Syntax error in the sudoers file when running sudo commands

Summary: After configuring a role, you cannot run sudo commands, and a syntax error is reported in the sudoers file.


Symptoms

When you run a sudo command, it may fail on one or more nodes, for example:

cluster-1# isi_for_array -s sudo date
cluster-1: Fri Sep 12 16:58:29 CDT 2014
cluster-2: Fri Sep 12 16:58:30 CDT 2014
cluster-3: sudo: >>> /usr/local/etc/sudoers: syntax error near line 124 <<<
cluster-3: sudo: parse error in /usr/local/etc/sudoers near line 124
cluster-3: sudo: no valid sudoers sources found, quitting
cluster-3: sudo: unable to initialize policy plugin

Cause

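This can happen for several reasons:

1. A user or group added to the role cannot be resolved on the affected node:

On the node that exhibits the issue, you may see that the added user or group cannot be resolved: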

cluster-1# isi_for_array -n3 'isi auth users view domain\\group'
cluster-3: Failed to find group for 'GROUP:domain\group': No such group

Because the user or group cannot be resolved, the node cannot populate its entry in the sudoers file. Check the /usr/local/etc/sudoers file:

cluster-1# isi_for_array -s "egrep -i 'user_alias.*newrole' /usr/local/etc/sudoers"
cluster-1: User_Alias NEWROLE = %#1000010
cluster-2: User_Alias NEWROLE = %#1000010
cluster-3: User_Alias NEWROLE =

Note that the UID/GID has not been populated, which causes the syntax error.

2. The created role contains a hyphen in its name:

cluster-1# isi auth roles view test-role                                                               
       Name: test-role
Description: -
    Members: DOMAIN\user
 Privileges
             ID : ISI_PRIV_LOGIN_SSH
      Read Only : True

             ID : ISI_PRIV_AUTH
      Read Only : False

cluster-1% sudo date
sudo: >>> /usr/local/etc/sudoers: syntax error near line 124 <<<
sudo: parse error in /usr/local/etc/sudoers near line 124
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin

For example, line 124 contains the following error:

cluster-1# grep -n '' /usr/local/etc/sudoers | grep ^124
124:User_Alias TEST-ROLE = #1000003

3. The user or group does not have an associated UID or GID.

Resolution

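1. If the node cannot translate the user or group name to a UID/GID, add the user or group by UID/GID instead.

Remove the user or group name from the role configuration: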

cluster-1# isi auth roles modify --role=newrole --remove-group=domain\\group
cluster-1# isi auth roles view newrole                                                          
       Name: newrole
Description: -
    Members: -
 Privileges
             ID : ISI_PRIV_LOGIN_SSH
      Read Only : True

             ID : ISI_PRIV_SMB
      Read Only : False


Get the correct UID/GID for the user or group from a node that can resolve it:

cluster-1# isi auth groups view domain\\group
            Name: DOMAIN\group
              DN: CN=group,CN=Users,DC=domain,DC=com
             SID: S-1-5-21-463481935-3723234361-2963677383-1144
             GID: 1000010
          Domain: DOMAIN
Sam Account Name: group
        Provider: lsa-activedirectory-provider:DOMAIN.COM
   Generated GID: Yes

Note: The same can be done for a user by replacing "groups" with "users", using the UID instead of the GID.

Apply the UID/GID instead of the group name:

cluster-1# isi auth roles modify --role=newrole --add-gid=1000010
cluster-1# isi auth roles view newrole                                                          
       Name: newrole
Description: -
    Members: DOMAIN\group
 Privileges
             ID : ISI_PRIV_LOGIN_SSH
      Read Only : True

             ID : ISI_PRIV_SMB
      Read Only : False

Note: The same can be done for a user by replacing "add-gid" with "add-uid".

The sudoers file configuration should now correctly reflect the UID/GID:

cluster-1# isi_for_array -s "egrep -i 'alias.*newrole' /usr/local/etc/sudoers"
cluster-1: User_Alias NEWROLE = %#1000010
cluster-2: User_Alias NEWROLE = %#1000010
cluster-3: User_Alias NEWROLE = %#1000010

In addition, the sudo command should now work correctly:

cluster-1# isi_for_array -s sudo date                                                      
cluster-1: Fri Sep 12 17:20:14 CDT 2014
cluster-2: Fri Sep 12 17:20:14 CDT 2014
cluster-3: Fri Sep 12 17:20:14 CDT 2014

2. Rename the role so that it does not contain "-".

Rename the role so that it does not contain a hyphen:

cluster-1# isi auth roles modify --role=test-role --name=test_role

Note that there is no longer a syntax error:

cluster-1% % sudo date
Password:

3. The sudoers file requires a UID or GID to identify users and groups. Make sure that every user and group has an associated UID or GID.
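
As an added example (not part of the original article or of OneFS tooling), the following shell function scans a sudoers-format file for the two User_Alias defects described above: an empty member list and an alias name that contains a character such as a hyphen. The function name check_user_aliases and the sample lines are constructed for illustration, and the check assumes one alias definition per line.

```shell
#!/bin/sh
# Added example, not from the article. check_user_aliases is a hypothetical helper.
# Assumes one alias definition per line, as in the sudoers lines shown above.

# Print "line:reason:text" for each defective User_Alias line in file $1.
# Returns 1 if anything was flagged, 0 otherwise.
check_user_aliases() {
    awk '
    /^[ \t]*User_Alias[ \t]/ {
        rest = $0
        sub(/^[ \t]*User_Alias[ \t]+/, "", rest)
        eq = index(rest, "=")
        if (eq == 0) { printf "%d:missing-equals:%s\n", NR, $0; bad = 1; next }
        name = substr(rest, 1, eq - 1)
        members = substr(rest, eq + 1)
        gsub(/[ \t]+/, "", name)
        gsub(/[ \t]+/, "", members)
        # sudoers alias names: an uppercase letter, then uppercase letters, digits, "_"
        if (name !~ /^[A-Z][A-Z0-9_]*$/) { printf "%d:invalid-alias-name:%s\n", NR, $0; bad = 1 }
        # an unresolved user or group leaves nothing after "="
        if (members == "") { printf "%d:empty-member-list:%s\n", NR, $0; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the three User_Alias forms that appear in the article.
run_sample() {
    sample=$(mktemp)
    printf '%s\n' \
        'User_Alias NEWROLE = %#1000010' \
        'User_Alias NEWROLE =' \
        'User_Alias TEST-ROLE = #1000003' > "$sample"
    check_user_aliases "$sample" || echo "defective User_Alias lines found"
    rm -f "$sample"
}

run_sample
```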

Affected Products

PowerScale OneFS
Article Properties
Article Number: 000102433
Article Type: Solution
Last Modified: 22 Dec 2025
Version:  5