[Freeipa-users] sudo rules question on ubuntu 16.0.1
Justin Stephenson
jstephen at redhat.com
Thu Aug 11 18:40:09 UTC 2016
Hello,
Could you increase the debug level to 9, restart sssd + clear the cache,
and reproduce the problem, then provide the sssd_<domain>.log as well as
the sssd_sudo.log?
Also you may want to rule out HBAC issues with the below command:
# ipa hbactest --user 'jgoddard' --host $(hostname) --service sudo
Kind regards,
Justin Stephenson
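The steps listed above (raise the debug level, restart SSSD with a clean cache, reproduce, collect the domain and sudo logs, and run ipa hbactest) as one script. This is an added example and not part of the original thread; the function names set_debug_level and collect_sudo_debug, the backup and tarball paths, and the choice of `sudo -l` as the reproduction step are this example's own assumptions, while the config, cache and log paths are the stock SSSD locations on Ubuntu 16.04.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes a stock SSSD layout:
# /etc/sssd/sssd.conf, cache in /var/lib/sss/db, logs in /var/log/sssd.

# set_debug_level FILE LEVEL
# Prints FILE with every existing "debug_level" line set to LEVEL and a
# "debug_level = LEVEL" line appended to each [section] that had none, so the
# raised level applies to the domain, the sudo responder and the monitor alike.
set_debug_level() {
    awk -v lvl="$2" '
        function flush() { if (insect && !seen) print "debug_level = " lvl }
        /^[ \t]*\[/ { flush(); insect = 1; seen = 0; print; next }
        /^[ \t]*debug_level[ \t]*=/ { seen = 1; print "debug_level = " lvl; next }
        { print }
        END { flush() }
    ' "$1"
}

# collect_sudo_debug DOMAIN USER
# Root-only: applies level 9 to the live config, restarts SSSD with an empty
# cache, reproduces a sudo rule lookup for USER, runs the HBAC check from the
# reply above, and bundles the two logs the reply asks for.
collect_sudo_debug() {
    domain="$1"; user="$2"
    conf=/etc/sssd/sssd.conf

    cp -p "$conf" "$conf.bak"              # keep the original to restore later
    set_debug_level "$conf.bak" 9 > "$conf"
    chmod 0600 "$conf"                     # sssd requires a root-only 0600 config

    systemctl stop sssd
    rm -f /var/lib/sss/db/*.ldb            # drop the cache; cached credentials go too
    systemctl start sssd

    su - "$user" -c 'sudo -l'              # reproduce: list the rules sudo sees
    ipa hbactest --user "$user" --host "$(hostname)" --service sudo

    tar czf /tmp/sssd-sudo-debug.tgz \
        "/var/log/sssd/sssd_${domain}.log" /var/log/sssd/sssd_sudo.log
    echo "logs bundled in /tmp/sssd-sudo-debug.tgz; restore $conf.bak when done"
}
```

Run it as root with the domain name exactly as it appears in the `[domain/...]` header, e.g. `collect_sudo_debug internal.emerlyn.com jgoddard`. Level 9 is verbose and the logs grow quickly, so restore the backed-up config once the logs have been captured.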
On 08/11/2016 02:24 PM, Jeff Goddard wrote:
> Here are the relevant configuration files:
>
> nsswitch.conf:
>
> passwd: compat sss
> group: compat sss
> shadow: compat sss
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files sss
> ethers: db files
> rpc: db files
>
> netgroup: nis sss
> sudoers: sss files
>
> sssd.conf:
>
> [domain/internal.emerlyn.com]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = internal.emerlyn.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = docker-dev-01.internal.emerlyn.com
> chpass_provider = ipa
> ipa_server = _srv_, id-management-1.internal.emerlyn.com
> ldap_tls_cacert = /etc/ipa/ca.crt
> sudo_provider=ipa
> ldap_uri=ldap://id-management-1.internal.emerlyn.com
> ldap_sudo_search_base=ou=sudoers,dc=internal,dc=emerlyn,dc=com
> debug_level=7
>
> [sssd]
> services = nss, pam, sudo, ssh
> debug_level=7
> domains = internal.emerlyn.com
>
> [nss]
> homedir_substring = /home
>
> [pam]
>
> [sudo]
> debug_level=7
> [autofs]
>
> [ssh]
> debug_level=7
> [pac]
>
> [ifp]
>
> Log output - /var/log/sssd/sssd_sudo.log:
>
> (Thu Aug 11 12:21:43 2016) [sssd[sudo]] [accept_fd_handler] (0x0400):
> Client connected!
> (Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_cmd_get_version]
> (0x0200): Received client version [1].
> (Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_cmd_get_version]
> (0x0200): Offered version [1].
> (Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): name 'jgoddard' matched without domain, user is jgoddard
> (Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): name 'jgoddard' matched without domain, user is jgoddard
> (Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
> (0x0200): Requesting default options for [jgoddard] from [<ALL>]
> (Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200):
> Requesting info about [jgoddard@internal.emerlyn.com]
> (Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400):
> Returning info for user [jgoddard@internal.emerlyn.com]
> (Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
> Retrieving default options for [jgoddard] from [internal.emerlyn.com]
> (Thu Aug 11 12:21:43 2016) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*))(&(dataExpireTimestamp<=1470932503)))]
> (Thu Aug 11 12:21:43 2016) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(name=defaults)))]
> (Thu Aug 11 12:21:43 2016) [sssd[sudo]]
> [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for
> [<default options>@internal.emerlyn.com]
> (Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): name 'jgoddard' matched without domain, user is jgoddard
> (Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): name 'jgoddard' matched without domain, user is jgoddard
> (Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
> (0x0200): Requesting rules for [jgoddard] from [<ALL>]
> (Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200):
> Requesting info about [jgoddard@internal.emerlyn.com]
> (Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400):
> Returning info for user [jgoddard@internal.emerlyn.com]
> (Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
> Retrieving rules for [jgoddard] from [internal.emerlyn.com]
> (Thu Aug 11 12:21:43 2016) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*))(&(dataExpireTimestamp<=1470932503)))]
> (Thu Aug 11 12:21:43 2016) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*)))]
> (Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400):
> Sorting rules with higher-wins logic
> (Thu Aug 11 12:21:43 2016) [sssd[sudo]]
> [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for
> [jgoddard@internal.emerlyn.com]
> (Thu Aug 11 12:21:47 2016) [sssd[sudo]] [client_recv] (0x0200): Client
> disconnected!
> (Thu Aug 11 12:22:12 2016) [sssd[sudo]] [accept_fd_handler] (0x0400):
> Client connected!
> (Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_cmd_get_version]
> (0x0200): Received client version [1].
> (Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_cmd_get_version]
> (0x0200): Offered version [1].
> (Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): name 'jgoddard' matched without domain, user is jgoddard
> (Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): name 'jgoddard' matched without domain, user is jgoddard
> (Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
> (0x0200): Requesting default options for [jgoddard] from [<ALL>]
> (Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200):
> Requesting info about [jgoddard@internal.emerlyn.com]
> (Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400):
> Returning info for user [jgoddard@internal.emerlyn.com]
> (Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
> Retrieving default options for [jgoddard] from [internal.emerlyn.com]
> (Thu Aug 11 12:22:12 2016) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*))(&(dataExpireTimestamp<=1470932532)))]
> (Thu Aug 11 12:22:12 2016) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(name=defaults)))]
> (Thu Aug 11 12:22:12 2016) [sssd[sudo]]
> [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for
> [<default options>@internal.emerlyn.com]
> (Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): name 'jgoddard' matched without domain, user is jgoddard
> (Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): name 'jgoddard' matched without domain, user is jgoddard
> (Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
> (0x0200): Requesting rules for [jgoddard] from [<ALL>]
> (Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200):
> Requesting info about [jgoddard@internal.emerlyn.com]
> (Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400):
> Returning info for user [jgoddard@internal.emerlyn.com]
> (Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
> Retrieving rules for [jgoddard] from [internal.emerlyn.com]
> (Thu Aug 11 12:22:12 2016) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*))(&(dataExpireTimestamp<=1470932532)))]
> (Thu Aug 11 12:22:12 2016) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*)))]
> (Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400):
> Sorting rules with higher-wins logic
> (Thu Aug 11 12:22:12 2016) [sssd[sudo]]
> [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for
> [jgoddard@internal.emerlyn.com]
>
> On Thu, Aug 11, 2016 at 2:15 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Jeff Goddard wrote:
>
> I've looked through these but not found anything helpful. It appears as
> though my previous statement about the 1 group being found was
> misleading as the sssd.$mydomain.com.log file reports that no sudo rules
> are found. Does this mean that the LDAP tree being searched is different
> on ubuntu vs centos?
>
>
> I find that extremely unlikely.
>
> You may want to outline more what you've already checked.
>
> For example, is sss in sudoers in /etc/nsswitch.conf?
>
> You can check the 389-ds access log to see what, if any, queries
> are being made. I'd clean the sssd cache in advance.
>
> rob
>
>
> Jeff
>
> On Wed, Aug 10, 2016 at 2:13 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Jeff Goddard wrote:
>
> Sean,
>
> Thanks for the reply. I don't think that's my problem but I'm posting a
> redacted copy of the sssd.conf file for review below.
>
>
> I'd start here:
> https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>
> rob
>
> --
> Jeff Goddard
> Director of Information Technology
> Emerlyn Technology
>
> Email: jgoddard at emerlyn.com
> Telephone: (603) 447-8571
> Toll free: (888) 363-7596 ext. 108
> Fax: (603) 356-3346