[Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

Nathan Peters Nathan.Peters at globalrelay.net
Wed Jun 8 18:14:04 UTC 2016


I'm pretty lost here.  I tried following the directions on that page but the results still make no sense to me.  From what I can see, the account is successfully authorized, and the groups that I am part of are found and some sudo rules are found, but then I am denied access for no reason.  This is not working on any CentOS 6.8 server, and working properly on all previous versions of CentOS.  I have tried several steps including deleting and re-creating the 6.8 hosts, and unjoining them and re-joining them to the domain.  Nothing helps.

========== /var/log/sudo_debug ======================

Jun  8 16:56:01 sudo[7277] <- sudo_pam_verify @ ./auth/pam.c:138 := 0
Jun  8 16:56:01 sudo[7277] <- verify_user @ ./auth/sudo_auth.c:282 := 1
Jun  8 16:56:01 sudo[7277] -> sudo_auth_cleanup @ ./auth/sudo_auth.c:160
Jun  8 16:56:01 sudo[7277] -> sudo_pam_cleanup @ ./auth/pam.c:185
Jun  8 16:56:01 sudo[7277] <- sudo_pam_cleanup @ ./auth/pam.c:189 := 0
Jun  8 16:56:01 sudo[7277] <- sudo_auth_cleanup @ ./auth/sudo_auth.c:177 := 0
Jun  8 16:56:01 sudo[7277] -> sudo_pw_delref @ ./pwutil.c:249
Jun  8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
Jun  8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
Jun  8 16:56:01 sudo[7277] <- sudo_pw_delref @ ./pwutil.c:251
Jun  8 16:56:01 sudo[7277] <- check_user @ ./check.c:189 := true
Jun  8 16:56:01 sudo[7277] -> log_failure @ ./logging.c:318
Jun  8 16:56:01 sudo[7277] -> log_denial @ ./logging.c:256
Jun  8 16:56:01 sudo[7277] -> audit_failure @ ./audit.c:68
Jun  8 16:56:01 sudo[7277] -> linux_audit_command @ ./linux_audit.c:70
Jun  8 16:56:01 sudo[7277] -> linux_audit_open @ ./linux_audit.c:49
Jun  8 16:56:01 sudo[7277] <- linux_audit_open @ ./linux_audit.c:61 := 15
Jun  8 16:56:01 sudo[7277] <- linux_audit_command @ ./linux_audit.c:97 := 3
Jun  8 16:56:01 sudo[7277] <- audit_failure @ ./audit.c:81
Jun  8 16:56:01 sudo[7277] -> new_logline @ ./logging.c:746
Jun  8 16:56:01 sudo[7277] <- new_logline @ ./logging.c:867 := user NOT authorized on host ; TTY=pts/1 ; PWD=/home/nathan.peters ; USER=root ; COMMAND=/bin/su -
Jun  8 16:56:01 sudo[7277] -> should_mail @ ./logging.c:712
Jun  8 16:56:01 sudo[7277] <- should_mail @ ./logging.c:717 := false
Jun  8 16:56:01 sudo[7277] -> do_syslog @ ./logging.c:138
Jun  8 16:56:01 sudo[7277] -> mysyslog @ ./logging.c:96
Jun  8 16:56:01 sudo[7277] <- mysyslog @ ./logging.c:119
Jun  8 16:56:01 sudo[7277] <- do_syslog @ ./logging.c:185
Jun  8 16:56:01 sudo[7277] <- log_denial @ ./logging.c:309
Jun  8 16:56:01 sudo[7277] <- log_failure @ ./logging.c:341
Jun  8 16:56:01 sudo[7277] -> rewind_perms @ ./set_perms.c:90
Jun  8 16:56:01 sudo[7277] -> restore_perms @ ./set_perms.c:363
Jun  8 16:56:01 sudo[7277] restore_perms: uid: [756600344, 0, 0] -> [756600344, 0, 0]
Jun  8 16:56:01 sudo[7277] restore_perms: gid: [756600344, 756600344, 756600344] -> [756600344, 756600344, 756600344]
Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816
Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818
Jun  8 16:56:01 sudo[7277] <- restore_perms @ ./set_perms.c:407
Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816
Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818
Jun  8 16:56:01 sudo[7277] <- rewind_perms @ ./set_perms.c:96
Jun  8 16:56:01 sudo[7277] -> sudo_endpwent @ ./pwutil.c:443
Jun  8 16:56:01 sudo[7277] -> sudo_freepwcache @ ./pwutil.c:426
Jun  8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
Jun  8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
Jun  8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
Jun  8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
Jun  8 16:56:01 sudo[7277] <- sudo_freepwcache @ ./pwutil.c:437
Jun  8 16:56:01 sudo[7277] <- sudo_endpwent @ ./pwutil.c:448
Jun  8 16:56:01 sudo[7277] -> sudo_endgrent @ ./pwutil.c:861
Jun  8 16:56:01 sudo[7277] -> sudo_freegrcache @ ./pwutil.c:840
Jun  8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
Jun  8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ ./pwutil.c:657
Jun  8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ ./pwutil.c:662
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ ./pwutil.c:657
Jun  8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ ./pwutil.c:662
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
Jun  8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
Jun  8 16:56:01 sudo[7277] <- sudo_freegrcache @ ./pwutil.c:855
Jun  8 16:56:01 sudo[7277] <- sudo_endgrent @ ./pwutil.c:866
Jun  8 16:56:01 sudo[7277] <- sudoers_policy_main @ ./sudoers.c:753 := false
Jun  8 16:56:01 sudo[7277] <- sudoers_policy_check @ ./sudoers.c:766 := false
Jun  8 16:56:01 sudo[7277] <- policy_check @ ./sudo.c:1204 := false
Jun  8 16:56:01 sudo[7277] policy plugin returns 0

============== /var/log/sssd/sssd_sudo.log =====================

(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [nathan.peters] from [<ALL>]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [nathan.peters at dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [nathan.peters at dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [nathan.peters] from [dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [nathan.peters] from [<ALL>]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [nathan.peters at dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [nathan.peters at dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [nathan.peters] from [dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 2 rules for [nathan.peters at dev-mydomain.net]
(Wed Jun  8 17:39:16 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Wed Jun  8 17:39:16 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jun  8 17:39:17 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Wed Jun  8 17:39:17 2016) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x1091360][17]
(Wed Jun  8 17:39:26 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Wed Jun  8 17:39:26 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit

============= /var/log/sssd/sssd_mydomain.log ==============

(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=deployment_engineer]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 14 timeout 6
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xebb690], ldap[0xea8500]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 14 finished
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=sysadmins]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 15 timeout 6
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xeaaf30], ldap[0xea8500]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 15 finished
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!

===== output of ldap query manually copied from the sssd_sudo.log: first search returns nothing, second search returns 2 rules ==================

[root at cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))'
asq: Unable to register control with rootdse!
# returned 0 records
# 0 entries
# 0 referrals


[root at cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))'
asq: Unable to register control with rootdse!
# record 1
dn: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
cn: s_allow_deployment_engineer_to_all
dataExpireTimestamp: 1465412946
name: s_allow_deployment_engineer_to_all
objectClass: sudoRule
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoRunAsGroup: ALL
sudoRunAsUser: ALL
sudoUser: %deployment_engineer
distinguishedName: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=cus
 tom,cn=dev-mydomain.net,cn=sysdb

# record 2
dn: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
cn: s_allow_sysadmins_to_all
dataExpireTimestamp: 1465412946
name: s_allow_sysadmins_to_all
objectClass: sudoRule
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoRunAsGroup: ALL
sudoRunAsUser: ALL
sudoUser: %sysadmins
distinguishedName: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev
 -mydomain.net,cn=sysdb

# returned 2 records
# 2 entries
# 0 referrals

====== output of ldap query against directory for search used in the sssd_domain.log ===========

[root at cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
# extended LDIF
#
# LDAPv3
# base <cn=accounts,dc=dev-mydomain,dc=net> with scope subtree
# filter: (&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

[root at cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
# extended LDIF
#
# LDAPv3
# base <cn=accounts,dc=dev-mydomain,dc=net> with scope subtree
# filter: (&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1



-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jakub Hrozek
Sent: Tuesday, June 7, 2016 1:43 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

On Tue, Jun 07, 2016 at 08:21:21PM +0000, Nathan Peters wrote:
> I have a fresh installation of CentOS 6.8 joined to a FreeIPA 4.3.0 domain on Fedora 23.
> 
> When I try to sudo on this host, it fails.  Here are the log entries from /var/log/secure.  Note that we have several hundred CentOS 6.5-6.7 machines where this works fine.
> 
> Is this a new bug in CentOS 6.8?

It's true that in 6.8, the sudo part was changed quite a bit, but we haven't heard about any bugs so far. Could you please follow:
    https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
and also:
    https://fedorahosted.org/sssd/wiki/Troubleshooting
to inspect SSSD logs? For authentication failures you'll probably want to take a look at the domain logs and maybe the krb5_child.log.
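The three artefacts quoted above (the sudo responder log, the domain backend log and the cached rules from ldbsearch) can be correlated mechanically. As an added example, not code from the thread or from SSSD, the script below flags cached rules whose %group principals the backend resolved to zero LDAP results; the log patterns and the constructed sample lines are assumptions modelled on the excerpts above.

```python
import re

# Constructed sample lines, shortened from the logs and ldbsearch output quoted in the thread.
SUDO_LOG = """\
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 2 rules for [nathan.peters at dev-mydomain.net]
"""
DOMAIN_LOG = """\
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=deployment_engineer]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=sysadmins]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=developers]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
"""
RULES_LDIF = """\
dn: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
sudoUser: %deployment_engineer
distinguishedName: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=cus
 tom,cn=dev-mydomain.net,cn=sysdb

dn: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
sudoUser: %sysadmins
"""

# Patterns assumed from the excerpts above; adjust if your SSSD version words them differently.
RULES_RETURNED = re.compile(r"\[sudosrv_get_sudorules_from_cache\].*Returning (\d+) rules")
GROUP_REQ = re.compile(r"\[be_get_account_info\].*BE_REQ_GROUP.*\[name=([^\]]+)\]")
GROUP_RES = re.compile(r"\[sdap_get_groups_process\].*returned (\d+) results")

def rules_returned(sudo_log):
    """Number of rules the sudo responder last handed to sudo (0 if none)."""
    hits = RULES_RETURNED.findall(sudo_log)
    return int(hits[-1]) if hits else 0

def group_lookups(domain_log):
    """Group name -> LDAP result count, pairing each BE_REQ_GROUP request with the next search result."""
    results, pending = {}, None
    for line in domain_log.splitlines():
        req = GROUP_REQ.search(line)
        if req:
            pending = req.group(1)
            continue
        res = GROUP_RES.search(line)
        if res and pending is not None:
            results[pending] = int(res.group(1))
            pending = None
    return results

def parse_rules(ldif):
    """Rule name -> sudoUser values; unfolds LDIF continuation lines (leading space) as ldbsearch emits them."""
    unfolded = []
    for line in ldif.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]   # continuation of the previous attribute
        else:
            unfolded.append(line)
    rules, current = {}, None
    for line in unfolded:
        if line.startswith("dn: name="):
            current = line[len("dn: name="):].split(",", 1)[0]
            rules[current] = []
        elif line.startswith("sudoUser: ") and current:
            rules[current].append(line[len("sudoUser: "):])
    return rules

def unresolvable_rules(rules, lookups):
    """Rules whose principals are all %groups the backend resolved to 0 results: sudo can never match them."""
    bad = []
    for name, users in rules.items():
        groups = [u[1:] for u in users if u.startswith("%")]
        if users and len(groups) == len(users) and all(lookups.get(g) == 0 for g in groups):
            bad.append((name, groups))
    return bad
```

Run it against real copies of sssd_sudo.log, the domain log and an ldbsearch dump to see which of the returned rules depend on a group the backend could not find.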
