[Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

Nathan Peters Nathan.Peters at globalrelay.net
Fri Jun 10 21:05:59 UTC 2016


This is definitely an actual problem.

Can someone please take a look at this and confirm that it is a bug in CentOS 6.8?

In order to confirm that it was not our Katello installation that was causing this, I created a brand new centOS 6.8 installation by downloading the DVD from centos.org.

I selected a minimal installation, and upon install, I just ran the following 2 commands (nothing else has been done to this system):
# yum -y install ipa-client
# ipa-client-install --enable-dns-updates --mkhomedir

Then I tried to login using a FreeIPA account that is a member of both hbac and sudo access to all rules and it succeeded.

Then I tried to sudo and it prompted me for a password and then claimed I was not allowed to run sudo.

login as: nathan.peters
nathan.peters at 10.178.17.15's password:
Creating home directory for nathan.peters.
[nathan.peters at centos68test ~]$ sudo su -

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for nathan.peters:
nathan.peters is not allowed to run sudo on centos68test.  This incident will be reported.
[nathan.peters at centos68test ~]$

Has anyone actually gotten sudo working on CentOS 6.8?  I'd love to hear how because I have a 100% failure rate for this no matter what provisioning method I use...


-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Nathan Peters
Sent: Wednesday, June 8, 2016 11:14 AM
To: Jakub Hrozek; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

I'm pretty lost here.  I tried following the directions on that page but the results still make no sense to me.  From what I can see, the account is successfully authorized, and the groups that I am part of are found and some sudo rules are found, but then I am denied access for no reason.  This is not working on any CentOS 6.8 server, and working properly on all previous versions of CentOS.  I have tried several steps including deleting and re-creating the 6.8 hosts, and unjoining them and re-joining them to the domain.  Nothing helps.

========== /var/log/sudo_debug ======================

Jun  8 16:56:01 sudo[7277] <- sudo_pam_verify @ ./auth/pam.c:138 := 0
Jun  8 16:56:01 sudo[7277] <- verify_user @ ./auth/sudo_auth.c:282 := 1
Jun  8 16:56:01 sudo[7277] -> sudo_auth_cleanup @ ./auth/sudo_auth.c:160
Jun  8 16:56:01 sudo[7277] -> sudo_pam_cleanup @ ./auth/pam.c:185
Jun  8 16:56:01 sudo[7277] <- sudo_pam_cleanup @ ./auth/pam.c:189 := 0
Jun  8 16:56:01 sudo[7277] <- sudo_auth_cleanup @ ./auth/sudo_auth.c:177 := 0
Jun  8 16:56:01 sudo[7277] -> sudo_pw_delref @ ./pwutil.c:249
Jun  8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
Jun  8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
Jun  8 16:56:01 sudo[7277] <- sudo_pw_delref @ ./pwutil.c:251
Jun  8 16:56:01 sudo[7277] <- check_user @ ./check.c:189 := true
Jun  8 16:56:01 sudo[7277] -> log_failure @ ./logging.c:318
Jun  8 16:56:01 sudo[7277] -> log_denial @ ./logging.c:256
Jun  8 16:56:01 sudo[7277] -> audit_failure @ ./audit.c:68
Jun  8 16:56:01 sudo[7277] -> linux_audit_command @ ./linux_audit.c:70
Jun  8 16:56:01 sudo[7277] -> linux_audit_open @ ./linux_audit.c:49
Jun  8 16:56:01 sudo[7277] <- linux_audit_open @ ./linux_audit.c:61 := 15
Jun  8 16:56:01 sudo[7277] <- linux_audit_command @ ./linux_audit.c:97 := 3
Jun  8 16:56:01 sudo[7277] <- audit_failure @ ./audit.c:81
Jun  8 16:56:01 sudo[7277] -> new_logline @ ./logging.c:746
Jun  8 16:56:01 sudo[7277] <- new_logline @ ./logging.c:867 := user NOT authorized on host ; TTY=pts/1 ; PWD=/home/nathan.peters ; USER=root ; COMMAND=/bin/su -
Jun  8 16:56:01 sudo[7277] -> should_mail @ ./logging.c:712
Jun  8 16:56:01 sudo[7277] <- should_mail @ ./logging.c:717 := false
Jun  8 16:56:01 sudo[7277] -> do_syslog @ ./logging.c:138
Jun  8 16:56:01 sudo[7277] -> mysyslog @ ./logging.c:96
Jun  8 16:56:01 sudo[7277] <- mysyslog @ ./logging.c:119
Jun  8 16:56:01 sudo[7277] <- do_syslog @ ./logging.c:185
Jun  8 16:56:01 sudo[7277] <- log_denial @ ./logging.c:309
Jun  8 16:56:01 sudo[7277] <- log_failure @ ./logging.c:341
Jun  8 16:56:01 sudo[7277] -> rewind_perms @ ./set_perms.c:90
Jun  8 16:56:01 sudo[7277] -> restore_perms @ ./set_perms.c:363
Jun  8 16:56:01 sudo[7277] restore_perms: uid: [756600344, 0, 0] -> [756600344, 0, 0]
Jun  8 16:56:01 sudo[7277] restore_perms: gid: [756600344, 756600344, 756600344] -> [756600344, 756600344, 756600344]
Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816
Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818
Jun  8 16:56:01 sudo[7277] <- restore_perms @ ./set_perms.c:407
Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816
Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818
Jun  8 16:56:01 sudo[7277] <- rewind_perms @ ./set_perms.c:96
Jun  8 16:56:01 sudo[7277] -> sudo_endpwent @ ./pwutil.c:443
Jun  8 16:56:01 sudo[7277] -> sudo_freepwcache @ ./pwutil.c:426
Jun  8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
Jun  8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
Jun  8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
Jun  8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
Jun  8 16:56:01 sudo[7277] <- sudo_freepwcache @ ./pwutil.c:437
Jun  8 16:56:01 sudo[7277] <- sudo_endpwent @ ./pwutil.c:448
Jun  8 16:56:01 sudo[7277] -> sudo_endgrent @ ./pwutil.c:861
Jun  8 16:56:01 sudo[7277] -> sudo_freegrcache @ ./pwutil.c:840
Jun  8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
Jun  8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ ./pwutil.c:657
Jun  8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ ./pwutil.c:662
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ ./pwutil.c:657
Jun  8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ ./pwutil.c:662
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
Jun  8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
Jun  8 16:56:01 sudo[7277] <- sudo_freegrcache @ ./pwutil.c:855
Jun  8 16:56:01 sudo[7277] <- sudo_endgrent @ ./pwutil.c:866
Jun  8 16:56:01 sudo[7277] <- sudoers_policy_main @ ./sudoers.c:753 := false
Jun  8 16:56:01 sudo[7277] <- sudoers_policy_check @ ./sudoers.c:766 := false
Jun  8 16:56:01 sudo[7277] <- policy_check @ ./sudo.c:1204 := false
Jun  8 16:56:01 sudo[7277] policy plugin returns 0

============== /var/log/sssd/sssd_sudo.log =====================

(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [nathan.peters] from [<ALL>]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [nathan.peters at dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [nathan.peters at dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [nathan.peters] from [dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [nathan.peters] from [<ALL>]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [nathan.peters at dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [nathan.peters at dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [nathan.peters] from [dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 2 rules for [nathan.peters at dev-mydomain.net]
(Wed Jun  8 17:39:16 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Wed Jun  8 17:39:16 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jun  8 17:39:17 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Wed Jun  8 17:39:17 2016) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x1091360][17]
(Wed Jun  8 17:39:26 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Wed Jun  8 17:39:26 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit

============= /var/log/sssd/sssd_mydomain.log ==============

(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=deployment_engineer]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 14 timeout 6
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xebb690], ldap[0xea8500]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 14 finished
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=sysadmins]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 15 timeout 6
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xeaaf30], ldap[0xea8500]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 15 finished
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!

===== output of ldap query manually copied from the sssd_sudo.log: first search returns nothing, second search returns 2 rules ==================

[root at cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))'
asq: Unable to register control with rootdse!
# returned 0 records
# 0 entries
# 0 referrals


[root at cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))'
asq: Unable to register control with rootdse!
# record 1
dn: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
cn: s_allow_deployment_engineer_to_all
dataExpireTimestamp: 1465412946
name: s_allow_deployment_engineer_to_all
objectClass: sudoRule
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoRunAsGroup: ALL
sudoRunAsUser: ALL
sudoUser: %deployment_engineer
distinguishedName: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=cus
 tom,cn=dev-mydomain.net,cn=sysdb

# record 2
dn: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
cn: s_allow_sysadmins_to_all
dataExpireTimestamp: 1465412946
name: s_allow_sysadmins_to_all
objectClass: sudoRule
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoRunAsGroup: ALL
sudoRunAsUser: ALL
sudoUser: %sysadmins
distinguishedName: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev
 -mydomain.net,cn=sysdb

# returned 2 records
# 2 entries
# 0 referrals

====== output of ldap query against directory for search used in the sssd_domain.log ===========

[root at cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
# extended LDIF
#
# LDAPv3
# base <cn=accounts,dc=dev-mydomain,dc=net> with scope subtree
# filter: (&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

[root at cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
# extended LDIF
#
# LDAPv3
# base <cn=accounts,dc=dev-mydomain,dc=net> with scope subtree
# filter: (&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1



-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jakub Hrozek
Sent: Tuesday, June 7, 2016 1:43 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

On Tue, Jun 07, 2016 at 08:21:21PM +0000, Nathan Peters wrote:
> I have a fresh installation of CentOS 6.8 joined to a FreeIPA 4.3.0 domain on Fedora 23.
> 
> When I try to sudo on this host, it fails.  Here are the log entries from /var/log/secure.  Note that we have several hundred CentOS 6.5-6.7 machines where this works fine.
> 
> Is this a new bug in CentOS 6.8?

It's true that in 6.8, the sudo part was changed quite a bit, but we haven't heard about any bugs so far. Could you please follow:
    https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
and also:
    https://fedorahosted.org/sssd/wiki/Troubleshooting
to inspect SSSD logs? For authentication failures you'll probably want to take a look at the domain logs and maybe the krb5_child.log.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

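The triage the thread does by hand (reading the sudoUser=%group terms out of the sssd_sudo.log sysdb filter, then checking in the domain log whether each BE_REQ_GROUP lookup came back with 0 results) can be scripted; the block below is an added example, not code from the thread or from SSSD. The sample log lines are constructed and shortened from the excerpts above (the `developers` lookup with 1 result is invented for contrast); note that the backend filter on the page requires a non-zero gidNumber, so a 0-result group lookup means the group was not found as a POSIX group, and a %group sudo rule cannot match it.

```python
import re
from typing import Dict, List, Set

# Constructed sample lines modelled on the thread's sssd_sudo.log excerpt
# (shortened; not the original file contents).
SUDO_LOG = """\
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 2 rules for [nathan.peters@dev-mydomain.net]
"""

# Constructed sample lines modelled on the thread's sssd_<domain>.log excerpt.
# The 'developers' lookup returning 1 result is invented to show a resolved group.
DOMAIN_LOG = """\
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=deployment_engineer]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=sysadmins]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=developers]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
"""

GROUP_REQ = re.compile(r"BE_REQ_GROUP\]\[\d+\]\[name=([^\]]+)\]")
GROUP_RESULT = re.compile(r"Search for groups, returned (\d+) results")
SUDOUSER_GROUP = re.compile(r"\(sudoUser=%([^)]+)\)")
RULES_RETURNED = re.compile(r"Returning (\d+) rules for \[([^\]]+)\]")


def group_lookup_results(domain_log: str) -> Dict[str, int]:
    """Pair each BE_REQ_GROUP request with the next 'Search for groups' result line."""
    results: Dict[str, int] = {}
    pending = None
    for line in domain_log.splitlines():
        m = GROUP_REQ.search(line)
        if m:
            pending = m.group(1)
            continue
        m = GROUP_RESULT.search(line)
        if m and pending is not None:
            results[pending] = int(m.group(1))
            pending = None
    return results


def groups_in_sudo_query(sudo_log: str) -> Set[str]:
    """Group names the sudo responder matched rules on (the %group terms of the sysdb filter)."""
    groups: Set[str] = set()
    for line in sudo_log.splitlines():
        groups.update(SUDOUSER_GROUP.findall(line))
    return groups


def rules_returned(sudo_log: str) -> Dict[str, int]:
    """How many cached rules the responder handed back, keyed by the requesting principal."""
    out: Dict[str, int] = {}
    for line in sudo_log.splitlines():
        m = RULES_RETURNED.search(line)
        if m:
            out[m.group(2)] = int(m.group(1))
    return out


def unresolved_groups(sudo_log: str, domain_log: str) -> List[str]:
    """Groups referenced by %group sudo terms whose backend lookup ran and found nothing.

    Groups that were never looked up in the domain log are not reported."""
    wanted = groups_in_sudo_query(sudo_log)
    lookups = group_lookup_results(domain_log)
    return sorted(g for g in wanted if lookups.get(g) == 0)


if __name__ == "__main__":
    print("rules returned:", rules_returned(SUDO_LOG))
    print("group lookups:", group_lookup_results(DOMAIN_LOG))
    print("rule groups the backend could not resolve:", unresolved_groups(SUDO_LOG, DOMAIN_LOG))
```

Run it against real files by reading /var/log/sssd/sssd_sudo.log and the domain log into the two string arguments; a non-empty result from `unresolved_groups` is the mismatch to chase (rules returned for the user, but the groups they key on were not resolvable as POSIX groups).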