Centos
sudo does not work on my CentOS 7.3
I have spent quite some time on `sudo` on my CentOS 7. I added the local user `test` to /etc/sudoers via `visudo` as follows:

```
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
test    ALL=(ALL)       ALL
```
I also added `test` to the wheel group:

```
[root@ark-centos-smb4 ~]# groups test
test : bin wheel arkgrp
```
Then I `su` to `test` and try to run a command as root, but I get an error message saying the user is not in the sudoers file:

```
[root@ark-centos-smb4 ~]# su - test
Last login: Tue Aug  8 01:03:48 PDT 2017 on pts/0
[test@ark-centos-smb4 ~]$ sudo ls /root/
[sudo] password for test:
test is not in the sudoers file.  This incident will be reported.
```
Interestingly, the root user is also refused when running sudo:

```
[root@ark-centos-smb4 ~]# sudo ls
root is not allowed to run sudo on ark-centos-smb4.  This incident will be reported.
```
visudo output:

```
[root@ark-centos-smb4 ~]# visudo -c
/etc/sudoers: parsed OK
/etc/sudoers.d/arkgrp-users: parsed OK
```
sudo -V output:

```
[root@ark-centos-smb4 ~]# sudo -V
Sudo version 1.8.6p7
Configure options: --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --prefix=/usr --sbindir=/usr/sbin --libdir=/usr/lib64 --docdir=/usr/share/doc/sudo-1.8.6p7 --with-logging=syslog --with-logfac=authpriv --with-pam --with-pam-login --with-editor=/bin/vi --with-env-editor --with-ignore-dot --with-tty-tickets --with-ldap --with-ldap-conf-file=/etc/sudo-ldap.conf --with-selinux --with-passprompt=[sudo] password for %p: --with-linux-audit --with-sssd --with-gcrypt
Sudoers policy plugin version 1.8.6p7
Sudoers file grammar version 42

Sudoers path: /etc/sudoers
nsswitch path: /etc/nsswitch.conf
ldap.conf path: /etc/sudo-ldap.conf
ldap.secret path: /etc/ldap.secret
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Ignore '.' in $PATH
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5.0 minutes
Password prompt timeout: 5.0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/db/sudo
Default password prompt: [sudo] password for %p:
Default user to run commands as: root
Path to the editor for use by visudo: /bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
        TZ TERM LINGUAS LC_* LANGUAGE LANG COLORTERM
Environment variables to remove:
        RUBYOPT RUBYLIB PYTHONUSERBASE PYTHONINSPECT PYTHONPATH PYTHONHOME TMPPREFIX ZDOTDIR READNULLCMD NULLCMD FPATH PERL5DB PERL5OPT PERL5LIB PERLLIB PERLIO_DEBUG JAVA_TOOL_OPTIONS SHELLOPTS GLOBIGNORE PS4 BASH_ENV ENV TERMCAP TERMPATH TERMINFO_DIRS TERMINFO _RLD* LD_* PATH_LOCALE NLSPATH HOSTALIASES RES_OPTIONS LOCALDOMAIN CDPATH IFS
Environment variables to preserve:
        XAUTHORIZATION XAUTHORITY PS2 PS1 PATH LS_COLORS KRB5CCNAME HOSTNAME DISPLAY COLORS
Locale to use while parsing sudoers: C
Compress I/O logs using zlib
Directory in which to store input/output logs: /var/log/sudo-io
File in which to store the input/output log: %{seq}
Add an entry to the utmp/utmpx file when allocating a pty
Don't pre-resolve all group names
PAM service name to use
PAM service name to use for login shells
Local IP address and netmask pairs:
        192.168.32.26/255.255.252.0
        2001:21:21:32:250:56ff:feb4:720d/ffff:ffff:ffff:ffff::
        fe80::250:56ff:feb4:720d/ffff:ffff:ffff:ffff::

Sudoers I/O plugin version 1.8.6p7
```
Non-comment content of /etc/sudoers:

```
Defaults    !visiblepw
Defaults    always_set_home
Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
root    ALL=(ALL:ALL)   ALL
test    ALL=(ALL:ALL)   ALL
usera   ALL=(ALL:ALL)   ALL
%wheel  ALL=(ALL)       ALL
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
```
Content of /etc/sudoers.d/arkgrp-users:

```
%arkgrp ALL=(ALL) ALL
```
I joined the CentOS box to our Windows domain with `realm join QA.ARKIVIO.COM`:

```
[root@ark-centos-smb4 ~]# realm list
qa.arkivio.com
  type: kerberos
  realm-name: QA.ARKIVIO.COM
  domain-name: qa.arkivio.com
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  required-package: oddjob-mkhomedir
  required-package: oddjob
  required-package: samba-winbind-clients
  required-package: samba-winbind
  required-package: samba-common-tools
  login-formats: QA\%U
  login-policy: allow-any-login
QA.ARKIVIO.COM
  type: kerberos
  realm-name: QA.ARKIVIO.COM
  domain-name: qa.arkivio.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@qa.arkivio.com
  login-policy: allow-realm-logins
```
Content of /etc/sssd/sssd.conf:

```
[sssd]
config_file_version = 2
#services = nss, pam, pac, ssh, ifp
services = nss, pam, pac, ssh, ifp, sudo
#domains = QA
domains = QA.ARKIVIO.COM
#debug_level = 0 - Set this to troubleshoot; 0-10 are valid values
#debug_level = 0
debug_level = 9
#ldap_sasl_authid = host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM

[nss]
#filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/QA.ARKIVIO.COM]
ad_domain = QA.ARKIVIO.COM
krb5_realm = QA.ARKIVIO.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
ldap_schema = ad
#ldap_access_order = expire
#ldap_account_expire_policy = ad
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
auth_provider = ad
```
The sudo entry in /etc/nsswitch.conf:

```
[root@ark-centos-smb4 /]# grep sudo /etc/nsswitch.conf
sudoers: ldap
```
Any suggestions would be appreciated.
The problem here is that when you join a CentOS system to an Active Directory domain, the `realm` command also modifies /etc/nsswitch.conf so that it takes over the `sudo` configuration:

```
grep sudo /etc/nsswitch.conf
sudoers: ldap
```
If you want to keep the local `sudo` configuration, you need to revert it to its original setting:

```
sudoers: files
```
Interestingly, on my AD-joined (Debian and Raspbian) systems I have a merged configuration:

```
sudoers: files sss
```
Apart from the distribution, I would be curious to know why your configuration is not a merged one, and why yours is configured directly via LDAP while mine goes through `sssd`. (If anyone can explain this, I would be glad to hear it. But perhaps it is just a distribution difference.)