LinuxQuestions.org
Old 08-17-2017, 03:43 AM   #1
xq10907
LQ Newbie
 
Registered: Aug 2017
Posts: 15

Rep: Reputation: Disabled
Sudo is not working on my centos7.3


Hello guys

I have spent considerable time on my CentOS 7 with sudo. I added local user test to /etc/sudoers via visudo as follows:

Code:
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
test    ALL=(ALL)       ALL
I also added test to wheel:
Quote:
[root@ark-centos-smb4 ~]# groups test
test : bin wheel arkgrp
Then I su to test and run a command as root, and get an error saying the user is not in the sudoers file. Please give some suggestions, thanks.

Quote:
[root@ark-centos-smb4 ~]# su - test
Last login: Tue Aug 8 01:03:48 PDT 2017 on pts/0
[test@ark-centos-smb4 ~]$ sudo ls /root/
[sudo] password for test:
test is not in the sudoers file. This incident will be reported.
Interesting, the root user is also refused when running sudo:
Quote:
[root@ark-centos-smb4 ~]# sudo ls
root is not allowed to run sudo on ark-centos-smb4. This incident will be reported.
Please give some advice, much appreciated!
 
Old 08-17-2017, 11:49 AM   #2
michaelk
Moderator
 
Registered: Aug 2002
Posts: 16,034

Rep: Reputation: 1853
It works for me. Have you tried logging out and then back in?
 
Old 08-17-2017, 12:00 PM   #3
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,953
Blog Entries: 14

Rep: Reputation: 1166
"test" is a command so your system might be confused with a user by that name.

Try changing the username to "testuser".

The wheel group is not required for RHEL/CentOS like it is for some other distros. Although you can set up grants by group, the fact you did it for a specific user means he doesn't need to be in wheel.

Also you mention /etc/sudoers which makes it sound as if you did a direct edit of that file. The appropriate way to edit the file is using the "visudo" command. It will check for syntax errors before you save. I'd suggest doing a visudo then a write to see if it complains of any issues.

Finally RHEL/CentOS have SELinux. If that is enabled and enforcing you may have modified context on /etc/sudoers if you did direct edit. You should check /etc/sudoers if you are in fact enforcing in SELinux.
 
Old 08-17-2017, 09:19 PM   #4
xq10907
LQ Newbie
 
Registered: Aug 2017
Posts: 15

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by michaelk View Post
It works for me. Have you tried logging out and then back in.
michaelk, tried it, still not working
 
Old 08-17-2017, 09:33 PM   #5
xq10907
LQ Newbie
 
Registered: Aug 2017
Posts: 15

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by MensaWater View Post
"test" is a command so your system might be confused with a user by that name.

Try changing the username to "testuser".
Tried it, not working.

Quote:
The wheel group is not required for RHEL/CentOS like it is for some other distros. Although you can setup grants by group the fact you did it for a specific user means he doesn't need to be in wheel.
I added user usera to /etc/sudoers via visudo; not working, see the command results below:
Code:
[root@ark-centos-smb4 ~]# su - usera
Last login: Thu Aug 17 19:14:40 PDT 2017 on pts/0
[root@ark-centos-smb4 ~]# su - usera
Last login: Thu Aug 17 19:16:16 PDT 2017 from dln-l-qx01.***.com on pts/1
[usera@ark-centos-smb4 ~]$ sudo ls
[sudo] password for usera:
usera is not in the sudoers file.  This incident will be reported.

Quote:
Also you mention /etc/sudoers which makes it sound as if you did a direct edit of that file. The appropriate way to edit the file is using the "visudo" command. It will check for syntax errors before you save. I'd suggest doing a visudo then a write to see if it complains of any issues.
I edited /etc/sudoers via visudo each time
Code:
[root@ark-centos-smb4 ~]# visudo -c
/etc/sudoers: parsed OK
/etc/sudoers.d/arkgrp-users: parsed OK
Quote:
Finally RHEL/CentOS have SELinux. If that is enabled and enforcing you may have modified context on /etc/sudoers if you did direct edit. You should check /etc/sudoers if you are in fact enforcing in SELinux.
According to the above visudo result, /etc/sudoers has no errors.
Thanks
 
Old 08-18-2017, 02:18 AM   #6
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 9,582

Rep: Reputation: 2816
is there anything else in that /etc/sudoers file?
 
Old 08-18-2017, 03:31 AM   #7
xq10907
LQ Newbie
 
Registered: Aug 2017
Posts: 15

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by pan64 View Post
is there anything else in that /etc/sudoers file?
Attached /etc/sudoers; added a .txt suffix to make the upload work.
Attached Files
File Type: txt sudoers.txt (4.1 KB, 9 views)
 
Old 08-18-2017, 08:17 AM   #8
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,953
Blog Entries: 14

Rep: Reputation: 1166
visudo will check syntax but doesn't check SELinux status. Did you check whether you have that enabled and enforcing? If it is, did you check the SELinux context of /etc/sudoers?

Also did you verify permissions of /etc itself and /etc/sudoers?

If you look in /var/log/secure does it show any more detail about the failure?
 
Old 08-18-2017, 08:25 AM   #9
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,953
Blog Entries: 14

Rep: Reputation: 1166
In your sudoers file can you verify the following are actually each a single line rather than two lines as appears when I viewed your attachment:

Quote:
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
LC_CTYPE"
Quote:
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
LC_MESSAGES"
Quote:
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
LC_TELEPHONE"
Quote:
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY"
That is when I go to, for example, the line that appears to end in "LINGUAS _XKB_CHARSET" the "XAUTHORITY" appears to me to be a separate line. It should in fact be the end of the first line. The other things I quoted appear the same way to me.
 
Old 08-18-2017, 11:51 AM   #10
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 9,582

Rep: Reputation: 2816
and what is in /etc/sudoers.d/arkgrp-users ?
 
Old 08-18-2017, 12:23 PM   #11
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,953
Blog Entries: 14

Rep: Reputation: 1166
Quote:
Originally Posted by pan64 View Post
and what is in /etc/sudoers.d/arkgrp-users ?
I wouldn't think that would matter given the sudoers file itself has the includedir line commented out.
 
Old 08-19-2017, 03:47 AM   #12
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 9,582

Rep: Reputation: 2816
see post #5, it was parsed. I don't know why, but visudo -c processed that.
And the sudoers file has a relatively strange behaviour: the rules are order dependent, and probably the users are disabled somewhere....

probably need to set logging to catch it.
 
Old 08-21-2017, 03:13 AM   #13
xq10907
LQ Newbie
 
Registered: Aug 2017
Posts: 15

Original Poster
Rep: Reputation: Disabled
Quote:
visudo will check syntax but doesn't check SELinux status. Did you check whether you have that enabled and enforcing? If it is did you check the SELinux context of /etc/sudoers?
Ran the following to verify:
Code:
[root@ark-centos-smb4 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
Quote:
Also did you verify permissions of /etc itself and /etc/sudoers?
Code:
[root@ark-centos-smb4 /]# ls -laZ / | grep etc
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 00
-rw-r--r--+ root root system_u:object_r:etc_runtime_t:s0 0039
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 0051
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 0155
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 1
-rw-rwxr--+ root root system_u:object_r:etc_runtime_t:s0 2330
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 5m
-rw-r--r--+ root root system_u:object_r:etc_runtime_t:s0 aa
-rw-r--r--+ root root system_u:object_r:etc_runtime_t:s0 aaa
-rwxr--r--. root root system_u:object_r:etc_runtime_t:s0 ca_qa_base64.cer
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 ca_qa_base64.pem
-r--------. root root system_u:object_r:etc_runtime_t:s0 centosDecCRC.keytab
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 centosDecMd5.keytab
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 dumper.bat
drwxr-xr-x. root root system_u:object_r:etc_t:s0       etc
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 krb5.conf
-rw-r-xr--+ root root system_u:object_r:etc_runtime_t:s0 ll
-rw-r--r--+ root root system_u:object_r:etc_runtime_t:s0 lll
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 network
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 qaDer.pem
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 smb4DecMd5.keytab
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 sss
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 sssd.conf.redhat

[root@ark-centos-smb4 /]# ls -laZ /etc | grep sudoer
-r--r-----. root root   unconfined_u:object_r:etc_t:s0   sudoers
drwxr-x---. root root   system_u:object_r:etc_t:s0       sudoers.d
Quote:
If you look in /var/log/secure does it show any more detail about the failure?
I ran sudo with local user usera and captured the /var/log/secure and /var/log/messages content:

Code:
[usera@ark-centos-smb4 ~]$ sudo ls
[sudo] password for usera:
usera is not in the sudoers file.  This incident will be reported.

/var/log/secure message:
Aug 21 01:03:17 ark-centos-smb4 sudo:   usera : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/usera ; USER=root ; COMMAND=/usr/bin/ls

/var/log/messages result:
Aug 21 01:05:21 ark-centos-smb4 nslcd[988]: [b2491e] <group/member="root"> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090A22, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839
Aug 21 01:05:21 ark-centos-smb4 nslcd[988]: [b2491e] <group/member="root"> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090A22, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839
Aug 21 01:05:26 ark-centos-smb4 nslcd[988]: [68239f] <group/member="postfix"> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090A22, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839
Aug 21 01:05:26 ark-centos-smb4 nslcd[988]: [68239f] <group/member="postfix"> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090A22, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839
Aug 21 01:05:26 ark-centos-smb4 nslcd[988]: [8049f8] <group/member="postfix"> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090A22, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839
Aug 21 01:05:26 ark-centos-smb4 nslcd[988]: [8049f8] <group/member="postfix"> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090A22, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839
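
The /var/log/secure entry above has a fixed shape ("user : reason ; TTY=... ; PWD=... ; USER=... ; COMMAND=..."), so refusals can be extracted and counted mechanically. The following is an added example, not part of the original post: the function names are hypothetical, every sample line except the first is constructed, and the "user NOT authorized on host" reason is assumed from sudo's standard log messages rather than taken from the thread.

```shell
#!/bin/sh
# Added example: extract sudo refusals from /var/log/secure-style lines.

# Print "user|reason|runas|command" for each sudo entry that carries a refusal
# reason. Allowed commands log "user : TTY=..." with no reason and are skipped.
sudo_denials() {
    awk '{
        if (!match($0, / sudo(\[[0-9]+\])?: +/)) next
        msg = substr($0, RSTART + RLENGTH)
        sep = index(msg, " : ")
        if (sep == 0) next                      # e.g. PAM lines logged by sudo
        user = substr(msg, 1, sep - 1)
        rest = substr(msg, sep + 3)
        if (rest ~ /^TTY=/) next                # no reason field: allowed
        stop = index(rest, " ; ")
        reason = (stop ? substr(rest, 1, stop - 1) : rest)
        runas = "-"; cmd = "-"
        if (match(rest, / USER=[^ ]+/))
            runas = substr(rest, RSTART + 6, RLENGTH - 6)
        c = index(rest, "COMMAND=")
        if (c) cmd = substr(rest, c + 8)        # last field: keep its arguments
        print user "|" reason "|" runas "|" cmd
    }' "$1"
}

# Count refusals per user and reason as "count|user|reason", sorted.
denials_by_user() {
    sudo_denials "$1" |
        awk -F'|' '{ n[$1 "|" $2]++ } END { for (k in n) print n[k] "|" k }' |
        sort
}

# Sample input: first line is from the thread, the others are constructed.
log=$(mktemp)
trap 'rm -f "$log"' EXIT
cat > "$log" <<'EOF'
Aug 21 01:03:17 ark-centos-smb4 sudo:   usera : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/usera ; USER=root ; COMMAND=/usr/bin/ls
Aug 21 01:03:40 ark-centos-smb4 sudo:   usera : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/usera ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd
Aug 21 01:04:02 ark-centos-smb4 sudo:    root : user NOT authorized on host ; TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/ls
Aug 21 01:06:10 ark-centos-smb4 sudo[2211]:  admin1 : TTY=pts/2 ; PWD=/home/admin1 ; USER=root ; COMMAND=/usr/bin/id
EOF

sudo_denials "$log"
denials_by_user "$log"
```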
 
Old 08-21-2017, 03:21 AM   #14
xq10907
LQ Newbie
 
Registered: Aug 2017
Posts: 15

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by MensaWater View Post
In your sudoers file can you verify the following are actually each a single line rather than two lines as appears when I viewed your attachment:
That is when I go to, for example, the line that appears to end in "LINGUAS _XKB_CHARSET" the "XAUTHORITY" appears to me to be a separate line. It should in fact be the end of the first line. The other things I quoted appear the same way to me.
I checked /etc/sudoers with Notepad++; it shows these Defaults* lines are each a single line instead of two lines.
 
Old 08-21-2017, 03:25 AM   #15
xq10907
LQ Newbie
 
Registered: Aug 2017
Posts: 15

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by pan64 View Post
see post #5, it was parsed. I don't know why, but visudo -c processed that.
And the sudoers file has a relatively strange behaviour: the rules are order dependent, and probably the users are disabled somewhere....

probably need to set logging to catch it.
Referring to other posts, I just want members of group arkgrp to be able to run sudo as well:
Code:
[root@ark-centos-smb4 /]# more /etc/sudoers.d/arkgrp-users
%arkgrp ALL=(ALL) ALL
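
On why "visudo -c" in post #5 also reported /etc/sudoers.d/arkgrp-users: in sudoers syntax a line that begins "#includedir" (or "#include") is a directive rather than a comment, and files in the included directory are skipped when their name contains a "." or ends in "~". The script below is an added example, not code from the thread; the function names and the temporary sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: which include directives and drop-in files does sudo honour?

# Print "<kind> <path>" for every active include directive in a sudoers file.
# "#include"/"#includedir" are directives despite the leading "#"; newer sudo
# releases also accept "@include"/"@includedir". "# includedir" (with a space)
# and "## ..." lines are ordinary comments. Quoted paths are not handled.
sudoers_includes() {
    awk '/^[ \t]*[#@]include(dir)?[ \t]+/ {
             kind = $1
             sub(/^[#@]/, "", kind)
             print kind, $2
         }' "$1"
}

# Print the files sudo would read from an includedir: regular files whose
# name does not contain "." and does not end in "~".
includedir_files() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "${f##*/}" in
            *.* | *"~") continue ;;
        esac
        printf '%s\n' "$f"
    done
}

# Constructed sample tree (hypothetical paths under a temp directory).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
mkdir "$tmp/sudoers.d"
cat > "$tmp/sudoers" <<EOF
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
# includedir $tmp/not-read
#includedir $tmp/sudoers.d
EOF
echo '%arkgrp ALL=(ALL) ALL' > "$tmp/sudoers.d/arkgrp-users"
echo '%arkgrp ALL=(ALL) ALL' > "$tmp/sudoers.d/arkgrp-users.bak"
: > "$tmp/sudoers.d/arkgrp-users~"

sudoers_includes "$tmp/sudoers" | while read -r kind path; do
    echo "directive: $kind $path"
    if [ "$kind" = includedir ]; then
        includedir_files "$path" | sed 's/^/  would read: /'
    fi
done
```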
 
  

