LinuxQuestions.org

CentOS forum thread: Sudo is not working on my centos7.3 (https://www.linuxquestions.org/questions/centos-111/sudo-is-not-working-on-my-centos7-3-a-4175612112/)

xq10907 08-17-2017 03:43 AM

Sudo is not working on my centos7.3
 
Hello guys

I have spent a considerable time on my CentOS 7 with sudo. I added local user test to /etc/sudoers via visudo as follows:

Code:

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)      ALL
test    ALL=(ALL)      ALL

I also added test to wheel:
Quote:

[root@ark-centos-smb4 ~]# groups test
test : bin wheel arkgrp

Then I su to test and run a command as root; I get an error saying the user is not in the sudoers file. Please give some suggestions, thanks.

Quote:

[root@ark-centos-smb4 ~]# su - test
Last login: Tue Aug 8 01:03:48 PDT 2017 on pts/0
[test@ark-centos-smb4 ~]$ sudo ls /root/
[sudo] password for test:
test is not in the sudoers file. This incident will be reported.

Interestingly, the root user is also refused when running sudo:
Quote:

[root@ark-centos-smb4 ~]# sudo ls
root is not allowed to run sudo on ark-centos-smb4. This incident will be reported.

Please give some advice, much appreciated!

michaelk 08-17-2017 11:49 AM

It works for me. Have you tried logging out and then back in?

MensaWater 08-17-2017 12:00 PM

"test" is a command so your system might be confused with a user by that name.

Try changing the username to "testuser".

The wheel group is not required for RHEL/CentOS like it is for some other distros. Although you can set up grants by group, the fact that you did it for a specific user means he doesn't need to be in wheel.

Also you mention /etc/sudoers which makes it sound as if you did a direct edit of that file. The appropriate way to edit the file is using the "visudo" command. It will check for syntax errors before you save. I'd suggest doing a visudo then a write to see if it complains of any issues.

Finally RHEL/CentOS have SELinux. If that is enabled and enforcing you may have modified context on /etc/sudoers if you did direct edit. You should check /etc/sudoers if you are in fact enforcing in SELinux.

xq10907 08-17-2017 09:19 PM

Quote:

Originally Posted by michaelk (Post 5749314)
It works for me. Have you tried logging out and then back in.

michaelk, I tried it; still not working.

xq10907 08-17-2017 09:33 PM

Quote:

Originally Posted by MensaWater (Post 5749317)
"test" is a command so your system might be confused with a user by that name.

Try changing the username to "testuser".

Tried it, not working.

Quote:

The wheel group is not required for RHEL/CentOS like it is for some other distros. Although you can setup grants by group the fact you did it for a specific user means he doesn't need to be in wheel.

I added user usera to /etc/sudoers via visudo; not working, see the command results below:
Code:

[root@ark-centos-smb4 ~]# su - usera
Last login: Thu Aug 17 19:14:40 PDT 2017 on pts/0
[root@ark-centos-smb4 ~]# su - usera
Last login: Thu Aug 17 19:16:16 PDT 2017 from dln-l-qx01.***.com on pts/1
[usera@ark-centos-smb4 ~]$ sudo ls
[sudo] password for usera:
usera is not in the sudoers file.  This incident will be reported.


Quote:

Also you mention /etc/sudoers which makes it sound as if you did a direct edit of that file. The appropriate way to edit the file is using the "visudo" command. It will check for syntax errors before you save. I'd suggest doing a visudo then a write to see if it complains of any issues.

I edited /etc/sudoers via visudo each time:
Code:

[root@ark-centos-smb4 ~]# visudo -c
/etc/sudoers: parsed OK
/etc/sudoers.d/arkgrp-users: parsed OK

Quote:

Finally RHEL/CentOS have SELinux. If that is enabled and enforcing you may have modified context on /etc/sudoers if you did direct edit. You should check /etc/sudoers if you are in fact enforcing in SELinux.

According to the visudo result above, /etc/sudoers has no error.
Thanks.

pan64 08-18-2017 02:18 AM

Is there anything else in that /etc/sudoers file?

xq10907 08-18-2017 03:31 AM

Quote:

Originally Posted by pan64 (Post 5749531)
is there anything else in that /etc/sudoers file?

Attached /etc/sudoers; I added a .txt suffix to make the upload work.

MensaWater 08-18-2017 08:17 AM

visudo will check syntax but doesn't check SELinux status. Did you check whether you have that enabled and enforcing? If it is did you check the SELinux context of /etc/sudoers?

Also did you verify permissions of /etc itself and /etc/sudoers?

If you look in /var/log/secure does it show any more detail about the failure?

MensaWater 08-18-2017 08:25 AM

In your sudoers file, can you verify the following are actually each a single line rather than two lines, as it appears when I viewed your attachment:

Quote:

Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
LC_CTYPE"
Quote:

Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
LC_MESSAGES"
Quote:

Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
LC_TELEPHONE"
Quote:

Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY"

That is, when I go to, for example, the line that appears to end in "LINGUAS _XKB_CHARSET", the "XAUTHORITY" appears to me to be a separate line. It should in fact be the end of the first line. The other things I quoted appear the same way to me.

pan64 08-18-2017 11:51 AM

and what is in /etc/sudoers.d/arkgrp-users ?

MensaWater 08-18-2017 12:23 PM

Quote:

Originally Posted by pan64 (Post 5749668)
and what is in /etc/sudoers.d/arkgrp-users ?

I wouldn't think that would matter given the sudoers file itself has the includedir line commented out.

pan64 08-19-2017 03:47 AM

See post #5, it was parsed. I don't know why, but visudo -c processed that.
And the sudoers file has a relatively strange behaviour: the rules are order-dependent, and probably the users are disabled somewhere....

You probably need to set up logging to catch it.

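Two points raised in this thread are easy to get wrong when reading a sudoers file by eye: sudo treats a line beginning `#includedir` (or `#include`) as a directive, not a comment, which is why `visudo -c` parsed /etc/sudoers.d/arkgrp-users in post #5; and a long `Defaults` line that an editor has wrapped without a trailing backslash becomes two lines, the second of which is a syntax error. The following added example is not from the thread or from the sudo project: it is a minimal matcher for the sudoers subset seen here (user specs, `%group` specs, `Defaults`, comments, includes, backslash continuations; no aliases, negation or digests). The file contents, the helper names `parse_sudoers`, `find_rule`, `load_includes`, `check` and `is_syntax_error`, and the in-memory sudoers.d directory are all constructed for illustration.

```python
# Added illustration, not sudo's own parser: a minimal matcher for the
# sudoers subset discussed in the thread. All file contents are constructed.
import os
import re
from dataclasses import dataclass

# sudo treats '#include' / '#includedir' (and '@include' in newer releases)
# as directives; the leading '#' does NOT comment them out.
# '# includedir' with a space after '#' IS an ordinary comment.
INCLUDE_RE = re.compile(r"^[#@]include(?P<dir>dir)?\s+(?P<path>\S+)")
ALIAS_RE = re.compile(r"^(User|Runas|Host|Cmnd)_Alias\b")
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>\S.*)$"
)


@dataclass
class Rule:
    who: str      # user name, %group, or ALL
    host: str
    runas: str
    cmds: str
    origin: str   # file the rule came from


def _logical_lines(text):
    """Join backslash-continued physical lines into one logical line.
    A line wrapped by an editor WITHOUT the trailing backslash stays two
    lines, which is the kind of break MensaWater asked about."""
    buf = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]
            continue
        yield buf + raw
        buf = ""
    if buf:
        yield buf


def parse_sudoers(text, origin="/etc/sudoers", loader=None):
    """Return the user-spec rules in `text`, in file order, following include
    directives through `loader(path, is_dir) -> [(origin, text), ...]`.
    Raises ValueError on a line that is neither comment, Defaults, alias,
    include nor user spec (roughly what `visudo -c` would reject)."""
    rules = []
    for line in _logical_lines(text):
        line = line.strip()
        if not line:
            continue
        inc = INCLUDE_RE.match(line)
        if inc:
            if loader is not None:
                for inc_origin, inc_text in loader(inc["path"], inc["dir"] is not None):
                    rules.extend(parse_sudoers(inc_text, inc_origin, loader))
            continue
        if line.startswith("#") or line.startswith("Defaults") or ALIAS_RE.match(line):
            continue  # comments, Defaults and aliases grant nothing by themselves
        spec = SPEC_RE.match(line)
        if not spec:
            raise ValueError(f"{origin}: syntax error near {line!r}")
        rules.append(Rule(spec["who"], spec["host"], spec["runas"] or "root",
                          spec["cmds"].strip(), origin))
    return rules


def find_rule(rules, user, groups, host):
    """Last matching rule wins, as in sudo. None means 'user NOT in sudoers'."""
    hit = None
    for r in rules:
        who_ok = r.who == "ALL" or r.who == user or (
            r.who.startswith("%") and r.who[1:] in groups)
        host_ok = r.host == "ALL" or r.host == host
        if who_ok and host_ok:
            hit = r
    return hit


# Constructed sample mirroring the thread (not the poster's actual file).
MAIN_SUDOERS = """\
## Allow root to run any commands anywhere
root    ALL=(ALL)      ALL
test    ALL=(ALL)      ALL
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET \\
                      XAUTHORITY"
#includedir /etc/sudoers.d
"""
SUDOERS_D = {"/etc/sudoers.d/arkgrp-users": "%arkgrp ALL=(ALL) ALL\n"}
# A Defaults line wrapped by an editor with no trailing backslash.
BROKEN_WRAP = 'Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS\nLC_CTYPE"\n'


def load_includes(path, is_dir):
    """Stand-in for reading /etc/sudoers.d from disk (constructed)."""
    if is_dir:
        return [(p, t) for p, t in sorted(SUDOERS_D.items()) if os.path.dirname(p) == path]
    return [(path, SUDOERS_D[path])] if path in SUDOERS_D else []


def check(user, groups, host="ark-centos-smb4", main_text=MAIN_SUDOERS):
    """'who via file' for the rule that would apply, or None if no rule matches."""
    r = find_rule(parse_sudoers(main_text, loader=load_includes), user, groups, host)
    return None if r is None else f"{r.who} via {r.origin}"


def is_syntax_error(text):
    try:
        parse_sudoers(text)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for u, g in (("test", ["bin", "wheel"]), ("usera", ["arkgrp"]), ("nobody", [])):
        print(u, "->", check(u, g))
    print("wrapped Defaults is a syntax error:", is_syntax_error(BROKEN_WRAP))
```

Note that when the same user matches both a per-user rule and a later `%arkgrp` rule, the later one is the one reported, which is the order dependence pan64 mentions; changing `#includedir` to `# includedir` in the sample makes the arkgrp rule disappear entirely because the directive has become a comment.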
xq10907 08-21-2017 03:13 AM

Quote:

visudo will check syntax but doesn't check SELinux status. Did you check whether you have that enabled and enforcing? If it is did you check the SELinux context of /etc/sudoers?

I ran the following to verify:
Code:

[root@ark-centos-smb4 ~]# sestatus
SELinux status:                enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:        /etc/selinux
Loaded policy name:            targeted
Current mode:                  enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:    allowed
Max kernel policy version:      28

Quote:

Also did you verify permissions of /etc itself and /etc/sudoers?
Code:

[root@ark-centos-smb4 /]# ls -laZ / | grep etc
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 00
-rw-r--r--+ root root system_u:object_r:etc_runtime_t:s0 0039
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 0051
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 0155
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 1
-rw-rwxr--+ root root system_u:object_r:etc_runtime_t:s0 2330
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 5m
-rw-r--r--+ root root system_u:object_r:etc_runtime_t:s0 aa
-rw-r--r--+ root root system_u:object_r:etc_runtime_t:s0 aaa
-rwxr--r--. root root system_u:object_r:etc_runtime_t:s0 ca_qa_base64.cer
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 ca_qa_base64.pem
-r--------. root root system_u:object_r:etc_runtime_t:s0 centosDecCRC.keytab
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 centosDecMd5.keytab
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 dumper.bat
drwxr-xr-x. root root system_u:object_r:etc_t:s0      etc
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 krb5.conf
-rw-r-xr--+ root root system_u:object_r:etc_runtime_t:s0 ll
-rw-r--r--+ root root system_u:object_r:etc_runtime_t:s0 lll
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 network
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 qaDer.pem
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 smb4DecMd5.keytab
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 sss
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 sssd.conf.redhat

[root@ark-centos-smb4 /]# ls -laZ /etc | grep sudoer
-r--r-----. root root  unconfined_u:object_r:etc_t:s0  sudoers
drwxr-x---. root root  system_u:object_r:etc_t:s0      sudoers.d

Quote:

If you look in /var/log/secure does it show any more detail about the failure?
I ran sudo with local user usera and captured the /var/log/secure and /var/log/messages content:

Code:

[usera@ark-centos-smb4 ~]$ sudo ls
[sudo] password for usera:
usera is not in the sudoers file.  This incident will be reported.

/var/log/secure message:
Aug 21 01:03:17 ark-centos-smb4 sudo:  usera : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/usera ; USER=root ; COMMAND=/usr/bin/ls

/var/log/messages result:
Aug 21 01:05:21 ark-centos-smb4 nslcd[988]: [b2491e] <group/member="root"> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090A22, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839
Aug 21 01:05:21 ark-centos-smb4 nslcd[988]: [b2491e] <group/member="root"> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090A22, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839
Aug 21 01:05:26 ark-centos-smb4 nslcd[988]: [68239f] <group/member="postfix"> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090A22, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839
Aug 21 01:05:26 ark-centos-smb4 nslcd[988]: [68239f] <group/member="postfix"> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090A22, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839
Aug 21 01:05:26 ark-centos-smb4 nslcd[988]: [8049f8] <group/member="postfix"> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090A22, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839
Aug 21 01:05:26 ark-centos-smb4 nslcd[988]: [8049f8] <group/member="postfix"> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090A22, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839

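The /var/log/secure line above is the record a defender actually wants to alert on: sudo logs every denial in the same `user : reason ; TTY=... ; PWD=... ; USER=... ; COMMAND=...` shape, and a permitted command logs the same fields without the reason. The following added example is not from the thread: it parses syslog-style sudo entries as written by CentOS 7 and counts denied attempts per user and reason. The first log line is the one posted above; the nslcd line is a shortened copy of the ones posted; the remaining lines, and the function names `parse_sudo_line` and `summarize`, are constructed for illustration.

```python
# Added illustration: parse sudo entries from /var/log/secure (syslog format
# as on CentOS 7) and summarise denials. Not code from the thread.
import re
from collections import Counter

SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\ssudo(?:\[\d+\])?:\s+(?P<user>\S+)\s:\s(?P<detail>.*)$"
)
# Key=value fields sudo emits; any other segment is the reason for denial.
FIELD_NAMES = {"TTY", "PWD", "USER", "GROUP", "COMMAND"}

# Constructed sample log: line 0 is the one from the thread, line 1 is a
# shortened nslcd line from the thread, lines 2-4 are made up for illustration.
SAMPLE_LOG = [
    "Aug 21 01:03:17 ark-centos-smb4 sudo:  usera : user NOT in sudoers ; "
    "TTY=pts/1 ; PWD=/home/usera ; USER=root ; COMMAND=/usr/bin/ls",
    'Aug 21 01:05:21 ark-centos-smb4 nslcd[988]: [b2491e] <group/member="root"> '
    "ldap_result() failed: Operations error",
    "Aug 21 01:10:02 ark-centos-smb4 sudo:   root : TTY=pts/0 ; PWD=/root ; "
    "USER=root ; COMMAND=/usr/bin/ls",
    "Aug 21 01:11:45 ark-centos-smb4 sudo:  usera : 3 incorrect password attempts ; "
    "TTY=pts/1 ; PWD=/home/usera ; USER=root ; COMMAND=/usr/bin/ls",
    "Aug 21 01:12:10 ark-centos-smb4 sudo:  usera : command not allowed ; "
    "TTY=pts/1 ; PWD=/home/usera ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd",
]


def parse_sudo_line(line):
    """Return a dict for a sudo log line, or None for non-sudo lines (e.g. nslcd).
    'reason' is None when sudo permitted the command."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    entry = {"ts": m["ts"], "host": m["host"], "user": m["user"], "reason": None}
    for part in m["detail"].split(" ; "):
        key, sep, value = part.partition("=")
        if sep and key in FIELD_NAMES:
            entry[key] = value
        else:
            entry["reason"] = part.strip()
    return entry


def summarize(lines):
    """Count (user, reason) pairs for denied or failed sudo attempts."""
    denied = Counter()
    for line in lines:
        e = parse_sudo_line(line)
        if e and e["reason"]:
            denied[(e["user"], e["reason"])] += 1
    return denied


if __name__ == "__main__":
    for (user, reason), n in summarize(SAMPLE_LOG).items():
        print(f"{n:3d}  {user:<10s} {reason}")
```

Running this over a real /var/log/secure (`summarize(open("/var/log/secure"))`) needs root, since the file is mode 0600; the distinction between "user NOT in sudoers" (no rule matched at all, the case in this thread) and "command not allowed" (a rule matched but not for that command) is what tells you whether to look at the sudoers lookup itself or at the command list.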

xq10907 08-21-2017 03:21 AM

Quote:

Originally Posted by MensaWater (Post 5749608)
In your sudoers file can you verify the following are actually each a single line rather than two lines as appears when I viewed your attachment:

That is when I go to, for example, the line that appears to end in "LINGUAS _XKB_CHARSET" the "XAUTHORITY" appears to me to be a separate line. It should in fact be the end of the first line. The other things I quoted appear the same way to me.

I checked /etc/sudoers with Notepad++; it shows these Defaults lines are single lines rather than two lines.

xq10907 08-21-2017 03:25 AM

Quote:

Originally Posted by pan64 (Post 5749857)
See post #5, it was parsed. I don't know why, but visudo -c processed that.
And the sudoers file has a relatively strange behaviour: the rules are order-dependent, and probably the users are disabled somewhere....

You probably need to set up logging to catch it.

Referring to other posts, I just want members of group arkgrp to be able to run sudo as well:
Code:

[root@ark-centos-smb4 /]# more /etc/sudoers.d/arkgrp-users
%arkgrp ALL=(ALL) ALL
