[Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration
Jakub Hrozek
jhrozek at redhat.com
Wed Apr 8 08:35:18 UTC 2015
On Wed, Apr 08, 2015 at 10:17:59AM +0200, Chamambo Martin wrote:
> I have this log after doing a debug_level=6 in the sudo section and have
> attached a txt file for the ldbsearch -H /var/lib/sss/db/cache_ai.co.zw.ldb
>
> (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=admin)(sudoUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*))(&(dataExpireTimestamp<=1428480892)))]
> (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=admin)(sudoUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*)))]
The above are the cache searches sssd ran.
This is how the sudo rule looks in your cache:
# record 29
dn: name=file-commands,cn=sudorules,cn=custom,cn=ai.co.zw,cn=sysdb
cn: file-commands
dataExpireTimestamp: 1428486013
entryUSN: 28714
name: file-commands
objectClass: sudoRule
originalDN: cn=file-commands,ou=sudoers,dc=ai,dc=co,dc=zw
sudoCommand: /usr/bin/vim
sudoCommand: /usr/bin/less
sudoHost: +mailservers
sudoRunAsGroup: ALL
sudoRunAsUser: admin
sudoRunAsUser: chamambom
sudoRunAsUser: kamoyob
sudoRunAsUser: kumalop
sudoRunAsUser: machangeteb
sudoRunAsUser: masaitit
sudoRunAsUser: masvivic
sudoRunAsUser: matangiraa
sudoRunAsUser: nyahumap
sudoRunAsUser: pedzisail
sudoRunAsUser: tayengwaj
sudoUser: ALL
distinguishedName: name=file-commands,cn=sudorules,cn=custom,cn=ai.co.zw,cn=sysdb
> (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
> (0x0400): Returning 1 rules for [admin at ai.co.zw]
And here we see that the sudo rule was returned from SSSD to sudo. But
then in sudo, it didn't match for some reason. I expect it's because of
the netgroup. Can you check whether nisdomainname is really set correctly and
whether "getent netgroup mailservers" reports the FQDN of your client?
Also, you can enable debugging in sudo itself. See man sudo.conf and search
for the option "Debug". That will show you how exactly sudo matches the rules.
> (Wed Apr 8 10:15:02 2015) [sssd[sudo]] [client_recv] (0x0200): Client
> disconnected!
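The two checks the reply asks for, scripted, as an added example that is not part of the thread and not SSSD or sudo code: is the NIS domain set, and does the netgroup that the cached rule's "sudoHost: +mailservers" refers to list this client's FQDN. The netgroup name is taken from the rule above; the hostnames in the sample getent output and the treatment of empty fields as wildcards (the way glibc's innetgr() compares them) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread. The "mailservers" netgroup name comes from
# the cached rule (sudoHost: +mailservers); host names below are constructed.

# netgroup_has_host "<getent netgroup output>" FQDN NISDOMAIN
# Parses one line of 'getent netgroup' output, e.g.
#   mailservers (mx1.ai.co.zw,,) (mx2.ai.co.zw,,ai.co.zw)
# and returns 0 when FQDN is the host field of some (host,user,domain) triple.
# An empty host or domain field in a triple, or an empty NISDOMAIN, is treated
# as a wildcard, which is how glibc's innetgr() compares these fields.
netgroup_has_host() {
    fqdn=$2
    nisdom=$3
    # shellcheck disable=SC2086  # word-split on purpose: name, then triples
    set -- $1
    [ "$#" -gt 0 ] || return 1   # empty/absent netgroup: nothing can match
    shift                        # drop the netgroup name itself
    for t in "$@"; do
        t=${t#\(}; t=${t%\)}     # (host,user,domain) -> host,user,domain
        host=${t%%,*}
        rest=${t#*,}
        dom=${rest#*,}
        if [ -z "$host" ] || [ "$host" = "$fqdn" ]; then
            if [ -z "$dom" ] || [ -z "$nisdom" ] || [ "$dom" = "$nisdom" ]; then
                return 0
            fi
        fi
    done
    return 1
}

# check_sudo_netgroup NETGROUP: run the same check against the live system,
# using nisdomainname, hostname -f and getent netgroup as the reply suggests.
check_sudo_netgroup() {
    ng=$1
    nisdom=$(nisdomainname 2>/dev/null || true)
    if [ "$nisdom" = "(none)" ]; then   # hostname(1) prints "(none)" when unset
        nisdom=""
    fi
    fqdn=$(hostname -f 2>/dev/null || hostname)
    if ! out=$(getent netgroup "$ng" 2>/dev/null); then
        echo "netgroup $ng: not resolvable through nss (check sss in nsswitch.conf)"
        return 2
    fi
    echo "nisdomain=${nisdom:-<unset>} fqdn=$fqdn"
    echo "$out"
    if netgroup_has_host "$out" "$fqdn" "$nisdom"; then
        echo "OK: $fqdn is a member of netgroup $ng"
    else
        echo "MISMATCH: $fqdn is not in netgroup $ng, so a +$ng sudoHost will not match here"
        return 1
    fi
}

# Usage: sh check_netgroup.sh mailservers
if [ $# -gt 0 ]; then
    check_sudo_netgroup "$1"
fi
```

Run it on the client with the netgroup name from the rule; a MISMATCH line points at the netgroup (wrong domain field, short name instead of FQDN, or an unset NIS domain) rather than at the SSSD cache, which the log above already shows returning the rule.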