<html><head></head><body><div style="color:#000; background-color:#fff; font-family:verdana, helvetica, sans-serif;font-size:16px"><div id="yui_3_16_0_ym19_1_1483959579634_4162" dir="ltr">All,1.8.19-1 from Debian does not appear to work too.</div><div dir="ltr" id="yui_3_16_0_ym19_1_1483959579634_4236"> </div><div dir="ltr" id="yui_3_16_0_ym19_1_1483959579634_4268">James </div><div class="qtdSeparateBR" id="yui_3_16_0_ym19_1_1483959579634_4293"> </div><div class="yahoo_quoted" id="yui_3_16_0_ym19_1_1483959579634_4297" style="display: block;"> <div style="font-family: verdana, helvetica, sans-serif; font-size: 16px;" id="yui_3_16_0_ym19_1_1483959579634_4296"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif; font-size: 16px;" id="yui_3_16_0_ym19_1_1483959579634_4295"> <div dir="ltr" id="yui_3_16_0_ym19_1_1483959579634_4294"> <hr size="1"> From: Lukas Slebodnik <lslebodn@redhat.com> To: James Harrison <jamesaharrisonuk@yahoo.co.uk> Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com> Sent: Saturday, 7 January 2017, 15:34 Subject: Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1 </div> <div class="y_msg_container" id="yui_3_16_0_ym19_1_1483959579634_4301"> On (06/01/17 17:15), James Harrison wrote: >Any ideas? > From: James Harrison <<a shape="rect" ymailto="mailto:jamesaharrisonuk@yahoo.co.uk" href="mailto:jamesaharrisonuk@yahoo.co.uk">jamesaharrisonuk@yahoo.co.uk</a>> > To: "<a shape="rect" ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>" <<a shape="rect" ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>> > Sent: Thursday, 5 January 2017, 13:36 > Subject: FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1 > >Hi all,I having problems with a FreeIPA client running Ububtu Xenial. >I can authenticate OK, I get a kerberos ticket, but cannot run sudo. >I get 1 rule returned, which I expect. >Many thanks,James Harrison > > >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [<a shape="rect" ymailto="mailto:x_james.harrison@domain.com" href="mailto:x_james.harrison@domain.com">x_james.harrison@domain.com</a>] >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [x_james.harrison] from [domain.com] >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1c11d70 >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*))(&(dataExpireTimestamp<=1483618197)))] >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*)))] >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [<a shape="rect" ymailto="mailto:x_james.harrison@domain.com" href="mailto:x_james.harrison@domain.com">x_james.harrison@domain.com</a>] >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1c0e770][18] > Yes, 1 rule was returned for user x_james.harrison. Can you see something in output of "sudo -l" >==> sssd/sssd_pam.log <== >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [get_client_cred] (0x4000): Client creds: euid[0] egid[1082600012] pid[5470]. >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2466e50][19] >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [accept_fd_handler] (0x0400): Client connected! >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2466e50][19] >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3]. >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3]. >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2466e50][19] > >==> auth.log <== >Jan 5 12:10:17 pul-lp-sql-00 sudo: pam_unix(sudo:auth): authentication failure; logname=x_james.harrison uid=1082600012 euid=0 tty=/dev/pts/1 ruser=x_james.harrison rhost= user=x_james.harrison > I do not understand a reason why there is a failure in auth.log; because there isn't sssd_pam.log @see above. >==> sssd/sssd_pam.log <== >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2466e50][19] >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'x_james.harrison' matched without domain, user is x_james.harrison >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: not set >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): user: x_james.harrison >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: x_james.harrison >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 5470 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: x_james.harrison >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/domain.com/x_james.harrison] >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_initgr_check_timeout] (0x4000): User [x_james.harrison] not found in PAM cache. >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x410090:3:<a shape="rect" ymailto="mailto:x_james.harrison@domain.com" href="mailto:x_james.harrison@domain.com">x_james.harrison@domain.com</a>] >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [domain.com][0x3][BE_REQ_INITGROUPS][1][name=x_james.harrison] >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x2469f20 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x410090:3:<a shape="rect" ymailto="mailto:x_james.harrison@domain.com" href="mailto:x_james.harrison@domain.com">x_james.harrison@domain.com</a>] >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x2469f20 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x2467e60 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching. >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [<a shape="rect" ymailto="mailto:x_james.harrison@domain.com" href="mailto:x_james.harrison@domain.com">x_james.harrison@domain.com</a>] >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [<a