ssh, ifp, sudo
#domains = QA
domains = QA.ARKIVIO.COM
#debug_level = 0 - Set this to troubleshoot; 0-10 are valid values
#debug_level = 0
debug_level = 9
#ldap_sasl_authid = host/[email protected]

[nss]
#filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/QA.ARKIVIO.COM]
ad_domain = QA.ARKIVIO.COM
krb5_realm = QA.ARKIVIO.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
ldap_schema = ad
#ldap_access_order = expire
#ldap_account_expire_policy = ad
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
auth_provider = ad

item sudo em /etc/nsswitch.conf

[root@ark-centos-smb4 /]# grep sudo /etc/nsswitch.conf
sudoers:        ldap

Por favor, dê alguns conselhos.

    
por xq10907 17.08.2017 / 10:22

2 respostas

6

O problema aqui é que, quando você ingressou no sistema CentOS no domínio do Active Directory, o comando realm também modificou /etc/nsswitch.conf para assumir a configuração de sudo :

grep sudo /etc/nsswitch.conf
sudoers:        ldap

Se você quiser manter a configuração local de sudo , será necessário reverter isso para a configuração original:

sudoers:        files

Curiosamente, nos meus sistemas (Debian e Raspbian) que foram associados ao AD, tenho uma configuração mesclada:

sudoers:        files sss

Deixando de lado a distribuição, estou curioso para entender por que a sua também não é uma configuração mesclada e que a sua é configurada diretamente via LDAP, enquanto a minha passa por sssd . (Eu ficaria satisfeito se alguém puder explicar isso. Mas talvez seja apenas uma diferença de distribuição.)

    
por 21.08.2017 / 12:25
3

Edite seu /etc/sudoers da seguinte forma:

# User privilege specification
root    ALL=(ALL:ALL) ALL
test  ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
    
por 17.08.2017 / 10:39