[Freeipa-users] AD users and IPA's sudo

Jakub Hrozek jhrozek at redhat.com
Wed Apr 1 07:58:09 UTC 2015


On Mon, Mar 30, 2015 at 08:09:43AM +0000, Alexander Frolushkin wrote:
> Hello everyone.
> We have a IPA 3 and AD domain trust.
> Users from AD successfully log on to Linux servers via SSH, and HBAC rules work fine with external groups. But not sudo rules.
> When the rule defines IPA users as 'who', the rule works well. If it defines an external group for the corresponding AD group which the AD user is a member of, this user gets
> user at ad.com is not allowed to run sudo on host.com.  This incident will be reported.
> 
> In the debug log there are these strings:
> (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=user at ad.com)(sudoUser=#xxxxxxxxxx)(sudoUser=%....cuted.......(sudoUser=%....cuted.....)(sudoUser=+*))(&(dataExpireTimestamp<=1427702040)))]
> (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0020): Error looking up SUDO rules
> (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0020): Unable to retrieve expired sudo rules [5]: Input/output error
> 
> I've seen a number of closed bugs with a similar error message, but at least on this RHEL 6.6 server sssd is fully updated.
> 
> And sorry for the huge underlined message; it is generated automatically and I have no rights to avoid it in my mails :(
> 

Just to close this thread, we tracked the issue down to this SSSD bug:
- https://fedorahosted.org/sssd/ticket/2613
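
Editor's note, added example (not from the thread and not SSSD's own code): the quoted sssd_sudo debug output is all a practitioner has to go on when an AD user is denied sudo, and mail clients wrap and run those lines together. The Python script below parses SSSD's "(timestamp) [component] [function] (level): message" entries, strips "> " quoting, re-joins wrapped lines, pulls the sudoUser terms (user, #uid, %group, +netgroup) out of the sysdb filter, and reports whether the lookup aborted before any rule could match. The sample log is constructed to mirror the one in the report; the user, UID and group name in it are hypothetical.

```python
"""Triage helper for sssd_sudo debug output.

Added example, not part of this thread and not SSSD's own code.  It
parses SSSD's "(timestamp) [component] [function] (level): message"
debug lines, undoes mail-client quoting and line wrapping, pulls the
sudoUser terms out of the sysdb filter and reports whether the rule
lookup failed before any rule could be evaluated.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Zero-width match at the start of every SSSD entry, e.g. "(Mon Mar 30 13:54:00 2015)".
ENTRY_START = re.compile(
    r"(?=\([A-Z][a-z]{2} [A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4}\))"
)
# One entry; the component may itself carry a bracketed name, e.g. [sssd[sudo]].
ENTRY_RE = re.compile(
    r"\((?P<ts>[^)]+)\)\s+\[(?P<component>[^\]]+\]?)\]\s+"
    r"\[(?P<func>[^\]]+)\]\s+\((?P<level>0x[0-9a-fA-F]+)\):\s*(?P<msg>.*)",
    re.DOTALL,
)
SUDOUSER_RE = re.compile(r"sudoUser=([^()]+)")   # ALL, user, #uid, %group, +netgroup
ERRNO_RE = re.compile(r"\[(\d+)\]:\s*(.+)$")     # "... [5]: Input/output error"

# Constructed sample modelled on the quoted log; user, UID and group are hypothetical.
SAMPLE = """\
> (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=user@ad.com)(
> sudoUser=#1234567890)(sudoUser=%linux admins@ad.com)(sudoUser=+*))(&(dataExpireTimestamp<=1427702040)))]
> (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0020): Error looking up SUDO rules(Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0020): Unable to retr
> ieve expired sudo rules [5]: Input/output error
"""


@dataclass
class Entry:
    ts: str
    component: str
    func: str
    level: int
    msg: str


def split_entries(raw: str) -> List[Entry]:
    """Strip '> ' quoting, re-join wrapped lines, split on entry starts, parse each."""
    unquoted = re.sub(r"(?m)^>\s?", "", raw)
    joined = unquoted.replace("\n", "")
    entries: List[Entry] = []
    for chunk in ENTRY_START.split(joined):
        m = ENTRY_RE.match(chunk.strip())
        if m:  # anything that is not an SSSD debug entry is ignored
            entries.append(Entry(m["ts"], m["component"], m["func"],
                                 int(m["level"], 16), m["msg"]))
    return entries


def sudo_user_terms(entries: List[Entry]) -> List[str]:
    """sudoUser values from the sysdb filter the sudo responder built."""
    for e in entries:
        if e.func == "sudosrv_get_sudorules_query_cache" and "Searching sysdb" in e.msg:
            return SUDOUSER_RE.findall(e.msg)
    return []


def diagnose(raw: str) -> Dict[str, object]:
    """Summarise what the responder looked for and how the lookup ended."""
    entries = split_entries(raw)
    terms = sudo_user_terms(entries)
    user = next((t for t in terms if t != "ALL" and t[0] not in "#%+"), None)
    groups = [t[1:] for t in terms if t.startswith("%")]
    group_miss = any(e.func == "sysdb_search_group_by_gid" and "No such entry" in e.msg
                     for e in entries)
    failure = next((e for e in entries
                    if e.func == "sudosrv_get_rules" and "Unable to retrieve" in e.msg), None)
    errno: Optional[int] = None
    if failure is not None:
        m = ERRNO_RE.search(failure.msg)
        errno = int(m.group(1)) if m else None

    if failure is not None and group_miss:
        verdict = (f"rule lookup aborted with errno {errno} right after a group GID lookup "
                   "missed the sysdb cache; no rule was evaluated, so %group membership "
                   "never got a chance to match")
    elif failure is not None:
        verdict = f"rule lookup aborted with errno {errno} without a group cache miss"
    else:
        verdict = "rule lookup completed; compare the %group terms with the rule's members"
    return {"user": user, "groups": groups, "group_lookup_missed": group_miss,
            "errno": errno, "verdict": verdict}


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```

Feed it the relevant slice of /var/log/sssd/sssd_sudo.log (or a pasted mail quote) and check two things in the output: that the %group terms contain the AD group your sudo rule's external group maps to, and whether the errno 5 abort follows a sysdb_search_group_by_gid miss as in this report, which is the signature the thread ends up attributing to the SSSD ticket above.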
