Submitted by factoryfouroh on Tue, 02/05/2019 - 12:27
I just spent two days trying to understand what is going on with the sudo user. I installed Cloudmin on GCE, AWS, and Linode with the same results. Can anyone explain why this is? The sudo user needs nearly all groups added - maybe a few like audio could be skipped, but adding sudo is not enough. When I add ALL the groups it works, but I do not want to add all the groups.
Any way to make the sudo user able to log into Cloudmin on Debian 9, so I can stop using root?
Status:
Closed (works as designed)
Comments
Submitted by JamieCameron on Wed, 02/06/2019 - 00:19 Comment #1
Cloudmin will allow a sudo user to login, but only if they have permissions to run all commands.
If you SSH in as that user and run sudo -l -S, what does it output?
Submitted by factoryfouroh on Wed, 02/06/2019 - 06:56 Comment #2
I am so embarrassed, I keep missing the obvious:
secureadm---sudo__tmp@zonemaster:~$ sudo -l -S
Matching Defaults entries for secureadm---sudo__tmp on zonemaster:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User secureadm---sudo__tmp may run the following commands on zonemaster:
(ALL : ALL) ALL
This one logged me into Cloudmin but none of the Webmin modules have access... and that was my clue: Webmin logins are connected to LDAP: LDAP Users and Groups and LDAP Client are all configured. When I create the user via the shell, the user or its groups do not make it into LDAP; when I create it from Webmin via the standard Users and Groups, the user makes it into LDAP users - but sudo is not assigned... so on and on, it all depends on how the user was created.
This is becoming really complex, so sorry about the confusion. Now I know to create all new users via the Webmin Users first so they make it into LDAP... then update the UNIX db by hand, as needed. This is how I defined the search order in the LDAP Client:
Services Using LDAP
Service Data sources
Unix users ................ NIS & Files, LDAP
Unix groups ............... NIS & Files, LDAP
Unix shadow passwords ..... NIS & Files, LDAP
Unix group passwords ...... Files, LDAP
Host addresses ............ Files, DNS, LDAP
Network addresses ......... Files, LDAP
Network protocols ......... DB Files, Files, LDAP
Network services .......... DB Files, Files, LDAP
Ethernet addresses ........ DB Files, Files, LDAP
RPC programs .............. DB Files, Files, LDAP
Netgroups ................. NIS, LDAP
I need to test each case and see what to adjust by hand. And for the Cloudmin service clients I might need to bump LDAP before NIS & Files... Thank you for replying!
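The condition Jamie describes in Comment #1 (the sudo user must be allowed to run all commands) can be checked against a sudo -l listing like the one pasted above. The following is an added example, not code from the thread or from Cloudmin; the listings it parses are constructed samples modelled on the one in Comment #2, and the match pattern is an assumption about the grant forms sudo -l prints.

```shell
#!/bin/sh
# Added example: decide whether a "sudo -l" listing contains an unrestricted
# grant such as "(ALL : ALL) ALL" or "(ALL) NOPASSWD: ALL". Anything narrower
# (specific commands, a specific runas user) does not qualify.

# Constructed sample modelled on the listing in Comment #2.
SAMPLE_ALL='Matching Defaults entries for secureadm on zonemaster:
    env_reset, mail_badpass
User secureadm may run the following commands on zonemaster:
    (ALL : ALL) ALL'

# Constructed sample of a limited grant that should be rejected.
SAMPLE_LIMITED='User backup may run the following commands on zonemaster:
    (root) /usr/bin/rsync, (root) NOPASSWD: /bin/systemctl restart apache2'

# has_full_sudo LISTING -> exit status 0 when an unrestricted grant is present.
# Only lines after the "may run the following commands" header are inspected,
# so the Defaults section cannot produce a false match.
has_full_sudo() {
    printf '%s\n' "$1" | awk '
        BEGIN { ok = 0 }
        /may run the following commands/ { insec = 1; next }
        insec {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            # runas spec "(ALL)" or "(ALL : ALL)", optional NOPASSWD tag, then ALL
            if (line ~ /^\(ALL([[:space:]]*:[[:space:]]*ALL)?\)[[:space:]]+(NOPASSWD:[[:space:]]*)?ALL[[:space:]]*$/)
                ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# Stand-alone run: report both constructed samples.
if has_full_sudo "$SAMPLE_ALL"; then echo "sample 1: unrestricted sudo"; else echo "sample 1: limited"; fi
if has_full_sudo "$SAMPLE_LIMITED"; then echo "sample 2: unrestricted sudo"; else echo "sample 2: limited"; fi
```

On a live host the listing would come from sudo -l -S for the user in question, piped into has_full_sudo in place of the constructed samples.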
Submitted by JamieCameron on Thu, 02/07/2019 - 00:03 Comment #3
Ok, so is it all working now?
Submitted by factoryfouroh on Thu, 02/07/2019 - 07:35 Comment #4
I am going to close this and open another with the proper focus. This is resolved, as my creating logins inconsistently was the problem.
Thank you!