[Freeipa-users] ubuntu 16.04 freeipa-client + sssd + sudo: "policy plugin returns 0"

Brian Candler b.candler at pobox.com
Wed May 3 09:13:02 UTC 2017


 > do you have 'sudo: files sss' or 'sudoers: files sss'? The former 
doesn't do anything, the latter is correct.

My mistake, I meant

sudoers: files sss

But oddly, out of the three 16.04 boxes I set up and enrolled, it was 
missing on one of them - and this happened to be the one I was checking 
logs on :-(  (However, sudo fails in the same way on all three machines)

So after adding this I've rechecked logs.

/var/log/sudo-debug is the same, in particular it still shows "policy 
plugin returns 0" and nothing after.

With sss_debuglevel 5, /var/log/sssd/sssd_IPA.EXAMPLE.COM.log has

...
(Wed May  3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] [pam_print_data] 
(0x0100): ruser: brian.candler
(Wed May  3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] [pam_print_data] 
(0x0100): rhost:
(Wed May  3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] [pam_print_data] 
(0x0100): authtok type: 0
(Wed May  3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] [pam_print_data] 
(0x0100): newauthtok type: 0
(Wed May  3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] [pam_print_data] 
(0x0100): priv: 0
(Wed May  3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] [pam_print_data] 
(0x0100): cli_pid: 22709
(Wed May  3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] [pam_print_data] 
(0x0100): logon name: not set
(Wed May  3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] 
[ipa_hostgroup_info_done] (0x0200): Dereferenced host group: normal_hosts
(Wed May  3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] 
[ipa_hostgroup_info_done] (0x0200): Dereferenced host group: 
development_hosts
(Wed May  3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] 
[hbac_get_category] (0x0200): Category is set to 'all'.
(Wed May  3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] 
[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule 
[allow_normal_hosts]
(Wed May  3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] 
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) 
[Success]
(Wed May  3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] 
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) 
[Success]
(Wed May  3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] 
[be_pam_handler_callback] (0x0100): Sending result [0][IPA.EXAMPLE.COM]
(Wed May  3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] 
[be_pam_handler_callback] (0x0100): Sent result [0][IPA.EXAMPLE.COM]

("allow_normal_hosts" is indeed the name of the rule in FreeIPA database)

sssd.log has:

(Wed May  3 08:50:35 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): 
Received client version [1].
(Wed May  3 08:50:35 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): 
Offered version [1].
(Wed May  3 08:50:35 2017) [sssd[nss]] [sss_parse_name_for_domains] 
(0x0200): name 'root' matched without domain, user is root
(Wed May  3 08:50:35 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0100): 
Requesting info for [root] from [<ALL>]
(Wed May  3 08:50:35 2017) [sssd[nss]] [nss_cmd_initgroups_search] 
(0x0080): No matching domain found for [root], fail!
(Wed May  3 08:50:37 2017) [sssd[nss]] [client_recv] (0x0200): Client 
disconnected!

(Hmm, suspicious that error about "root" ??)

sssd_sudo.log has:

(Wed May  3 08:50:35 2017) [sssd[sudo]] [sss_cmd_get_version] (0x0200): 
Received client version [1].
(Wed May  3 08:50:35 2017) [sssd[sudo]] [sss_cmd_get_version] (0x0200): 
Offered version [1].
(Wed May  3 08:50:35 2017) [sssd[sudo]] [sss_parse_name_for_domains] 
(0x0200): name 'brian.candler' matched without domain, user is brian.candler
(Wed May  3 08:50:35 2017) [sssd[sudo]] [sss_parse_name_for_domains] 
(0x0200): name 'brian.candler' matched without domain, user is brian.candler
(Wed May  3 08:50:35 2017) [sssd[sudo]] [sudosrv_cmd_parse_query_done] 
(0x0200): Requesting default options for [brian.candler] from [<ALL>]
(Wed May  3 08:50:35 2017) [sssd[sudo]] [sudosrv_get_user] (0x0200): 
Requesting info about [brian.candler@IPA.EXAMPLE.COM]
(Wed May  3 08:50:35 2017) [sssd[sudo]] 
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with 
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=brian.candler)(sudoUser=#1211000003)(sudoUser=%security_administrators)(sudoUser=%admins)(sudoUser=%network_readonly)(sudoUser=%vpn)(sudoUser=%system_administrators)(sudoUser=%ipausers)(sudoUser=%staff)(sudoUser=%brian.candler)(sudoUser=+*))(&(dataExpireTimestamp<=1493801435)))]
(Wed May  3 08:50:35 2017) [sssd[sudo]] 
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with 
[(&(objectClass=sudoRule)(|(name=defaults)))]
(Wed May  3 08:50:35 2017) [sssd[sudo]] [sss_parse_name_for_domains] 
(0x0200): name 'brian.candler' matched without domain, user is brian.candler
(Wed May  3 08:50:35 2017) [sssd[sudo]] [sss_parse_name_for_domains] 
(0x0200): name 'brian.candler' matched without domain, user is brian.candler
(Wed May  3 08:50:35 2017) [sssd[sudo]] [sudosrv_cmd_parse_query_done] 
(0x0200): Requesting rules for [brian.candler] from [<ALL>]
(Wed May  3 08:50:35 2017) [sssd[sudo]] [sudosrv_get_user] (0x0200): 
Requesting info about [brian.candler@IPA.EXAMPLE.COM]
(Wed May  3 08:50:35 2017) [sssd[sudo]] 
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with 
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=brian.candler)(sudoUser=#1211000003)(sudoUser=%security_administrators)(sudoUser=%admins)(sudoUser=%network_readonly)(sudoUser=%vpn)(sudoUser=%system_administrators)(sudoUser=%ipausers)(sudoUser=%staff)(sudoUser=%brian.candler)(sudoUser=+*))(&(dataExpireTimestamp<=1493801435)))]
(Wed May  3 08:50:35 2017) [sssd[sudo]] 
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with 
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=brian.candler)(sudoUser=#1211000003)(sudoUser=%security_administrators)(sudoUser=%admins)(sudoUser=%network_readonly)(sudoUser=%vpn)(sudoUser=%system_administrators)(sudoUser=%ipausers)(sudoUser=%staff)(sudoUser=%brian.candler)(sudoUser=+*)))]
(Wed May  3 08:50:37 2017) [sssd[sudo]] [client_recv] (0x0200): Client 
disconnected!

sssd_pam.log has:

(Wed May  3 08:50:37 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): 
Received client version [3].
(Wed May  3 08:50:37 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): 
Offered version [3].
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_cmd_authenticate] (0x0100): 
entering pam_cmd_authenticate
(Wed May  3 08:50:37 2017) [sssd[pam]] [sss_parse_name_for_domains] 
(0x0200): name 'brian.candler' matched without domain, user is brian.candler
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): 
command: SSS_PAM_AUTHENTICATE
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): 
domain: not set
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): user: 
brian.candler
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): 
service: sudo
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: 
/dev/pts/1
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: 
brian.candler
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: 
not set
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): 
authtok type: 1
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): 
newauthtok type: 0
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): 
cli_pid: 22709
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): logon 
name: brian.candler
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_check_user_search] (0x0100): 
Requesting info for [brian.candler@IPA.EXAMPLE.COM]
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): 
Sending request with the following data:
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): 
command: SSS_PAM_AUTHENTICATE
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): 
domain: IPA.EXAMPLE.COM
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): user: 
brian.candler
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): 
service: sudo
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: 
/dev/pts/1
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: 
brian.candler
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: 
not set
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): 
authtok type: 1
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): 
newauthtok type: 0
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): 
cli_pid: 22709
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): logon 
name: brian.candler
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): 
pam_dp_send_req returned 0
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): 
received: [0 (Success)][IPA.EXAMPLE.COM]
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply 
called with result [0]: Success.
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply 
called with result [0]: Success.
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 83
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): 
entering pam_cmd_acct_mgmt
(Wed May  3 08:50:37 2017) [sssd[pam]] [sss_parse_name_for_domains] 
(0x0200): name 'brian.candler' matched without domain, user is brian.candler
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): 
command: SSS_PAM_ACCT_MGMT
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): 
domain: not set
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): user: 
brian.candler
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): 
service: sudo
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: 
/dev/pts/1
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: 
brian.candler
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: 
not set
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): 
authtok type: 0
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): 
newauthtok type: 0
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): 
cli_pid: 22709
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): logon 
name: brian.candler
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_check_user_search] (0x0100): 
Requesting info for [brian.candler@IPA.EXAMPLE.COM]
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): 
Sending request with the following data:
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): 
command: SSS_PAM_ACCT_MGMT
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): 
domain: IPA.EXAMPLE.COM
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): user: 
brian.candler
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): 
service: sudo
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: 
/dev/pts/1
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: 
brian.candler
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: 
not set
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): 
authtok type: 0
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): 
newauthtok type: 0
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): 
cli_pid: 22709
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): logon 
name: brian.candler
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): 
pam_dp_send_req returned 0
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): 
received: [0 (Success)][IPA.EXAMPLE.COM]
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply 
called with result [0]: Success.
(Wed May  3 08:50:37 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 34
(Wed May  3 08:50:37 2017) [sssd[pam]] [client_recv] (0x0200): Client 
disconnected!


I probably should have said: logging into the machine with an IPA 
account works fine, and "id brian.candler" works fine.  It's just sudo 
which is failing.

 > if you crank up debugging in the sudo section in sssd.conf do you see 
any activity at all? do you have '/usr/lib64/libsss_sudo.so' installed? 
On fedora/rhel, this is provided by libsss_sudo, I don't know what 
provides it on Debian.

Yes it's there, in this package:

ii  libsss-sudo 1.13.4-1ubuntu1.2                          amd64        
Communicator library for sudo

# ls -l /usr/lib/x86_64-linux-gnu/libsss_sudo.so
-rw-r--r-- 1 root root 19048 Feb 23 17:53 
/usr/lib/x86_64-linux-gnu/libsss_sudo.so

# file /usr/lib/x86_64-linux-gnu/libsss_sudo.so
/usr/lib/x86_64-linux-gnu/libsss_sudo.so: ELF 64-bit LSB shared object, 
x86-64, version 1 (SYSV), dynamically linked, 
BuildID[sha1]=7eb72ec85bdd76aca8d82e03a3fad9aa12abc0ba, stripped

Regards,

Brian.
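As an added example (not code from the original post, and not part of SSSD), the script below parses the `sudosrv_get_sudorules_query_cache` lines of an sssd_sudo.log excerpt like the one above. It re-joins records that a mail client wrapped onto several lines, then lists which sudoUser identities (plain user, `#uid`, `%group`, `+netgroup`, `ALL`) the sudo responder asked the local cache for, so a FreeIPA sudo rule that never fires can be compared against exactly what the client matched on. The sample log is constructed to mirror the thread's excerpt, and the interpretation of the `dataExpireTimestamp<=` clause as a cache-expiry check is my reading, not something the thread states.

```python
"""List the identities sssd's sudo responder matched on, from sssd_sudo.log.

Added example for this thread; not code from the original post or from SSSD.
"""
import re
from dataclasses import dataclass, field
from typing import List, Set

# Constructed sample modelled on the sssd_sudo.log excerpt in the mail (not a
# verbatim copy). The third record is wrapped the way a mail client wraps it.
SAMPLE_LOG = """\
(Wed May  3 08:50:35 2017) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [brian.candler] from [<ALL>]
(Wed May  3 08:50:35 2017) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [brian.candler@IPA.EXAMPLE.COM]
(Wed May  3 08:50:35 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=brian.candler)(sudoUser=#1211000003)(sudoUser=%admins)(sudoUser=%staff)(sudoUser=%brian.candler)(sudoUser=+*))(&(dataExpireTimestamp<=1493801435)))]
(Wed May  3 08:50:35 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Wed May  3 08:50:35 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=brian.candler)(sudoUser=#1211000003)(sudoUser=%admins)(sudoUser=%staff)(sudoUser=%brian.candler)(sudoUser=+*)))]
(Wed May  3 08:50:37 2017) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
"""

# "(timestamp) [sssd[sudo]] [function] (0xLEVEL): message"
RECORD_RE = re.compile(
    r'^\((?P<ts>[^)]*)\) \[(?P<proc>sssd\S*?)\] \[(?P<func>[^\]]*)\] '
    r'\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$'
)
FILTER_RE = re.compile(r'Searching sysdb with \[(?P<filter>.*)\]$')
SUDOUSER_RE = re.compile(r'\(sudoUser=([^)]*)\)')


def unwrap(text: str) -> List[str]:
    """Re-join records that were wrapped onto several lines by a mailer.
    A record starts with '(' and contains ') [sssd'; any other non-empty line
    is a continuation and is appended with one space (mailers wrap at
    whitespace, so this restores the original single line)."""
    records: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('(') and ') [sssd' in line:
            records.append(line)
        elif records:
            records[-1] += ' ' + line
    return records


@dataclass
class SudoQuery:
    ts: str
    raw: List[str] = field(default_factory=list)        # every sudoUser value
    users: List[str] = field(default_factory=list)      # plain user names
    uids: List[str] = field(default_factory=list)       # '#1211000003' -> '1211000003'
    groups: List[str] = field(default_factory=list)     # '%admins' -> 'admins'
    netgroups: List[str] = field(default_factory=list)  # '+*' -> '*'
    match_all: bool = False      # (sudoUser=ALL) present
    defaults: bool = False       # (name=defaults) present: the cn=defaults options entry
    expiry_check: bool = False   # (dataExpireTimestamp<=...) present (my reading: cache expiry check)


def parse_sudo_queries(text: str) -> List[SudoQuery]:
    """Return one SudoQuery per 'Searching sysdb with [...]' record."""
    queries: List[SudoQuery] = []
    for rec in unwrap(text):
        m = RECORD_RE.match(rec)
        if not m or m['func'] != 'sudosrv_get_sudorules_query_cache':
            continue
        f = FILTER_RE.search(m['msg'])
        if not f:
            continue
        flt = f['filter']
        q = SudoQuery(ts=m['ts'],
                      defaults='(name=defaults)' in flt,
                      expiry_check='(dataExpireTimestamp<=' in flt)
        for ident in SUDOUSER_RE.findall(flt):
            q.raw.append(ident)
            if ident == 'ALL':
                q.match_all = True
            elif ident.startswith('#'):
                q.uids.append(ident[1:])
            elif ident.startswith('%'):
                q.groups.append(ident[1:])
            elif ident.startswith('+'):
                q.netgroups.append(ident[1:])
            else:
                q.users.append(ident)
        queries.append(q)
    return queries


def identities_considered(queries: List[SudoQuery]) -> Set[str]:
    """Union of every sudoUser value the responder searched for, verbatim."""
    return {ident for q in queries for ident in q.raw}


def groups_considered(queries: List[SudoQuery]) -> Set[str]:
    """Group names (without the '%') the responder searched for."""
    return {g for q in queries for g in q.groups}


if __name__ == '__main__':
    qs = parse_sudo_queries(SAMPLE_LOG)
    for q in qs:
        print(q.ts, 'expiry_check' if q.expiry_check else 'lookup',
              'defaults' if q.defaults else '', sorted(q.raw))
    print('groups considered:', sorted(groups_considered(qs)))
```

If the group a FreeIPA sudo rule is bound to is absent from `groups_considered`, the client never asked for rules for that group, so the problem is group membership as seen by this host (compare with `id <user>` on the client) rather than the rule itself.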