so looking at the logs it finds a rule:
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_cached_rules_by_user] (0x0400): Replacing sudoUser attribute with sudoUser: #1154600003
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(sudoUser=+*)(!(|(sudoUser=ALL)(sudoUser=andrew.me...@mgt.stl.gatewayblend.net)(sudoUser=#1154600003)(sudoUser=%answers\20jira\20engine...@mgt.stl.example.net)(sudoUser=%answers\20jira\20adm...@mgt.stl.example.net)(sudoUser=%example-adm...@mgt.stl.example.net)(sudoUser=%answers\20jira\20us...@mgt.stl.example.net)(sudoUser=%ipaus...@mgt.stl.example.net)(sudoUser=%adm...@mgt.stl.example.net)(sudoUser=%wh...@mgt.stl.example.net)(sudoUser=%ops_sudo...@mgt.stl.example.net)(sudoUser=%o...@mgt.stl.example.net)(sudoUser=%adm...@mgt.stl.example.net))))]
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 1 rules for [andrew.me...@mgt.stl.example.net@mgt.stl.example.net]
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_build_response] (0x2000): error: [0]
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_build_response] (0x2000): rules_num: [0]
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_build_response] (0x2000): rule [1]/[1]
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): cn:All
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): objectClass:sudoRule
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoCommand:ALL
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoHost:ALL
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoOption:!authenticate
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoRunAsUser:process
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoUser:#1154600003
(Wed Nov  8 14:23:40 2017) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Wed Nov  8 14:23:40 2017) [sssd[sudo]] [client_close_fn] (0x2000): Terminated client [0x55fce3abe990][18]
the sssd_hostname log is complaining about no SELinux maps... 

    On Wednesday, November 8, 2017 1:43 PM, Rob Crittenden via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:
 

 Andrew Meyer via FreeIPA-users wrote:
> Hello, I'm having some trouble getting sudoers to work.
> 
> I have 5 machines joined to the FreeIPA domain and I have a user group
> called ops and ops_sudoers.  Both have permission to full sudo.  
> 
> 
> [andrew.meyer@jira02 ~]$ ipa sudorule-find ALL
> -------------------
> 1 Sudo Rule matched
> -------------------
>  Rule name: All
>  Enabled: TRUE
>  Host category: all
>  Command category: all
>  Sudo Option: !authenticate
> ----------------------------
> Number of entries returned 1
> ----------------------------
> 
> [andrew.meyer@jira02 ~]$ ipa sudorule-show ALL
>  Rule name: All
>  Enabled: TRUE
>  Host category: all
>  Command category: all
>  Users: brian.keithly, andrew.meyer
>  User Groups: ops_sudoers, ops
>  RunAs Users: process
>  Sudo Option: !authenticate
> 
> [andrew.meyer@jira02 ~]$ sudo su -
> [sudo] password for andrew.meyer:
> Sorry, user andrew.meyer is not allowed to execute '/bin/su -' as root
> on jira02.mgt.example.net.
> [andrew.meyer@jira02 ~]$
> 
> My HBAC is set to allow_all.
> 
> [root@jira02 log]# cat /etc/sssd/sssd.conf
> [domain/mgt.example.net]
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> krb5_realm = EXAMPLE.NET
> ipa_domain = mgt.example.net
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = jira02.mgt.example.net
> chpass_provider = ipa
> dyndns_update = True
> ipa_server = _srv_, infra-test-ipa.example.net
> dyndns_iface = ens160
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, pam, ssh, sudo
> 
> domains = mgt.example.net
> [nss]
> homedir_substring = /home
> 
> [pam]
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> [pac]
> 
> [ifp]
> 
> [secrets]
> 
> [root@jira02 log]#

Start here:
https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
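A small parser for the sssd_sudo.log entries quoted at the top of this message, added here as an example (it is not code from the thread or from SSSD): it groups the sudosrv_response_append_attr lines into one record per rule and then applies sudoers-LDAP matching to it, so you can see which identity the rule's sudoUser matched and which target users its sudoRunAsUser permits. The sample log text is constructed from the entries above, and the user name, uid and group names passed to the checks are assumptions.

```python
import re

# Constructed sample: the per-rule attribute lines the sssd sudo responder
# logs at debug level, modelled on the entries quoted in the message above.
SAMPLE_LOG = """\
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 1 rules for [andrew.meyer@example.net]
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_build_response] (0x2000): rule [1]/[1]
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): cn:All
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): objectClass:sudoRule
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoCommand:ALL
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoHost:ALL
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoOption:!authenticate
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoRunAsUser:process
(Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoUser:#1154600003
"""

RULE_RE = re.compile(r"\[sudosrv_build_response\] \(0x[0-9a-f]+\): rule \[(\d+)\]/\[(\d+)\]")
ATTR_RE = re.compile(r"\[sudosrv_response_append_attr\] \(0x[0-9a-f]+\): (\w+):(.*)$")


def parse_rules(log_text):
    """Collect the append_attr lines that follow each 'rule [n]/[total]' marker
    into one dict per rule; every attribute is kept as a list of values."""
    rules = []
    for line in log_text.splitlines():
        if RULE_RE.search(line):
            rules.append({})
            continue
        m = ATTR_RE.search(line)
        if m and rules:
            rules[-1].setdefault(m.group(1), []).append(m.group(2).strip())
    return rules


def matches_user(rule, name, uid, groups):
    """sudoers-LDAP sudoUser semantics: a login name, '#uid', '%group' or ALL.
    Netgroup entries ('+name') are not resolved here and count as no match."""
    for entry in rule.get("sudoUser", []):
        if entry == "ALL" or entry == name:
            return True
        if entry.startswith("#") and entry[1:] == str(uid):
            return True
        if entry.startswith("%") and entry[1:] in groups:
            return True
    return False


def allowed_runas(rule, target_user):
    """The rule permits running as target_user only if sudoRunAsUser lists it
    or ALL; if the attribute is absent sudo uses runas_default (root by default)."""
    runas = rule.get("sudoRunAsUser", ["root"])
    return "ALL" in runas or target_user in runas
```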
