Fixing syntax errors in the access & alias configuration files
The following errors may be discovered using the syntax checker.
Empty definitions
Add members to the @admin_team alias in the alias file or comment it out.
Incorrect number of fields
Replace:
By:
Non-resolving aliases
Check that the @acme_db alias is present in the alias file and that it has members.
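As an added example (not code from SUDO Controls or its author), the awk-based checker below flags the three conditions described above in an alias file. The file format it assumes is stated in the comments and is not confirmed by the page; adjust the separator and patterns to match your own files.

```shell
# Added example, not part of SUDO Controls: a minimal syntax checker for an
# alias file, reporting the three error classes named above. ASSUMED format
# (not confirmed by the page): one definition per line, "@name:m1,m2,...",
# a member starting with '@' refers to another alias, '#' starts a comment.

# check_alias_file FILE: prints one line per problem and returns the number
# of problems found (0 = clean), so the exit status can gate a deployment.
check_alias_file() {
    awk '
    BEGIN { FS = ":"; errors = 0 }
    /^[[:space:]]*(#|$)/ { next }                   # blank line or comment
    NF != 2 {                                       # must be name:members
        printf "line %d: incorrect number of fields (%d)\n", NR, NF
        errors++; next
    }
    $1 !~ /^@[A-Za-z0-9_]+$/ {
        printf "line %d: invalid alias name \"%s\"\n", NR, $1
        errors++; next
    }
    {
        defined[$1] = 1
        if ($2 ~ /^[[:space:]]*$/) {                # "@name:" with no members
            printf "line %d: empty definition for %s\n", NR, $1
            errors++; next
        }
        n = split($2, member, ",")
        for (i = 1; i <= n; i++)
            if (member[i] ~ /^@/) referenced[member[i]] = NR
    }
    END {
        # an alias used as a member but never defined does not resolve
        for (r in referenced)
            if (!(r in defined)) {
                printf "line %d: non-resolving alias %s\n", referenced[r], r
                errors++
            }
        exit errors
    }' "$1"
}

# write_sample_alias_file FILE: constructed sample with one instance of each
# error class (lines 3, 4 and the @acme_db reference) plus valid entries.
write_sample_alias_file() {
    printf '%s\n' '# constructed sample, not a real configuration' \
        '@dba_team:alice,bob' '@admin_team:' '@web_hosts:www1:www2' \
        '@all_dbs:@acme_db,@dba_team' > "$1"
}
```

Run `check_alias_file /path/to/alias` against your real file; a non-zero exit status means at least one problem was printed.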
Common copy/update errors
This is a non-exhaustive list of potential update problems.
WARN: [10503]: could not lookup host host1, skipping
The client system's name does not resolve correctly (via DNS or locally on the SUDO master). Make sure you add all possible domains to the search list in /etc/resolv.conf, since SUDO Controls may also use short host names:
WARN: failed to transfer ./manage_sudo.sh to host1:/etc/sudo_controls/holding
The SFTP copy of the file to the client failed. This can be due to:
- ownership/permission errors on the files/parent directory on the target (see FAQ: DAC considerations)
- filesystem/network problems
- SSH related errors
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
This warning indicates that the client's host key has been changed or updated since the last time you logged on to the system. Host keys are cached in the known_hosts file on the source host (the host you are connecting from). To troubleshoot the problem, first connect manually to the problematic host to get the full warning message:
Then remove the offending fingerprint from your local known_hosts file (deleting the corresponding line completely). Alternatively, you can use the SSH host key discovery feature to refresh your known_hosts file.
sudo: sorry, a password is required to run sudo
This error indicates that SUDO Controls is not allowed to execute its operations with super-user privileges. Most likely the default SUDO rules for SUDO Controls are missing from the SUDO configuration (see: Configuring a client host).
sudo: sorry, you must have a tty to run sudo
This error is most likely caused by one of the following:
a. Missing SUDO rules for SUDO Controls on the client host. If SUDO Controls cannot execute an apply or update as user root, sudo will try to prompt for a password. Since the apply/update job is running in the background, no terminal (tty) can be opened for it. Check the SUDO rules on the client host, fix them and try again.
b. requiretty being set in your sudoers file(s):
Disable it by:
Or by removing the requiretty line altogether.
ERROR: authentication refused: bad ownership or modes for directory
This probably indicates that the /etc or / directory has the wrong ownership or permissions. Fix with:
If this does not fix the problem, run the affected sshd in debug mode and check the log files for more information.
manage_sudo.sh hangs on background jobs when syncing or updating clients
The script divides its operations into batches of clients ($MAX_BACKGROUND_JOBS) and waits for all of its current background jobs to finish before starting a new batch of clients. You may see a hanging job if no output is generated for a longer while:
A background job could be hanging on a password prompt, for example. In such a case you should kill the client copy/update job on the SUDO master:
Identify the hanging job based on the timestamp (should be older):
And kill the job:
Fix the problem and re-try your operation.