[Freeipa-users] SSSD does not fetch Sudo Rules anymore

Zoske, Fabian f.zoske at euroimmun.de
Mon Mar 7 10:12:00 UTC 2016


Hi,

I looked in the sudo_debug log and found the following line:
Mar  7 11:00:08 sudo[31293] <- new_logline @ ./logging.c:867 := user NOT authorized on host ; TTY=pts/1 ; PWD=/home/<DOMAIN>/f.zoske ; USER=root ; COMMAND=/bin/bash

On our IPA-Server I have following rules:

HBAC:
Name: allow_all_admins
Who: Group: admins
Accessing: Any Host
Via Service: Any Service

SUDO:
Name: allow_all_all
Who: Group: admins
Access this host: Any Host
Run Commands: Any Command
As Whom: Anyone

In our setup I have an AD trust established to a multi-domain forest, and in our sssd.conf I had to adjust the UPN via the following lines (suggested by Jakub):
subdomain_inherit = ldap_user_principal 
ldap_user_principal = nosuchattr

Is anything of this related to the problem?
Shall I send you the log files of sssd and sudo?

Best regards,
Fabian


-----Original Message-----
From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
Sent: Monday, 7 March 2016 09:55
To: Zoske, Fabian
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] SSSD does not fetch Sudo Rules anymore

On Mon, 07 Mar 2016, Zoske, Fabian wrote:
>Thank you for your explanation.
>
>I looked in the sssd_<DOMAIN>.log and found the actual LDAP-Filter.
>The problem seems to be the first part again: (&(objectclass=sudoRole)(entryUSN>=485025)(!(entryUSN=485025))).
>In the LDAP-Tree I can't see any attribute named entryUSN.
>
>Is this related to the problem?
No, it is not. entryUSN is an attribute that is not stored in the entry; it is a feature that adds a monotonically increasing value to any update of an entry. It is used to check whether entries were changed since the last search.


--
/ Alexander Bokovoy
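The following is an added illustration of the mechanism Alexander describes; it is not code from the thread, from SSSD or from 389-ds. It models, in plain Python, how an entryUSN-based "smart refresh" decides which sudoRole entries to fetch: the filter SSSD logged, (&(objectclass=sudoRole)(entryUSN>=N)(!(entryUSN=N))), selects entries whose server-maintained entryUSN is strictly greater than the highest value seen on the previous run, so an unchanged entry is never returned again until a full refresh. The directory content and USN values are constructed; entryUSN is an operational attribute in 389-ds, so in a real ldapsearch it must be requested explicitly (e.g. with '+' or by name), which is why it does not show up in a default attribute listing.

```python
"""Model of an entryUSN-based incremental ("smart") refresh of sudo rules.

Constructed example, not SSSD or 389-ds code. It shows why the filter in
the thread returns nothing when no sudoRole entry has been modified
since the last recorded entryUSN.
"""
from dataclasses import dataclass, field


@dataclass
class SudoRole:
    cn: str
    entry_usn: int                      # server-assigned, bumped on every write
    sudo_user: list = field(default_factory=list)
    sudo_host: list = field(default_factory=list)
    sudo_command: list = field(default_factory=list)


# Constructed directory content, shaped like the rule from the thread.
DIRECTORY = [
    SudoRole("allow_all_all", 485025, ["%admins"], ["ALL"], ["ALL"]),
    SudoRole("allow_backup", 485030, ["%backup"], ["ALL"], ["/usr/bin/rsync"]),
]


def smart_refresh_filter(last_usn: int) -> str:
    """The filter logged in sssd_<DOMAIN>.log for a smart refresh.

    LDAP filters have no '>' operator, so "strictly greater than N" is
    written as (entryUSN>=N) combined with (!(entryUSN=N)).
    """
    return (f"(&(objectclass=sudoRole)(entryUSN>={last_usn})"
            f"(!(entryUSN={last_usn})))")


def full_refresh_filter() -> str:
    """A full refresh ignores entryUSN and fetches every rule."""
    return "(objectclass=sudoRole)"


def changed_since(entries, last_usn: int):
    """Entries the smart-refresh filter would return."""
    return [e for e in entries if e.entry_usn > last_usn]


def highest_usn(entries) -> int:
    """High-water mark to remember after a refresh (0 if nothing was seen)."""
    return max((e.entry_usn for e in entries), default=0)


def refresh_cycle(entries, cache: dict, last_usn: int):
    """One smart refresh: merge changed entries into the local cache.

    Returns (cache, new_last_usn). Note that an entry missing from the
    cache but with entry_usn <= last_usn is never fetched here; only a
    full refresh (full_refresh_filter) brings it back.
    """
    changed = changed_since(entries, last_usn)
    for e in changed:
        cache[e.cn] = e
    return cache, max(last_usn, highest_usn(changed))


def modify_rule(entries, cn: str, next_usn: int) -> None:
    """Simulate a server-side write: the touched entry gets a new, larger USN."""
    for e in entries:
        if e.cn == cn:
            assert next_usn > e.entry_usn, "USN must increase monotonically"
            e.entry_usn = next_usn


if __name__ == "__main__":
    # Full refresh: everything is fetched, high-water mark becomes 485030.
    cache = {e.cn: e for e in DIRECTORY}
    last = highest_usn(DIRECTORY)
    print(full_refresh_filter(), "->", sorted(cache))

    # Smart refresh with nothing modified: filter matches no entry.
    print(smart_refresh_filter(last), "->", changed_since(DIRECTORY, last))

    # An admin edits allow_all_all; only that entry comes back.
    modify_rule(DIRECTORY, "allow_all_all", 485041)
    cache, last = refresh_cycle(DIRECTORY, cache, last)
    print(smart_refresh_filter(485030), "->", [e.cn for e in changed_since(DIRECTORY, 485030)], last)
```

When debugging "rules not fetched" with SSSD, this is the reason to compare the entryUSN in the logged filter with the live entryUSN of the rules (requested explicitly in ldapsearch) and, if they are equal, to trigger a full refresh rather than waiting for the smart one; SSSD's ldap_sudo_full_refresh_interval and ldap_sudo_smart_refresh_interval options control how often each kind runs.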
