We've recently started enabling access to our Linux machines using Windows Active Directory users. The chosen method was Kerberos+Samba+SSSD and it's working fine.
Our next step is to allow certain AD groups to have sudo rights, and we have to do it without adding Unix attributes to our Active Directory (this restriction comes from above the department and we can't do anything about it).
Before I started enabling every machine I made some tests on a new machine and everything worked just fine, but after replicating the configuration on the rest, no user has sudo privileges.
These are the files:
/etc/krb5.conf
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24h
renew_lifetime = 7d
default_realm = DOMAIN.COM
[realms]
DOMAIN.COM = {
kdc = 172.20.10.12
default_domain = DOMAIN.COM
}
[kdc]
profile = /etc/krb5kdc/kdc.conf
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
/etc/samba/smb.conf (there's more on the file but not relevant)
[global]
workgroup = DOMAINWORKGROUP
security = ads
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = DOMAIN.COM
idmap config * : range = 3000-9999
idmap config * : backend = tdb
idmap config DOMAIN : range = 10000-19999
idmap config DOMAIN : backend = nss
/etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss,pam
domains = DOMAIN.COM
[nss]
[pam]
[domain/domain.com]
id_provider = ad
auth_provider = ad
access_provider = simple
default_shell = /bin/bash
fallback_homedir = /home/%u
ldap_id_mapping = true
simple_allow_groups = produ
/etc/nsswitch.conf (mostly default configuration)
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files
aliases: files nisplus
sudoers: files
/etc/sudoers (only group permission here, rest of the file is default)
%produ ALL=(ALL) ALL
This is the content of /var/log/secure for the test machine, where sudo works:
Apr 1 12:16:58 testlinuxauth sshd[795]: Authorized to pgarcia, krb5 principal pgarcia@DOMAIN.COM (ssh_gssapi_krb5_cmdok)
Apr 1 12:16:58 testlinuxauth sshd[795]: Accepted gssapi-with-mic for pgarcia from 172.19.20.35 port 53139 ssh2
Apr 1 12:16:58 testlinuxauth sshd[795]: pam_unix(sshd:session): session opened for user pgarcia by (uid=0)
Apr 1 12:17:03 testlinuxauth sudo: pam_sss(sudo:auth): authentication success; logname=pgarcia uid=1731417387 euid=0 tty=/dev/pts/1 ruser=pgarcia rhost= user=pgarcia
Apr 1 12:17:03 testlinuxauth sudo: pgarcia : TTY=pts/1 ; PWD=/home/pgarcia ; USER=root ; COMMAND=/bin/pwd
Apr 1 12:17:03 testlinuxauth sudo: pam_unix(sudo:session): session opened for user root by pgarcia(uid=0)
Apr 1 12:17:03 testlinuxauth sudo: pam_unix(sudo:session): session closed for user root
This is the content of the same file for another machine where sudo does not work:
Apr 1 12:09:34 em13 sshd[30061]: Authorized to pgarcia, krb5 principal pgarcia@DOMAIN.COM (ssh_gssapi_krb5_cmdok)
Apr 1 12:09:34 em13 sshd[30061]: Accepted gssapi-with-mic for pgarcia from 172.19.20.35 port 53031 ssh2
Apr 1 12:09:34 em13 sshd[30061]: pam_unix(sshd:session): session opened for user pgarcia by (uid=0)
Apr 1 12:09:49 em13 sudo: pam_unix(sudo:auth): authentication failure; logname=pgarcia uid=1731417387 euid=0 tty=/dev/pts/1 ruser=pgarcia rhost= user=pgarcia
Apr 1 12:09:49 em13 sudo: pam_ldap(sudo:auth): error reading from nslcd: Connection restarted by the remote machine <- I had to translate this, so maybe it is not accurate at all?
Apr 1 12:09:53 em13 sudo: pam_unix(sudo:auth): conversation failed
Apr 1 12:09:53 em13 sudo: pam_unix(sudo:auth): auth could not identify password for [pgarcia]
Apr 1 12:09:53 em13 sudo: pam_ldap(sudo:auth): failed to get password: Authentication token tampering error <- I had to translate this too
Apr 1 12:09:53 em13 sudo: pgarcia : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/pgarcia ; USER=root ; COMMAND=/bin/pwd
Note: pgarcia is my user and member of produ group.
The config files are the same for both machines. So obviously I'm missing something I did on the test machine but can't find what or where. I've read tons of questions here and solutions on other websites including the Red Hat documentation, but no luck at all. Not sure why pam_sss is taking care of sudo on the first machine, but I guess it's what I need in order to succeed?
Thank you all
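The two log excerpts above already carry the most useful clue: on the working host the sudo authentication is answered by pam_sss, while on the failing host sudo walks through pam_unix and then pam_ldap/nslcd and never reaches sssd. That difference lives in the PAM stack (/etc/pam.d/sudo and whatever it includes, typically system-auth on Red Hat-family systems), which the question does not list. The following shell helper is an added example written for this page, not code from the original post: it parses /var/log/secure-style lines to report which PAM module handled sudo:auth per host, and lists the auth modules of a PAM file so the stacks of two machines can be compared. The SAMPLE_LOG text is constructed from the sudo lines quoted in the question; the PAM file paths are the usual Red Hat locations and are assumptions.

```shell
#!/bin/sh
# Added diagnostic helper (editor's example, not part of the original post).
# Given /var/log/secure text, it reports which PAM module answered each
# "sudo:auth" request on each host, so two machines can be compared quickly.
# SAMPLE_LOG is constructed from the sudo lines quoted in the question.
SAMPLE_LOG='Apr 1 12:17:03 testlinuxauth sudo: pam_sss(sudo:auth): authentication success; logname=pgarcia uid=1731417387 euid=0 tty=/dev/pts/1 ruser=pgarcia rhost= user=pgarcia
Apr 1 12:09:49 em13 sudo: pam_unix(sudo:auth): authentication failure; logname=pgarcia uid=1731417387 euid=0 tty=/dev/pts/1 ruser=pgarcia rhost= user=pgarcia
Apr 1 12:09:49 em13 sudo: pam_ldap(sudo:auth): error reading from nslcd: Connection restarted by the remote machine
Apr 1 12:09:53 em13 sudo: pam_ldap(sudo:auth): failed to get password: Authentication token tampering error'

# sudo_auth_modules LOGTEXT
# Prints unique "host module" pairs for syslog lines of the form
#   <Mon> <day> <time> <host> sudo: pam_<module>(sudo:auth): ...
sudo_auth_modules() {
    printf '%s\n' "$1" | awk '
        $5 == "sudo:" && $6 ~ /^pam_[a-z_]+\(sudo:auth\):$/ {
            mod = $6
            sub(/\(.*/, "", mod)          # pam_sss(sudo:auth): -> pam_sss
            key = $4 " " mod
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# pam_sss_handles_sudo HOST LOGTEXT
# Succeeds when pam_sss answered sudo:auth on HOST (the working case above).
pam_sss_handles_sudo() {
    sudo_auth_modules "$2" | grep -qx "$1 pam_sss"
}

# uses_pam_ldap HOST LOGTEXT
# Succeeds when the legacy pam_ldap/nslcd path was consulted on HOST, which
# means that host's PAM stack is not the sssd one the question expects.
uses_pam_ldap() {
    sudo_auth_modules "$2" | grep -qx "$1 pam_ldap"
}

# pam_auth_modules_in PAMFILE
# Lists the modules on the "auth" lines of a PAM configuration file
# (e.g. /etc/pam.d/sudo or /etc/pam.d/system-auth), skipping comments and
# include/substack lines, so the stacks of two hosts can be diffed.
pam_auth_modules_in() {
    awk '$1 == "auth" {
            for (i = 3; i <= NF; i++)
                if ($i ~ /^pam_[A-Za-z0-9_]+\.so$/) { print $i; break }
         }' "$1"
}

# Stand-alone run: show the per-host picture for the sample, then, when the
# usual Red Hat PAM files exist (assumed paths), the auth modules in use.
sudo_auth_modules "$SAMPLE_LOG"
for f in /etc/pam.d/sudo /etc/pam.d/system-auth; do
    if [ -r "$f" ]; then
        echo "== $f"
        pam_auth_modules_in "$f"
    fi
done
```

Run it on each machine and compare the "== /etc/pam.d/..." sections: a host whose auth lines list pam_ldap.so instead of pam_sss.so is using a different PAM stack from the test machine even when krb5.conf, smb.conf and sssd.conf are identical, and that is the place to look before touching sudoers.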