[Freeipa-users] AD users and IPA's sudo

Mon Mar 30 08:21:06 UTC 2015

On Mon, Mar 30, 2015 at 08:09:43AM +0000, Alexander Frolushkin wrote:
> Hello everyone.
> We have a IPA 3 and AD domain trust.
> Users from AD successfully logs on to linux servers via ssh and hbac rules works fine with external groups. But not a sudo rules.
> When rule defines as 'who' IPA users rule works well. If it is defines external group for corresponding AD group which is AD user member of, this user gets
> user at ad.com<mailto:user at ad.com> is not allowed to run sudo on host.com.  This incident will be reported.
> 
> In debug there is a strings
> (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=user at ad.com)(
> sudoUser=#xxxxxxxxxx)(sudoUser=%....cuted.......(sudoUser=%....cuted.....)(sudoUser=+*))(&(dataExpireTimestamp<=1427702040)))]
> (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0020): Error looking up SUDO rules(Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0020): Unable to retr
> ieve expired sudo rules [5]: Input/output error

Looks suspicious. Is there an corresponding LDAP search in the back end
log as well? Look for sdap_get_generic perhaps..

> 
> I've seen a number of closed bugs with similar error message, but at last on this RHEL 6.6 server sssd is fully updated.
> 
> And sorry for the huge underlined message, it is generated automatically and I have no rights to avoid it in my mails :(
> 
> With best regards,
> Alexander Frolushkin,
> Senior engineer in system administration
> and database management
> MegaFon, Siberian branch
> http://english.corp.megafon.ru/
> Cell  +79232508764
> Phone +79232507764
> 
> 
> 
> ________________________________
> 
> Информация в этом сообщении предназначена исключительно для конкретных лиц, которым она адресована. В сообщении может содержаться конфиденциальная информация, которая не может быть раскрыта или использована кем-либо, кроме адресатов. Если вы не адресат этого сообщения, то использование, переадресация, копирование или распространение содержания сообщения или его части незаконно и запрещено. Если Вы получили это сообщение ошибочно, пожалуйста, незамедлительно сообщите отправителю об этом и удалите со всем содержимым само сообщение и любые возможные его копии и приложения.
> 
> The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.
> 
> (c)20mf50

> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project