sudoers file syntax error when running sudo commands
Summary: After configuring a role, you are unable to run sudo commands and are presented with a syntax error in the sudoers file.
Symptoms
When running a "sudo" command, it may fail on one or more nodes, for example:
cluster-1# isi_for_array -s sudo date
cluster-1: Fri Sep 12 16:58:29 CDT 2014
cluster-2: Fri Sep 12 16:58:30 CDT 2014
cluster-3: sudo: >>> /usr/local/etc/sudoers: syntax error near line 124 <<<
cluster-3: sudo: parse error in /usr/local/etc/sudoers near line 124
cluster-3: sudo: no valid sudoers sources found, quitting
cluster-3: sudo: unable to initialize policy plugin
Cause
This can occur for various reasons:
1. The user or group added to a role is unresolvable on affected nodes:
On the nodes that exhibit the issue, you may see that the user or group that was added is unresolvable:
cluster-1# isi_for_array -n3 'isi auth users view domain\\group'
cluster-3: Failed to find group for 'GROUP:domain\group': No such group
Because the user or group is unresolvable, the node cannot obtain a GID/UID to write into the sudoers file. Comparing the /usr/local/etc/sudoers file across nodes shows the difference:
cluster-1# isi_for_array -s "egrep -i 'user_alias.*newrole' /usr/local/etc/sudoers"
cluster-1: User_Alias NEWROLE = %#1000010
cluster-2: User_Alias NEWROLE = %#1000010
cluster-3: User_Alias NEWROLE =
Notice that the UID/GID has not been populated on cluster-3; an alias with no members is a syntax error.
2. The role that was created contains a hyphen in the name:
cluster-1# isi auth roles view test-role
Name: test-role
Description: -
Members: DOMAIN\user
Privileges
ID : ISI_PRIV_LOGIN_SSH
Read Only : True
ID : ISI_PRIV_AUTH
Read Only : False
cluster-1% sudo date
sudo: >>> /usr/local/etc/sudoers: syntax error near line 124 <<<
sudo: parse error in /usr/local/etc/sudoers near line 124
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin
In this example, line 124 of the file is the alias generated for the hyphenated role name:
cluster-1# grep -n '' /usr/local/etc/sudoers | grep ^124
124:User_Alias TEST-ROLE = #1000003
3. The user or group does not have an associated UID or GID.
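The two defects described above (an alias with an empty member list, and an alias name containing a hyphen) can both be spotted with a quick scan of the sudoers file before sudo refuses it. The following shell script is an added example, not part of the original article or of OneFS; the sudoers fragment it writes is constructed, and the alias names and UID/GID values in it are made up. It flags any User_Alias (or Runas/Host/Cmnd alias) line whose right-hand side is empty or whose name is not made of uppercase letters, digits and underscores, which is the alias-name rule sudoers enforces.

```shell
#!/bin/sh
# Added example: scan a sudoers file for the two alias defects described above.
# Not part of OneFS; the sample content below is constructed, not taken from a cluster.

# write_sample PATH: write a constructed sudoers fragment to PATH.
# Lines 3 and 4 reproduce the two failure modes from the article.
write_sample() {
  cat > "$1" <<'EOF'
Defaults env_reset
User_Alias ADMINS = %#1000001
User_Alias NEWROLE =
User_Alias TEST-ROLE = #1000003
User_Alias OPS = %#1000010, #1000003
ADMINS ALL=(ALL) ALL
EOF
}

# check_sudoers_aliases PATH: print "<line>:<reason>" for each defective alias.
# sudoers alias names must match [A-Z][A-Z0-9_]*, so a hyphen carried over from a
# role named "test-role" is a syntax error; an alias with no members (an
# unresolvable user/group, so no UID/GID was filled in) is also a syntax error.
check_sudoers_aliases() {
  awk '
    /^[ \t]*(User|Runas|Host|Cmnd)_Alias[ \t]/ {
      name = $2
      sub(/=.*/, "", name)              # handle "NAME=" written without spaces
      members = $0
      if (members !~ /=/) {
        printf "%d:missing = after alias %s\n", NR, name
        next
      }
      sub(/^[^=]*=/, "", members)       # keep only the right-hand side
      gsub(/^[ \t]+|[ \t]+$/, "", members)
      if (name !~ /^[A-Z][A-Z0-9_]*$/)
        printf "%d:invalid alias name %s (only A-Z, 0-9 and _ are allowed)\n", NR, name
      if (members == "")
        printf "%d:empty member list for alias %s\n", NR, name
    }' "$1"
}

# Stand-alone run: report defects in the constructed sample.
tmp=$(mktemp)
write_sample "$tmp"
check_sudoers_aliases "$tmp"
rm -f "$tmp"
```

On a node you would normally run `visudo -cf /usr/local/etc/sudoers`, which checks the file against the real sudoers grammar; the script above is an offline approximation that isolates the two causes this article describes, so it can be run against a copy of the file pulled from an affected node.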
Resolution
1. If nodes are unable to translate a user or group name to a UID/GID, add the user or group to the role by its UID/GID instead.
Remove the user or group name from the role configuration:
cluster-1# isi auth roles modify --role=newrole --remove-group=domain\\group
cluster-1# isi auth roles view newrole
Name: newrole
Description: -
Members: -
Privileges
ID : ISI_PRIV_LOGIN_SSH
Read Only : True
ID : ISI_PRIV_SMB
Read Only : False
Obtain the proper UID/GID for the user from a node that can perform the operation:
cluster-1# isi auth groups view domain\\group
Name: DOMAIN\group
DN: CN=group,CN=Users,DC=domain,DC=com
SID: S-1-5-21-463481935-3723234361-2963677383-1144
GID: 1000010
Domain: DOMAIN
Sam Account Name: group
Provider: lsa-activedirectory-provider:DOMAIN.COM
Generated GID: Yes
Apply the UID/GID rather than the group name:
cluster-1# isi auth roles modify --role=newrole --add-gid=1000010
cluster-1# isi auth roles view newrole
Name: newrole
Description: -
Members: DOMAIN\group
Privileges
ID : ISI_PRIV_LOGIN_SSH
Read Only : True
ID : ISI_PRIV_SMB
Read Only : False
Note: The same can be done for a user, replacing "add-gid" with "add-uid".
The sudoers file configuration should now reflect the UID/GID on every node:
cluster-1# isi_for_array -s "egrep -i 'alias.*newrole' /usr/local/etc/sudoers"
cluster-1: User_Alias NEWROLE = %#1000010
cluster-2: User_Alias NEWROLE = %#1000010
cluster-3: User_Alias NEWROLE = %#1000010
Also, sudo commands should work properly:
cluster-1# isi_for_array -s sudo date
cluster-1: Fri Sep 12 17:20:14 CDT 2014
cluster-2: Fri Sep 12 17:20:14 CDT 2014
cluster-3: Fri Sep 12 17:20:14 CDT 2014
2. If the role name contains a hyphen, rename the role so that it no longer does:
cluster-1# isi auth roles modify --role=test-role --name=test_role
Notice, there is no longer a syntax error:
cluster-1% sudo date
Password:
3. The sudoers file requires a UID or GID to identify users and groups; ensure that every user and group added to a role has an associated UID or GID.