Centos – sudo is not working on the Centos 7.3

active-directorycentossudo

I have spent considerable time on my Centos 7 with sudo. I added local user test to /etc/sudoers via visudo as follows:

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere 
root    ALL=(ALL)       ALL 
test    ALL=(ALL)       ALL

Also added test to the wheel group:

[root@ark-centos-smb4 ~]# groups test
test : bin wheel arkgrp

Then I su to test, and try to run a command as root, but I get an error saying that the user in not in the sudoers file.

[root@ark-centos-smb4 ~]# su - test
Last login: Tue Aug  8 01:03:48 PDT 2017 on pts/0
[test@ark-centos-smb4 ~]$ sudo ls /root/
[sudo] password for test:
test is not in the sudoers file.  This incident will be reported.

Interestingly, the root user is also refused to run sudo:

[root@ark-centos-smb4 ~]# sudo ls
root is not allowed to run sudo on ark-centos-smb4.  This incident will be reported.

visudo result:

[root@ark-centos-smb4 ~]# visudo -c
/etc/sudoers: parsed OK
/etc/sudoers.d/arkgrp-users: parsed OK

sudo -V result:

[root@ark-centos-smb4 ~]# sudo -V
Sudo version 1.8.6p7
Configure options: --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --prefix=/usr --sbindir=/usr/sbin --libdir=/usr/lib64 --docdir=/usr/share/doc/sudo-1.8.6p7 --with-logging=syslog --with-logfac=authpriv --with-pam --with-pam-login --with-editor=/bin/vi --with-env-editor --with-ignore-dot --with-tty-tickets --with-ldap --with-ldap-conf-file=/etc/sudo-ldap.conf --with-selinux --with-passprompt=[sudo] password for %p:  --with-linux-audit --with-sssd --with-gcrypt
Sudoers policy plugin version 1.8.6p7
Sudoers file grammar version 42

Sudoers path: /etc/sudoers
nsswitch path: /etc/nsswitch.conf
ldap.conf path: /etc/sudo-ldap.conf
ldap.secret path: /etc/ldap.secret
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Ignore '.' in $PATH
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5.0 minutes
Password prompt timeout: 5.0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/db/sudo
Default password prompt: [sudo] password for %p:
Default user to run commands as: root
Path to the editor for use by visudo: /bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
        TZ
        TERM
        LINGUAS
        LC_*
        LANGUAGE
        LANG
        COLORTERM
Environment variables to remove:
        RUBYOPT
        RUBYLIB
        PYTHONUSERBASE
        PYTHONINSPECT
        PYTHONPATH
        PYTHONHOME
        TMPPREFIX
        ZDOTDIR
        READNULLCMD
        NULLCMD
        FPATH
        PERL5DB
        PERL5OPT
        PERL5LIB
        PERLLIB
        PERLIO_DEBUG
        JAVA_TOOL_OPTIONS
        SHELLOPTS
        GLOBIGNORE
        PS4
        BASH_ENV
        ENV
        TERMCAP
        TERMPATH
        TERMINFO_DIRS
        TERMINFO
        _RLD*
        LD_*
        PATH_LOCALE
        NLSPATH
        HOSTALIASES
        RES_OPTIONS
        LOCALDOMAIN
        CDPATH
        IFS
Environment variables to preserve:
        XAUTHORIZATION
        XAUTHORITY
        PS2
        PS1
        PATH
        LS_COLORS
        KRB5CCNAME
        HOSTNAME
        DISPLAY
        COLORS
Locale to use while parsing sudoers: C
Compress I/O logs using zlib
Directory in which to store input/output logs: /var/log/sudo-io
File in which to store the input/output log: %{seq}
Add an entry to the utmp/utmpx file when allocating a pty
Don't pre-resolve all group names
PAM service name to use
PAM service name to use for login shells

Local IP address and netmask pairs:
        192.168.32.26/255.255.252.0
        2001:21:21:32:250:56ff:feb4:720d/ffff:ffff:ffff:ffff::
        fe80::250:56ff:feb4:720d/ffff:ffff:ffff:ffff::

Sudoers I/O plugin version 1.8.6p7

/etc/sudoers non-comment content:

Defaults   !visiblepw

Defaults    always_set_home

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

root    ALL=(ALL:ALL)   ALL
test    ALL=(ALL:ALL)   ALL
usera   ALL=(ALL:ALL)   ALL

%wheel  ALL=(ALL)   ALL

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

/etc/sudoers.d/arkgrp-users content:

%arkgrp ALL=(ALL) ALL

i joined centos to our windows domain by realm join QA.ARKIVIO.COM

[root@ark-centos-smb4 ~]# realm list
qa.arkivio.com
  type: kerberos
  realm-name: QA.ARKIVIO.COM
  domain-name: qa.arkivio.com
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  required-package: oddjob-mkhomedir
  required-package: oddjob
  required-package: samba-winbind-clients
  required-package: samba-winbind
  required-package: samba-common-tools
  login-formats: QA\%U
  login-policy: allow-any-login
QA.ARKIVIO.COM
  type: kerberos
  realm-name: QA.ARKIVIO.COM
  domain-name: qa.arkivio.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@qa.arkivio.com
  login-policy: allow-realm-logins

