Hello all,
In our Nagios system we have some checks that require the nrpe user to use sudo in order to elevate privileges. This works fine on our IPA clients but not on our IPA servers. It appears that on the IPA servers it tries to find the nrpe user as nrpe@LIDS.VIRGINIA.EDU, which does not exist, and on the client it’s just the local nrpe user. The nrpe user exists identically in the /etc/passwd and /etc/shadow files on both servers.
Any insight that anyone could give into what is going on here would be greatly appreciated.
Now some relevant info/logs:
Server is running on Red Hat Enterprise Linux Server release 7.7 (Maipo) and is version:
Name : ipa-server Arch : x86_64 Version : 4.6.5 Release : 11.el7_7.3
Client is running on CentOS Linux release 7.7.1908 (Core) and is version:
Name : ipa-client Arch : x86_64 Version : 4.6.5 Release : 11.el7.centos.3
The client and server have identical /etc/pam.d/system-auth and /etc/nsswitch.conf files. Here are the sssd.conf files for both.
Server:
--------------------------------------------------------------------------
[domain/idm.domain.edu]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = idm.domain.edu
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = lidm01.idm.domain.edu
chpass_provider = ipa
ipa_server = lidm01.idm.domain.edu
ipa_server_mode = True
ignore_group_members = True
ldap_purge_cache_timeout = 0
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
dns_discovery_domain = idm.domain.edu

[sssd]
services = nss, sudo, ifp, pam, ssh
domains = idm.domain.edu

[nss]
homedir_substring = /home
override_homedir = /home/%u
entry_negative_timeout = 0
local_negative_timeout = 0

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]
allowed_uids = ipaapi, root

[secrets]

[session_recording]
--------------------------------------------------------------------------
Client:
--------------------------------------------------------------------------
[domain/idm.domain.edu]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = idm.domain.edu
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = dbm3.it.domain.edu
chpass_provider = ipa
ipa_server = _srv_, lidm01.idm.domain.edu
krb5_auth_timeout = 30
dns_discovery_domain = idm.domain.edu

[sssd]
services = nss, sudo, pam, ssh
domains = idm.domain.edu

[nss]
homedir_substring = /home
override_homedir = /home/%u
entry_negative_timeout = 0
local_negative_timeout = 0

[pam]
pam_id_timeout = 30

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

[session_recording]
--------------------------------------------------------------------------
Okay, here are the pertinent messages in /var/log/secure when nrpe tries to use sudo:
Server:
--------------------------------------------------------------------------
Nov 20 16:56:05 lidm01.idm.domain.edu sudo[15034]: nrpe : unable to open /run/sudo/ts/nrpe : Permission denied ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=EXAMPLE_COMMAND
Nov 20 16:56:05 lidm01.idm.domain.edu sudo[15034]: pam_unix(sudo:auth): conversation failed
Nov 20 16:56:05 lidm01.idm.domain.edu sudo[15034]: pam_unix(sudo:auth): auth could not identify password for [nrpe]
Nov 20 16:56:05 lidm01.idm.domain.edu sudo[15034]: pam_sss(sudo:auth): authentication failure; logname= uid=995 euid=0 tty= ruser=nrpe rhost= user=nrpe
Nov 20 16:56:05 lidm01.idm.domain.edu sudo[15034]: pam_sss(sudo:auth): received for user nrpe: 10 (User not known to the underlying authentication module)
Nov 20 16:56:05 lidm01.idm.domain.edu sudo[15034]: pam_krb5[15034]: authentication fails for 'nrpe' (nrpe@LIDS.VIRGINIA.EDU): User not known to the underlying authentication module (Client not found in Kerberos database)
Nov 20 16:56:07 lidm01.idm.domain.edu sudo[15034]: nrpe : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/systemctl start sssd
--------------------------------------------------------------------------
Client:
--------------------------------------------------------------------------
Nov 20 16:58:23 dbm3.it.domain.edu sudo[11533]: nrpe : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=EXAMPLE_COMMAND
Nov 20 16:58:23 dbm3.it.domain.edu sudo[11533]: pam_unix(sudo:session): session opened for user root by (uid=0)
Nov 20 16:58:26 dbm3.it.domain.edu sudo[11533]: pam_unix(sudo:session): session closed for user root
--------------------------------------------------------------------------
Thanks,
Bob Jones
Lead Linux Services Engineer
ITS ECP - Linux Services
freeipa-users@lists.fedorahosted.org
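Added example, not part of Bob's message: a small Python script that diffs the two sssd.conf files above section by section, so the keys present on only one side (ipa_server_mode, the ifp service, krb5_auth_timeout, pam_id_timeout) stand out instead of having to be spotted by eye. The embedded configs are trimmed copies of the ones quoted in the post, reduced to the keys that actually differ plus one shared key.

```python
"""Section-by-section diff of two sssd.conf files (added example)."""
import configparser

# Trimmed copies of the server and client sssd.conf from the post;
# identical keys were dropped except id_provider, kept as a control.
SERVER_CONF = """
[domain/idm.domain.edu]
id_provider = ipa
ipa_hostname = lidm01.idm.domain.edu
ipa_server = lidm01.idm.domain.edu
ipa_server_mode = True
ignore_group_members = True
ldap_purge_cache_timeout = 0
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
[sssd]
services = nss, sudo, ifp, pam, ssh
[pam]
[ifp]
allowed_uids = ipaapi, root
"""

CLIENT_CONF = """
[domain/idm.domain.edu]
id_provider = ipa
ipa_hostname = dbm3.it.domain.edu
ipa_server = _srv_, lidm01.idm.domain.edu
krb5_auth_timeout = 30
[sssd]
services = nss, sudo, pam, ssh
[pam]
pam_id_timeout = 30
[ifp]
"""

def parse_sssd_conf(text):
    """Parse sssd.conf (INI syntax) into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def diff_sssd_conf(a_text, b_text):
    """Return {section: {key: (value_in_a, value_in_b)}} for differing keys."""
    pa, pb = parse_sssd_conf(a_text), parse_sssd_conf(b_text)
    out = {}
    for sect in sorted(set(pa) | set(pb)):
        ka, kb = pa.get(sect, {}), pb.get(sect, {})
        changed = {k: (ka.get(k), kb.get(k)) for k in set(ka) | set(kb)
                   if ka.get(k) != kb.get(k)}  # None marks a missing key
        if changed:
            out[sect] = changed
    return out

if __name__ == "__main__":
    for sect, keys in diff_sssd_conf(SERVER_CONF, CLIENT_CONF).items():
        print(f"[{sect}]")
        for k, (sv, cv) in sorted(keys.items()):
            print(f"  {k}: server={sv!r} client={cv!r}")
```

Run it against the full files with `parse_sssd_conf(open(path).read())` on each host to get the same report for a live pair.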