[Freeipa-users] sudo rules question on ubuntu 16.0.1
Jeff Goddard
jgoddard at emerlyn.com
Thu Aug 11 18:24:47 UTC 2016
Here are the relevant configuration files:
*nsswitch.conf:*
passwd: compat sss
group: compat sss
shadow: compat sss
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: sss files
*sssd.conf:*
[domain/internal.emerlyn.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = internal.emerlyn.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = docker-dev-01.internal.emerlyn.com
chpass_provider = ipa
ipa_server = _srv_, id-management-1.internal.emerlyn.com
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider=ipa
ldap_uri=ldap://id-management-1.internal.emerlyn.com
ldap_sudo_search_base=ou=sudoers,dc=internal,dc=emerlyn,dc=com
debug_level=7
[sssd]
services = nss, pam, sudo, ssh
debug_level=7
domains = internal.emerlyn.com
[nss]
homedir_substring = /home
[pam]
[sudo]
debug_level=7
[autofs]
[ssh]
debug_level=7
[pac]
[ifp]
*Log output - /var/log/sssd/sssd_sudo.log:*
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Received client version [1].
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Offered version [1].
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting default options for [jgoddard] from [<ALL>]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [jgoddard at internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [jgoddard at internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving default options for [jgoddard] from [internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*))(&(dataExpireTimestamp<=1470932503)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 0 rules for [<default options>@internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting rules for [jgoddard] from [<ALL>]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [jgoddard at internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [jgoddard at internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving rules for [jgoddard] from [internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*))(&(dataExpireTimestamp<=1470932503)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting
rules with higher-wins logic
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 1 rules for [jgoddard at internal.emerlyn.com]
(Thu Aug 11 12:21:47 2016) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [accept_fd_handler] (0x0400):
Client connected!
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Received client version [1].
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Offered version [1].
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting default options for [jgoddard] from [<ALL>]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [jgoddard at internal.emerlyn.com]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [jgoddard at internal.emerlyn.com]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving default options for [jgoddard] from [internal.emerlyn.com]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*))(&(dataExpireTimestamp<=1470932532)))]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 0 rules for [<default options>@internal.emerlyn.com]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting rules for [jgoddard] from [<ALL>]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [jgoddard at internal.emerlyn.com]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [jgoddard at internal.emerlyn.com]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving rules for [jgoddard] from [internal.emerlyn.com]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*))(&(dataExpireTimestamp<=1470932532)))]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*)))]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting
rules with higher-wins logic
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 1 rules for [jgoddard at internal.emerlyn.com]
On Thu, Aug 11, 2016 at 2:15 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Jeff Goddard wrote:
>
>> I've looked though these but not found anything helpful. It appears as
>> though my previous statement about the 1 group being found was
>> misleading as the sssd.$mydomain.com.log file reports that no sudo rules
>> are found. Does this mean that the LDAP tree being searched is different
>> on ubuntu vs centos?
>>
>
> I find that extremely unlikely.
>
> You may want to outline more what you've already checked.
>
> For example, is sss in sudoers in /etc/nsswitch.conf?
>
> You can check the 389-ds access log to see what queries, if any, are being
> made. I'd clean the sssd cache in advance.
>
> rob
>
>
>> Jeff
>>
>> On Wed, Aug 10, 2016 at 2:13 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>> Jeff Goddard wrote:
>>
>> Sean,
>>
>> Thanks for the reply. I don't think that's my problem but I'm
>> posting a
>> redacted copy of the sssd.conf file for review below.
>>
>>
>> I'd start here:
>> https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>>
>> rob
>>
>
--
Jeff Goddard
Director of Information Technology
Emerlyn Technology
Email: jgoddard at emerlyn.com
Telephone: (603) 447-8571
Toll free: (888) 363-7596 ext. 108
Fax: (603) 356-3346
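An added example, not part of this thread and not SSSD's own code: a small Python script that walks an sssd_sudo.log trace like the one above. The mail client has wrapped the long entries, so the script first joins continuation lines back onto their timestamped entry; it then pairs each "Requesting rules" / "Requesting default options" request with the sudoUser identities (user name, uid, groups, netgroup wildcard) that the responder put into its cache filter and with the "Returning N rules" count, and reports users for whom the cache handed sudo no rules. It assumes that the sysdb search carrying dataExpireTimestamp<=... only looks for expired cached rules due for refresh, and that the search without it is the lookup whose result sudo actually sees. The embedded log is a constructed sample modelled on the entries in this post; all function and field names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# A new entry starts with a "(Thu Aug 11 12:21:43 2016)" timestamp; a line that
# does not (for example one starting with "(0x0200):" or "[(&(objectClass=") is
# the mail-client-wrapped continuation of the previous entry.
TS_RE = re.compile(r"^\([A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}\)")
ENTRY_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[sudo\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
REQUEST_RE = re.compile(r"Requesting (?P<kind>rules|default options) for \[(?P<user>[^\]]+)\]")
RETURN_RE = re.compile(r"Returning (?P<n>\d+) rules for \[(?P<who>[^\]]+)\]")
SUDOUSER_RE = re.compile(r"\(sudoUser=([^)]+)\)")

# Constructed sample, modelled on the sssd_sudo.log entries quoted in the post
# (including the line wrapping the mail client introduced).
SAMPLE_LOG = """\
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting default options for [jgoddard] from [<ALL>]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 0 rules for [<default options>@internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting rules for [jgoddard] from [<ALL>]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=+*))(&(dataExpireTimestamp<=1470932503)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=+*)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting
rules with higher-wins logic
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 1 rules for [jgoddard@internal.emerlyn.com]
(Thu Aug 11 12:21:47 2016) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!
"""


def join_wrapped(text: str) -> List[str]:
    """Re-join entries that a mail client (or terminal) wrapped onto several lines."""
    entries: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


@dataclass
class SudoRequest:
    kind: str                      # "rules" or "default options"
    user: str
    identities: List[str] = field(default_factory=list)  # sudoUser values in the cache filter
    returned: Optional[int] = None  # rule count the responder handed back to sudo


def parse_sudo_log(text: str) -> List[SudoRequest]:
    """Group the trace into per-request records: who asked, which identities were
    searched for, and how many cached rules came back."""
    requests: List[SudoRequest] = []
    for entry in join_wrapped(text):
        m = ENTRY_RE.match(entry)
        if not m:
            continue
        msg = m.group("msg")
        req = REQUEST_RE.search(msg)
        if req:
            requests.append(SudoRequest(kind=req.group("kind"), user=req.group("user")))
            continue
        if not requests:
            continue
        cur = requests[-1]
        if "Searching sysdb with" in msg and "dataExpireTimestamp" not in msg:
            # Assumption: the filter with dataExpireTimestamp only finds expired
            # rules due for refresh; the filter without it is the real lookup.
            cur.identities = SUDOUSER_RE.findall(msg)
        ret = RETURN_RE.search(msg)
        if ret and cur.returned is None:
            cur.returned = int(ret.group("n"))
    return requests


def diagnose(requests: List[SudoRequest]) -> List[str]:
    """One finding per rule request; a count of 0 means sudo saw no rule at all."""
    findings: List[str] = []
    for r in requests:
        if r.kind != "rules":
            continue
        groups = [i for i in r.identities if i.startswith("%")]
        if r.returned is None:
            findings.append(f"{r.user}: request never completed (check the domain log)")
        elif r.returned == 0:
            findings.append(f"{r.user}: cache holds no matching rule; groups tried: {groups}")
        else:
            findings.append(f"{r.user}: {r.returned} rule(s) served from cache; groups tried: {groups}")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for finding in diagnose(parse_sudo_log(text)):
        print(finding)
```

Run it against a real file with "python3 sudo_log_summary.py /var/log/sssd/sssd_sudo.log" (name assumed). A "Returning 0 rules" for the rules request means the rule never reached the sysdb cache, so the place to look next is the domain log (sssd_internal.emerlyn.com.log here) and the 389-ds access log Rob mentions, not the sudo responder; a non-zero count with sudo still refusing points instead at how the returned rule's command, host or runas fields are matched.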