Troubleshooting Sudoers Policy Plugin


Minh Chương Phạm Huỳnh

Jul 31, 2020, 1:19:01 AM
to RCDevs Security Solutions - Technical
Hi all,
I'm running WebADM Freeware Edition v2.0.0 RC4; my client is CentOS Linux release 7.3.1611 (Core) with SELinux and the firewall disabled.
I followed the "SpanKey SSH Key Management Quick Start", and everything works fine until 4.2.7 Sudoers Policy Plugin. On my client:

sudo -V

Sudo version 1.8.6p7
Configure options: --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --prefix=/usr --sbindir=/usr/sbin --libdir=/usr/lib64 --docdir=/usr/share/doc/sudo-1.8.6p7 --with-logging=syslog --with-logfac=authpriv --with-pam --with-pam-login --with-editor=/bin/vi --with-env-editor --with-ignore-dot --with-tty-tickets --with-ldap --with-ldap-conf-file=/etc/sudo-ldap.conf --with-selinux --with-passprompt=[sudo] password for %p:  --with-linux-audit --with-sssd --with-gcrypt
Sudoers policy plugin version 1.8.6p7
Sudoers file grammar version 42

Sudoers path: /etc/sudoers
nsswitch path: /etc/nsswitch.conf
ldap.conf path: /etc/sudo-ldap.conf
ldap.secret path: /etc/ldap.secret
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Ignore '.' in $PATH
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Always set $HOME to the target user's home directory
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5.0 minutes
Password prompt timeout: 5.0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/db/sudo
Default password prompt: [sudo] password for %p:
Default user to run commands as: root
Value to override user's $PATH with: /sbin:/bin:/usr/sbin:/usr/bin
Path to the editor for use by visudo: /bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
        TZ
        TERM
        LINGUAS
        LC_*
        LANGUAGE
        LANG
        COLORTERM
Environment variables to remove:
        RUBYOPT
        RUBYLIB
        PYTHONUSERBASE
        PYTHONINSPECT
        PYTHONPATH
        PYTHONHOME
        TMPPREFIX
        ZDOTDIR
        READNULLCMD
        NULLCMD
        FPATH
        PERL5DB
        PERL5OPT
        PERL5LIB
        PERLLIB
        PERLIO_DEBUG
        JAVA_TOOL_OPTIONS
        SHELLOPTS
        GLOBIGNORE
        PS4
        BASH_ENV
        ENV
        TERMCAP
        TERMPATH
        TERMINFO_DIRS
        TERMINFO
        _RLD*
        LD_*
        PATH_LOCALE
        NLSPATH
        HOSTALIASES
        RES_OPTIONS
        LOCALDOMAIN
        CDPATH
        IFS
Environment variables to preserve:
        XAUTHORITY
        _XKB_CHARSET
        LINGUAS
        LANGUAGE
        LC_ALL
        LC_TIME
        LC_TELEPHONE
        LC_PAPER
        LC_NUMERIC
        LC_NAME
        LC_MONETARY
        LC_MESSAGES
        LC_MEASUREMENT
        LC_IDENTIFICATION
        LC_COLLATE
        LC_CTYPE
        LC_ADDRESS
        LANG
        USERNAME
        QTDIR
        PS2
        PS1
        MAIL
        LS_COLORS
        KDEDIR
        HISTSIZE
        HOSTNAME
        DISPLAY
        COLORS
Locale to use while parsing sudoers: C
Compress I/O logs using zlib
Directory in which to store input/output logs: /var/log/sudo-io
File in which to store the input/output log: %{seq}
Add an entry to the utmp/utmpx file when allocating a pty
Don't pre-resolve all group names
PAM service name to use
PAM service name to use for login shells

Local IP address and netmask pairs:
        192.168.7.119/255.255.255.0
        fe80::1eea:52f2:4e1d:8200/ffff:ffff:ffff:ffff::

Sudoers I/O plugin version 1.8.6p7


There is no "SpanKey sudoers policy plugin" in the result, so I guess the SpanKey sudoers policy plugin has not been loaded successfully?
How can I make it work?
Is there any document about how to write sudo commands in "Privilege Elevation"? What if I want my domain user "chuongpm" to be able to do "sudo su root", or to configure sudo as "chuongpm    ALL=(ALL)       ALL"?

One more thing: my license is free for 40 users, and SpanKey Server is completely free for 5 hosts. How can I count the number of hosts/clients managed by the SpanKey SSH server? It is not counted in "Software License Details" (attached picture).
1.png

Minh Chương Phạm Huỳnh

Aug 4, 2020, 2:55:40 AM
to RCDevs Security Solutions - Technical
This is /etc/pam.d/sudo on my CentOS 7 client:
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so

This is /var/log/secure when I try sudo:
Aug  4 12:14:56 localhost sudo: chuongpm : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/bin/su

The "sudo -l" command does not work either:
Aug  4 13:43:30 localhost sudo: chuongpm : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=list

Benoît Jager

Aug 4, 2020, 9:14:10 AM
to RCDevs Security Solutions - Technical
Hello,

Did you run the sudo -V command while connected over SSH using a SpanKey account?

Best regards

Minh Chương Phạm Huỳnh

Aug 4, 2020, 9:41:23 PM
to RCDevs Security Solutions - Technical
Hi Benoît Jager,
This is the result when I connect over SSH using the SpanKey user chuongpm (Active Directory) to my CentOS 7 client:
sudo -V
Sudo version 1.8.23
Sudoers policy plugin version 1.8.23
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.23

sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for chuongpm:
Sorry, try again.
[sudo] password for chuongpm:
Sorry, try again.

This is when I use a local CentOS 7 account:
sudo -V
Sudo version 1.8.23
Sudoers policy plugin version 1.8.23
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.23

sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for chuong:
Matching Defaults entries for chuong on localhost:
    !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
    HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG
    LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User chuong may run the following commands on localhost:
    (ALL) ALL

I guess this is because the SpanKey sudoers policy plugin has not been loaded successfully?

Benoît Jager

Aug 5, 2020, 4:26:47 AM
to RCDevs Security Solutions - Technical
Can you run sudo -V again when connected through SSH, and provide the following log files:

from spankey client machine:
- authorized_keys.log
- libnss_spankey.so.log
- libspankey_wrapper.log
- spankeyd.log

from webadm server:
- webadm.log

Can you also provide the output of the following command:
getent passwd

Benoît Jager

Aug 5, 2020, 4:30:20 AM
to RCDevs Security Solutions - Technical
Can you also first install the latest RC4 from yesterday using this link:

Minh Chương Phạm Huỳnh

Aug 5, 2020, 5:26:09 AM
to RCDevs Security Solutions - Technical
I'm using webadm_all_in_one-2.0.0RC4-x64.sh; do I have to download and install it again from your link?

This is getent passwd on my CentOS 7 SpanKey client:
getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-bus-proxy:x:999:998:systemd Bus Proxy:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:998:997:User for polkitd:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
chuong:x:1000:1000::/home/chuong:/bin/bash (local user, sudo works fine)
thanhnx:x:1101:101:Nguyen Xuan Thanh:/home/nguyen xuan thanh:/bin/bash (AD user, sudo does not work)
chuongpm:x:1100:100:Pham Minh Chuong:/home/pham minh chuong:/bin/bash (AD user, sudo does not work)

This is /opt/spankey/logs on my CentOS 7 SpanKey client:
ls -lht
total 0
-rw-r----- 1 root root 0 Jul 31 10:41 libspankey_wrapper.log
-rw-r----- 1 root root 0 Jul 31 10:05 authorized_keys.log
-rw-r----- 1 root root 0 Jul 31 09:57 audisp_plugin.log
-rw-r----- 1 root root 0 Jul 30 15:07 libnss_spankey.so.log
-rw-r----- 1 root root 0 Jul 30 15:07 spankeyd.log
I don't know why there are no log entries at all.

This is webadm.log from the WebADM server, from the start of the SSH login until sudo -V:

[Wed Aug 05 16:11:18.723107 2020] [192.168.7.119] [OpenOTP:986XT8Q1] New openotpSimpleLogin SOAP request
[Wed Aug 05 16:11:18.723145 2020] [192.168.7.119] [OpenOTP:986XT8Q1] > Username: chuongpm
[Wed Aug 05 16:11:18.723163 2020] [192.168.7.119] [OpenOTP:986XT8Q1] > Password: xxxxxxxx
[Wed Aug 05 16:11:18.723178 2020] [192.168.7.119] [OpenOTP:986XT8Q1] > Client ID: Linux
[Wed Aug 05 16:11:18.723186 2020] [192.168.7.119] [OpenOTP:986XT8Q1] > Source IP: 192.168.14.154
[Wed Aug 05 16:11:18.723194 2020] [192.168.7.119] [OpenOTP:986XT8Q1] > Options: -U2F
[Wed Aug 05 16:11:18.723260 2020] [192.168.7.119] [OpenOTP:986XT8Q1] Registered openotpSimpleLogin request
[Wed Aug 05 16:11:18.732691 2020] [192.168.7.119] [OpenOTP:986XT8Q1] Ignoring 1 memberof values for user 'CN=Pham Minh Chuong,OU=Users,OU=ICT,OU=Central Management,DC=xxxxxxxx,DC=xxxxxxxx' (out of domain group search base)
[Wed Aug 05 16:11:18.733393 2020] [192.168.7.119] [OpenOTP:986XT8Q1] Resolved LDAP user: CN=Pham Minh Chuong,OU=Users,OU=ICT,OU=Central Management,DC=xxxxxxxx,DC=xxxxxxxx
[Wed Aug 05 16:11:18.733449 2020] [192.168.7.119] [OpenOTP:986XT8Q1] Resolved LDAP groups: ict
[Wed Aug 05 16:11:18.750357 2020] [192.168.7.119] [OpenOTP:986XT8Q1] Using Session server 'Session Server'
[Wed Aug 05 16:11:18.750558 2020] [192.168.7.119] [OpenOTP:986XT8Q1] Started transaction lock for user
[Wed Aug 05 16:11:18.750650 2020] [192.168.7.119] [OpenOTP:986XT8Q1] Found user fullname: Pham Minh Chuong
[Wed Aug 05 16:11:18.750671 2020] [192.168.7.119] [OpenOTP:986XT8Q1] Found 1 user mobiles: +xxxxxxxx
[Wed Aug 05 16:11:18.750681 2020] [192.168.7.119] [OpenOTP:986XT8Q1] Found 1 user emails: phamhuynh...@gmail.com
[Wed Aug 05 16:11:18.751542 2020] [192.168.7.119] [OpenOTP:986XT8Q1] Found 48 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,PushLogin=Yes,ChallengeMode=Yes,ChallengeTimeout=90,OTPLength=6,MobileTimeout=30,EnableLogin=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,DeviceType=FIDO2,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,PrefetchExpire=10,LastOTPTime=300,ListChallengeMode=ShowID
[Wed Aug 05 16:11:18.752411 2020] [192.168.7.119] [OpenOTP:986XT8Q1] Found 8 user data: LastOTP,NowaitState,TokenType,TokenKey,TokenState,TokenID,TokenExpire,TokenSerial
[Wed Aug 05 16:11:18.752502 2020] [192.168.7.119] [OpenOTP:986XT8Q1] Last OTP expired 2020-08-05 08:33:57
[Wed Aug 05 16:11:18.752539 2020] [192.168.7.119] [OpenOTP:986XT8Q1] SimplePush nowait state present (expiring 2020-08-06 08:28:57)
[Wed Aug 05 16:11:18.752646 2020] [192.168.7.119] [OpenOTP:986XT8Q1] Found 1 registered OTP token (TOTP)
[Wed Aug 05 16:11:18.752690 2020] [192.168.7.119] [OpenOTP:986XT8Q1] Requested login factors: LDAP & OTP
[Wed Aug 05 16:11:18.758237 2020] [192.168.7.119] [OpenOTP:986XT8Q1] LDAP password Ok
[Wed Aug 05 16:11:18.758476 2020] [192.168.7.119] [OpenOTP:986XT8Q1] Authentication challenge required
[Wed Aug 05 16:11:20.846588 2020] [192.168.7.119] [OpenOTP:986XT8Q1] Cloud authentication success on cloud.rcdevs.com
[Wed Aug 05 16:11:21.390066 2020] [192.168.7.119] [OpenOTP:986XT8Q1] Sent push notification for token #1
[Wed Aug 05 16:11:21.425690 2020] [192.168.7.119] [OpenOTP:986XT8Q1] Updated user data
[Wed Aug 05 16:11:21.450199 2020] [192.168.7.119] [OpenOTP:986XT8Q1] Started OTP authentication session of ID bHZtK4OqA4PkBKNI valid for 90 seconds
[Wed Aug 05 16:11:21.450869 2020] [192.168.7.119] [OpenOTP:986XT8Q1] Sent login challenge response
[Wed Aug 05 16:11:38.472597 2020] [192.168.7.119] [OpenOTP:986XT8Q1] New openotpChallenge SOAP request
[Wed Aug 05 16:11:38.472631 2020] [192.168.7.119] [OpenOTP:986XT8Q1] > Username: chuongpm
[Wed Aug 05 16:11:38.472642 2020] [192.168.7.119] [OpenOTP:986XT8Q1] > Session: bHZtK4OqA4PkBKNI
[Wed Aug 05 16:11:38.472650 2020] [192.168.7.119] [OpenOTP:986XT8Q1] > OTP Password: xxxxxx
[Wed Aug 05 16:11:38.472659 2020] [192.168.7.119] [OpenOTP:986XT8Q1] Registered openotpChallenge request
[Wed Aug 05 16:11:38.472667 2020] [192.168.7.119] [OpenOTP:986XT8Q1] Found authentication session started 2020-08-05 16:11:18
[Wed Aug 05 16:11:38.495198 2020] [192.168.7.119] [OpenOTP:986XT8Q1] Started transaction lock for user
[Wed Aug 05 16:11:38.495614 2020] [192.168.7.119] [OpenOTP:986XT8Q1] PUSH password Ok (token #1)
[Wed Aug 05 16:11:38.515372 2020] [192.168.7.119] [OpenOTP:986XT8Q1] Updated user data
[Wed Aug 05 16:11:38.897478 2020] [192.168.7.119] [OpenOTP:986XT8Q1] Sent terminate notification for token #1
[Wed Aug 05 16:11:38.898269 2020] [192.168.7.119] [OpenOTP:986XT8Q1] Sent login success response

Benoît Jager

Aug 5, 2020, 10:09:51 AM
to RCDevs Security Solutions - Technical
Yes, you can apply the update; this is an updated RC4 file.

In order to get logs for SpanKey, change the SpanKey configuration (/opt/spankey/conf/spankey.conf) and switch this setting to Verbose:
                log_level            Verbose

Then restart spankey: /opt/spankey/bin/spankey restart

Minh Chương Phạm Huỳnh

Aug 5, 2020, 9:50:49 PM
to RCDevs Security Solutions - Technical
I applied the update from your link and rebooted the WebADM server.

cat /opt/webadm/VERSION | head -1
RCDevs WebADM Server v2.0.0RC4 for Linux 64bit

I changed log_level to Verbose in /opt/spankey/conf/spankey.conf and restarted the SpanKey service (twice) on my CentOS 7 client. It doesn't log anything when I run "sudo -V" while connected through SSH; there are events when the service restarts but nothing else.

ls -lht
total 176K
-rw-r----- 1 root root 80K Aug  6 08:44 spankeyd.log
-rw-r----- 1 root root 46K Aug  6 08:44 libnss_spankey.so.log
-rw-r----- 1 root root   0 Jul 31 10:41 libspankey_wrapper.log

Benoît Jager

Aug 6, 2020, 3:58:32 AM
to RCDevs Security Solutions - Technical
Hello,

Can you do the SSH login and the sudo -V command again and provide us (you can send them to _sup...@rcdevs.com) the following files, together with the time of command execution:

from webadm server:
- webadm.log

from client machine:
- spankeyd.log
- libnss_spankey.so.log
- /var/log/auth

Can you also provide the version of the spankey-client you have installed?
And which sudo command is executed? (whereis sudo)


Best regards

Minh Chương Phạm Huỳnh

Aug 6, 2020, 5:21:54 AM
to RCDevs Security Solutions - Technical
Hi Benoît,
Can you also provide the version of the spankey-client you have installed?
spankey_client-2.2.1-1.x86_64
And which sudo command is executed? (whereis sudo)
whereis sudo
sudo: /usr/bin/sudo /etc/sudo.conf /usr/libexec/sudo /usr/share/man/man8/sudo.8.gz
From the beginning of the SSH login until sudo -V:

login as: chuongpm (simple push login, only approve/deny, so I don't enter an OTP here)
Using keyboard-interactive authentication.
Password:
Last login: Thu Aug  6 08:45:34 2020 from 192.168.14.154
Could not chdir to home directory /home/pham minh chuong: No such file or directory
-bash: [: too many arguments
-bash-4.2$ sudo -V

Sudo version 1.8.23
Sudoers policy plugin version 1.8.23
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.23
-bash-4.2$ whereis sudo
sudo: /usr/bin/sudo /etc/sudo.conf /usr/libexec/sudo /usr/share/man/man8/sudo.8.gz

from webadm server:
- webadm.log
[Thu Aug 06 16:08:58.934247 2020] [192.168.7.119] [OpenOTP:DEG45VG4] New openotpSimpleLogin SOAP request
[Thu Aug 06 16:08:58.934295 2020] [192.168.7.119] [OpenOTP:DEG45VG4] > Username: chuongpm
[Thu Aug 06 16:08:58.934310 2020] [192.168.7.119] [OpenOTP:DEG45VG4] > Password: xxxxxxxx
[Thu Aug 06 16:08:58.934322 2020] [192.168.7.119] [OpenOTP:DEG45VG4] > Client ID: Linux
[Thu Aug 06 16:08:58.934331 2020] [192.168.7.119] [OpenOTP:DEG45VG4] > Source IP: 192.168.14.154
[Thu Aug 06 16:08:58.934339 2020] [192.168.7.119] [OpenOTP:DEG45VG4] > Options: -U2F
[Thu Aug 06 16:08:58.934397 2020] [192.168.7.119] [OpenOTP:DEG45VG4] Registered openotpSimpleLogin request
[Thu Aug 06 16:08:58.957187 2020] [192.168.7.119] [OpenOTP:DEG45VG4] Ignoring 1 memberof values for user 'CN=Pham Minh Chuong,OU=Users,OU=ICT,OU=Central Management,DC=xxxxxxxx,DC=xxxxxxxx' (out of domain group search base)
[Thu Aug 06 16:08:58.968170 2020] [192.168.7.119] [OpenOTP:DEG45VG4] Resolved LDAP user: CN=Pham Minh Chuong,OU=Users,OU=ICT,OU=Central Management,DC=xxxxxxxx,DC=xxxxxxxx
[Thu Aug 06 16:08:58.968282 2020] [192.168.7.119] [OpenOTP:DEG45VG4] Resolved LDAP groups: ict
[Thu Aug 06 16:08:58.990653 2020] [192.168.7.119] [OpenOTP:DEG45VG4] Using Session server 'Session Server'
[Thu Aug 06 16:08:58.990941 2020] [192.168.7.119] [OpenOTP:DEG45VG4] Started transaction lock for user
[Thu Aug 06 16:08:58.991106 2020] [192.168.7.119] [OpenOTP:DEG45VG4] Found user fullname: Pham Minh Chuong
[Thu Aug 06 16:08:58.991200 2020] [192.168.7.119] [OpenOTP:DEG45VG4] Found 1 user mobiles: +xxxxxxxx
[Thu Aug 06 16:08:58.991217 2020] [192.168.7.119] [OpenOTP:DEG45VG4] Found 1 user emails: phamhuynh...@gmail.com
[Thu Aug 06 16:08:58.992680 2020] [192.168.7.119] [OpenOTP:DEG45VG4] Found 48 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,PushLogin=Yes,ChallengeMode=Yes,ChallengeTimeout=90,OTPLength=6,MobileTimeout=30,EnableLogin=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,DeviceType=FIDO2,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,PrefetchExpire=10,LastOTPTime=300,ListChallengeMode=ShowID
[Thu Aug 06 16:08:58.994453 2020] [192.168.7.119] [OpenOTP:DEG45VG4] Found 7 user data: LastOTP,TokenType,TokenKey,TokenState,TokenID,TokenExpire,TokenSerial
[Thu Aug 06 16:08:58.994582 2020] [192.168.7.119] [OpenOTP:DEG45VG4] Last OTP expired 2020-08-06 08:50:06
[Thu Aug 06 16:08:58.994707 2020] [192.168.7.119] [OpenOTP:DEG45VG4] Found 1 registered OTP token (TOTP)
[Thu Aug 06 16:08:58.994774 2020] [192.168.7.119] [OpenOTP:DEG45VG4] Requested login factors: LDAP & OTP
[Thu Aug 06 16:08:59.002368 2020] [192.168.7.119] [OpenOTP:DEG45VG4] LDAP password Ok
[Thu Aug 06 16:08:59.002655 2020] [192.168.7.119] [OpenOTP:DEG45VG4] Authentication challenge required
[Thu Aug 06 16:09:01.415922 2020] [192.168.7.119] [OpenOTP:DEG45VG4] Cloud authentication success on cloud.rcdevs.com
[Thu Aug 06 16:09:01.974615 2020] [192.168.7.119] [OpenOTP:DEG45VG4] Sent push notification for token #1
[Thu Aug 06 16:09:01.974678 2020] [192.168.7.119] [OpenOTP:DEG45VG4] Waiting 25 seconds for mobile response
[Thu Aug 06 16:09:07.959024 2020] [10.16.10.47] [OpenOTP:DEG45VG4] Received mobile authentication response from 10.16.10.47
[Thu Aug 06 16:09:07.959067 2020] [10.16.10.47] [OpenOTP:DEG45VG4] > Session: 3P2xBtzNHm5AKcbX
[Thu Aug 06 16:09:07.959078 2020] [10.16.10.47] [OpenOTP:DEG45VG4] > Password: 16 Bytes
[Thu Aug 06 16:09:07.959086 2020] [10.16.10.47] [OpenOTP:DEG45VG4] Found authentication session started 2020-08-06 16:08:59
[Thu Aug 06 16:09:07.959168 2020] [10.16.10.47] [OpenOTP:DEG45VG4] PUSH password Ok (token #1)
[Thu Aug 06 16:09:07.983675 2020] [192.168.7.119] [OpenOTP:DEG45VG4] Updated user data
[Thu Aug 06 16:09:07.999154 2020] [192.168.7.119] [OpenOTP:DEG45VG4] Sent login success response

from client machine: There are no new entries in spankeyd.log or libnss_spankey.so.log at all, so I don't have anything to send you. Below is /var/log/secure from my SpanKey client when I do the SSH login:

Aug  6 16:09:35 localhost sshd[24333]: Accepted keyboard-interactive/pam for chuongpm from 192.168.14.154 port 62696 ssh2
Aug  6 16:09:35 localhost sshd[24333]: pam_unix(sshd:session): session opened for user chuongpm by (uid=0)

Benoît Jager

Aug 6, 2020, 8:18:25 AM
to RCDevs Security Solutions - Technical
The problem could be because you are not using the right sudo command. This should be this one: /opt/spankey/libexec/usrbin/sudo

When you do the SSH connection, do you get such information from the terminal:
Screenshot 2020-08-06 at 14.07.01.png

Connected in your SSH session, can you give us the output of these commands:
- ps faux
- printenv


Also, did you enable the local user account setting of SpanKey?
Screenshot 2020-08-06 at 14.12.22.png


Do you have any user chuongpm in the /etc/passwd file of the machine you connect using SSH?

Minh Chương Phạm Huỳnh

Aug 7, 2020, 10:17:25 PM
to RCDevs Security Solutions - Technical
When you do the SSH connection, do you get such information from the terminal:
Screenshot 2020-08-06 at 14.07.01.png

--> I don't get it for now, but I remember I used to before.

Connected in the chuongpm SSH session, the output of these commands:
- ps faux
USER        PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root          2  0.0  0.0      0     0 ?        S    Jul29   0:00 [kthreadd]
root          3  0.0  0.0      0     0 ?        S    Jul29   0:02  \_ [ksoftirqd/0]
root          7  0.0  0.0      0     0 ?        S    Jul29   0:00  \_ [migration/0]
root          8  0.0  0.0      0     0 ?        S    Jul29   0:00  \_ [rcu_bh]
root          9  0.0  0.0      0     0 ?        S    Jul29   1:07  \_ [rcu_sched]
root         10  0.0  0.0      0     0 ?        S    Jul29   0:02  \_ [watchdog/0]
root         11  0.0  0.0      0     0 ?        S    Jul29   0:02  \_ [watchdog/1]
root         12  0.0  0.0      0     0 ?        S    Jul29   0:00  \_ [migration/1]
root         13  0.0  0.0      0     0 ?        S    Jul29   0:03  \_ [ksoftirqd/1]
root         15  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [kworker/1:0H]
root         17  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [khelper]
root         18  0.0  0.0      0     0 ?        S    Jul29   0:00  \_ [kdevtmpfs]
root         19  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [netns]
root         20  0.0  0.0      0     0 ?        S    Jul29   0:00  \_ [khungtaskd]
root         21  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [writeback]
root         22  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [kintegrityd]
root         23  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [bioset]
root         24  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [kblockd]
root         25  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [md]
root         31  0.0  0.0      0     0 ?        S    Jul29   0:00  \_ [kswapd0]
root         32  0.0  0.0      0     0 ?        SN   Jul29   0:00  \_ [ksmd]
root         33  0.0  0.0      0     0 ?        SN   Jul29   0:01  \_ [khugepaged]
root         34  0.0  0.0      0     0 ?        S    Jul29   0:00  \_ [fsnotify_mark]
root         35  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [crypto]
root         43  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [kthrotld]
root         45  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [kmpath_rdacd]
root         46  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [kpsmoused]
root         48  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [ipv6_addrconf]
root         68  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [deferwq]
root        100  0.0  0.0      0     0 ?        S    Jul29   0:00  \_ [kauditd]
root        283  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [ata_sff]
root        284  0.0  0.0      0     0 ?        S    Jul29   0:00  \_ [scsi_eh_0]
root        285  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [scsi_tmf_0]
root        286  0.0  0.0      0     0 ?        S    Jul29   0:00  \_ [scsi_eh_1]
root        287  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [scsi_tmf_1]
root        290  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [mpt_poll_0]
root        291  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [mpt/0]
root        300  0.0  0.0      0     0 ?        S    Jul29   0:00  \_ [scsi_eh_2]
root        301  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [scsi_tmf_2]
root        303  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [ttm_swap]
root        376  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [kdmflush]
root        377  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [bioset]
root        387  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [kdmflush]
root        389  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [bioset]
root        402  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [xfsalloc]
root        403  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [xfs_mru_cache]
root        404  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [xfs-buf/dm-0]
root        405  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [xfs-data/dm-0]
root        406  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [xfs-conv/dm-0]
root        407  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [xfs-cil/dm-0]
root        408  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [xfs-reclaim/dm-]
root        409  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [xfs-log/dm-0]
root        410  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [xfs-eofblocks/d]
root        411  0.0  0.0      0     0 ?        S    Jul29   0:17  \_ [xfsaild/dm-0]
root        535  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [nfit]
root        582  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [xfs-buf/sda1]
root        583  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [xfs-data/sda1]
root        584  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [xfs-conv/sda1]
root        585  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [xfs-cil/sda1]
root        586  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [xfs-reclaim/sda]
root        587  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [xfs-log/sda1]
root        588  0.0  0.0      0     0 ?        S<   Jul29   0:00  \_ [xfs-eofblocks/s]
root        589  0.0  0.0      0     0 ?        S    Jul29   0:00  \_ [xfsaild/sda1]
root        648  0.0  0.0      0     0 ?        S<   Jul29   0:01  \_ [kworker/1:1H]
root      22787  0.0  0.0      0     0 ?        S    Aug05   0:13  \_ [kworker/1:1]
root      24377  0.0  0.0      0     0 ?        S    Aug06   0:02  \_ [kworker/u256:0]
root      25458  0.0  0.0      0     0 ?        S    03:24   0:03  \_ [kworker/0:1]
root      25486  0.0  0.0      0     0 ?        S    04:05   0:00  \_ [kworker/u256:1]
root      25607  0.0  0.0      0     0 ?        S<   08:22   0:00  \_ [kworker/0:0H]
root      25609  0.0  0.0      0     0 ?        S    08:30   0:00  \_ [kworker/1:2]
root      25610  0.0  0.0      0     0 ?        S<   08:33   0:00  \_ [kworker/0:1H]
root      25637  0.0  0.0      0     0 ?        S    08:34   0:00  \_ [kworker/0:2]
root      25665  0.0  0.0      0     0 ?        S    08:35   0:00  \_ [kworker/1:0]
root      25692  0.0  0.0      0     0 ?        S<   08:38   0:00  \_ [kworker/0:2H]
root          1  0.0  0.0 125152  3764 ?        Ss   Jul29   0:04 /usr/lib/systemd/systemd --switched-root --system --deserialize 21
root        481  0.0  0.1  36816  7276 ?        Ss   Jul29   0:01 /usr/lib/systemd/systemd-journald
root        501  0.0  0.0 192624  1384 ?        Ss   Jul29   0:00 /usr/sbin/lvmetad -f
root        505  0.0  0.0  43860  2152 ?        Ss   Jul29   0:00 /usr/lib/systemd/systemd-udevd
root        602  0.0  0.0 129148  1880 ?        S<sl Jul29   0:00 /sbin/auditd -n
root      16019  0.0  0.0  84552   880 ?        S<sl Jul31   0:00  \_ /sbin/audispd
root      16021  0.1  0.0  11088   696 ?        S<   Jul31  12:25      \_ /opt/spankey/libexec/audisp_plugin
root        619  0.0  0.0  19312  1264 ?        Ss   Jul29   0:43 /usr/sbin/irqbalance --foreground
polkitd     620  0.0  0.3 527620 13064 ?        Ssl  Jul29   0:00 /usr/lib/polkit-1/polkitd --no-debug
root        622  0.0  0.0  24192  1744 ?        Ss   Jul29   0:01 /usr/lib/systemd/systemd-logind
dbus        624  0.0  0.0  24536  1828 ?        Ss   Jul29   0:01 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root        632  0.0  0.2 513316  8204 ?        Ssl  Jul29   0:00 /usr/sbin/NetworkManager --no-daemon
root        851  0.0  0.1 219776  7640 ?        Ssl  Jul29   0:00 /usr/sbin/rsyslogd -n
root        853  0.0  0.5 553148 22552 ?        Ssl  Jul29   1:00 /usr/bin/python -Es /usr/sbin/tuned -l -P
root       1980  0.0  0.0  88980  2192 ?        Ss   Jul29   0:02 /usr/libexec/postfix/master -w
postfix    1988  0.0  0.1  89260  4168 ?        S    Jul29   0:00  \_ qmgr -l -t unix -u
postfix   25601  0.0  0.0  87660  3796 ?        S    08:03   0:00  \_ pickup -l -t unix -u
root       2195  0.0  0.0 126276  1604 ?        Ss   Jul29   0:01 /usr/sbin/crond -n
root      14565  0.0  0.0 108288   780 tty1     Ss+  Jul31   0:00 /sbin/agetty --noclear tty1 linux
root      17487  0.0  0.0  81044  1320 ?        Ss   Jul31   0:00 /usr/sbin/sshd
root      25669  0.0  0.1 146204  5960 ?        Ss   08:36   0:00  \_ sshd: root@pts/0
root      25672  0.0  0.0 113636  1944 pts/0    Ss+  08:36   0:00  |   \_ -bash
root      25693  0.0  0.1 146204  5964 ?        Ss   08:38   0:00  \_ sshd: chuongpm [priv]
chuongpm  25696  0.0  0.0 146204  2368 ?        S    08:38   0:00      \_ sshd: chuongpm@pts/1
chuongpm  25697  0.0  0.0 113632  1976 pts/1    Ss   08:38   0:00          \_ -bash
chuongpm  25719  0.0  0.0 149440  1736 pts/1    R+   08:42   0:00              \_ ps faux
nscd      17509  0.0  0.0 994132  2232 ?        Ssl  Jul31   0:02 /usr/sbin/nscd
root      24005  0.0  0.0  21660   980 ?        S    Aug06   0:19 /opt/spankey/libexec/rcdevs-spankeyd
root      24006  0.0  0.0 171396  3852 ?        Sl   Aug06   0:03  \_ spankeyd-worker
- printenv
XDG_SESSION_ID=294
HOSTNAME=localhost.localdomain
TERM=xterm
SHELL=/bin/bash
HISTSIZE=1000
SSH_CLIENT=192.168.14.154 52898 22
SSH_TTY=/dev/pts/1
USER=chuongpm
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.oga=01;36:*.spx=01;36:*.xspf=01;36:
MAIL=/var/spool/mail/chuongpm
PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
PWD=/
LANG=en_US.UTF-8
HISTCONTROL=ignoredups
SHLVL=1
HOME=/home/pham minh chuong
LOGNAME=chuongpm
SSH_CONNECTION=192.168.14.154 52898 192.168.7.119 22
LESSOPEN=||/usr/bin/lesspipe.sh %s
XDG_RUNTIME_DIR=/run/user/1100
_=/usr/bin/printenv


Also, did you enable the local user account in the settings of SpanKey? --> yes

[attachment: 1.png]

Do you have any user chuongpm in the /etc/passwd file of the machine you connect using SSH?
--> I did (it's gone now). Before installing and setting up the SpanKey client, I created a local user chuongpm (with a different password from my AD chuongpm account) on my CentOS 7 client to see how it behaves, because I don't see this mentioned in the documentation. It seems to override my local account with the AD account; then I didn't pay attention to it anymore, since sudo does not work with another AD user either (one which is not created as a local user).

The problem could be because you are not using the right sudo command. This should be this one: /opt/spankey/libexec/usrbin/sudo
--> Yes, as I said above, I followed "SpanKey SSH Key Management Quick Start"; at 4.2.7 Sudoers Policy Plugin, on my client, when I ran sudo -V to check if the SpanKey sudoers policy plugin had been successfully loaded, I didn't find "SpanKey sudoers policy plugin version 2.3.0" or anything like that in the result. Are there any other documents about it that I can read?

Benoît Jager

unread,
Aug 10, 2020, 4:21:13 AM8/10/20
to RCDevs Security Solutions - Technical
Hello,

It seems you are not connected to SSH through Spankey:
- you don't get the welcome message
- your bash session is directly managed by SSH, and not through the spankey wrapper:
root      25693  0.0  0.1 146204  5964 ?        Ss   08:38   0:00  \_ sshd: chuongpm [priv]
chuongpm  25696  0.0  0.0 146204  2368 ?        S    08:38   0:00      \_ sshd: chuongpm@pts/1
chuongpm  25697  0.0  0.0 113632  1976 pts/1    Ss   08:38   0:00          \_ -bash
chuongpm  25719  0.0  0.0 149440  1736 pts/1    R+   08:42   0:00              \_ ps faux 


Could you disable the two settings related to local user accounts, and try authentication and the sudo command again?

Best regards

Minh Chương Phạm Huỳnh

unread,
Aug 10, 2020, 11:07:51 PM8/10/20
to RCDevs Security Solutions - Technical
It seems you are not connected to SSH through Spankey:
- you don't get the welcome message
- your bash session is directly managed by SSH, and not through the spankey wrapper:
Yeah, but I used my AD username and password for SSH ^^.
I tried disabling the two settings related to local user accounts and tried again: authentication (successful) and the sudo command (fails as well).

mar...@rcdevs.com

unread,
Aug 11, 2020, 6:18:21 AM8/11/20
to RCDevs Security Solutions - Technical
Hello,

Could you check whether nscd daemon is running?
#systemctl status nscd

Also, please, post the nsswitch file content (uncommented):
#grep -v ^# /etc/nsswitch.conf


Also, in sshd.conf, please check if you can find this configuration:

AuthorizedKeysCommand /opt/spankey/libexec/authorized_keys
AuthorizedKeysCommandUser root
PermitUserEnvironment yes

Regards,
Marcus Duarte
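
The three checks Marcus asks for, as an added example that is not part of the thread and not RCDevs' own tooling. It verifies the three sshd_config directives against their effective values: sshd honours the first uncommented occurrence of a keyword, so a correct line appended after an earlier conflicting one changes nothing, and a naive grep for the expected text would pass while sshd still uses the wrong value. The file path is a parameter so it can be run against a copy; it assumes the "keyword value" form (not "keyword=value") and does not treat "Match" blocks specially. The nscd and nsswitch.conf report is only run when the script is invoked with a path.

```shell
#!/bin/sh
# Added example (not from the thread or RCDevs): check the sshd_config
# directives SpanKey needs, reporting the value sshd actually uses, which is
# the FIRST uncommented occurrence of each keyword.
# Assumptions: "keyword value" syntax only; a keyword that appears only inside
# a Match block is reported here as if it were global.

# Print the effective line for keyword $2 in sshd_config $1 (whitespace
# squeezed), or nothing if the keyword is not set at all.
sshd_effective() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" 2>/dev/null \
      | head -n 1 | tr -s ' \t' ' ' | sed 's/^ //; s/ $//'
}

# Compare the three SpanKey directives against their effective values.
# Prints one line per missing or wrong directive; returns 1 if any.
check_sshd_config() {
    f=$1; rc=0
    for want in 'AuthorizedKeysCommand /opt/spankey/libexec/authorized_keys' \
                'AuthorizedKeysCommandUser root' \
                'PermitUserEnvironment yes'; do
        key=${want%% *}; expect=${want#* }
        got=$(sshd_effective "$f" "$key"); got=${got#* }
        if [ "$got" != "$expect" ]; then
            echo "$key: want '$expect', effective '${got:-unset}'"
            rc=1
        fi
    done
    return $rc
}

# The other two things asked for: is nscd running, and what does
# nsswitch.conf say once comments and blank lines are dropped?
nss_report() {
    if command -v systemctl >/dev/null 2>&1; then
        printf 'nscd: %s\n' "$(systemctl is-active nscd 2>/dev/null)"
    fi
    grep -v '^#' /etc/nsswitch.conf 2>/dev/null | grep -v '^[[:space:]]*$'
}

# Usage (as root): sh spankey_prereq.sh /etc/ssh/sshd_config
if [ $# -eq 1 ]; then
    check_sshd_config "$1" && echo "sshd_config: all three SpanKey directives in effect"
    nss_report
fi
```

On the CentOS 7 client in the thread, `sshd -T | grep -i authorizedkeys` is the authoritative cross-check, since it prints the configuration sshd itself resolved, Match blocks included; the script above is for the common case where the file was edited by hand and an earlier, forgotten line is shadowing the new one.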

Minh Chương Phạm Huỳnh

unread,
Aug 11, 2020, 10:37:47 PM8/11/20
to RCDevs Security Solutions - Technical
Hi all,
I have some updates: I set up a new environment, implemented "SpanKey SSH Key Management Quick Start", and it works now.
sudo -V
Sudo version 1.8.27

SpanKey sudoers policy plugin version 2.3.1
Copyright 2010-2020 RCDevs SA, All rights reserved.

Sudoers file grammar version 46
Sudoers I/O plugin version 2.3.1

sudo -l
User user1 may run the following commands on localhost:
    (ALL) ALL

[attachment: 1.png]

Last time I wanted to use a combination of "SpanKey SSH Key Management" and "PAM OpenOTP Plugin", and to see how it behaves if the client has a local user with the same name as in AD; now I will test "SpanKey SSH Key Management" only and try to combine them later.

Is there any documentation about "SpanKey SSH" and "Sudoers Policy Plugin" that I can read? Because this part of the document is too short.
Then, the rules coming from Spankey policies (global, user, and client policy) will be appended. So the priority order of the rules is:
  1. Client policy
  2. User policy
  3. Global policy
  4. Rules from the advanced section
How do I try 2 and 3? How can I design this:
- user1 can run the sudo command "sudo su" on host1.
- user2 can run the sudo command "sudo su" on host2.
Does the sudo file on the client not work with SpanKey SSH users?

mar...@rcdevs.com

unread,
Aug 12, 2020, 11:22:24 AM8/12/20
to RCDevs Security Solutions - Technical
Hello,

That's great it is working now.
In order to know how policies work in Webadm server, you may check the link below:

Regarding the sudo commands, the first option ("Sudo commands") is intended for basic usage. There you should put the command you want to be allowed for users under sudo.
If you want something more advanced, you should use the second option ("Sudo advanced"), this box uses the same syntax as sudoers linux file.

How do I try 2 and 3 ? How can I  design that :
- user1 can do sudo command "sudo su" on host1.
- user2 can do sudo command "sudo su" on host2.


For that, you have two options. You can use different client_id in host1 and host2, then create a client policy triggering each client_ID. Afterwards, you configure the authorized sudo users inside each policy (this option will become clearer after you read the link above).
Another option is to use sudoers' own resources. The sudoers file allows you to set a host for the permission.
Here is an example:
user1  host1=/sbin/tcpdump
user2  host2=/sbin/tcpdump

Same example without requiring a password:
user1  host1=(root)    NOPASSWD: /usr/bin/su
user2  host2=(root)    NOPASSWD: /usr/bin/su

Sudo file on client does not work with SpanKey SSH users ?

Yes, it works; however, if a user wants to use the Linux sudoers resources, they should execute the full sudo path.
Like this:
#sudo command --> use spankey permissions
#/usr/bin/sudo command --> use system's permission

Regards,
Marcus Duarte

phamhuynh...@gmail.com

unread,
Aug 13, 2020, 10:56:32 PM8/13/20
to RCDevs Security Solutions - Technical
Thank you for "how policies work in Webadm server" link.
I used the second option ("Sudo advanced") and it worked .
[attachment: 1.png]
ssh -i user1.pem us...@192.168.7.120
Enter passphrase for key 'user1.pem':
Could not chdir to home directory /home/user1: No such file or directory

Welcome, Spankey Tester

Session recording is enabled.
Audit logs recording is enabled.
Session lock idle time is 10 minutes.
Session's max duration is 60 minutes.

sudo su
[root@localhost /]#

secure.log
Aug 14 09:41:33 localhost sudo:   user1 : TTY=pts/2 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/su
Aug 14 09:41:33 localhost su: pam_unix(su:session): session opened for user root by (uid=0)

webadm.log
[Fri Aug 14 09:47:31.236626 2020] [192.168.7.120] [SpanKey:WWP32W5P] New spankeySudoers SOAP request
[Fri Aug 14 09:47:31.236691 2020] [192.168.7.120] [SpanKey:WWP32W5P] > Name: user1
[Fri Aug 14 09:47:31.236703 2020] [192.168.7.120] [SpanKey:WWP32W5P] > Client ID: SpanKey
[Fri Aug 14 09:47:31.236711 2020] [192.168.7.120] [SpanKey:WWP32W5P] > Source IP: 192.168.7.4
[Fri Aug 14 09:47:31.236791 2020] [192.168.7.120] [SpanKey:WWP32W5P] Registered spankeySudoers request
[Fri Aug 14 09:47:31.340383 2020] [192.168.7.120] [SpanKey:WWP32W5P] Resolved LDAP user: CN=user1,CN=Users,DC=xxxxxxx,DC=xxxxxxx
[Fri Aug 14 09:47:31.340675 2020] [192.168.7.120] [SpanKey:WWP32W5P] Found 2 user settings: SudoAdvanced=[28 Bytes]
[Fri Aug 14 09:47:31.340728 2020] [192.168.7.120] [SpanKey:WWP32W5P] Returning sudo configuration
[Fri Aug 14 09:47:31.340818 2020] [192.168.7.120] [SpanKey:WWP32W5P] Sent success response

However, the part "use Linux sudoers resources, it should execute the full sudo path" didn't work; on my client the sudoers file already has "user1    ALL=(ALL)       ALL".
ssh -i user1.pem us...@192.168.7.120
Enter passphrase for key 'user1.pem':
Could not chdir to home directory /home/user1: No such file or directory

Welcome, Spankey Tester

Session recording is enabled.
Audit logs recording is enabled.
Session lock idle time is 10 minutes.
Session's max duration is 60 minutes.

bash-4.2$ whereis sudo
sudo: /usr/bin/sudo /etc/sudo.conf /opt/spankey/libexec/usrbin/sudo /usr/share/man/man8/sudo.8.gz
bash-4.2$ /usr/bin/sudo su
[sudo] password for user1: (this should be the AD password, right?)
Sorry, try again.
[sudo] password for user1:
Sorry, try again.
[sudo] password for user1:
sudo: 2 incorrect password attempts

secure.log
Aug 14 09:51:54 localhost sudo: pam_unix(sudo:auth): conversation failed
Aug 14 09:51:54 localhost sudo: pam_unix(sudo:auth): auth could not identify password for [user1]
Aug 14 09:51:54 localhost sudo:   user1 : 2 incorrect password attempts ; TTY=pts/2 ; PWD=/ ; USER=root ; COMMAND=/bin/su

no webadm.log

mar...@rcdevs.com

unread,
Aug 14, 2020, 4:14:35 AM8/14/20
to RCDevs Security Solutions - Technical
Hello,

Sorry, in my previous comment I didn't tell you that, in order to use local sudoers with AD users, you have to configure it without a password.
Below one example:

user1   ALL=(ALL)       NOPASSWD: ALL

I saw you got the following message when you logged in:

Could not chdir to home directory /home/user1: No such file or directory

If you want to change that behaviour, you could configure that in spankey:



Best regards,
Marcus Duarte
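
The two sudoers points made in Marcus's replies above (host-scoped rules such as "user1 host1=(root) NOPASSWD: /usr/bin/su", and the need for NOPASSWD when an AD user runs /usr/bin/sudo against the local sudoers file) can be checked offline with the following added example, which is not from the thread and not RCDevs' code. It lists the rules in a plain sudoers file that apply to a given user on a given host and marks each as "password" or "nopasswd"; a "password" rule is exactly the case that produced "pam_unix(sudo:auth): auth could not identify password" in the thread, because the AD user has no local password for /usr/bin/sudo to check. It assumes one rule per line with a plain user name and a single host (no aliases, %group or user lists, no backslash continuations, no @include); anything beyond that is what visudo -cf and sudo -l -U are for.

```shell
#!/bin/sh
# Added example (not from the thread or RCDevs): which local sudoers rules
# apply to a user on a host, and whether each one still asks for a password.
# Assumptions: one rule per line, plain user name, single host spec, no
# aliases, no '\' continuations, no @include.

# Print "password<TAB>rule" or "nopasswd<TAB>rule" for every rule in file $3
# that applies to user $1 on host $2 (ALL matches either field).
sudoers_rules_for() {
    user=$1; host=$2; file=$3
    while IFS= read -r line; do
        case $line in
            ''|'#'*|Defaults*|*_Alias*) continue ;;
        esac
        set -- $line                 # word-split: $1 user spec, $2 host spec
        rule_user=$1
        rule_host=${2%%=*}           # "host1=(root)" -> "host1", "ALL=(ALL)" -> "ALL"
        [ "$rule_user" = "$user" ] || [ "$rule_user" = ALL ] || continue
        [ "$rule_host" = "$host" ] || [ "$rule_host" = ALL ] || continue
        case $line in
            *NOPASSWD:*) printf 'nopasswd\t%s\n' "$line" ;;
            *)           printf 'password\t%s\n' "$line" ;;
        esac
    done < "$file"
}

# 0: every applicable rule is NOPASSWD (usable by an AD user through
#    /usr/bin/sudo, as Marcus describes)
# 1: at least one applicable rule would prompt for a local password
# 2: no rule applies at all (sudo would refuse the user outright)
sudoers_all_nopasswd() {
    rules=$(sudoers_rules_for "$1" "$2" "$3")
    [ -n "$rules" ] || return 2
    printf '%s\n' "$rules" | grep -q '^password' && return 1
    return 0
}

# Usage (as root, so /etc/sudoers is readable):
#   sh sudoers_rules.sh user1 host1 /etc/sudoers
if [ $# -eq 3 ]; then
    sudoers_rules_for "$1" "$2" "$3"
    sudoers_all_nopasswd "$1" "$2" "$3"
    case $? in
        0) echo "all applicable rules are NOPASSWD" ;;
        1) echo "at least one applicable rule needs a local password" ;;
        2) echo "no rule applies to $1 on $2" ;;
    esac
fi
```

The host field is matched against the short hostname (what `hostname` prints on the client; sudo also accepts the FQDN when "fqdn" is set in Defaults), so "user1 host1=..." on a machine whose hostname is host2 simply never matches, which is what gives the per-host split asked for above. Remember the thread's distinction: the bare `sudo` on the client is /opt/spankey/libexec/usrbin/sudo and takes its rules from the WebADM policy, not from this file, so this check describes only the /usr/bin/sudo path.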

phamhuynh...@gmail.com

unread,
Aug 14, 2020, 4:52:47 AM8/14/20
to RCDevs Security Solutions - Technical
Thank you very much, I can  use local sudoers with AD users now.