[Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

Nathan Peters Nathan.Peters at globalrelay.net
Mon Jun 13 21:17:40 UTC 2016


There doesn't seem to be an option to add POSIX attributes to my sudo rules.

Which attributes should I be adding and how?

-----Original Message-----
From: Jakub Hrozek [mailto:jhrozek at redhat.com] 
Sent: Monday, June 13, 2016 1:57 PM
To: Nathan Peters
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

On Mon, Jun 13, 2016 at 05:30:16PM +0000, Nathan Peters wrote:
> All group lists return correctly when using the ipa group-show command.
> 
> Like I said, there is definitely something wrong with CentOS 6.8 because all group lists are correct.  This was done on one of the CentOS 6.8 servers so we know that the server can retrieve the group lists properly.

We had a similar report (untriaged yet) where adding POSIX attributes made the difference. Could you test if also in your environment adding the POSIX attributes makes the rules work?


(It would be a bug nonetheless, but it's worth trying so that we pinpoint the issue)

> 
> [nathan.peters@cass1 ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_756600344
> Default principal: admin@DEV-MYDOMAIN.NET
> 
> Valid starting     Expires            Service principal
> 06/13/16 17:21:56  06/14/16 17:21:41  krbtgt/DEV-MYDOMAIN.NET@DEV-MYDOMAIN.NET
> [nathan.peters@cass1 ~]$ ipa group-show --all deployment_engineer ipa group-show --all sysadmins ipa group-show --raw deployment_engineer ipa group-show --raw sysadmins
> ipa: ERROR: command 'group_show' takes at most 1 argument
> [nathan.peters@cass1 ~]$ ipa group-show --all deployment_engineer
>   dn: cn=deployment_engineer,cn=groups,cn=accounts,dc=dev-mydomain,dc=net
>   Group name: deployment_engineer
>   Description: deployment engineers
>   Member users: nathan.peters, <other users - removed for privacy>
>   Member of groups: admins
>   Roles: DNS Administrator
>   Member of Sudo rule: s_allow_deployment_engineer_to_all
>   Member of HBAC rule: allow_deployment_engineer_to_all
>   ipauniqueid: 8bba7068-04c8-11e5-931d-005056b71d17
>   objectclass: top, ipaobject, groupofnames, ipausergroup, nestedgroup
> [nathan.peters@cass1 ~]$ ipa group-show --all sysadmins
>   dn: cn=sysadmins,cn=groups,cn=accounts,dc=dev-mydomain,dc=net
>   Group name: sysadmins
>   Description: System Administrators
>   Member users: nathan.peters, <other valid users removed for privacy>
>   Member of groups: admins
>   Member of Sudo rule: s_allow_sysadmins_to_all
>   Member of HBAC rule: allow_sysadmins_to_all
>   ipauniqueid: 828754c0-04c8-11e5-988f-005056b71d17
>   objectclass: top, ipaobject, groupofnames, ipausergroup, nestedgroup
> [nathan.peters@cass1 ~]$ ipa group-show --raw deployment_engineer
>   cn: deployment_engineer
>   description: deployment engineers
>   member: uid=nathan.peters,cn=users,cn=accounts,dc=dev-mydomain,dc=net
>   <other valid member lines removed for privacy>
> [nathan.peters@cass1 ~]$ ipa group-show --raw sysadmins
>   cn: sysadmins
>   description: System Administrators
>   member: uid=nathan.peters,cn=users,cn=accounts,dc=dev-mydomain,dc=net
>   <other users removed for privacy>
> [nathan.peters@cass1 ~]$
> 
> -----Original Message-----
> From: Lukas Slebodnik [mailto:lslebodn at redhat.com]
> Sent: Saturday, June 11, 2016 2:02 AM
> To: Nathan Peters
> Cc: Jakub Hrozek; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails
> 
> On (08/06/16 18:14), Nathan Peters wrote:
> >I'm pretty lost here.  I tried following the directions on that page 
> >but the results still make no sense to me.  From what I can see, the 
> >account is successfully authorized, and the groups that I am part of 
> >are found and some sudo rules are found, but then I am denied access 
> >for no reason.  This is not working on any CentOS 6.8 server, and 
> >working properly on all previous versions of CentOS.  I have tried 
> >several steps including deleting and re-creating the 6.8 hosts, and 
> >unjoining them and re-joining them to the domain.  Nothing helps
> >
> >========== /var/log/sudo_debug ======================
> >
> >Jun  8 16:56:01 sudo[7277] <- sudo_pam_verify @ ./auth/pam.c:138 := 0
> >Jun  8 16:56:01 sudo[7277] <- verify_user @ ./auth/sudo_auth.c:282 := 1
> >Jun  8 16:56:01 sudo[7277] -> sudo_auth_cleanup @ ./auth/sudo_auth.c:160
> >Jun  8 16:56:01 sudo[7277] -> sudo_pam_cleanup @ ./auth/pam.c:185
> >Jun  8 16:56:01 sudo[7277] <- sudo_pam_cleanup @ ./auth/pam.c:189 := 0
> >Jun  8 16:56:01 sudo[7277] <- sudo_auth_cleanup @ ./auth/sudo_auth.c:177 := 0
> >Jun  8 16:56:01 sudo[7277] -> sudo_pw_delref @ ./pwutil.c:249
> >Jun  8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
> >Jun  8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
> >Jun  8 16:56:01 sudo[7277] <- sudo_pw_delref @ ./pwutil.c:251
> >Jun  8 16:56:01 sudo[7277] <- check_user @ ./check.c:189 := true
> >Jun  8 16:56:01 sudo[7277] -> log_failure @ ./logging.c:318
> >Jun  8 16:56:01 sudo[7277] -> log_denial @ ./logging.c:256
> >Jun  8 16:56:01 sudo[7277] -> audit_failure @ ./audit.c:68
> >Jun  8 16:56:01 sudo[7277] -> linux_audit_command @ ./linux_audit.c:70
> >Jun  8 16:56:01 sudo[7277] -> linux_audit_open @ ./linux_audit.c:49
> >Jun  8 16:56:01 sudo[7277] <- linux_audit_open @ ./linux_audit.c:61 := 15
> >Jun  8 16:56:01 sudo[7277] <- linux_audit_command @ ./linux_audit.c:97 := 3
> >Jun  8 16:56:01 sudo[7277] <- audit_failure @ ./audit.c:81
> >Jun  8 16:56:01 sudo[7277] -> new_logline @ ./logging.c:746
> >Jun  8 16:56:01 sudo[7277] <- new_logline @ ./logging.c:867 := user NOT authorized on host ; TTY=pts/1 ; PWD=/home/nathan.peters ; USER=root ; COMMAND=/bin/su -
> >Jun  8 16:56:01 sudo[7277] -> should_mail @ ./logging.c:712
> >Jun  8 16:56:01 sudo[7277] <- should_mail @ ./logging.c:717 := false
> >Jun  8 16:56:01 sudo[7277] -> do_syslog @ ./logging.c:138
> >Jun  8 16:56:01 sudo[7277] -> mysyslog @ ./logging.c:96
> >Jun  8 16:56:01 sudo[7277] <- mysyslog @ ./logging.c:119
> >Jun  8 16:56:01 sudo[7277] <- do_syslog @ ./logging.c:185
> >Jun  8 16:56:01 sudo[7277] <- log_denial @ ./logging.c:309
> >Jun  8 16:56:01 sudo[7277] <- log_failure @ ./logging.c:341
> >Jun  8 16:56:01 sudo[7277] -> rewind_perms @ ./set_perms.c:90
> >Jun  8 16:56:01 sudo[7277] -> restore_perms @ ./set_perms.c:363
> >Jun  8 16:56:01 sudo[7277] restore_perms: uid: [756600344, 0, 0] -> [756600344, 0, 0]
> >Jun  8 16:56:01 sudo[7277] restore_perms: gid: [756600344, 756600344, 756600344] -> [756600344, 756600344, 756600344]
> >Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816
> >Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
> >Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
> >Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818
> >Jun  8 16:56:01 sudo[7277] <- restore_perms @ ./set_perms.c:407
> >Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816
> >Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
> >Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
> >Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818
> >Jun  8 16:56:01 sudo[7277] <- rewind_perms @ ./set_perms.c:96
> >Jun  8 16:56:01 sudo[7277] -> sudo_endpwent @ ./pwutil.c:443
> >Jun  8 16:56:01 sudo[7277] -> sudo_freepwcache @ ./pwutil.c:426
> >Jun  8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
> >Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun  8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
> >Jun  8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
> >Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun  8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
> >Jun  8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
> >Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun  8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
> >Jun  8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
> >Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun  8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
> >Jun  8 16:56:01 sudo[7277] <- sudo_freepwcache @ ./pwutil.c:437
> >Jun  8 16:56:01 sudo[7277] <- sudo_endpwent @ ./pwutil.c:448
> >Jun  8 16:56:01 sudo[7277] -> sudo_endgrent @ ./pwutil.c:861
> >Jun  8 16:56:01 sudo[7277] -> sudo_freegrcache @ ./pwutil.c:840
> >Jun  8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
> >Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun  8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
> >Jun  8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
> >Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun  8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ ./pwutil.c:657
> >Jun  8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ ./pwutil.c:662
> >Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun  8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ ./pwutil.c:657
> >Jun  8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ ./pwutil.c:662
> >Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun  8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
> >Jun  8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
> >Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
> >Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
> >Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
> >Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
> >Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun  8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
> >Jun  8 16:56:01 sudo[7277] <- sudo_freegrcache @ ./pwutil.c:855
> >Jun  8 16:56:01 sudo[7277] <- sudo_endgrent @ ./pwutil.c:866
> >Jun  8 16:56:01 sudo[7277] <- sudoers_policy_main @ ./sudoers.c:753 := false
> >Jun  8 16:56:01 sudo[7277] <- sudoers_policy_check @ ./sudoers.c:766 := false
> >Jun  8 16:56:01 sudo[7277] <- policy_check @ ./sudo.c:1204 := false
> >Jun  8 16:56:01 sudo[7277] policy plugin returns 0
> >
> >============== /var/log/sssd/sssd_sudo.log =====================
> >
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [nathan.peters] from [<ALL>]
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters]
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [nathan.peters@dev-mydomain.net]
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [nathan.peters@dev-mydomain.net]
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [nathan.peters] from [dev-mydomain.net]
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))]
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@dev-mydomain.net]
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [nathan.peters] from [<ALL>]
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters]
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [nathan.peters@dev-mydomain.net]
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [nathan.peters@dev-mydomain.net]
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [nathan.peters] from [dev-mydomain.net]
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))]
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))]
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 2 rules for [nathan.peters@dev-mydomain.net]
> >(Wed Jun  8 17:39:16 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
> >(Wed Jun  8 17:39:16 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> >(Wed Jun  8 17:39:17 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
> >(Wed Jun  8 17:39:17 2016) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x1091360][17]
> >(Wed Jun  8 17:39:26 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
> >(Wed Jun  8 17:39:26 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> >
> >============= /var/log/sssd/sssd_mydomain.log ==============
> >
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=deployment_engineer]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 14 timeout 6
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xebb690], ldap[0xea8500]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 14 finished
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
> It looks like group deployment_engineer cannot be found in IPA.
> 
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=sysadmins]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 15 timeout 6
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xeaaf30], ldap[0xea8500]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 15 finished
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
> It looks like group sysadmins cannot be found in IPA.
> 
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> >
> >===== output of ldap query manually copied from the sssd_sudo.log (first search returns nothing, second search returns 2 rules) ==================
> >
> >[root@cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))'
> >asq: Unable to register control with rootdse!
> ># returned 0 records
> ># 0 entries
> ># 0 referrals
> >
> >
> >[root@cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))'
> >asq: Unable to register control with rootdse!
> ># record 1
> >dn: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
> >cn: s_allow_deployment_engineer_to_all
> >dataExpireTimestamp: 1465412946
> >name: s_allow_deployment_engineer_to_all
> >objectClass: sudoRule
> >sudoCommand: ALL
> >sudoHost: ALL
> >sudoOption: !authenticate
> >sudoRunAsGroup: ALL
> >sudoRunAsUser: ALL
> >sudoUser: %deployment_engineer
> >distinguishedName: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
> >
> ># record 2
> >dn: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
> >cn: s_allow_sysadmins_to_all
> >dataExpireTimestamp: 1465412946
> >name: s_allow_sysadmins_to_all
> >objectClass: sudoRule
> >sudoCommand: ALL
> >sudoHost: ALL
> >sudoOption: !authenticate
> >sudoRunAsGroup: ALL
> >sudoRunAsUser: ALL
> >sudoUser: %sysadmins
> >distinguishedName: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
> >
> ># returned 2 records
> ># 2 entries
> ># 0 referrals
> >
> >====== output of ldap query against directory for search used in the sssd_domain.log ===========
> >
> >[root@cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
> ># extended LDIF
> >#
> ># LDAPv3
> ># base <cn=accounts,dc=dev-mydomain,dc=net> with scope subtree
> ># filter: (&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
> ># requesting: ALL
> >#
> >
> ># search result
> >search: 2
> >result: 0 Success
> >
> ># numResponses: 1
> >
> >[root@cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
> ># extended LDIF
> >#
> ># LDAPv3
> ># base <cn=accounts,dc=dev-mydomain,dc=net> with scope subtree
> ># filter: (&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
> ># requesting: ALL
> >#
> >
> >
> LDAP searches confirmed that it's not possible to find groups:
> deployment_engineer and sysadmins. But you used anonymous search.
> 
> It would be good if you could provide the output for the groups using the ipa command.
> 
> e.g.
> kinit admin
> ipa group-show --all deployment_engineer
> ipa group-show --all sysadmins
> ipa group-show --raw deployment_engineer
> ipa group-show --raw sysadmins
> 
> LS
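As an added example that is not from the thread or from the SSSD/FreeIPA projects, a small Python checker that applies Lukas's diagnosis from the client side: it pairs each group search in the sssd domain log with the result count SSSD reports and flags cached sudo rules whose only sudoUser entries are groups that came back with 0 results. The log lines and cache records are constructed samples modelled on the excerpts above; the group "developers" lookup and the "s_allow_developers_restart" rule are invented.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the sssd_<domain>.log excerpt in the thread: the first
# lookup is the failing one from the thread, the second (group "developers") is invented.
SAMPLE_DOMAIN_LOG = """\
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
(Wed Jun  8 17:39:13 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=developers)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
(Wed Jun  8 17:39:13 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
"""

# Constructed sample in the ldbsearch record format from the thread; record 2 is invented
# to show a rule that still matches through a direct user entry.
SAMPLE_SUDO_CACHE = """\
# record 1
dn: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
cn: s_allow_deployment_engineer_to_all
objectClass: sudoRule
sudoCommand: ALL
sudoHost: ALL
sudoUser: %deployment_engineer

# record 2
dn: name=s_allow_developers_restart,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
cn: s_allow_developers_restart
objectClass: sudoRule
sudoCommand: /sbin/service
sudoHost: ALL
sudoUser: %developers
sudoUser: nathan.peters
"""

# The group filter SSSD logs requires a non-zero gidNumber, so a non-POSIX IPA group
# (no posixGroup objectclass, no gidNumber) yields "returned 0 results".
SEARCH_RE = re.compile(r"\[sdap_get_generic_ext_step\] \(0x0400\): "
                       r"calling ldap_search_ext with \[\(&\(cn=([^)]+)\)")
RESULT_RE = re.compile(r"\[sdap_get_groups_process\] \(0x0400\): "
                       r"Search for groups, returned (\d+) results\.")

def group_lookup_results(log_text: str) -> Dict[str, int]:
    """Pair each group search in the domain log with the result count that follows it."""
    results: Dict[str, int] = {}
    pending = None
    for line in log_text.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            pending = m.group(1)
            continue
        m = RESULT_RE.search(line)
        if m and pending is not None:
            results[pending] = int(m.group(1))
            pending = None
    return results

def sudo_rules(ldif_text: str) -> Dict[str, List[str]]:
    """Map each cached sudoRule's cn to its sudoUser values (records are blank-line separated)."""
    rules: Dict[str, List[str]] = {}
    cn, users = None, []
    for raw in ldif_text.splitlines() + [""]:
        line = raw.strip()
        if not line:
            if cn is not None:
                rules[cn] = users
            cn, users = None, []
        elif line.startswith("cn: "):
            cn = line[len("cn: "):]
        elif line.startswith("sudoUser: "):
            users.append(line[len("sudoUser: "):])
    return rules

def rules_blocked_by_group_lookup(lookups: Dict[str, int],
                                  rules: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Rules that can only match through %group entries SSSD searched for and got 0 results."""
    blocked: Dict[str, List[str]] = {}
    for cn, users in rules.items():
        groups = [u[1:] for u in users if u.startswith("%")]
        if users and len(groups) == len(users) and all(lookups.get(g) == 0 for g in groups):
            blocked[cn] = groups
    return blocked

if __name__ == "__main__":
    report = rules_blocked_by_group_lookup(group_lookup_results(SAMPLE_DOMAIN_LOG),
                                           sudo_rules(SAMPLE_SUDO_CACHE))
    for rule, groups in report.items():
        print(f"{rule}: group lookup failed for {', '.join(groups)} (non-POSIX group?)")
```

On a real client, feed it /var/log/sssd/sssd_<domain>.log (debug_level high enough to show sdap_get_generic_ext_step) and the ldbsearch output of the sudorules cache; a flagged rule means sudo will deny even though ipa group-show lists the user as a member.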



