On Tuesday, December 3, 2019, Ivan Apolonio
<ivan(a)apolonio.com.br> wrote:
This line shuts off logging; it is worth commenting it out during the check. Plus, do you
have an #includedir setting in your /etc/sudoers file?
The vdsm.log snippet seems later than the error in the engine.log, could
you provide one covering the failing attempt?
Hello, Amit.
It looks like commenting out that last line (Defaults:vdsm !syslog) did the trick to help
identify the problem. According to the /var/log/secure log file, the vdsm uid is being blocked
from using sudo due to PAM requirements:
Dec 4 10:53:36 Rosinha sudo: pam_unix(sudo:auth): authentication failure; logname=root uid=36 euid=0 tty=/dev/pts/0 ruser=vdsm rhost= user=vdsm
Dec 4 10:53:36 Rosinha sudo: pam_succeed_if(sudo:auth): requirement "uid >= 1000" not met by user "vdsm"
Dec 4 10:58:38 Rosinha sudo: pam_unix(sudo:auth): conversation failed
Dec 4 10:58:38 Rosinha sudo: pam_unix(sudo:auth): auth could not identify password for [vdsm]
Dec 4 10:58:38 Rosinha sudo: pam_succeed_if(sudo:auth): requirement "uid >= 1000" not met by user "vdsm"
This "uid >= 1000" requirement is the CentOS 7 default. What is the best way
to work around it? I'm asking because if I just comment out this rule in the PAM
configuration files, it is going to allow other system users to sudo, which would lead to
security issues.
Thanks,
Ivan
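
The diagnosis in the message above, as an added example that is not part of the original thread: a Python sketch that reads sudo PAM entries in the /var/log/secure format quoted above and reports which accounts were rejected by a pam_succeed_if requirement, as opposed to an ordinary failed authentication. The function name and the final "alice" log line are assumptions constructed for illustration; the other sample lines are the ones quoted in the message.

```python
import re
from collections import defaultdict

# Sample input: the five lines quoted in the message, plus one constructed
# line ("alice") showing a plain auth failure with no unmet requirement.
SAMPLE_LOG = """\
Dec 4 10:53:36 Rosinha sudo: pam_unix(sudo:auth): authentication failure; logname=root uid=36 euid=0 tty=/dev/pts/0 ruser=vdsm rhost= user=vdsm
Dec 4 10:53:36 Rosinha sudo: pam_succeed_if(sudo:auth): requirement "uid >= 1000" not met by user "vdsm"
Dec 4 10:58:38 Rosinha sudo: pam_unix(sudo:auth): conversation failed
Dec 4 10:58:38 Rosinha sudo: pam_unix(sudo:auth): auth could not identify password for [vdsm]
Dec 4 10:58:38 Rosinha sudo: pam_succeed_if(sudo:auth): requirement "uid >= 1000" not met by user "vdsm"
Dec 4 11:02:10 Rosinha sudo: pam_unix(sudo:auth): authentication failure; logname=alice uid=1001 euid=0 tty=/dev/pts/1 ruser=alice rhost= user=alice
"""

# Syslog prefix, then "pam_<module>(sudo:auth): <message>".
PAM_LINE = re.compile(
    r'^\w{3}\s+\d+\s+[\d:]{8}\s+\S+\s+sudo(?:\[\d+\])?:\s+'
    r'(?P<module>pam_\w+)\(sudo:auth\):\s+(?P<msg>.*)$')
UNMET = re.compile(
    r'requirement "(?P<req>[^"]+)" not met by user "(?P<user>[^"]+)"')
# \buid= does not match inside "euid=", so this picks the invoking uid.
UNIX_FAIL = re.compile(
    r'authentication failure;.*?\buid=(?P<uid>\d+)\b.*?\bruser=(?P<ruser>\S+)')


def requirement_denials(log_text):
    """Return sorted (user, uid, requirement, count) tuples for sudo auth
    attempts rejected by a pam_succeed_if requirement. uid comes from the
    pam_unix failure line for the same user, or is None if none was seen."""
    uids = {}
    denials = defaultdict(int)
    for line in log_text.splitlines():
        m = PAM_LINE.match(line)
        if not m:
            continue
        if m.group("module") == "pam_unix":
            fail = UNIX_FAIL.search(m.group("msg"))
            if fail:
                uids[fail.group("ruser")] = int(fail.group("uid"))
        elif m.group("module") == "pam_succeed_if":
            unmet = UNMET.search(m.group("msg"))
            if unmet:
                denials[(unmet.group("user"), unmet.group("req"))] += 1
    return sorted((user, uids.get(user), req, count)
                  for (user, req), count in denials.items())


if __name__ == "__main__":
    for user, uid, req, count in requirement_denials(SAMPLE_LOG):
        print(f"{user} (uid {uid}): {count} sudo attempt(s) rejected by {req!r}")
```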