
Ok, so I'm using Windows Server 2012 as a Domain Controller. I've connected two CentOS 7 clients to the domain via Samba.

Authentication works as expected via SSH; however, when attempting to sudo, PAM still asks for a password.

Once you supply the appropriate password, everything works fine, but I'm looking for a method that would avoid the previously mentioned password request.

I've been playing around with PAM, but haven't had too much luck.

/etc/pam.d/sudo:

#%PAM-1.0
#auth       include      system-auth
auth       required     pam_sss.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so

/etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok     try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so skel=/etc/skel        umask=0022
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
Pete
  • You're looking in the wrong place. Kerberos tickets are irrelevant. This is configured in `sudoers`. Of course, it's also potentially dangerous to allow people to do anything without authentication. – Michael Hampton Oct 18 '16 at 03:44

1 Answer


Currently this is not implemented. We (Red Hat IDM team) are thinking about implementing something along the lines of ksu(1) functionality for sudo, but currently using your TGT to authenticate to sudo doesn't work, sorry.

If you're using a commercial distribution, I would suggest filing a support case with them.

jhrozek