<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hello,<br>
</p>
<p>Could you increase the debug level to 9, restart sssd and clear
the cache, reproduce the problem, then provide the
sssd_&lt;domain&gt;.log as well as the sssd_sudo.log?</p>
<p>Also, you may want to rule out HBAC issues with the command below:<br>
</p>
<p># ipa hbactest --user 'jgoddard' --host $(hostname) --service sudo</p>
<p>Kind regards,</p>
<p>Justin Stephenson<br>
</p>
<div class="moz-cite-prefix">On 08/11/2016 02:24 PM, Jeff Goddard
wrote:<br>
</div>
<blockquote
cite="mid:CA+No-6FdeLQJPjknv4-GaQ=QoVk8043yT2w+pVNpAUn4W8yEZA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Here are the relevant configuration files:<br>
<br>
<b>nsswitch.conf:</b><br>
<br>
passwd: compat sss<br>
group: compat sss<br>
shadow: compat sss<br>
gshadow: files<br>
<br>
hosts: files dns<br>
networks: files<br>
<br>
protocols: db files<br>
services: db files sss<br>
ethers: db files<br>
rpc: db files<br>
<br>
netgroup: nis sss<br>
sudoers: sss files<br>
<br>
</div>
<b>sssd.conf:</b><br>
<br>
[domain/internal.emerlyn.com]<br>
<br>
cache_credentials = True<br>
krb5_store_password_if_offline = True<br>
ipa_domain = internal.emerlyn.com<br>
id_provider = ipa<br>
auth_provider = ipa<br>
access_provider = ipa<br>
ipa_hostname = docker-dev-01.internal.emerlyn.com<br>
chpass_provider = ipa<br>
ipa_server = _srv_, id-management-1.internal.emerlyn.com<br>
ldap_tls_cacert = /etc/ipa/ca.crt<br>
sudo_provider=ipa<br>
ldap_uri=ldap://id-management-1.internal.emerlyn.com<br>
ldap_sudo_search_base=ou=sudoers,dc=internal,dc=emerlyn,dc=com<br>
debug_level=7<br>
<br>
[sssd]<br>
services = nss, pam, sudo, ssh<br>
debug_level=7<br>
domains = internal.emerlyn.com<br>
<br>
[nss]<br>
homedir_substring = /home<br>
<br>
[pam]<br>
<br>
[sudo]<br>
debug_level=7<br>
[autofs]<br>
<br>
[ssh]<br>
debug_level=7<br>
[pac]<br>
<br>
[ifp]<br>
<br>
<div><b>Log output - /var/log/sssd/sssd_sudo.log:<br>
<br>
</b>(Thu Aug 11 12:21:43 2016) [sssd[sudo]]
[accept_fd_handler] (0x0400): Client connected!<br>
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_cmd_get_version]
(0x0200): Received client version [1].<br>
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_cmd_get_version]
(0x0200): Offered version [1].<br>
(Thu Aug 11 12:21:43 2016) [sssd[sudo]]
[sss_parse_name_for_domains] (0x0200): name 'jgoddard' matched
without domain, user is jgoddard<br>
(Thu Aug 11 12:21:43 2016) [sssd[sudo]]
[sss_parse_name_for_domains] (0x0200): name 'jgoddard' matched
without domain, user is jgoddard<br>
(Thu Aug 11 12:21:43 2016) [sssd[sudo]]
[sudosrv_cmd_parse_query_done] (0x0200): Requesting default
options for [jgoddard] from [&lt;ALL&gt;]<br>
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user]
(0x0200): Requesting info about [<a moz-do-not-send="true"
href="mailto:jgoddard@internal.emerlyn.com">jgoddard@internal.emerlyn.com</a>]<br>
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user]
(0x0400): Returning info for user [<a moz-do-not-send="true"
href="mailto:jgoddard@internal.emerlyn.com">jgoddard@internal.emerlyn.com</a>]<br>
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_rules]
(0x0400): Retrieving default options for [jgoddard] from [<a
moz-do-not-send="true" href="http://internal.emerlyn.com">internal.emerlyn.com</a>]<br>
(Thu Aug 11 12:21:43 2016) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb
with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*))(&(dataExpireTimestamp<=1470932503)))]<br>
(Thu Aug 11 12:21:43 2016) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb
with [(&(objectClass=sudoRule)(|(name=defaults)))]<br>
(Thu Aug 11 12:21:43 2016) [sssd[sudo]]
[sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules
for [&lt;default options&gt;@<a moz-do-not-send="true"
href="http://internal.emerlyn.com">internal.emerlyn.com</a>]<br>
(Thu Aug 11 12:21:43 2016) [sssd[sudo]]
[sss_parse_name_for_domains] (0x0200): name 'jgoddard' matched
without domain, user is jgoddard<br>
(Thu Aug 11 12:21:43 2016) [sssd[sudo]]
[sss_parse_name_for_domains] (0x0200): name 'jgoddard' matched
without domain, user is jgoddard<br>
(Thu Aug 11 12:21:43 2016) [sssd[sudo]]
[sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for
[jgoddard] from [&lt;ALL&gt;]<br>
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user]
(0x0200): Requesting info about [<a moz-do-not-send="true"
href="mailto:jgoddard@internal.emerlyn.com">jgoddard@internal.emerlyn.com</a>]<br>
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user]
(0x0400): Returning info for user [<a moz-do-not-send="true"
href="mailto:jgoddard@internal.emerlyn.com">jgoddard@internal.emerlyn.com</a>]<br>
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_rules]
(0x0400): Retrieving rules for [jgoddard] from [<a
moz-do-not-send="true" href="http://internal.emerlyn.com">internal.emerlyn.com</a>]<br>
(Thu Aug 11 12:21:43 2016) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb
with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*))(&(dataExpireTimestamp<=1470932503)))]<br>
(Thu Aug 11 12:21:43 2016) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb
with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*)))]<br>
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sort_sudo_rules]
(0x0400): Sorting rules with higher-wins logic<br>
(Thu Aug 11 12:21:43 2016) [sssd[sudo]]
[sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules
for [<a moz-do-not-send="true"
href="mailto:jgoddard@internal.emerlyn.com">jgoddard@internal.emerlyn.com</a>]<br>
(Thu Aug 11 12:21:47 2016) [sssd[sudo]] [client_recv]
(0x0200): Client disconnected!<br>
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [accept_fd_handler]
(0x0400): Client connected!<br>
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_cmd_get_version]
(0x0200): Received client version [1].<br>
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_cmd_get_version]
(0x0200): Offered version [1].<br>
(Thu Aug 11 12:22:12 2016) [sssd[sudo]]
[sss_parse_name_for_domains] (0x0200): name 'jgoddard' matched
without domain, user is jgoddard<br>
(Thu Aug 11 12:22:12 2016) [sssd[sudo]]
[sss_parse_name_for_domains] (0x0200): name 'jgoddard' matched
without domain, user is jgoddard<br>
(Thu Aug 11 12:22:12 2016) [sssd[sudo]]
[sudosrv_cmd_parse_query_done] (0x0200): Requesting default
options for [jgoddard] from [&lt;ALL&gt;]<br>
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_user]
(0x0200): Requesting info about [<a moz-do-not-send="true"
href="mailto:jgoddard@internal.emerlyn.com">jgoddard@internal.emerlyn.com</a>]<br>
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_user]
(0x0400): Returning info for user [<a moz-do-not-send="true"
href="mailto:jgoddard@internal.emerlyn.com">jgoddard@internal.emerlyn.com</a>]<br>
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_rules]
(0x0400): Retrieving default options for [jgoddard] from [<a
moz-do-not-send="true" href="http://internal.emerlyn.com">internal.emerlyn.com</a>]<br>
(Thu Aug 11 12:22:12 2016) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb
with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*))(&(dataExpireTimestamp<=1470932532)))]<br>
(Thu Aug 11 12:22:12 2016) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb
with [(&(objectClass=sudoRule)(|(name=defaults)))]<br>
(Thu Aug 11 12:22:12 2016) [sssd[sudo]]
[sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules
for [&lt;default options&gt;@<a moz-do-not-send="true"
href="http://internal.emerlyn.com">internal.emerlyn.com</a>]<br>
(Thu Aug 11 12:22:12 2016) [sssd[sudo]]
[sss_parse_name_for_domains] (0x0200): name 'jgoddard' matched
without domain, user is jgoddard<br>
(Thu Aug 11 12:22:12 2016) [sssd[sudo]]
[sss_parse_name_for_domains] (0x0200): name 'jgoddard' matched
without domain, user is jgoddard<br>
(Thu Aug 11 12:22:12 2016) [sssd[sudo]]
[sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for
[jgoddard] from [&lt;ALL&gt;]<br>
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_user]
(0x0200): Requesting info about [<a moz-do-not-send="true"
href="mailto:jgoddard@internal.emerlyn.com">jgoddard@internal.emerlyn.com</a>]<br>
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_user]
(0x0400): Returning info for user [<a moz-do-not-send="true"
href="mailto:jgoddard@internal.emerlyn.com">jgoddard@internal.emerlyn.com</a>]<br>
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_rules]
(0x0400): Retrieving rules for [jgoddard] from [<a
moz-do-not-send="true" href="http://internal.emerlyn.com">internal.emerlyn.com</a>]<br>
(Thu Aug 11 12:22:12 2016) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb
with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*))(&(dataExpireTimestamp<=1470932532)))]<br>
(Thu Aug 11 12:22:12 2016) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb
with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*)))]<br>
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sort_sudo_rules]
(0x0400): Sorting rules with higher-wins logic<br>
(Thu Aug 11 12:22:12 2016) [sssd[sudo]]
[sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules
for [<a moz-do-not-send="true"
href="mailto:jgoddard@internal.emerlyn.com">jgoddard@internal.emerlyn.com</a><br>
<br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Aug 11, 2016 at 2:15 PM, Rob
Crittenden <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Jeff
Goddard wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
I've looked through these but not found anything helpful.
It appears as<br>
though my previous statement about the 1 group being found
was<br>
misleading as the sssd.$mydomain.com.log file reports that
no sudo rules<br>
are found. Does this mean that the LDAP tree being
searched is different<br>
on ubuntu vs centos?<br>
</blockquote>
<br>
I find that extremely unlikely.<br>
<br>
You may want to outline more what you've already checked.<br>
<br>
For example, is sss in sudoers in /etc/nsswitch.conf?<br>
<br>
You can check the 389-ds access log to see what, if any
queries are being made. I'd clean the sssd cache in advance.<br>
<br>
rob<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Jeff<br>
<br>
On Wed, Aug 10, 2016 at 2:13 PM, Rob Crittenden &lt;<a
moz-do-not-send="true" href="mailto:rcritten@redhat.com"
target="_blank">rcritten@redhat.com</a>&gt;
wrote:<br>
<br>
Jeff Goddard wrote:<br>
<br>
Sean,<br>
<br>
Thanks for the reply. I don't think that's my
problem but I'm<br>
posting a<br>
redacted copy of the sssd.conf file for review
below.<br>
<br>
<br>
I'd start here:<br>
<a moz-do-not-send="true"
href="https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO"
rel="noreferrer" target="_blank">https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO</a><br>
<br>
rob<br>
<br>
<br>
<br>
<br>
<br>
</blockquote>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div class="gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div>
<div>Jeff Goddard<br>
</div>
Director of Information Technology<br>
</div>
Emerlyn Technology<br>
<br>
Email: <a moz-do-not-send="true"
href="mailto:jgoddard@emerlyn.com" target="_blank">jgoddard@emerlyn.com</a><br>
Telephone: (603) 447-8571<br>
Toll free: (888) 363-7596 ext. 108<br>
Fax: (603) 356-3346<br>
</div>
<br>
</div>
</div>
</div>
<br>
<br>
</blockquote>
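<p>A small triage helper for the sssd_sudo.log layout quoted in this thread, added here as an example and not code from the thread or from SSSD itself: it splits each line into timestamp, responder, function, debug level and message, lists the sudoUser values the responder matched on in its sysdb filter (user, '#uid', '%group', '+netgroup', ALL), and reports how many rules came back per query target, so the "0 rules for default options" and "1 rules for the user" lines stand out in a long debug-level log. The sample log is constructed to mirror the quoted lines, and the function and field names are this example's own.</p>

```python
import re
# Layout of one SSSD log line, as in the sssd_sudo.log quoted above:
# (timestamp) [sssd[responder]] [function] (0xLEVEL): message
LOG_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<comp>[^\]]+)\]\] "
                    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
RULES_RE = re.compile(r"Returning (?P<n>\d+) rules for \[(?P<who>[^\]]+)\]")
SUDOUSER_RE = re.compile(r"\(sudoUser=([^)]*)\)")

# Constructed sample in the layout of the log quoted on this thread (not a real capture).
SAMPLE_LOG = """\
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=+*))(&(dataExpireTimestamp<=1470932503)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [jgoddard@internal.emerlyn.com]
a line that is not in SSSD's layout and is therefore counted as unparsed
"""


def parse_line(line):
    """Return (timestamp, responder, function, level, message), or None if no match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m["ts"], m["comp"], m["func"], int(m["level"], 16), m["msg"]


def triage(log_text):
    """subjects: sudoUser values the responder searched for in the sysdb filter;
    rules: rule count per query target (last seen wins); unparsed: odd lines."""
    subjects, rules, unparsed = [], {}, 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        parsed = parse_line(raw)
        if parsed is None:
            unparsed += 1
            continue
        _ts, _comp, func, _level, msg = parsed
        if func == "sudosrv_get_sudorules_query_cache":
            for s in SUDOUSER_RE.findall(msg):
                if s not in subjects:
                    subjects.append(s)
        elif func == "sudosrv_get_sudorules_from_cache":
            m = RULES_RE.search(msg)
            if m:
                rules[m["who"]] = int(m["n"])
    return {"subjects": subjects, "rules": rules, "unparsed": unparsed}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```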
<br>
</body>
</html>