Closed gzcwnk closed 6 years ago
I suspect it's a bad interaction between salt and Red Hat's version of freeipa? i.e. the command salt is issuing to sudo isn't what sssd/IPA expects? Though maybe I am mis-configured?
roster file,
If I log in directly, and sudo su - it works fine.
==========
-bash-4.1# ssh vuwunicopatch07.ods.vuw.ac.nz -l svc_salt_ssh
Warning: the RSA host key for '[vuwunicopatch07.ods.vuw.ac.nz]:10' differs from the key for the IP address '[10.180.48.22]:10'
Offending key for IP in /root/.ssh/known_hosts:12
Matching host key in /root/.ssh/known_hosts:21
Are you sure you want to continue connecting (yes/no)? yes
Password:
Last failed login: Thu Jul 13 10:02:35 NZST 2017 from vuwunicorhsat03.vuw.ac.nz on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Thu Jul 13 09:29:10 2017 from vuwunicorhsat03.vuw.ac.nz
Kickstarted on 2017-06-13
[svc_salt_ssh@vuwunicopatch07 ~]$ sudo su -
Last login: Thu Jul 13 09:40:20 NZST 2017 on pts/1
[root@vuwunicopatch07 ~]#
Make sure you do not have requiretty set in your sudoers... otherwise you might need to set tty: True in the roster.
If you run ssh vuwunicopatch07.ods.vuw.ac.nz -l svc_salt_ssh -- sudo su - does it throw an error?
If you add ssh -t, it should be the equivalent of setting tty: True.
No it seems to hang,
===========
-bash-4.1# ssh vuwunicopatch07.ods.vuw.ac.nz -l svc_salt_ssh -- sudo su -
Warning: the RSA host key for '[vuwunicopatch07.ods.vuw.ac.nz]:10' differs from the key for the IP address '[10.180.48.22]:10'
Offending key for IP in /root/.ssh/known_hosts:12
Matching host key in /root/.ssh/known_hosts:21
Are you sure you want to continue connecting (yes/no)? yes
Password:
^CKilled by signal 2.
-bash-4.1#
============
Well that got me further but I get this error now,
retcode:
1
stderr:
Connection to 10.180.48.22 closed.
stdout:
Password:
[sudo] password for svc_salt_ssh:
Sorry, user svc_salt_ssh is not allowed to execute '/usr/bin/python2.7 -c import base64;
exec(base64.b64decode("""IyBweWxpbnQ6IGRpc2FibGU9Vzk5MDMKJycnClRoaXMgaXMgYSBzaGltIHRoYXQ
8><----- luKHN5cy5hcmd2KSkK """).decode("utf-8"))' as root on vuwunicopatch07.ods.vuw.ac.nz.
-bash-4.1#
PS I added tty: true to the roster
Can you provide your sudoers file?
I don't use a sudoers file, sudo is controlled via IPA,
https://www.freeipa.org/page/Main_Page
or specifically Red Hat's commercial offering of it.
What commands do you allow that salt user to run through the freeipa sudoers command?
If python2.7 is not in the list you will need to add it.
The salt user can run "sudo su -"
I tried adding the python command and that didn't work.
You will need to allow it to run whatever commands are run with SUDO in the shim script
https://github.com/saltstack/salt/blob/2016.11/salt/client/ssh/__init__.py#L125
Sorry but I have no understanding of what __init__.py is. I am not a programmer so I don't understand what I am looking at in this file. I think we'll just assume [free]ipa and Salt are incompatible and move on.
You should just have to enable python2.7 or python3 to be able to run with sudo. Any of these binaries:
PYTHON_CMDS="python3 python27 python2.7 python26 python2.6 python2 python"
Whichever one would be the first one to be found by which.
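To make the advice above concrete, here is an added example (my own illustration, not Salt's shim code and not anything from this issue). It reproduces the "first candidate found by which" lookup over the PYTHON_CMDS list quoted in the comment, against a throw-away PATH so it runs anywhere, and then prints the FreeIPA sudo rule that would allow exactly that interpreter for the service account. The rule name salt_ssh and the ipa CLI invocations are my assumptions for illustration; check them against ipa help sudorule before using them. The point to take away is that sudo matches rules on the fully qualified path it logs as COMMAND= (here /usr/bin/python2.7), so a rule that only permits su - does not cover the shim, and a command entry without arguments matches any arguments, which the long -c payload needs.

```python
"""Added example: reproduce the salt-ssh shim's interpreter lookup and derive
the FreeIPA sudo rule that matches it.

PYTHON_CMDS is the candidate list quoted in the comment above; the search
order and "first one found on PATH wins" rule are what the comment describes.
The ipa(1) invocations, the rule name and the user/host defaults are
assumptions made for illustration, not something taken from the thread.
"""
import os
import shutil
import stat
import tempfile

PYTHON_CMDS = "python3 python27 python2.7 python26 python2.6 python2 python"


def resolve_shim_python(path_env, candidates=PYTHON_CMDS):
    """Return the path of the first candidate found on path_env, like `which`.

    The names are tried in order and the search stops at the first hit, so on a
    RHEL 6 host with only python2.6/python2.7 installed the answer is
    /usr/bin/python2.7 even though python3 is listed first.  Returns None when
    nothing matches.
    """
    for name in candidates.split():
        found = shutil.which(name, path=path_env)
        if found:
            return found
    return None


def make_fake_path(names):
    """Create a throw-away bin dir holding executable stubs called `names`.

    Lets the lookup be exercised offline regardless of what the local machine
    has installed; the stubs are empty shell scripts with the user exec bit set.
    """
    bindir = tempfile.mkdtemp(prefix="fakebin-")
    for name in names:
        stub = os.path.join(bindir, name)
        with open(stub, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(stub, os.stat(stub).st_mode | stat.S_IXUSR)
    return bindir


def ipa_sudo_rule_commands(python_path, rule="salt_ssh", user="svc_salt_ssh",
                           host="vuwunicopatch07.ods.vuw.ac.nz"):
    """Emit the FreeIPA CLI steps (assumed syntax) that allow exactly the
    interpreter the shim runs.

    sudo matches on the fully qualified path it logs as COMMAND=, so the rule
    has to name that path; allowing "su -" does not cover it.  A command entry
    with no arguments matches any arguments, which is what the shim's long
    "-c <base64 payload>" needs.  The !requiretty option covers the
    non-interactive (no pty) session salt-ssh opens by default.
    """
    return [
        "ipa sudocmd-add %s" % python_path,
        "ipa sudorule-add %s" % rule,
        "ipa sudorule-add-user %s --users=%s" % (rule, user),
        "ipa sudorule-add-host %s --hosts=%s" % (rule, host),
        "ipa sudorule-add-runasuser %s --users=root" % rule,
        "ipa sudorule-add-allow-command %s --sudocmds=%s" % (rule, python_path),
        "ipa sudorule-add-option %s --sudooption='!requiretty'" % rule,
    ]


if __name__ == "__main__":
    # Simulate the RHEL 6 target from the thread: python2.6, python2.7 and a
    # plain "python" present, no python3.  (Constructed, not a real host.)
    fake_bin = make_fake_path(["python2.6", "python2.7", "python"])
    chosen = resolve_shim_python(fake_bin)
    print("shim would execute:", chosen)
    for line in ipa_sudo_rule_commands(chosen):
        print(line)
```

Run it as-is to see the lookup pick python2.7 ahead of python2.6 and the plain python, then feed the real path from your target (the one in the secure log's COMMAND= field) to ipa_sudo_rule_commands to get the rule to review.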
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.
Description of Issue/Question
I get a failure message when I try and salt-ssh,
===========
-bash-4.1# salt-ssh vuwunicopatch07.ods.vuw.ac.nz cmd.run 'ip a'
vuwunicopatch07.ods.vuw.ac.nz:
-bash-4.1#
secure log shows,
Jul 13 09:41:39 vuwunicopatch07 sshd[9783]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=vuwunicorhsat03.vuw.ac.nz user=svc_salt_ssh
Jul 13 09:41:39 vuwunicopatch07 sshd[9779]: Accepted keyboard-interactive/pam for svc_salt_ssh from 10.100.32.10 port 24629 ssh2
Jul 13 09:41:40 vuwunicopatch07 sshd[9779]: pam_unix(sshd:session): session opened for user svc_salt_ssh by (uid=0)
Jul 13 09:41:40 vuwunicopatch07 sudo: svc_salt_ssh : command not allowed ; TTY=unknown ; PWD=/home/svc_salt_ssh ; USER=root ; COMMAND=/usr/bin/python2.7 -c import
Jul 13 09:41:40 vuwunicopatch07 sudo: svc_salt_ssh : (command continued)
8><---
ShPUFRJT05T
Jul 13 09:41:40 vuwunicopatch07 sudo: svc_salt_ssh : (command continued)
8><---
Jul 13 09:41:40 vuwunicopatch07 sshd[9787]: Received disconnect from 10.100.32.10: 11: disconnected by user
Jul 13 09:41:40 vuwunicopatch07 sshd[9779]: pam_unix(sshd:session): session closed for user svc_salt_ssh
Setup
(Please provide relevant configs and/or SLS files (Be sure to remove sensitive info).)
Steps to Reproduce Issue
(Include debug logs if possible and relevant.)
Versions Report
(Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)
-bash-4.1# salt --versions-report
Salt Version:
Salt: 2016.11.6
Dependency Versions:
cffi: Not Installed
cherrypy: Not Installed
dateutil: 1.4.1
docker-py: Not Installed
gitdb: Not Installed
gitpython: Not Installed
ioflo: Not Installed
Jinja2: 2.8.1
libgit2: Not Installed
libnacl: Not Installed
M2Crypto: 0.20.2
Mako: 0.3.4
msgpack-pure: Not Installed
msgpack-python: 0.4.6
mysql-python: Not Installed
pycparser: Not Installed
pycrypto: 2.6.1
pycryptodome: 3.4.3
pygit2: Not Installed
Python: 2.6.6 (r266:84292, Aug 9 2016, 06:11:56)
python-gnupg: Not Installed
PyYAML: 3.11
PyZMQ: 14.5.0
RAET: Not Installed
smmap: Not Installed
timelib: Not Installed
Tornado: 4.2.1
ZMQ: 4.0.5
System Versions:
dist: redhat 6.9 Santiago
machine: x86_64
release: 2.6.32-696.3.2.el6.x86_64
system: Linux
version: Red Hat Enterprise Linux Server 6.9 Santiago
-bash-4.1#
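The sudo entries in the secure log excerpt above are the place to confirm what the shim actually executed and why sudo refused it. As an added example (not part of this issue and not Salt code), here is a small parser for those entries: it reassembles sudo's "(command continued)" lines into one record, separates denials from allowed runs, and names the binary a rule would have to permit. The input is a constructed, shortened copy of the excerpt (the base64 payload is truncated, as it is on the page), plus one constructed allowed su - entry for contrast. One caveat a practitioner wants: "command not allowed" means no sudo rule matched the fully qualified command; a requiretty failure is reported differently ("sorry, you must have a tty to run sudo") and never produces this line.

```python
"""Added example: parse sudo denials out of /var/log/secure style lines.

The sample below is a constructed, shortened copy of the excerpt in this
issue; the final allowed "su -" line is constructed for contrast.  The field
layout (user : [reason ;] TTY= ; PWD= ; USER= ; COMMAND=, with "(command
continued)" lines when a long command is split) is sudo's standard syslog
format.
"""
import re

SAMPLE_SECURE_LOG = '''\
Jul 13 09:41:39 vuwunicopatch07 sshd[9783]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=vuwunicorhsat03.vuw.ac.nz user=svc_salt_ssh
Jul 13 09:41:40 vuwunicopatch07 sshd[9779]: pam_unix(sshd:session): session opened for user svc_salt_ssh by (uid=0)
Jul 13 09:41:40 vuwunicopatch07 sudo: svc_salt_ssh : command not allowed ; TTY=unknown ; PWD=/home/svc_salt_ssh ; USER=root ; COMMAND=/usr/bin/python2.7 -c import
Jul 13 09:41:40 vuwunicopatch07 sudo: svc_salt_ssh : (command continued) base64;exec(base64.b64decode("""IyBweWxpbnQ6IGRpc2FibGU9Vzk5MDMK
Jul 13 09:41:40 vuwunicopatch07 sudo: svc_salt_ssh : (command continued) luKHN5cy5hcmd2KSkK""").decode("utf-8"))
Jul 13 09:41:40 vuwunicopatch07 sshd[9787]: Received disconnect from 10.100.32.10: 11: disconnected by user
Jul 13 09:41:45 vuwunicopatch07 sudo: svc_salt_ssh : TTY=pts/1 ; PWD=/home/svc_salt_ssh ; USER=root ; COMMAND=/bin/su -
'''

# syslog prefix + "sudo: <user> : <rest>"; sudo pads the user name, hence " +".
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo: +(?P<user>\S+) : "
    r"(?P<rest>.*)$"
)
# Optional leading reason ("command not allowed") followed by the fixed fields.
FIELDS_RE = re.compile(
    r"(?:(?P<reason>[^;]*?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<command>.*)$"
)
CONTINUED = "(command continued) "


def parse_sudo_events(log_text):
    """Return one dict per sudo decision, with continuation lines folded in."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue  # sshd/pam lines are not sudo decisions
        rest = m.group("rest")
        if rest.startswith(CONTINUED):
            # sudo breaks long commands at a word boundary where it can, so a
            # space is the usual join; a forced mid-token break would need none.
            if events:
                events[-1]["command"] += " " + rest[len(CONTINUED):]
            continue
        f = FIELDS_RE.match(rest)
        if not f:
            continue  # other sudo messages (e.g. password failures) are skipped
        events.append({
            "ts": m.group("ts"),
            "host": m.group("host"),
            "user": m.group("user"),
            "denied": f.group("reason") == "command not allowed",
            "tty": f.group("tty"),
            "runas": f.group("runas"),
            "command": f.group("command"),
        })
    return events


def explain_denials(events):
    """For each denial, name the binary a sudo rule would have to allow.

    The binary is the first token of COMMAND=, which sudo has already resolved
    to a fully qualified path; that path, not a bare "python", is what a rule
    (sudoers or an IPA sudocmd) is matched against.
    """
    return [
        {
            "user": ev["user"],
            "runas": ev["runas"],
            "binary": ev["command"].split(" ", 1)[0],
            "tty": ev["tty"],
            "host": ev["host"],
        }
        for ev in events
        if ev["denied"]
    ]


if __name__ == "__main__":
    for hit in explain_denials(parse_sudo_events(SAMPLE_SECURE_LOG)):
        print("%(host)s: %(user)s -> %(runas)s refused for %(binary)s (tty=%(tty)s)" % hit)
```

Pointed at a real /var/log/secure, the same two functions give a quick list of which accounts were refused which binaries, which is also a useful audit signal on its own: a service account repeatedly denied for an interpreter it should never need is worth a look regardless of salt-ssh.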