On Mon, 28 Oct 2024, Carlos Lopez Molina via FreeIPA-users wrote:
> Thank you Florence.
> In Ubuntu systems there is neither authselect nor authconfig.
> In my current client IPA configuration, there is:
> /etc/nsswitch.conf
> sudoers:        files sss
>
> Nevertheless, I'm getting this error when I do sudo in the client IPA:
> $ sudo <whatever>
> sudo: PAM account management error: Permission denied
> sudo: a password is required
>
> I'm not even asked for a password, it just fails.

SUDO as an application first uses the PAM stack to authenticate the user to
access SUDO itself. If this authentication step succeeds, then it looks
up rules associated with this user account and then evaluates them.

The error you see means your PAM stack configuration for sudo is
reporting that issue.

On Debian-like systems ipa-client-install uses
  pam-auth-update --package --enable mkhomedir

if 'ipa-client-install --with-mkhomedir' was used. Otherwise, it does
not do anything.

When the libsss-pam package is installed, it should pre-configure
pam-auth-update to use pam_sss.so. See, for example:
https://git.launchpad.net/ubuntu/+source/sssd/tree/debian/libpam-sss.pam-auth-update?h=applied/ubuntu/devel

Account-Type: Additional
Account:
        sufficient                      pam_localuser.so
        [default=bad success=ok user_unknown=ignore]    pam_sss.so

It basically says that when pam_sss.so is available, it will be tried in
the account state of the PAM stack in case pam_localuser.so failed.

So you need to look at your PAM stack configuration and understand
whether it is properly configured to consult pam_sss.so at all.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
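
Added example (not part of the original message and not FreeIPA's own tooling): a shell helper that follows Debian-style `@include` lines from a service file such as `/etc/pam.d/sudo` and reports whether `pam_sss.so` is consulted in the account stack. The function names and the `PAM_DIR` override are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: resolve the effective "account" stack for a PAM service.
# PAM_DIR is a hypothetical override so a copy of the config can be inspected.
PAM_DIR="${PAM_DIR:-/etc/pam.d}"

# Print every account-stage line PAM would evaluate for service/file $1,
# recursing into "@include file" and "account include|substack file".
pam_account_stack() {
    local file="$PAM_DIR/$1" type control rest
    [ -r "$file" ] || { echo "missing: $file" >&2; return 1; }
    # "|| [ -n "$type" ]" keeps a final line that lacks a trailing newline.
    while read -r type control rest || [ -n "$type" ]; do
        case "$type" in
            ''|'#'*) continue ;;                      # blank line or comment
            @include) pam_account_stack "$control" ;; # Debian-style include
            account|-account)
                case "$control" in
                    include|substack) pam_account_stack "${rest%% *}" ;;
                    *) printf '%s: %s %s %s\n' "$1" "$type" "$control" "$rest" ;;
                esac ;;
        esac
    done < "$file"
}

# Return 0 if pam_sss.so appears anywhere in the account stack of service $1.
pam_account_uses_sss() {
    pam_account_stack "$1" | grep 'pam_sss\.so' > /dev/null
}
```

After sourcing the file, `pam_account_stack sudo` prints the resolved account lines with the file each came from, and `pam_account_uses_sss sudo` gives a yes/no exit status.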