shape="rect" ymailto="mailto:x_james.harrison@domain.com" href="mailto:x_james.harrison@domain.com">x_james.harrison@domain.com</a>] >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [x_james.harrison] added to PAM initgroup cache >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data: >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: domain.com >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): user: x_james.harrison >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: x_james.harrison >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 5470 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: x_james.harrison >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x2470c00 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x410090:3:<a shape="rect" ymailto="mailto:x_james.harrison@domain.com" href="mailto:x_james.harrison@domain.com">x_james.harrison@domain.com</a>] > >==> syslog <== >Jan 5 12:10:17 pul-lp-sql-00 kernel: [ 1272.582518] audit: type=1400 audit(1483618217.180:43): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/run/systemd/users/1082600012" pid=5570 comm="krb5_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 > >==> sssd/sssd_pam.log <== >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x2470c00 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x2467e60 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching. >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][domain.com] Authentication was succesfull for sudo service. >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success. >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success. >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 84 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2466e50][19] > >==> auth.log <== >Jan 5 12:10:17 pul-lp-sql-00 sudo: pam_sss(sudo:auth): authentication success; logname=x_james.harrison uid=1082600012 euid=0 tty=/dev/pts/1 ruser=x_james.harrison rhost= user=x_james.harrison > >==> sssd/sssd_pam.log <== >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2466e50][19] >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering pam_cmd_acct_mgmt >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'x_james.harrison' matched without domain, user is x_james.harrison >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: not set >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): user: x_james.harrison >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: x_james.harrison >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 5470 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: x_james.harrison >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/domain.com/x_james.harrison] >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_initgr_check_timeout] (0x2000): User [x_james.harrison] found in PAM cache. >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [<a shape="rect" ymailto="mailto:x_james.harrison@domain.com" href="mailto:x_james.harrison@domain.com">x_james.harrison@domain.com</a>] >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [<a shape="rect" ymailto="mailto:x_james.harrison@domain.com" href="mailto:x_james.harrison@domain.com">x_james.harrison@domain.com</a>] >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data: >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: domain.com >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): user: x_james.harrison >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: x_james.harrison >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 5470 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: x_james.harrison >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x246dd70 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x246dd70 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x2467e60 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching. >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][domain.com] Authorisation was successful for sudo<div class="yqt4465783299" id="yqtfd30696"> >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success. >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 35 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2466e50][19] > >==> auth.log <== >Jan 5 12:10:17 pul-lp-sql-00 sudo: x_james.harrison : user NOT authorized on host ; TTY=pts/1 ; PWD=/home/x_james.harrison ; USER=root ; COMMAND=/bin/bash</div> > auth.log says something different the sssd_pam.log I suspect some problem with sudo itself. <a shape="rect" href="https://www.redhat.com/archives/freeipa-users/2016-August/msg00489.html" target="_blank">https://www.redhat.com/archives/freeipa-users/2016-August/msg00489.html</a> And here is importnatn message from the mail: >unfortunately sudo 1.8.16 introduced a bug in sssd plugin. 1.8.16 contains > a new option called netgroup_tuple, which tells whether a full netgroup > tuply is check or only the host/user part in host/user check. However, > the patch didn't make the sssd plugin to obey this option and it always > check both hostname and username. > >It is fixed in 1.8.17 by this patch: ><a shape="rect" href="https://www.sudo.ws/repos/sudo/rev/2eab4070dcf7" target="_blank">https://www.sudo.ws/repos/sudo/rev/2eab4070dcf7</a> > Please, report bug against Ubuntu sudo to backport this patch or rebase sudo. Workaround mught be to install newer package from debian 1.8.19-1 <a shape="rect" href="https://packages.debian.org/stretch/sudo" target="_blank">https://packages.debian.org/stretch/sudo</a> LS<div class="yqt4465783299" id="yqtfd86226"> </div> </div> </div> </div> </div></div></body></html>