sudo 在我的 Centos 7.3 上不起作用

sudo 在我的 Centos 7.3 上不起作用

我在 Centos 7 上花费了相当多的时间和sudo.我将本地用户添加test/etc/sudoersvia visudo,如下所示:

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere 
root    ALL=(ALL)       ALL 
test    ALL=(ALL)       ALL

还添加test到了轮组:

[root@ark-centos-smb4 ~]# groups test
test : bin wheel arkgrp

然后我su尝试test以 root 身份运行命令,但收到一条错误消息,指出该用户不在 sudoers 文件中。

[root@ark-centos-smb4 ~]# su - test
Last login: Tue Aug  8 01:03:48 PDT 2017 on pts/0
[test@ark-centos-smb4 ~]$ sudo ls /root/
[sudo] password for test:
test is not in the sudoers file.  This incident will be reported.

有趣的是,root 用户也被拒绝运行 sudo:

[root@ark-centos-smb4 ~]# sudo ls
root is not allowed to run sudo on ark-centos-smb4.  This incident will be reported.

视觉结果:

[root@ark-centos-smb4 ~]# visudo -c
/etc/sudoers: parsed OK
/etc/sudoers.d/arkgrp-users: parsed OK

sudo -V 结果:

[root@ark-centos-smb4 ~]# sudo -V
Sudo version 1.8.6p7
Configure options: --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --prefix=/usr --sbindir=/usr/sbin --libdir=/usr/lib64 --docdir=/usr/share/doc/sudo-1.8.6p7 --with-logging=syslog --with-logfac=authpriv --with-pam --with-pam-login --with-editor=/bin/vi --with-env-editor --with-ignore-dot --with-tty-tickets --with-ldap --with-ldap-conf-file=/etc/sudo-ldap.conf --with-selinux --with-passprompt=[sudo] password for %p:  --with-linux-audit --with-sssd --with-gcrypt
Sudoers policy plugin version 1.8.6p7
Sudoers file grammar version 42

Sudoers path: /etc/sudoers
nsswitch path: /etc/nsswitch.conf
ldap.conf path: /etc/sudo-ldap.conf
ldap.secret path: /etc/ldap.secret
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Ignore '.' in $PATH
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5.0 minutes
Password prompt timeout: 5.0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/db/sudo
Default password prompt: [sudo] password for %p:
Default user to run commands as: root
Path to the editor for use by visudo: /bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
        TZ
        TERM
        LINGUAS
        LC_*
        LANGUAGE
        LANG
        COLORTERM
Environment variables to remove:
        RUBYOPT
        RUBYLIB
        PYTHONUSERBASE
        PYTHONINSPECT
        PYTHONPATH
        PYTHONHOME
        TMPPREFIX
        ZDOTDIR
        READNULLCMD
        NULLCMD
        FPATH
        PERL5DB
        PERL5OPT
        PERL5LIB
        PERLLIB
        PERLIO_DEBUG
        JAVA_TOOL_OPTIONS
        SHELLOPTS
        GLOBIGNORE
        PS4
        BASH_ENV
        ENV
        TERMCAP
        TERMPATH
        TERMINFO_DIRS
        TERMINFO
        _RLD*
        LD_*
        PATH_LOCALE
        NLSPATH
        HOSTALIASES
        RES_OPTIONS
        LOCALDOMAIN
        CDPATH
        IFS
Environment variables to preserve:
        XAUTHORIZATION
        XAUTHORITY
        PS2
        PS1
        PATH
        LS_COLORS
        KRB5CCNAME
        HOSTNAME
        DISPLAY
        COLORS
Locale to use while parsing sudoers: C
Compress I/O logs using zlib
Directory in which to store input/output logs: /var/log/sudo-io
File in which to store the input/output log: %{seq}
Add an entry to the utmp/utmpx file when allocating a pty
Don't pre-resolve all group names
PAM service name to use
PAM service name to use for login shells

Local IP address and netmask pairs:
        192.168.32.26/255.255.252.0
        2001:21:21:32:250:56ff:feb4:720d/ffff:ffff:ffff:ffff::
        fe80::250:56ff:feb4:720d/ffff:ffff:ffff:ffff::

Sudoers I/O plugin version 1.8.6p7

/etc/sudoers非注释内容:

Defaults   !visiblepw

Defaults    always_set_home

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

root    ALL=(ALL:ALL)   ALL
test    ALL=(ALL:ALL)   ALL
usera   ALL=(ALL:ALL)   ALL

%wheel  ALL=(ALL)   ALL

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

/etc/sudoers.d/arkgrp-users 内容:

%arkgrp ALL=(ALL) ALL

我通过以下方式将centos加入到我们的windows域中realm join QA.ARKIVIO.COM

[root@ark-centos-smb4 ~]# realm list
qa.arkivio.com
  type: kerberos
  realm-name: QA.ARKIVIO.COM
  domain-name: qa.arkivio.com
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  required-package: oddjob-mkhomedir
  required-package: oddjob
  required-package: samba-winbind-clients
  required-package: samba-winbind
  required-package: samba-common-tools
  login-formats: QA\%U
  login-policy: allow-any-login
QA.ARKIVIO.COM
  type: kerberos
  realm-name: QA.ARKIVIO.COM
  domain-name: qa.arkivio.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %[email protected]
  login-policy: allow-realm-logins

/etc/sssd/sssd.conf内容

[sssd]
config_file_version = 2
#services = nss, pam, pac, ssh, ifp
services = nss, pam, pac, ssh, ifp, sudo
#domains = QA
domains = QA.ARKIVIO.COM
#debug_level = 0 - Set this to troubleshoot; 0-10 are valid values
#debug_level = 0
debug_level = 9
#ldap_sasl_authid = host/[email protected]

[nss]
#filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/QA.ARKIVIO.COM]
ad_domain = QA.ARKIVIO.COM
krb5_realm = QA.ARKIVIO.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
ldap_schema = ad
#ldap_access_order = expire
#ldap_account_expire_policy = ad
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
auth_provider = ad

/etc/nsswitch.conf 中的 sudo 项

[root@ark-centos-smb4 /]# grep sudo /etc/nsswitch.conf
sudoers:        ldap

请给一些建议。

答案1

这里的问题是,当您将 CentOS 系统加入 Active Directory 域时,该realm命令也被修改/etc/nsswitch.conf以接管以下配置sudo

grep sudo /etc/nsswitch.conf
sudoers:        ldap

如果您想保留本地配置,则sudo需要将其恢复为原始设置:

sudoers:        files

有趣的是,在我的(Debian 和 Raspbian)已加入 AD 的系统上,我有一个合并的配置:

sudoers:        files sss

除了分发之外,我很想了解为什么您的配置不是合并的配置,并且您的配置是直接通过 LDAP 配置的,而我的配置是通过sssd. (如果有人能够解释这一点,我会很高兴。但也许这只是分布差异。)

答案2

编辑你的/etc/sudoers如下:

# User privilege specification
root    ALL=(ALL:ALL) ALL
test  ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

相关内容