/etc/sssd/sssd.conf content

[sssd]
config_file_version = 2
#services = nss, pam, pac, ssh, ifp
services = nss, pam, pac, ssh, ifp, sudo
#domains = QA
domains = QA.ARKIVIO.COM
#debug_level = 0 - Set this to troubleshoot; 0-10 are valid values
#debug_level = 0
debug_level = 9
#ldap_sasl_authid = host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM

[nss]
#filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/QA.ARKIVIO.COM]
ad_domain = QA.ARKIVIO.COM
krb5_realm = QA.ARKIVIO.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
ldap_schema = ad
#ldap_access_order = expire
#ldap_account_expire_policy = ad
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
auth_provider = ad

sudo item in /etc/nsswitch.conf

[root@ark-centos-smb4 /]# grep sudo /etc/nsswitch.conf
sudoers:        ldap

Please give some advice.

Best Answer

The problem here is that when you joined your CentOS system to the Active Directory domain, the realm command also modified /etc/nsswitch.conf to take over the configuration of sudo:

grep sudo /etc/nsswitch.conf
sudoers:        ldap

If you want to retain local configuration of sudo you need to revert this to its original setting:

sudoers:        files

Interestingly, on my (Debian and Raspbian) systems that have been joined to AD I have a merged configuration:

sudoers:        files sss

Distribution aside, I'm curious to understand why yours isn't also a merged configuration and that yours is configured directly via LDAP whereas mine is through sssd. (I'd be pleased if someone to be able to explain that. But perhaps it's just a distribution difference.)

Related Solutions

KDE – Using Sudo on GUI Applications in Arch Linux

This looks like an intentional configuration in Arch Linux. See this for discussion with links to solutions.

The best tip there seems to be adding "DISPLAY XAUTHORITY" to to the "env_keep" defaults in /etc/sudoers.

Fedora has in /etc/sudoers the following and this allows sudo somexapp to succeed.

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

Bash – How to prevent the caller’s shell from being used in sudo

Then answer is that sudo has a bug. First, the workaround: I put this in my /etc/sudoers.d/zabbix file:

zabbix    ALL=(root) NOPASSWD:       /bin/env SHELL=/bin/sh /usr/local/bin/zabbix_raid_discovery

and now subcommands called from zabbix_raid_discovery work.

A patch to fix this will be in sudo 1.8.15. From the maintainer, Todd Miller:

This is just a case of "it's always been like that".  There's not
really a good reason for it.  The diff below should make the behavior
match the documentation.

 - todd

diff -r adb927ad5e86 plugins/sudoers/env.c
--- a/plugins/sudoers/env.c     Tue Oct 06 09:33:27 2015 -0600
+++ b/plugins/sudoers/env.c     Tue Oct 06 10:04:03 2015 -0600
@@ -939,8 +939,6 @@
            CHECK_SETENV2("USERNAME", runas_pw->pw_name,
                ISSET(didvar, DID_USERNAME), true);
        } else {
-           if (!ISSET(didvar, DID_SHELL))
-               CHECK_SETENV2("SHELL", sudo_user.pw->pw_shell, false, true);
            /* We will set LOGNAME later in the def_set_logname case. */
            if (!def_set_logname) {
                if (!ISSET(didvar, DID_LOGNAME))
@@ -984,6 +982,8 @@
            if (!env_should_delete(*ep)) {
                if (strncmp(*ep, "SUDO_PS1=", 9) == 0)
                    ps1 = *ep + 5;
+               else if (strncmp(*ep, "SHELL=", 6) == 0)
+                   SET(didvar, DID_SHELL);
                else if (strncmp(*ep, "PATH=", 5) == 0)
                    SET(didvar, DID_PATH);
                else if (strncmp(*ep, "TERM=", 5) == 0)
@@ -1039,7 +1039,9 @@
     if (reset_home)
        CHECK_SETENV2("HOME", runas_pw->pw_dir, true, true);

-    /* Provide default values for $TERM and $PATH if they are not set. */
+    /* Provide default values for $SHELL, $TERM and $PATH if not set. */
+    if (!ISSET(didvar, DID_SHELL))
+       CHECK_SETENV2("SHELL", runas_pw->pw_shell, false, false);
     if (!ISSET(didvar, DID_TERM))
        CHECK_PUTENV("TERM=unknown", false, false);
     if (!ISSET(didvar, DID_PATH))

Best Answer

Related Solutions

KDE – Using Sudo on GUI Applications in Arch Linux

Bash – How to prevent the caller’s shell from being used in sudo

Related Question