On 9/6/19 11:04 AM, Albert Szostkiewicz via FreeIPA-users wrote:
Hi!

I've reinstalled ipa-client on a workstation and for some reason now ipa users 
are not part of sudoers
File `/etc/nsswitch.conf` contains `sudoers:    files sss`
File `/etc/sssd/sssd.conf` contains `[sssd] services = nss, pam, ssh, sudo, 
autofs`
There is no `sudo_provider` within sssd.conf


I've tried to go through the provided troubleshooting guide but, even seeing 
discrepancies, I am not sure what I should do about it.

Here are snippets of what the troubleshooting guide suggested looking for:

[sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0 default options for 
[myipau...@home.mydomain.com@home.mydomain.com]
[sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0 rules for 
[myipau...@home.mydomain.com@home.mydomain.com]

[sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb with 
[(&(objectClass=sudoRule)(sudoUser=+*)(!(|(sudoUser=ALL)(sudoUser=myipau...@home.mydomain.com)(sudoUser=#1907400001)(sudoUser=%edit...@home.mydomain.com)(sudoUser=%trust\20adm...@home.mydomain.com)(sudoUser=%adm...@home.mydomain.com)(sudoUser=%ipaus...@home.mydomain.com)(sudoUser=%mymaingr...@home.mydomain.com)(sudoUser=%gogs_us...@home.mydomain.com)(sudoUser=%adm...@home.mydomain.com))))]

# record 28
dn: name=su,cn=hbac_services,cn=custom,cn=home.mydomain.com,cn=sysdb
# record 29
dn: name=myipau...@home.mydomain.com,cn=users,cn=home.mydomain.com,cn=sysdb

[sdap_search_bases_ex_done] (0x0400): Receiving data from base 
[cn=sudo,dc=home,dc=mydomain,dc=com]
[sssd[be[home.mydomain.com]]] [ipa_sudo_fetch_rules_done] (0x0040): Received 1 
sudo rules
[sysdb_sudo_store_rule] (0x0400): Adding sudo rule All
[sssd[be[home.mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling 
ldap_search_ext with 
[(&(objectClass=ipasudocmdgrp)(entryUSN>=24976))][cn=sudo,dc=home,dc=mydomain,dc=com].

I do not have '[sdap_sudo_refresh_load_done]' within sssd_$domain.log

ldapsearch -x -H ldap://ipaserver.home.mydomain.com -b 
dc=ipaserver,dc=home,dc=mydomain,dc=com '$filter'
# extended LDIF
#
# LDAPv3
# base <dc=ipaserver,dc=home,dc=mydomain,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: $filter
#
# search result
search: 2
result: 0 Success
# numResponses: 1
ldapsearch -x -D "cn=Directory Manager" -w "$password" -H 
ldap://ipaserver.home.mydomain.com -b dc=ipaserver,dc=home,dc=mydomain,dc=com '$filter'
ldap_bind: Server is unwilling to perform (53)
        additional info: Unauthenticated binds are not allowed
ldapsearch -Y GSSAPI -H ldap://ipaserver.home.mydomain.com -b 
dc=ipaserver,dc=home,dc=mydomain,dc=com '$filter'
SASL/GSSAPI authentication started
SASL username: host/myworkstation.home.mydomain....@home.mydomain.com
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=ipaserver,dc=home,dc=mydomain,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: $filter
#
# search result
search: 4
result: 0 Success
# numResponses: 1

sudo[411] -> sudo_parseln_v2 @ ./parseln.c:59
sudo[411] <- sudo_parseln_v2 @ ./parseln.c:129 := 0
sudo[411] <- sudo_sss_open @ ./sssd.c:628 := 0
sudo[411] Looking for cn=default
sudo[411] Received 0 rule(s)

Any help would be appreciated!
Cheers!
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
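An added example, not part of the post and not SSSD's own code: a small Python triage script that correlates the two kinds of sssd debug lines quoted above (the backend's `ipa_sudo_fetch_rules_done` / `sysdb_sudo_store_rule` lines and the responder's `sudosrv_fetch_rules` lines) and reports the kind of discrepancy the post shows, where the backend stored a rule but the responder returned 0 rules for the user. The log sample is constructed to mirror the quoted output; the user and domain names are placeholders.

```python
import re

# Constructed sample modelled on the sssd debug lines quoted in the post
# (placeholder user/domain, not real identifiers).
SAMPLE_LOG = """\
[sssd[be[home.mydomain.com]]] [ipa_sudo_fetch_rules_done] (0x0040): Received 1 sudo rules
[sysdb_sudo_store_rule] (0x0400): Adding sudo rule All
[sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0 default options for [myipauser@home.mydomain.com]
[sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0 rules for [myipauser@home.mydomain.com]
"""

# Patterns for the three log lines that matter for this symptom.
BACKEND_RE = re.compile(r"\[ipa_sudo_fetch_rules_done\] \(0x[0-9a-f]+\): Received (\d+) sudo rules")
STORE_RE = re.compile(r"\[sysdb_sudo_store_rule\] \(0x[0-9a-f]+\): Adding sudo rule (\S+)")
RESPONDER_RE = re.compile(r"\[sudosrv_fetch_rules\] \(0x[0-9a-f]+\): Returning (\d+) rules for \[([^\]]+)\]")


def triage_sudo_log(text):
    """Correlate what the IPA backend fetched/stored with what the sudo responder returned."""
    fetched = None          # rule count reported by the backend refresh
    stored = []             # rule names written to the sysdb cache
    returned = {}           # user -> rule count handed back to sudo
    for line in text.splitlines():
        m = BACKEND_RE.search(line)
        if m:
            fetched = int(m.group(1))
            continue
        m = STORE_RE.search(line)
        if m:
            stored.append(m.group(1))
            continue
        m = RESPONDER_RE.search(line)
        if m:
            returned[m.group(2)] = int(m.group(1))

    findings = []
    if fetched is None:
        findings.append("no ipa_sudo_fetch_rules_done line: backend refresh not seen (never ran, or debug_level too low)")
    elif fetched == 0:
        findings.append("backend fetched 0 rules: the server returned nothing for this host")
    for user, count in returned.items():
        if count == 0 and (fetched or 0) > 0:
            findings.append(f"backend stored {stored} but responder returned 0 rules for {user}: "
                            "cached rule did not match the responder's sudoUser filter for this user/groups")
    return {"fetched": fetched, "stored": stored, "returned": returned, "findings": findings}
```

Run it on a sanitized `sssd_$domain.log` and `sssd_sudo.log` concatenated together; an empty `findings` list with a non-zero returned count means the cache path is fine and the problem lies on the sudo side (nsswitch or the sudo plugin).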


Hi, can you share sanitized sssd_$domain.log please?