저는 Centos 7에서 꽤 많은 시간을 보냈고 다음 과 같이 sudo
로컬 사용자를 추가했습니다 .test
/etc/sudoers
visudo
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
test ALL=(ALL) ALL
또한 test
휠 세트에 추가되었습니다:
[root@ark-centos-smb4 ~]# groups test
test : bin wheel arkgrp
그런 다음 루트로 명령을 실행하려고 su
시도했지만 test
사용자가 sudoers 파일에 없다는 오류가 발생했습니다.
[root@ark-centos-smb4 ~]# su - test
Last login: Tue Aug 8 01:03:48 PDT 2017 on pts/0
[test@ark-centos-smb4 ~]$ sudo ls /root/
[sudo] password for test:
test is not in the sudoers file. This incident will be reported.
흥미롭게도 루트 사용자는 sudo를 실행할 수 없습니다.
[root@ark-centos-smb4 ~]# sudo ls
root is not allowed to run sudo on ark-centos-smb4. This incident will be reported.
시각적 결과:
[root@ark-centos-smb4 ~]# visudo -c
/etc/sudoers: parsed OK
/etc/sudoers.d/arkgrp-users: parsed OK
sudo -V 결과:
[root@ark-centos-smb4 ~]# sudo -V
Sudo version 1.8.6p7
Configure options: --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --prefix=/usr --sbindir=/usr/sbin --libdir=/usr/lib64 --docdir=/usr/share/doc/sudo-1.8.6p7 --with-logging=syslog --with-logfac=authpriv --with-pam --with-pam-login --with-editor=/bin/vi --with-env-editor --with-ignore-dot --with-tty-tickets --with-ldap --with-ldap-conf-file=/etc/sudo-ldap.conf --with-selinux --with-passprompt=[sudo] password for %p: --with-linux-audit --with-sssd --with-gcrypt
Sudoers policy plugin version 1.8.6p7
Sudoers file grammar version 42
Sudoers path: /etc/sudoers
nsswitch path: /etc/nsswitch.conf
ldap.conf path: /etc/sudo-ldap.conf
ldap.secret path: /etc/ldap.secret
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Ignore '.' in $PATH
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5.0 minutes
Password prompt timeout: 5.0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/db/sudo
Default password prompt: [sudo] password for %p:
Default user to run commands as: root
Path to the editor for use by visudo: /bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
TZ
TERM
LINGUAS
LC_*
LANGUAGE
LANG
COLORTERM
Environment variables to remove:
RUBYOPT
RUBYLIB
PYTHONUSERBASE
PYTHONINSPECT
PYTHONPATH
PYTHONHOME
TMPPREFIX
ZDOTDIR
READNULLCMD
NULLCMD
FPATH
PERL5DB
PERL5OPT
PERL5LIB
PERLLIB
PERLIO_DEBUG
JAVA_TOOL_OPTIONS
SHELLOPTS
GLOBIGNORE
PS4
BASH_ENV
ENV
TERMCAP
TERMPATH
TERMINFO_DIRS
TERMINFO
_RLD*
LD_*
PATH_LOCALE
NLSPATH
HOSTALIASES
RES_OPTIONS
LOCALDOMAIN
CDPATH
IFS
Environment variables to preserve:
XAUTHORIZATION
XAUTHORITY
PS2
PS1
PATH
LS_COLORS
KRB5CCNAME
HOSTNAME
DISPLAY
COLORS
Locale to use while parsing sudoers: C
Compress I/O logs using zlib
Directory in which to store input/output logs: /var/log/sudo-io
File in which to store the input/output log: %{seq}
Add an entry to the utmp/utmpx file when allocating a pty
Don't pre-resolve all group names
PAM service name to use
PAM service name to use for login shells
Local IP address and netmask pairs:
192.168.32.26/255.255.252.0
2001:21:21:32:250:56ff:feb4:720d/ffff:ffff:ffff:ffff::
fe80::250:56ff:feb4:720d/ffff:ffff:ffff:ffff::
Sudoers I/O plugin version 1.8.6p7
/etc/sudoers 비주석 내용:
Defaults !visiblepw
Defaults always_set_home
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
root ALL=(ALL:ALL) ALL
test ALL=(ALL:ALL) ALL
usera ALL=(ALL:ALL) ALL
%wheel ALL=(ALL) ALL
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
/etc/sudoers.d/arkgrp-users 콘텐츠:
%arkgrp ALL=(ALL) ALL
나는 다음을 통해 Centos를 Windows 도메인에 가입했습니다.realm join QA.ARKIVIO.COM
[root@ark-centos-smb4 ~]# realm list
qa.arkivio.com
type: kerberos
realm-name: QA.ARKIVIO.COM
domain-name: qa.arkivio.com
configured: kerberos-member
server-software: active-directory
client-software: winbind
required-package: oddjob-mkhomedir
required-package: oddjob
required-package: samba-winbind-clients
required-package: samba-winbind
required-package: samba-common-tools
login-formats: QA\%U
login-policy: allow-any-login
QA.ARKIVIO.COM
type: kerberos
realm-name: QA.ARKIVIO.COM
domain-name: qa.arkivio.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %[email protected]
login-policy: allow-realm-logins
/etc/sssd/sssd.conf 내용
[sssd]
config_file_version = 2
#services = nss, pam, pac, ssh, ifp
services = nss, pam, pac, ssh, ifp, sudo
#domains = QA
domains = QA.ARKIVIO.COM
#debug_level = 0 - Set this to troubleshoot; 0-10 are valid values
#debug_level = 0
debug_level = 9
#ldap_sasl_authid = host/[email protected]
[nss]
#filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/QA.ARKIVIO.COM]
ad_domain = QA.ARKIVIO.COM
krb5_realm = QA.ARKIVIO.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
ldap_schema = ad
#ldap_access_order = expire
#ldap_account_expire_policy = ad
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
auth_provider = ad
/etc/nsswitch.conf의 sudo 항목
[root@ark-centos-smb4 /]# grep sudo /etc/nsswitch.conf
sudoers: ldap
몇 가지 제안을 해주세요.
답변1
여기서 문제는 CentOS 시스템을 Active Directory 도메인에 가입할 때 다음 구성을 인계 받도록 realm
명령도 수정된다는 것입니다 ./etc/nsswitch.conf
sudo
grep sudo /etc/nsswitch.conf sudoers: ldap
로컬 구성을 유지하려면 sudo
원래 설정으로 복원해야 합니다.
sudoers: files
흥미롭게도 내 (Debian 및 Raspbian) AD 조인 시스템에는 병합된 구성이 있습니다.
sudoers: files sss
배포는 제쳐두고, 귀하의 구성은 병합된 구성이 아니고 귀하의 구성은 sssd
. )
답변2
/etc/sudoers
다음과 같이 편집하세요 .
# User privilege specification
root ALL=(ALL:ALL) ALL
test ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL