运行 sudo 命令时出现 sudoers 文件语法错误

运行 ”sudo命令，则可能会在一个或多个节点上失败，例如：

cluster-1# isi_for_array -s sudo date
cluster-1: Fri Sep 12 16:58:29 CDT 2014
cluster-2: Fri Sep 12 16:58:30 CDT 2014
cluster-3: sudo: >>> /usr/local/etc/sudoers: syntax error near line 124 <<<
cluster-3: sudo: parse error in /usr/local/etc/sudoers near line 124
cluster-3: sudo: no valid sudoers sources found, quitting
cluster-3: sudo: unable to initialize policy plugin

发生这种情况的原因有多种：
 

1.在受影响的节点上，无法解析添加到角色的用户或组：

在出现此问题的节点上，您可能会看到添加的用户或组无法解决：

cluster-1# isi_for_array -n3 'isi auth users view domain\\group'
cluster-3: Failed to find group for 'GROUP:domain\group': No such group

由于用户或组不可解析，因此节点无法找到 sudoers 文件，然后查看 /usr/local/etc/sudoers 文件中：

cluster-1# isi_for_array -s "egrep -i 'user_alias.*newrole' /usr/local/etc/sudoers"
cluster-1: User_Alias NEWROLE = %#1000010
cluster-2: User_Alias NEWROLE = %#1000010
cluster-3: User_Alias NEWROLE =

请注意，UID/GID 尚未填充，这会导致语法错误。
 

2.创建的角色在名称中包含连字符：

cluster-1# isi auth roles view test-role                                                               
       Name: test-role
Description: -
    Members: DOMAIN\user
 Privileges
             ID : ISI_PRIV_LOGIN_SSH
      Read Only : True

             ID : ISI_PRIV_AUTH
      Read Only : False

cluster-1% sudo date
sudo: >>> /usr/local/etc/sudoers: syntax error near line 124 <<<
sudo: parse error in /usr/local/etc/sudoers near line 124
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin

例如，第 124 行存在以下错误：

cluster-1# grep -n '' /usr/local/etc/sudoers | grep ^124
124:User_Alias TEST-ROLE = #1000003

 3.用户或组没有关联的 UID 或 GID。

1.如果节点无法将用户或组名称转换为 UID/GID，我们必须改为添加 UID/GID 指定的用户/组。

从角色配置中删除用户或组名称：

cluster-1# isi auth roles modify --role=newrole --remove-group=domain\\group
cluster-1# isi auth roles view newrole                                                          
       Name: newrole
Description: -
    Members: -
 Privileges
             ID : ISI_PRIV_LOGIN_SSH
      Read Only : True

             ID : ISI_PRIV_SMB
      Read Only : False

从可执行作的节点获取用户的正确 UID/GID：

cluster-1# isi auth groups view domain\\group
            Name: DOMAIN\group
              DN: CN=group,CN=Users,DC=domain,DC=com
             SID: S-1-5-21-463481935-3723234361-2963677383-1144
             GID: 1000010
          Domain: DOMAIN
Sam Account Name: group
        Provider: lsa-activedirectory-provider:DOMAIN.COM
   Generated GID: Yes

应用 UID/GID，而不是组名称：

cluster-1# isi auth roles modify --role=newrole --add-gid=1000010
cluster-1# isi auth roles view newrole                                                          
       Name: newrole
Description: -
    Members: DOMAIN\group
 Privileges
             ID : ISI_PRIV_LOGIN_SSH
      Read Only : True

             ID : ISI_PRIV_SMB
      Read Only : False

 提醒：也可以为用户执行相同的作，将“add-gid”替换为“add-uid”。

sudoers 文件配置现在应正确反映 uid/gid：

cluster-1# isi_for_array -s "egrep -i 'alias.*newrole' /usr/local/etc/sudoers"
cluster-1: User_Alias NEWROLE = %#1000010
cluster-2: User_Alias NEWROLE = %#1000010
cluster-3: User_Alias NEWROLE = %#1000010

此外，sudo 命令应该可以正常工作：

cluster-1# isi_for_array -s sudo date                                                      
cluster-1: Fri Sep 12 17:20:14 CDT 2014
cluster-2: Fri Sep 12 17:20:14 CDT 2014
cluster-3: Fri Sep 12 17:20:14 CDT 2014

2.重命名角色，使其不包含“-”。
 

重命名角色，使其不包含连字符：

cluster-1# isi auth roles modify --role=test-role --name=test_role

请注意，不再有语法错误：

cluster-1% % sudo date
Password:

3.sudoers 文件需要 UID 或 GID 来标识用户和组，确保所有用户和组都有关联的 UID 或 GID。