sudoers file syntax error when running sudo commands
Zhrnutie: After configuring a role, you are unable to run sudo commands and are presented with a syntax error in the sudoers file.
Symptómy
When running a "sudo" command, it may fail on one or multiple nodes, for example:
cluster-1# isi_for_array -s sudo date
cluster-1: Fri Sep 12 16:58:29 CDT 2014
cluster-2: Fri Sep 12 16:58:30 CDT 2014
cluster-3: sudo: >>> /usr/local/etc/sudoers: syntax error near line 124 <<<
cluster-3: sudo: parse error in /usr/local/etc/sudoers near line 124
cluster-3: sudo: no valid sudoers sources found, quitting
cluster-3: sudo: unable to initialize policy pluginPríčina
This can occur for various reasons:
1. The user or group added to a role is unresolvable on affected nodes:
On the nodes that exhibit the issue, you may see that the user or group that was added, is unresolveable:
cluster-1# isi_for_array -n3 'isi auth users view domain\\group'
cluster-3: Failed to find group for 'GROUP:domain\group': No such groupAs the user or group is unresolvable, the node is unable to locate a GID/UID for the sudoers file, and looking at the /usr/local/etc/sudoers file:
cluster-1# isi_for_array -s "egrep -i 'user_alias.*newrole' /usr/local/etc/sudoers"
cluster-1: User_Alias NEWROLE = %#1000010
cluster-2: User_Alias NEWROLE = %#1000010
cluster-3: User_Alias NEWROLE =Notice that the UID/GID has not been populated, and this results in a syntactical error.
2. The role that was created contains a hyphen in the name:
cluster-1# isi auth roles view test-role
Name: test-role
Description: -
Members: DOMAIN\user
Privileges
ID : ISI_PRIV_LOGIN_SSH
Read Only : True
ID : ISI_PRIV_AUTH
Read Only : False
cluster-1% sudo date
sudo: >>> /usr/local/etc/sudoers: syntax error near line 124 <<<
sudo: parse error in /usr/local/etc/sudoers near line 124
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy pluginFor example, this error exists on line 124:
cluster-1# grep -n '' /usr/local/etc/sudoers | grep ^124
124:User_Alias TEST-ROLE = #10000033. The user or group does not have an associated UID or GID.
Riešenie
1. If nodes are unable to translate a user or group name to a UID/GID, we must add the user/group as specified by the UID/GID instead.
Remove the user or group name from the role configuration:
cluster-1# isi auth roles modify --role=newrole --remove-group=domain\\group
cluster-1# isi auth roles view newrole
Name: newrole
Description: -
Members: -
Privileges
ID : ISI_PRIV_LOGIN_SSH
Read Only : True
ID : ISI_PRIV_SMB
Read Only : False
Obtain the proper UID/GID for the user from a node that can perform the operation:
cluster-1# isi auth groups view domain\\group
Name: DOMAIN\group
DN: CN=group,CN=Users,DC=domain,DC=com
SID: S-1-5-21-463481935-3723234361-2963677383-1144
GID: 1000010
Domain: DOMAIN
Sam Account Name: group
Provider: lsa-activedirectory-provider:DOMAIN.COM
Generated GID: YesApply the UID/GID rather than the group name:
cluster-1# isi auth roles modify --role=newrole --add-gid=1000010
cluster-1# isi auth roles view newrole
Name: newrole
Description: -
Members: DOMAIN\group
Privileges
ID : ISI_PRIV_LOGIN_SSH
Read Only : True
ID : ISI_PRIV_SMB
Read Only : FalseNote: The same can be done for a user, replacing "add-gid" with "add-uid".
The sudoers file configuration should now properly reflect the uid/gid:
cluster-1# isi_for_array -s "egrep -i 'alias.*newrole' /usr/local/etc/sudoers"
cluster-1: User_Alias NEWROLE = %#1000010
cluster-2: User_Alias NEWROLE = %#1000010
cluster-3: User_Alias NEWROLE = %#1000010Also, sudo commands should work properly:
cluster-1# isi_for_array -s sudo date
cluster-1: Fri Sep 12 17:20:14 CDT 2014
cluster-2: Fri Sep 12 17:20:14 CDT 2014
cluster-3: Fri Sep 12 17:20:14 CDT 2014
2. Rename the role so that it does not contain a '-'.
Rename the role so that it does not contain a hyphen:
cluster-1# isi auth roles modify --role=test-role --name=test_role
Notice, there is no longer a syntax error:
cluster-1% % sudo date
Password:
3. The sudoers file requires a UID or GID to identify users and groups, assure that all users and groups have an associated UID or GID.