I don’t get these warnings in sssd status.
Did you try systemctl restart sssd nsdc or a reboot?
Tried both but both had the same result: invalid credentials…
It seems just to be the httpd-admin because I can log in with SSH with both root and a Samba4 user
Couldn’t reproduce it, tried with vpn too. Even if I stop sssd and nsdc I can login with root. I only got “invalid credentials” for samba users.
What kind of device do you use? Maybe Android?
I’m asking, because I’ve a similar issue with proxmox console. When I use gboard or swipe software keyboard it doesn’t work, when I use the hardware keyboard to this device it works.
Who knows why…
Thnx for the suggestion @flatspin, but no. I try to log in from my laptop. Did try different browsers also: FF and chromium. All give the same result.
Some blind shots:
# get more info
id srvmgr
sudo -l -U srvmgr|grep pam-authenticate-pw
[root@ns7 ~]# id srvmgr
uid=996(srvmgr) gid=993(srvmgr) groups=993(srvmgr),4(adm)
[root@ns7 ~]# sudo -l -U srvmgr|grep pam-authenticate-pw
[root@ns7 ~]#
The first does give a response. The 2nd command returns empty.
What response should it give?
We might have a winner. The script should be in the list of sudo permissions for srvmgr user.
You can get the full list without grepping it:
sudo -l -U srvmgr
EDIT: can you share the outcome of:
getent group adm
rpm -q nethserver-base
cat /etc/sudoers.d/20_nethserver_base
After checking that, try to run:
signal-event nethserver-base-update
[root@ns7 ~]# sudo -l -U srvmgr
User srvmgr is not allowed to run sudo on ns7.
Is there a syntax typo in this command or something really wrong?
[root@ns7 ~]# getent group adm
adm:x:4:srvmgr
[root@ns7 ~]# rpm -q nethserver-base
nethserver-base-3.4.2-1.ns7.noarch
[root@ns7 ~]# cat /etc/sudoers.d/20_nethserver_base
#
# 20_nethserver_base
#
%adm ALL=NOPASSWD: /sbin/e-smith/db, \
/sbin/e-smith/signal-event, \
/sbin/e-smith/validate, \
/sbin/e-smith/pam-authenticate-pw, \
/sbin/e-smith/logviewer, \
/usr/libexec/nethserver/pkgaction, \
/usr/libexec/nethserver/pkginfo, \
/usr/libexec/nethserver/read-service-status, \
/usr/libexec/nethserver/pki-info, \
/usr/libexec/nethserver/sigev-batch, \
/usr/libexec/nethserver/admin-todos, \
/usr/libexec/nethserver/nic-info, \
/usr/libexec/nethserver/control-service, \
/usr/libexec/nethserver/cert-list, \
/usr/libexec/nethserver/letsencrypt-certs, \
/usr/bin/yum clean all, \
/sbin/service [a-zA-Z0-9_-]* status, \
/etc/e-smith/events/actions/nethserver-generate-certificate, \
/usr/libexec/nethserver/yum-packages-to-remove
No typo, more of the latter, but let's hope it is not too bad.
# sudo -l -U srvmgr
Matching Defaults entries for srvmgr on server:
!visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME
HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME
LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !requiretty, env_keep+=PTRACK_SOCKETPATH
User srvmgr may run the following commands on server:
(root) NOPASSWD: /usr/libexec/nethserver/backup-data-search,
/usr/libexec/nethserver/pki-vpn-gencert, /usr/libexec/nethserver/pki-vpn-revoke,
/usr/bin/traceroute, /usr/sbin/arp-scan, /usr/bin/speedtest-cli,
/usr/libexec/nethserver/fail2ban-listban, /usr/libexec/nethserver/fail2ban-listip,
/usr/libexec/nethserver/shorewall-check, /usr/libexec/nethserver/providers-status,
/usr/sbin/dmidecode
(root) NOPASSWD: /sbin/e-smith/backup-config, /sbin/e-smith/restore-config,
/usr/libexec/nethserver/backup-config-history
(root) NOPASSWD: /sbin/e-smith/db, /sbin/e-smith/signal-event, /sbin/e-smith/validate,
/sbin/e-smith/pam-authenticate-pw, /sbin/e-smith/logviewer, /usr/libexec/nethserver/pkgaction,
/usr/libexec/nethserver/pkginfo, /usr/libexec/nethserver/read-service-status,
/usr/libexec/nethserver/pki-info, /usr/libexec/nethserver/sigev-batch,
/usr/libexec/nethserver/admin-todos, /usr/libexec/nethserver/nic-info,
/usr/libexec/nethserver/control-service, /usr/libexec/nethserver/cert-list,
/usr/libexec/nethserver/letsencrypt-certs, /usr/bin/yum clean all, /sbin/service [a-zA-Z0-9_-]*
status, /etc/e-smith/events/actions/nethserver-generate-certificate,
/usr/libexec/nethserver/yum-packages-to-remove
(root) NOPASSWD: /usr/libexec/nethserver/read-nssamba-version
(root) NOPASSWD: /usr/sbin/postqueue, /usr/sbin/postsuper
(root) NOPASSWD: /usr/libexec/nethserver/mail-quota, /usr/bin/doveadm mailbox list -u vmail *,
/usr/bin/doveadm -f tab acl get -u vmail *
(root) NOPASSWD: /usr/libexec/nethserver/openvpn-tunnels, /usr/libexec/nethserver/openvpn-tunnel-pem
(root) NOPASSWD: /usr/sbin/realm join *, /usr/libexec/nethserver/net-ads-info,
/usr/libexec/nethserver/list-users, /usr/libexec/nethserver/list-groups,
/usr/libexec/nethserver/list-user-membership, /usr/libexec/nethserver/list-group-members,
/usr/libexec/nethserver/count-accounts
(root) NOPASSWD: /sbin/e-smith/restore-file, /usr/libexec/nethserver/nethserver-restore-data-helper
20_nethserver_base is OK
What says:
egrep "root|wheel" /etc/sudoers
egrep -i "srvmgr|adm" /etc/sudoers.d/{10_nethserver,20_nethserver_httpd_admin}
[root@ns7 ~]# egrep "root|wheel" /etc/sudoers
.## the root user, without needing the root password.
.## Allow root to run any commands anywhere
root ALL=(ALL) ALL
.## Allows people in group wheel to run all commands
.%wheel ALL=(ALL) ALL
.# %wheel ALL=(ALL) NOPASSWD: ALL
.## cdrom as root
[root@ns7 ~]# egrep -i "srvmgr|adm" /etc/sudoers.d/{10_nethserver,20_nethserver_httpd_admin}
/etc/sudoers.d/10_nethserver:# 30nethserver_adm
/etc/sudoers.d/10_nethserver:Cmnd_Alias NETHSERVER_ADM = /usr/libexec/nethserver/backup-data-search, /usr/libexec/nethserver/pki-vpn-gencert, /usr/libexec/nethserver/pki-vpn-revoke, /usr/bin/traceroute, /usr/sbin/arp-scan, /usr/bin/speedtest-cli, /usr/libexec/nethserver/fail2ban-listban, /usr/libexec/nethserver/fail2ban-listip, /usr/libexec/nethserver/shorewall-check, /usr/libexec/nethserver/providers-status, /usr/sbin/dmidecode
/etc/sudoers.d/10_nethserver:%adm ALL=NOPASSWD: NETHSERVER_ADM
/etc/sudoers.d/10_nethserver:Defaults:srvmgr !requiretty
/etc/sudoers.d/20_nethserver_httpd_admin:# 20_nethserver_httpd_admin
/etc/sudoers.d/20_nethserver_httpd_admin:Defaults:%adm env_keep += "PTRACK_SOCKETPATH"
You may check sudoers files with
visudo -c
If the points at the beginning of lines are yours (not from files), then config looks good.
Markus' advice for verification is a better idea.
Looks like srvmgr (within adm group) fails to get sudo permissions from sudoers.
Yeah, I added those points. The double hashtags messed up the formatting.
Seems ok:
[root@ns7 ~]# visudo -c
/etc/sudoers: parsed OK
Checked what groups srvmgr is member of:
[root@ns7 ~]# groups srvmgr
srvmgr : srvmgr adm
That seems to be ok. Got the same on another server.
Any action taken before having this issue? (updates, installs, password expiration…)
Does your AD have a group with the same name (adm)?
Can you list the files in sudoers.d ? (to identify involved modules)
Is this the whole result?
/etc/sudoers: parsed OK
/etc/sudoers.d/10_nethserver: parsed OK
/etc/sudoers.d/20_nethserver_backup_config: parsed OK
/etc/sudoers.d/20_nethserver_base: parsed OK
/etc/sudoers.d/20_nethserver_dc: parsed OK
/etc/sudoers.d/20_nethserver_httpd_admin: parsed OK
/etc/sudoers.d/20_nethserver_mail_common: parsed OK
/etc/sudoers.d/20_nethserver_mail_server: parsed OK
/etc/sudoers.d/20_nethserver_sssd: parsed OK
/etc/sudoers.d/40_nethserver_restore_data: parsed OK
/etc/sudoers.d/90_nethserver_nextcloud: parsed OK
If yes, check the last line of /etc/sudoers, it should be #includedir /etc/sudoers.d.
Yes that was the whole result…
That line was missing from /etc/sudoers
Do I need to restart some service to make it active or is the /etc/sudoers file checked every time an action needs sudo rights?
/edit: @mrmarkuz: you nailed it. That line was missing. Question is HOW could it be deleted?
btw… the line is including the #. I can log in again into the admin webinterface. Thnx a LOT.
That’s a good question but I am just happy it works again!
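The check that solved this thread, turned into a small script (added example, not code from the thread or from NethServer): a missing includedir line in /etc/sudoers silently disables every %adm rule in /etc/sudoers.d, even though visudo -c reports each drop-in as "parsed OK". The sudoers files below are constructed in a temp directory so the script runs offline; the paths and contents are sample data, not a real server's.

```shell
#!/bin/sh
# Added example, not from the thread or from NethServer: verify that a sudoers
# file still carries the includedir directive that pulls in sudoers.d, the line
# found missing in this thread. Sample files are constructed so it runs offline.

# Return 0 if file $1 has an active includedir directive for directory $2.
# Both the legacy "#includedir" spelling and the newer "@includedir" count.
has_includedir() {
    grep -Eq "^[[:space:]]*[#@]includedir[[:space:]]+$2[[:space:]]*$" "$1"
}

# Count the drop-in files sudo would actually read from a sudoers.d directory:
# sudo ignores names that contain a '.' or end in '~' (e.g. editor backups).
count_dropins() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$(basename "$f")" in
            *.*|*~) continue ;;
        esac
        n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample data: one main sudoers with the directive, one without.
WORK=$(mktemp -d)
mkdir -p "$WORK/sudoers.d"
printf '%%adm ALL=NOPASSWD: /sbin/e-smith/pam-authenticate-pw\n' > "$WORK/sudoers.d/20_nethserver_base"
printf 'Defaults:%%adm env_keep += "PTRACK_SOCKETPATH"\n' > "$WORK/sudoers.d/20_nethserver_httpd_admin"
: > "$WORK/sudoers.d/20_nethserver_base~"      # backup file, skipped by sudo
printf 'root ALL=(ALL) ALL\n%%wheel ALL=(ALL) ALL\n' > "$WORK/sudoers.broken"
printf 'root ALL=(ALL) ALL\n#includedir %s\n' "$WORK/sudoers.d" > "$WORK/sudoers.ok"

# Report: drop-ins that parse OK mean nothing if the main file never includes them.
for f in "$WORK/sudoers.ok" "$WORK/sudoers.broken"; do
    if has_includedir "$f" "$WORK/sudoers.d"; then
        echo "$f: includes $(count_dropins "$WORK/sudoers.d") drop-in file(s)"
    else
        echo "$f: MISSING includedir -> %adm rules in sudoers.d are never read"
    fi
done
```

On a real server, run has_includedir against /etc/sudoers and /etc/sudoers.d as root after visudo -c; the includedir check is what visudo -c alone does not tell you.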