[Freeipa-users] Sudo entry not found by sssd in the cache db

Molnár Domokos kretebe at freemail.hu
Fri Sep 11 12:26:24 UTC 2015


 
"Pavel Březina" <pbrezina at redhat.com> írta:
>On 09/09/2015 09:31 PM, Molnár Domokos wrote:
>> I have a working IPA server and a working client config on an OpenSuse
>> 13.2 with the following versions:
>> nappali:~ # rpm -qa |grep sssd
>> sssd-tools-1.12.2-3.4.1.i586
>> sssd-krb5-1.12.2-3.4.1.i586
>> python-sssd-config-1.12.2-3.4.1.i586
>> sssd-ipa-1.12.2-3.4.1.i586
>> sssd-1.12.2-3.4.1.i586
>> sssd-dbus-1.12.2-3.4.1.i586
>> sssd-krb5-common-1.12.2-3.4.1.i586
>> sssd-ldap-1.12.2-3.4.1.i586
>> sssd is configured for nss, pam, sudo
>> There is a test sudo rule defined in the ipa server, which applies to
>> user "doma".  However when the user tries to use sudo the rule does not
>> work.
>> doma at nappali:/home/doma> sudo ls
>> doma's password:
>> doma is not allowed to run sudo on nappali.  This incident will be reported.
>> The corresponding log in the sssd_sudo.log is this:
>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
>> Received client version [1].
>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
>> Offered version [1].
>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
>> (0x0200): name 'doma' matched without domain, user is doma
>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
>> (0x0200): name 'doma' matched without domain, user is doma
>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
>> (0x0200): Requesting default options for [doma] from [<ALL>]
>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
>> Requesting info about [doma at szilva]
>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]]
>> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]]
>> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> [(&(objectClass=sudoRule)(|(name=defaults)))]
>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
>> (0x0200): name 'doma' matched without domain, user is doma
>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
>> (0x0200): name 'doma' matched without domain, user is doma
>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
>> (0x0200): Requesting rules for [doma] from [<ALL>]
>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
>> Requesting info about [doma at szilva]
>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]]
>> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]]
>> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))]
>> (Wed Sep  9 21:25:30 2015) [sssd[sudo]] [client_recv] (0x0200): Client
>> disconnected!
>> This seems perfectly OK with one exception. The query against the sysdb
>> does not find the entry. This is strange because the entry is there.
>> Log in sssd.log:
>> (Wed Sep  2 08:52:13 2015) [sssd] [sysdb_domain_init_internal] (0x0200):
>> DB File for szilva: /var/lib/sss/db/cache_szilva.ldb
>> So we know that the sysdb is /var/lib/sss/db/cache_szilva.ldb
>> Running the exact same query seen above in the sssd_sudo.log against the
>> db returns:
>> ldbsearch -H /var/lib/sss/db/cache_szilva.ldb
>> "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))"
>> asq: Unable to register control with rootdse!
>> # record 1
>> dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
>> cn: Doma_ls
>> dataExpireTimestamp: 1441830262
>> entryUSN: 20521
>> name: Doma_ls
>> objectClass: sudoRule
>> originalDN: cn=Doma_ls,ou=sudoers,dc=szilva
>> sudoCommand: ls
>> sudoHost: nappali.szilva
>> sudoRunAsGroup: ALL
>> sudoRunAsUser: ALL
>> sudoUser: doma
>> distinguishedName: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
>> # returned 1 records
>> # 1 entries
>> # 0 referrals
>> This confirms that the entry is indeed there in the db. Why is it found
>> with ldbsearch and why does sssd_sudo not find it?
>> I am pretty much stuck with this one. Anyone has an idea?
>>
>>
>Hi,
>this is strange. Can you provide the logs with debug level set to 0x3ff0 
>please? Can you also send it as an attachment? Thanks!
Sure. Here it is. Now I can see that the rule is returned. The question is why the rule does not match. Anyway much better :)

(Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma at szilva]
(Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [doma at szilva]
(Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [doma] from [szilva]
(Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441973997)))]
(Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@szilva]
(Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
(Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
(Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [doma] from [<ALL>]
(Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma at szilva]
(Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [doma at szilva]
(Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [doma] from [szilva]
(Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441973997)))]
(Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))]
(Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [doma at szilva]
(Fri Sep 11 14:20:00 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Fri Sep 11 14:20:00 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Fri Sep 11 14:20:00 2015) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x8f6abd0][17]
(Fri Sep 11 14:20:10 2015) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit

as doma:
doma at nappali:/home/doma> id
uid=1816400003(doma) gid=1816400003(doma) groups=1816400003(doma),16(dialout),33(video),112(vboxusers),1000(burning),1816400006(picture_access)
doma at nappali:/home/doma> hostname --fqdn
nappali.szilva
doma at nappali:/home/doma> domainname
szilva
doma at nappali:/home/doma> nisdomainname
szilva
doma at nappali:/home/doma> dnsdomainname
szilva
doma at nappali:/home/doma> sudo ls
doma's password:
doma is not allowed to run sudo on nappali.  This incident will be reported.

as root:
nappali:~ # ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*helios.szilva   193.6.222.47     3 u   56   64  377    0.779    1.365   0.420
 LOCAL(0)        .LOCL.          10 l  535   64    0    0.000    0.000   0.000

helios.szilva is the standalone IPA server.
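The debug log above shows sssd returning one rule from its cache, so whatever rejects the request happens when sudo evaluates that rule against the invoking user, the client host and the command. The following is an added example, not code from the thread, from sssd or from sudo: it re-implements the sudoers matching semantics for the sudoUser, sudoHost and sudoCommand attributes and checks the cached Doma_ls entry attribute by attribute. The user, group, uid and hostname values are copied from the id, hostname --fqdn and ldbsearch output in this thread; the resolved command path /usr/bin/ls is an assumption made for the example, since the thread does not show where ls resolves on the client.

```python
import fnmatch
from dataclasses import dataclass, field

# Attribute lines of the cached rule, copied from the ldbsearch output in
# the thread (constructed sample input for this example).
CACHED_RULE_LDIF = """\
dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
cn: Doma_ls
objectClass: sudoRule
sudoCommand: ls
sudoHost: nappali.szilva
sudoRunAsGroup: ALL
sudoRunAsUser: ALL
sudoUser: doma
"""


def parse_ldif(text):
    """Parse one LDIF-style record into {attribute: [values]}.
    Lists are kept because sudoUser/sudoHost/sudoCommand are multi-valued."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


@dataclass
class Identity:
    """What the sudo client knows about the invoking user and host."""
    user: str
    uid: int
    groups: list          # group names from `id`
    gids: list            # numeric gids from `id`
    hostnames: list       # short name and FQDN of the client
    netgroups: set = field(default_factory=set)


def user_matches(spec, ident):
    """sudoUser forms: ALL, user name (shell pattern), #uid, %group, %#gid,
    +netgroup. Negation with '!' is left out for brevity."""
    if spec == "ALL":
        return True
    if spec.startswith("%#"):
        return spec[2:].isdigit() and int(spec[2:]) in ident.gids
    if spec.startswith("%"):
        return spec[1:] in ident.groups
    if spec.startswith("#"):
        return spec[1:].isdigit() and int(spec[1:]) == ident.uid
    if spec.startswith("+"):
        return spec[1:] in ident.netgroups
    return fnmatch.fnmatchcase(ident.user, spec)


def host_matches(spec, ident):
    """sudoHost forms: ALL, host name (shell pattern, tried against the short
    name and the FQDN), +netgroup. IP address/netmask forms are left out."""
    if spec == "ALL":
        return True
    if spec.startswith("+"):
        return spec[1:] in ident.netgroups
    return any(fnmatch.fnmatchcase(h, spec) for h in ident.hostnames)


def command_matches(spec, cmd_path, cmd_args):
    """sudoCommand forms: ALL, or 'fully-qualified-path [args]'.
    sudo resolves the typed command through PATH and compares the resolved
    absolute path with the rule; if the rule lists arguments they must match."""
    if spec == "ALL":
        return True
    rule_path, _, rule_args = spec.partition(" ")
    if not fnmatch.fnmatchcase(cmd_path, rule_path):
        return False
    return not rule_args or fnmatch.fnmatchcase(cmd_args, rule_args)


def evaluate(rule, ident, cmd_path, cmd_args=""):
    """Per attribute: does any value match? The rule applies only if all three do."""
    result = {
        "sudoUser": any(user_matches(v, ident) for v in rule.get("sudoUser", [])),
        "sudoHost": any(host_matches(v, ident) for v in rule.get("sudoHost", [])),
        "sudoCommand": any(command_matches(v, cmd_path, cmd_args)
                           for v in rule.get("sudoCommand", [])),
    }
    result["rule_applies"] = all(result.values())
    return result


def thread_identity():
    """Identity taken from the `id` and `hostname --fqdn` output in the thread."""
    return Identity(
        user="doma",
        uid=1816400003,
        groups=["doma", "dialout", "video", "vboxusers", "burning", "picture_access"],
        gids=[1816400003, 16, 33, 112, 1000, 1816400006],
        hostnames=["nappali", "nappali.szilva"],
    )


RULE = parse_ldif(CACHED_RULE_LDIF)

if __name__ == "__main__":
    # /usr/bin/ls is an assumed resolution of `ls` on the client.
    for attr, ok in evaluate(RULE, thread_identity(), "/usr/bin/ls").items():
        print(f"{attr:12s} {'match' if ok else 'NO MATCH'}")
```

The matcher deliberately keeps the three attributes separate so the output says which one fails rather than just "not allowed", which is the information sudo's own message withholds. With the thread's values, sudoUser and sudoHost match and sudoCommand does not, because sudoers-style rules compare the resolved absolute path of the command against the rule value; whether that is what happens on the real client depends on the assumed path and on the rule actually served, so treat the result as a pointer to what to check next, not as a diagnosis from the thread itself.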