[Freeipa-users] Sudo entry not found by sssd in the cache db
Pavel Březina
pbrezina at redhat.com
Mon Sep 14 13:08:11 UTC 2015
On 09/11/2015 02:40 PM, Molnár Domokos wrote:
> Full log attached.
> "Molnár Domokos" <kretebe at freemail.hu> wrote:
>
>
> "Pavel Březina" <pbrezina at redhat.com> wrote:
>
> On 09/09/2015 09:31 PM, Molnár Domokos wrote:
> > I have a working IPA server and a working client config on an OpenSuse
> > 13.2 with the following versions:
> > nappali:~ # rpm -qa |grep sssd
> > sssd-tools-1.12.2-3.4.1.i586
> > sssd-krb5-1.12.2-3.4.1.i586
> > python-sssd-config-1.12.2-3.4.1.i586
> > sssd-ipa-1.12.2-3.4.1.i586
> > sssd-1.12.2-3.4.1.i586
> > sssd-dbus-1.12.2-3.4.1.i586
> > sssd-krb5-common-1.12.2-3.4.1.i586
> > sssd-ldap-1.12.2-3.4.1.i586
> > sssd is configured for nss, pam, sudo
> > There is a test sudo rule defined in the ipa server, which applies to
> > user "doma". However when the user tries to use sudo the rule does not
> > work.
> > doma at nappali:/home/doma> sudo ls
> > doma's password:
> > doma is not allowed to run sudo on nappali. This incident will be reported.
> > The corresponding log in the sssd_sudo.log is this:
> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
> > Received client version [1].
> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
> > Offered version [1].
> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
> > (0x0200): name 'doma' matched without domain, user is doma
> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
> > (0x0200): name 'doma' matched without domain, user is doma
> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
> > (0x0200): Requesting default options for [doma] from [<ALL>]
> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
> > Requesting info about [doma at szilva]
> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> > [(&(objectClass=sudoRule)(|(name=defaults)))]
> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
> > (0x0200): name 'doma' matched without domain, user is doma
> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
> > (0x0200): name 'doma' matched without domain, user is doma
> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
> > (0x0200): Requesting rules for [doma] from [<ALL>]
> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
> > Requesting info about [doma at szilva]
> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))]
> > (Wed Sep 9 21:25:30 2015) [sssd[sudo]] [client_recv] (0x0200): Client
> > disconnected!
> > This seems perfectly OK with one exception. The query against the sysdb
> > does not find the entry. This is strange because the entry is there.
> > Log in sssd.log:
> > (Wed Sep 2 08:52:13 2015) [sssd] [sysdb_domain_init_internal] (0x0200):
> > DB File for szilva: /var/lib/sss/db/cache_szilva.ldb
> > So we know that the sysdb is /var/lib/sss/db/cache_szilva.ldb
> > Running the exact same query seen above in the sssd_sudo.log against the
> > db returns:
> > ldbsearch -H /var/lib/sss/db/cache_szilva.ldb
> > "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))"
> > asq: Unable to register control with rootdse!
> > # record 1
> > dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
> > cn: Doma_ls
> > dataExpireTimestamp: 1441830262
> > entryUSN: 20521
> > name: Doma_ls
> > objectClass: sudoRule
> > originalDN: cn=Doma_ls,ou=sudoers,dc=szilva
> > sudoCommand: ls
> > sudoHost: nappali.szilva
> > sudoRunAsGroup: ALL
> > sudoRunAsUser: ALL
> > sudoUser: doma
> > distinguishedName: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
> > # returned 1 records
> > # 1 entries
> > # 0 referrals
> > This confirms that the entry is indeed there in the db. Why is it found
> > with ldbsearch and why does sssd_sudo not find it?
> > I am pretty much stuck with this one. Does anyone have an idea?
> >
> >
> Hi,
> this is strange. Can you provide the logs with debug level set to 0x3ff0
> please? Can you also send it as an attachment? Thanks!
>
> Sure. Here it is. Now I can see that the rule is returned. The
> question is why the rule does not match. Anyway much better :)
Hi, thanks for the logs. Since the rule is returned, we will get more
information from sudo logs. Can you please enable sudo logging by
putting the following line into /etc/sudo.conf?
Debug sudo /var/log/sudo_debug all@trace
Run sudo and send us /var/log/sudo_debug? Thanks!
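To see which of the two sysdb filters quoted from sssd_sudo.log actually match the cached Doma_ls record, here is an added Python example (not code from this thread, from sssd or from ldb): it parses the LDIF that ldbsearch printed and evaluates the filters against it. The record and filter strings are copied from the quoted output; the evaluator is a simplified reading of ldb matching (no escapes, prefix-only substrings, case-insensitive equality, integer ordering) and is an assumption, not ldb's real code.

```python
import re
# Constructed sample input: the cached sudoRule as ldbsearch printed it in the thread (trimmed).
LDIF_RECORD = """\
dataExpireTimestamp: 1441830262
name: Doma_ls
objectClass: sudoRule
sudoHost: nappali.szilva
sudoUser: doma
"""
# The two sysdb filters from the log: the expired-rule check (dataExpireTimestamp clause) and the fetch.
EXPIRED_FILTER = ("(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)"
                  "(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))"
                  "(&(dataExpireTimestamp<=1441826725)))")
RULES_FILTER = ("(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)"
                "(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))")
def parse_ldif(text):
    """Map lowercased attribute names to value lists; ldbsearch '#' comment lines are skipped."""
    entry = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
    return entry
def parse_filter(s, i=0):
    """Parse the RFC 4515 subset seen in the log (&, |, =, <=, >=; no escapes, no NOT)."""
    i += 1                                   # skip the opening "("
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1             # skip the closing ")"
    j = s.index(")", i)
    attr, op, want = re.match(r"([^<>=]+)(<=|>=|=)(.*)", s[i:j]).groups()
    return ("cmp", attr.lower(), op, want), j + 1
def matches(node, entry):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    _, attr, op, want = node
    values = entry.get(attr, [])
    if op == "=":      # equality (case-insensitive here) or a prefix substring such as sudoUser=+*
        return any(v.startswith(want[:-1]) if want.endswith("*") else v.lower() == want.lower() for v in values)
    ints = [int(v) for v in values if v.isdigit()]       # integer ordering for <= and >=
    return any(n <= int(want) if op == "<=" else n >= int(want) for n in ints)
def entry_matches(filter_str, ldif_text=LDIF_RECORD):
    """True if the entry satisfies the filter, i.e. a sysdb search with it would return the record."""
    node, end = parse_filter(filter_str)
    assert end == len(filter_str), "unparsed trailing text in filter"
    return matches(node, parse_ldif(ldif_text))
```

Run with the full ldbsearch output pasted as ldif_text and any filter copied from sssd_sudo.log; for the quoted record the fetch filter matches on sudoUser=doma, while the expiry filter does not because 1441830262 is later than 1441826725, so the rule is cached and still valid.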