[Freeipa-users] FreeIPA sudo not working on Ubuntu Xenial, sssd version 1.13.4-1ubuntu1.1

Lukas Slebodnik lslebodn at redhat.com
Sat Jan 7 15:34:00 UTC 2017


On (06/01/17 17:15), James Harrison wrote:
>Any ideas?
>From: James Harrison <jamesaharrisonuk at yahoo.co.uk>
>To: "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>Sent: Thursday, 5 January 2017, 13:36
>Subject: FreeIPA sudo not working on Ubuntu Xenial, sssd version 1.13.4-1ubuntu1.1
>   
>Hi all, I am having problems with a FreeIPA client running Ubuntu Xenial.
>I can authenticate OK, I get a kerberos ticket, but cannot run sudo.
>I get 1 rule returned, which I expect.
>Many thanks, James Harrison
>
>
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [x_james.harrison at domain.com]
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [x_james.harrison] from [domain.com]
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1c11d70
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*))(&(dataExpireTimestamp<=1483618197)))]
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*)))]
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [x_james.harrison at domain.com]
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1c0e770][18]
>
Yes, 1 rule was returned for user x_james.harrison.
Can you see something in the output of "sudo -l"?


>==> sssd/sssd_pam.log <==
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [get_client_cred] (0x4000): Client creds: euid[0] egid[1082600012] pid[5470].
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2466e50][19]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [accept_fd_handler] (0x0400): Client connected!
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2466e50][19]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2466e50][19]
>
>==> auth.log <==
>Jan  5 12:10:17 pul-lp-sql-00 sudo: pam_unix(sudo:auth): authentication failure; logname=x_james.harrison uid=1082600012 euid=0 tty=/dev/pts/1 ruser=x_james.harrison rhost=  user=x_james.harrison
>
I do not understand the reason why there is a failure in auth.log,
because there isn't one in sssd_pam.log (see above).

>==> sssd/sssd_pam.log <==
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2466e50][19]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'x_james.harrison' matched without domain, user is x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): user: x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 5470
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/domain.com/x_james.harrison]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_initgr_check_timeout] (0x4000): User [x_james.harrison] not found in PAM cache.
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x410090:3:x_james.harrison at domain.com]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [domain.com][0x3][BE_REQ_INITGROUPS][1][name=x_james.harrison]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x2469f20
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x410090:3:x_james.harrison at domain.com]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x2469f20
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x2467e60
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [x_james.harrison at domain.com]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [x_james.harrison at domain.com]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [x_james.harrison] added to PAM initgroup cache
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: domain.com
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): user: x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 5470
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x2470c00
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x410090:3:x_james.harrison at domain.com]
>
>==> syslog <==
>Jan  5 12:10:17 pul-lp-sql-00 kernel: [ 1272.582518] audit: type=1400 audit(1483618217.180:43): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/run/systemd/users/1082600012" pid=5570 comm="krb5_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>
>==> sssd/sssd_pam.log <==
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x2470c00
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x2467e60
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][domain.com]
Authentication was successful for the sudo service.

>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 84
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2466e50][19]
>
>==> auth.log <==
>Jan  5 12:10:17 pul-lp-sql-00 sudo: pam_sss(sudo:auth): authentication success; logname=x_james.harrison uid=1082600012 euid=0 tty=/dev/pts/1 ruser=x_james.harrison rhost= user=x_james.harrison
>
>==> sssd/sssd_pam.log <==
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2466e50][19]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering pam_cmd_acct_mgmt
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'x_james.harrison' matched without domain, user is x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): user: x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 5470
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/domain.com/x_james.harrison]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_initgr_check_timeout] (0x2000): User [x_james.harrison] found in PAM cache.
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [x_james.harrison at domain.com]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [x_james.harrison at domain.com]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: domain.com
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): user: x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 5470
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x246dd70
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x246dd70
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x2467e60
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][domain.com]
Authorisation was successful for sudo.


>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 35
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2466e50][19]
>
>==> auth.log <==
>Jan  5 12:10:17 pul-lp-sql-00 sudo: x_james.harrison : user NOT authorized on host ; TTY=pts/1 ; PWD=/home/x_james.harrison ; USER=root ; COMMAND=/bin/bash
>
auth.log says something different from sssd_pam.log.

I suspect some problem with sudo itself.
https://www.redhat.com/archives/freeipa-users/2016-August/msg00489.html

And here is the important message from that mail:
>unfortunately sudo 1.8.16 introduced a bug in the sssd plugin. 1.8.16 contains
> a new option called netgroup_tuple, which tells whether a full netgroup
> tuple is checked or only the host/user part in the host/user check. However,
> the patch didn't make the sssd plugin obey this option and it always
> checks both hostname and username.
>
>It is fixed in 1.8.17 by this patch:
>https://www.sudo.ws/repos/sudo/rev/2eab4070dcf7
>
Please report a bug against Ubuntu sudo to backport this patch or rebase sudo.

A workaround might be to install the newer package from Debian, 1.8.19-1:
https://packages.debian.org/stretch/sudo

LS
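A small triage script for the mismatch Lukas points at above (sssd_pam.log reports success for both SSS_PAM_AUTHENTICATE and SSS_PAM_ACCT_MGMT, while auth.log ends with "user NOT authorized"). This is an added example, not code from the thread, from SSSD or from sudo. It groups the sudo lines of auth.log by user and tty, so that a pam_unix failure followed by a pam_sss success in the same session counts as an authenticated session, and then attributes a later "NOT authorized" line to sudo's policy evaluation rather than to authentication. The sample log is the three auth.log lines quoted above, embedded as a constructed input; the version check encodes only what the quoted mail states (bug introduced in sudo 1.8.16, fixed in 1.8.17) and the function and verdict names are my own.

```python
"""Triage a sudo denial from auth.log: did authentication or policy fail?

Added example for the FreeIPA/sudo thread; not part of the original post.
"""
import re
from typing import Dict, Tuple

# Constructed sample: the three auth.log lines quoted in the thread. They
# belong to one sudo invocation (same user, same tty, same second).
SAMPLE_AUTH_LOG = """\
Jan  5 12:10:17 pul-lp-sql-00 sudo: pam_unix(sudo:auth): authentication failure; logname=x_james.harrison uid=1082600012 euid=0 tty=/dev/pts/1 ruser=x_james.harrison rhost=  user=x_james.harrison
Jan  5 12:10:17 pul-lp-sql-00 sudo: pam_sss(sudo:auth): authentication success; logname=x_james.harrison uid=1082600012 euid=0 tty=/dev/pts/1 ruser=x_james.harrison rhost= user=x_james.harrison
Jan  5 12:10:17 pul-lp-sql-00 sudo: x_james.harrison : user NOT authorized on host ; TTY=pts/1 ; PWD=/home/x_james.harrison ; USER=root ; COMMAND=/bin/bash
"""

# One PAM auth-module line: which module, what result, for which user/tty.
# "\buser=" deliberately does not match the "ruser=" field.
PAM_RE = re.compile(
    r"sudo: (?P<module>pam_\w+)\(sudo:auth\): authentication "
    r"(?P<result>success|failure);.*\btty=(?P<tty>\S+).*\buser=(?P<user>\S+)"
)
# sudo's own policy verdict, logged after the PAM conversation is over.
DENY_RE = re.compile(
    r"sudo: +(?P<user>\S+) : user NOT authorized on host ; TTY=(?P<tty>\S+) ;"
    r" PWD=\S+ ; USER=\S+ ; COMMAND=(?P<cmd>.+)$"
)
# The line sudo writes when the command was permitted and run.
ALLOW_RE = re.compile(
    r"sudo: +(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=\S+ ; USER=\S+ ; COMMAND=(?P<cmd>.+)$"
)


def _tty(raw: str) -> str:
    """PAM logs '/dev/pts/1', sudo's policy line logs 'pts/1'; normalise."""
    return raw[5:] if raw.startswith("/dev/") else raw


def triage_auth_log(text: str) -> Dict[Tuple[str, str], dict]:
    """Group sudo auth.log lines per (user, tty) and name the failing stage.

    Verdicts (names are this example's own):
      policy_denied - a PAM module accepted the credentials, but sudo's policy
                      (sudoers / the SSSD sudo plugin) rejected the command
      auth_failed   - no PAM module accepted the credentials
      allowed       - the command was permitted and logged as run
      incomplete    - not enough lines to decide
    """
    sessions: Dict[Tuple[str, str], dict] = {}

    def session(user: str, tty: str) -> dict:
        return sessions.setdefault(
            (user, _tty(tty)), {"auth": [], "policy": None, "command": None})

    for line in text.splitlines():
        m = PAM_RE.search(line)
        if m:
            session(m["user"], m["tty"])["auth"].append((m["module"], m["result"]))
            continue
        m = DENY_RE.search(line) or ALLOW_RE.search(line)
        if m:
            s = session(m["user"], m["tty"])
            s["policy"] = "denied" if "NOT authorized" in line else "allowed"
            s["command"] = m["cmd"]

    for s in sessions.values():
        authenticated = any(result == "success" for _, result in s["auth"])
        if s["policy"] == "denied":
            s["verdict"] = "policy_denied" if authenticated else "auth_failed"
        elif s["policy"] == "allowed":
            s["verdict"] = "allowed"
        elif s["auth"] and not authenticated:
            s["verdict"] = "auth_failed"
        else:
            s["verdict"] = "incomplete"
    return sessions


def sudo_sssd_netgroup_bug(version: str) -> bool:
    """True if a sudo version string is in the range the quoted mail gives for
    the sssd-plugin netgroup_tuple bug: introduced in 1.8.16, fixed in 1.8.17.
    Distro suffixes such as '1.8.19-1' are ignored for the comparison."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {version!r}")
    return (1, 8, 16) <= tuple(int(x) for x in m.groups()) < (1, 8, 17)


if __name__ == "__main__":
    for (user, tty), s in triage_auth_log(SAMPLE_AUTH_LOG).items():
        print(f"{user}@{tty}: {s['verdict']} auth={s['auth']} command={s['command']}")
    print("sudo 1.8.16 affected by the sssd-plugin bug:", sudo_sssd_netgroup_bug("1.8.16"))
```

On a real client, pass the contents of /var/log/auth.log to triage_auth_log(); a policy_denied verdict for a session whose auth list already contains a pam_sss success means the place to look is the rule match in the sudo plugin (sudo -l, and the sudo package version fed to sudo_sssd_netgroup_bug()), not SSSD's authentication path.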
