ISSUE: Updating the sudoers file with the isi_visudo command appears to save successfully, but sudo commands run as the affected user then fail silently or report an error. For example:

    vl8220-1# isi_run -l Bill sudo isi auth status
    Password:
    Sorry, user Bill is not allowed to execute '/usr/bin/isi auth status' as root on vl8220-1.

or:

    <user> is not in the sudoers file. This incident will be reported.

CAUSE: isi_visudo stores the edit, but the sudoers file is regenerated by the MCP script /etc/mcp/scripts/sudoers.py, which writes a sudoers user alias for each role-based access control (RBAC) role from the numeric IDs of the role's members (groups are emitted as %#<gid>). When a role contains a group that has no GID, the script raises an exception and aborts while writing the role aliases, so the regenerated file is incomplete and the saved change never takes effect. Verify that the following error is present on the node where the command was run. For example:

    vl8220-1# grep "sudoers.py.* does not have a gid defined" /var/log/messages
    2021-03-19T07:35:00-06:00 <1.3> vl8220-1 sudoers.py: Traceback (most recent call last):
      File "/etc/mcp/scripts/sudoers.py", line 227, in <module>
        exitcode = main()
      File "/etc/mcp/scripts/sudoers.py", line 203, in main
        os.write(out_fd, get_role_user_alias_line(role, names.get(role.name, "")))
      File "/etc/mcp/scripts/sudoers.py", line 70, in get_role_user_alias_line
        member_ids = map(get_member_id, role.members)
      File "/etc/mcp/scripts/sudoers.py", line 55, in get_member_id
        return '%#' + str(grp.gid)
    Error: EXAMPLE\superna does not have a gid defined

The group named in the error has no GID defined and is a member of an RBAC role. Verify the group by running:

    # isi auth groups view <domain>\\<group name>

For example:

    vl8220-1# isi auth groups view example\\superna
                 Name: EXAMPLE\superna
                   DN: CN=superna,CN=Users,DC=example,DC=com
                  SID: S-1-5-21-2171369398-269580091-234124463-1134
                  GID: EXAMPLE\superna    <<<--- no numeric GID; in this case because Allocate GIDs is turned off on the Active Directory provider
               Domain: EXAMPLE
     Sam Account Name: superna
             Provider: lsa-activedirectory-provider:EXAMPLE.COM
        Generated GID: -

If no GID is defined, check whether Allocate GIDs is set to "No" on the Active Directory provider:

    # isi auth ads view <domain.com> -v | grep GID

For example:

    vl8220-1# isi auth ads view example.com -v | grep GID
        Allocate GIDs: No

RESOLUTION: Based on the desired configuration, give the group a GID by one of the following methods.

1. Set Allocate GIDs to "Yes" for the Active Directory provider, so that OneFS allocates a GID for every AD group it resolves. For example:

    vl8220-1# isi auth ads modify example.com --allocate-gids=yes
    vl8220-1# isi auth ads view example.com -v | grep GID
        Allocate GIDs: Yes

2. Use RFC 2307 with Active Directory to define UNIX attributes (including gidNumber) for all domain users and groups.

3. If the group already has a GID defined in another authentication provider, add that provider to the System access zone, then verify that isi auth groups view <group name> shows the expected GID. If it does, move to verification. In the example below the GID is configured in the LDAP provider, but LDAP must first be added as an authentication provider in the System access zone:

    vl8220-1# isi auth groups view example\\superna
                 Name: EXAMPLE\superna
                   DN: CN=superna,CN=Users,DC=example,DC=com
                  SID: S-1-5-21-2171369398-269580091-234124463-1134
                  GID: EXAMPLE\superna
               Domain: EXAMPLE
     Sam Account Name: superna
             Provider: lsa-activedirectory-provider:EXAMPLE.COM
        Generated GID: -
    vl8220-1# isi zone zones modify System --add-auth-providers=lsa-ldap-provider:example-ldap
    vl8220-1# isi auth groups view example\\superna
                 Name: EXAMPLE\superna
                   DN: CN=superna,CN=Users,DC=example,DC=com
                  SID: S-1-5-21-2171369398-269580091-234124463-1134
                  GID: 12345678
               Domain: EXAMPLE
     Sam Account Name: superna
             Provider: lsa-activedirectory-provider:EXAMPLE.COM
        Generated GID: No

4. Create an explicit mapping rule from the group's SID to a GID. This is the narrowest fix, because it affects only the problematic group and leaves the provider configuration unchanged. For example:

    vl8220-1# isi auth mapping create --2way --source-sid S-1-5-21-2171369398-269580091-234124463-1134 --target-gid 12345678
    vl8220-1# isi auth groups view example\\superna
                 Name: EXAMPLE\superna
                   DN: CN=superna,CN=Users,DC=example,DC=com
                  SID: S-1-5-21-2171369398-269580091-234124463-1134
          >>>>>   GID: 12345678   <<<<<
               Domain: EXAMPLE
     Sam Account Name: superna
             Provider: lsa-activedirectory-provider:EXAMPLE.COM
        Generated GID: Yes

Whichever method is used, choose a GID that is not already assigned to another group in any provider of the zone; two groups sharing a numeric GID are indistinguishable to POSIX-mode permission checks.

VERIFICATION: Run isi_visudo again and save the file so that the sudoers file is regenerated and the changes propagate. Then verify that the sudo commands work as expected (for example by repeating the isi_run command above) and that the sudoers.py traceback no longer appears in /var/log/messages.
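The following POSIX sh helper is an added example, not Dell's code or part of OneFS: it automates the two checks above, pulling the offending group name out of the sudoers.py error in /var/log/messages and deciding whether the GID field of an isi auth groups view listing (or the Allocate GIDs field of an isi auth ads view listing) is usable. All inputs are constructed samples modelled on the article's output, so it runs offline; on a node you would pipe the real command output into the same functions as the comments show.

```sh
#!/bin/sh
# Added example (not Dell's code): offline triage helper for the
# "does not have a gid defined" failure of /etc/mcp/scripts/sudoers.py.
# On a node you would feed real output in, e.g.
#   grep 'sudoers.py.* does not have a gid defined' /var/log/messages | groups_missing_gid
#   isi auth groups view 'EXAMPLE\superna' | check_group_gid
#   isi auth ads view example.com -v | ads_allocates_gids
# The inputs below are constructed samples modelled on the article.

# Constructed /var/log/messages excerpt.
SAMPLE_LOG='2021-03-19T07:35:00-06:00 <1.3> vl8220-1 sudoers.py: Traceback (most recent call last):
2021-03-19T07:35:00-06:00 <1.3> vl8220-1 sudoers.py:   File "/etc/mcp/scripts/sudoers.py", line 55, in get_member_id
2021-03-19T07:35:00-06:00 <1.3> vl8220-1 sudoers.py: Error: EXAMPLE\superna does not have a gid defined'

# Constructed "isi auth groups view" output in the failing state (no numeric GID).
SAMPLE_VIEW_NOGID='             Name: EXAMPLE\superna
               DN: CN=superna,CN=Users,DC=example,DC=com
              SID: S-1-5-21-2171369398-269580091-234124463-1134
              GID: EXAMPLE\superna
           Domain: EXAMPLE
 Sam Account Name: superna
         Provider: lsa-activedirectory-provider:EXAMPLE.COM
    Generated GID: -'

# Constructed output after a SID-to-GID mapping exists (the fixed state).
SAMPLE_VIEW_GID='             Name: EXAMPLE\superna
              SID: S-1-5-21-2171369398-269580091-234124463-1134
              GID: 12345678
    Generated GID: Yes'

# Constructed "isi auth ads view example.com -v | grep GID" output.
SAMPLE_ADS_NO='    Allocate GIDs: No'

# Print every distinct group named in a sudoers.py "does not have a gid defined" error.
groups_missing_gid() {
    sed -n 's/.*sudoers\.py: Error: \(.*\) does not have a gid defined.*/\1/p' | sort -u
}

# Print the value of the GID field from "isi auth groups view" output (empty if absent).
# "Generated GID:" does not match because the pattern is anchored at "GID:".
gid_from_view() {
    sed -n 's/^[[:space:]]*GID:[[:space:]]*//p' | head -n 1
}

# A usable GID is a non-empty string of digits; "EXAMPLE\superna" or "-" is not.
is_numeric_gid() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Exit 0 if the group view on stdin carries a numeric GID, 1 otherwise.
# The %#<gid> form is what sudoers.py emits for a group member of a role.
check_group_gid() {
    gid=$(gid_from_view)
    if is_numeric_gid "$gid"; then
        printf 'GID %s defined: sudoers.py can emit this group as %%#%s\n' "$gid" "$gid"
        return 0
    fi
    printf 'no numeric GID (field reads "%s"): sudoers.py will abort here\n' "${gid:-<missing>}"
    return 1
}

# Exit 0 if the AD provider view on stdin shows "Allocate GIDs: Yes", 1 otherwise.
ads_allocates_gids() {
    sed -n 's/^[[:space:]]*Allocate GIDs:[[:space:]]*//p' | grep -q '^Yes'
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_LOG" | groups_missing_gid
printf '%s\n' "$SAMPLE_VIEW_NOGID" | check_group_gid || true
printf '%s\n' "$SAMPLE_VIEW_GID" | check_group_gid
printf '%s\n' "$SAMPLE_ADS_NO" | ads_allocates_gids || echo 'Allocate GIDs is off on the AD provider'
```

The GID check deliberately treats anything that is not a pure digit string as missing: OneFS prints the group's own name in the GID field when no ID exists, so a test for an empty field would pass the failing state.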