[Freeipa-users] Sudo entry not found by sssd in the cache db

Pavel Březina pbrezina at redhat.com
Fri Sep 11 10:32:43 UTC 2015


On 09/09/2015 09:31 PM, Molnár Domokos wrote:
> I have a working IPA server and a working client config on an OpenSuse
> 13.2 with the following versions:
> nappali:~ # rpm -qa |grep sssd
> sssd-tools-1.12.2-3.4.1.i586
> sssd-krb5-1.12.2-3.4.1.i586
> python-sssd-config-1.12.2-3.4.1.i586
> sssd-ipa-1.12.2-3.4.1.i586
> sssd-1.12.2-3.4.1.i586
> sssd-dbus-1.12.2-3.4.1.i586
> sssd-krb5-common-1.12.2-3.4.1.i586
> sssd-ldap-1.12.2-3.4.1.i586
> sssd is configured for nss, pam, sudo
> There is a test sudo rule defined in the ipa server, which applies to
> user "doma".  However when the user tries to use sudo the rule does not
> work.
> doma@nappali:/home/doma> sudo ls
> doma's password:
> doma is not allowed to run sudo on nappali.  This incident will be reported.
> The corresponding log in the sssd_sudo.log is this:
> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
> Received client version [1].
> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
> Offered version [1].
> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): name 'doma' matched without domain, user is doma
> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): name 'doma' matched without domain, user is doma
> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
> (0x0200): Requesting default options for [doma] from [<ALL>]
> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
> Requesting info about [doma@szilva]
> (Wed Sep  9 21:25:25 2015) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
> (Wed Sep  9 21:25:25 2015) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(name=defaults)))]
> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): name 'doma' matched without domain, user is doma
> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): name 'doma' matched without domain, user is doma
> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
> (0x0200): Requesting rules for [doma] from [<ALL>]
> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
> Requesting info about [doma@szilva]
> (Wed Sep  9 21:25:25 2015) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
> (Wed Sep  9 21:25:25 2015) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))]
> (Wed Sep  9 21:25:30 2015) [sssd[sudo]] [client_recv] (0x0200): Client
> disconnected!
> This seems perfectly OK with one exception. The query against the sysdb
> does not find the entry. This is strange because the entry is there.
> Log in sssd.log:
> (Wed Sep  2 08:52:13 2015) [sssd] [sysdb_domain_init_internal] (0x0200):
> DB File for szilva: /var/lib/sss/db/cache_szilva.ldb
> So we know that the sysdb is /var/lib/sss/db/cache_szilva.ldb
> Running the exact same query seen above in the sssd_sudo.log against the
> db returns:
> ldbsearch -H /var/lib/sss/db/cache_szilva.ldb
> "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))"
> asq: Unable to register control with rootdse!
> # record 1
> dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
> cn: Doma_ls
> dataExpireTimestamp: 1441830262
> entryUSN: 20521
> name: Doma_ls
> objectClass: sudoRule
> originalDN: cn=Doma_ls,ou=sudoers,dc=szilva
> sudoCommand: ls
> sudoHost: nappali.szilva
> sudoRunAsGroup: ALL
> sudoRunAsUser: ALL
> sudoUser: doma
> distinguishedName: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
> # returned 1 records
> # 1 entries
> # 0 referrals
> This confirms that the entry is indeed there in the db. Why is it found
> with ldbsearch and why does sssd_sudo not find it?
> I am pretty much stuck with this one. Does anyone have an idea?
>
>
Hi,
this is strange. Can you provide the logs with debug level set to 0x3ff0 
please? Can you also send it as an attachment? Thanks!
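The two sysdb filters quoted from sssd_sudo.log above can be checked offline against the record that ldbsearch returned, which narrows the question before the higher debug level is even collected. The script below is an added example for this thread, not code from the original post or from sssd itself: it extracts every "Searching sysdb with [...]" filter from the quoted log lines, parses the small RFC 4515 subset that sssd emits here (&, |, !, equality, <=, >=, presence and substring matches), and evaluates each filter against the LDIF record, reporting the truth value of every simple clause so the excluding clause is visible. The log lines and the record are copied from the thread; the parser, its function names and the numeric treatment of dataExpireTimestamp are the example's own assumptions.

```python
"""Evaluate sssd_sudo.log sysdb filters against a cached sudo rule.

Added example for the freeipa-users thread, not part of sssd. The log lines
and the LDIF record are copied from the thread; the filter evaluator is a
hand-written RFC 4515 subset sufficient for the filters sssd emits here.
"""
import re

# Copied from the thread: the two filters sssd_sudo reported, one per line.
LOG_LINES = [
    "(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] "
    "(0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)"
    "(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)"
    "(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))"
    "(&(dataExpireTimestamp<=1441826725)))]",
    "(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] "
    "(0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)"
    "(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)"
    "(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))]",
]

# Copied from the thread: the rule ldbsearch found in cache_szilva.ldb.
LDIF = """\
dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
cn: Doma_ls
dataExpireTimestamp: 1441830262
entryUSN: 20521
name: Doma_ls
objectClass: sudoRule
originalDN: cn=Doma_ls,ou=sudoers,dc=szilva
sudoCommand: ls
sudoHost: nappali.szilva
sudoRunAsGroup: ALL
sudoRunAsUser: ALL
sudoUser: doma
"""

FILTER_RE = re.compile(r"Searching sysdb with \[(.*)\]$")
ITEM_RE = re.compile(r"^([A-Za-z][\w;.-]*)(<=|>=|=)(.*)$")


def extract_filters(lines):
    """Return the filter string from every 'Searching sysdb with [...]' line."""
    return [m.group(1) for line in lines if (m := FILTER_RE.search(line))]


def parse_ldif(text):
    """Parse one plain LDIF record into {attr_lower: [values]} (no base64 '::')."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def parse_filter(s, i=0):
    """Recursive-descent parser. Nodes: ('&'|'|', [children]), ('!', child),
    or (attr, op, value) for a simple item. Returns (node, next_index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            children.append(node)
        return (op, children), i + 1          # skip the closing ')'
    if s[i] == "!":
        node, i = parse_filter(s, i + 1)
        return ("!", node), i + 1
    end = s.index(")", i)
    m = ITEM_RE.match(s[i:end])
    if not m:
        raise ValueError(f"unsupported filter item {s[i:end]!r}")
    return (m.group(1), m.group(2), m.group(3)), end + 1


def _match_item(entry, attr, op, pattern):
    """Evaluate one simple item against the entry, case-insensitively."""
    values = entry.get(attr.lower(), [])
    if op == "=":
        if pattern == "*":                    # presence match
            return bool(values)
        if "*" in pattern:                    # substring match, e.g. '+*'
            rx = "^" + ".*".join(map(re.escape, pattern.split("*"))) + "$"
            return any(re.match(rx, v, re.I) for v in values)
        return any(v.lower() == pattern.lower() for v in values)
    # Ordering match: numeric when both sides are integers (timestamps here).
    for v in values:
        try:
            a, b = int(v), int(pattern)
        except ValueError:
            a, b = v, pattern
        if (a <= b) if op == "<=" else (a >= b):
            return True
    return False


def evaluate(node, entry):
    """Truth value of a parsed filter node against the entry."""
    if node[0] == "!" and len(node) == 2:
        return not evaluate(node[1], entry)
    if node[0] in ("&", "|") and isinstance(node[1], list):
        fn = all if node[0] == "&" else any
        return fn(evaluate(c, entry) for c in node[1])
    return _match_item(entry, *node)


def item_results(node, entry, out=None):
    """Every simple item in the filter paired with its own truth value."""
    out = [] if out is None else out
    if node[0] == "!" and len(node) == 2:
        item_results(node[1], entry, out)
    elif node[0] in ("&", "|") and isinstance(node[1], list):
        for c in node[1]:
            item_results(c, entry, out)
    else:
        out.append(("(%s%s%s)" % node, _match_item(entry, *node)))
    return out


def matches(filter_str, entry):
    """True if the whole filter selects the entry, as the sysdb search would."""
    node, end = parse_filter(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return evaluate(node, entry)


if __name__ == "__main__":
    rule = parse_ldif(LDIF)
    for flt in extract_filters(LOG_LINES):
        print(f"filter matches rule: {matches(flt, rule)}")
        for item, ok in item_results(parse_filter(flt)[0], rule):
            print(f"  {'ok  ' if ok else 'FAIL'} {item}")
```

Run on the thread's own data, the first filter rejects the rule only on its (dataExpireTimestamp<=1441826725) clause, since the cached value 1441830262 is later, so that query is asking for already-expired rules and correctly finds none. The second filter, the one without the expiry clause, matches the rule, which agrees with the reporter's ldbsearch. That rules out the filter text itself as the reason the responder returns nothing, and leaves the responder's own lookup path, which is what the 0x3ff0 logs requested in the reply would show.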
