On Mon, Mar 30, 2015 at 08:09:43AM +0000, Alexander Frolushkin wrote:
> Hello everyone.
> We have an IPA 3 and AD domain trust.
> Users from AD successfully log on to Linux servers via ssh, and HBAC rules 
> work fine with external groups. But not sudo rules.
> When the rule defines IPA users as 'who', the rule works well. If it defines 
> the external group for the corresponding AD group which the AD user is a member of, this 
> user gets
> u...@ad.com is not allowed to run sudo on host.com.  This 
> incident will be reported.
> 
> In the debug log there are these lines:
> (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=u...@ad.com)(sudoUser=#xxxxxxxxxx)(sudoUser=%....cuted.......(sudoUser=%....cuted.....)(sudoUser=+*))(&(dataExpireTimestamp<=1427702040)))]
> (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0020): Error looking up SUDO rules
> (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0020): Unable to retrieve expired sudo rules [5]: Input/output error

Looks suspicious. Is there a corresponding LDAP search in the back end
log as well? Look for sdap_get_generic perhaps.

> 
> I've seen a number of closed bugs with similar error messages, but at least on 
> this RHEL 6.6 server sssd is fully updated.
> 
> And sorry for the huge underlined message; it is generated automatically and 
> I have no rights to avoid it in my mails :(
> 
> With best regards,
> Alexander Frolushkin,
> Senior engineer in system administration
> and database management
> MegaFon, Siberian branch
> http://english.corp.megafon.ru/
> Cell  +79232508764
> Phone +79232507764
> 
> 
> 
> ________________________________
> 
> The information contained in this communication is intended solely for the 
> use of the individual or entity to whom it is addressed and others authorized 
> to receive it. It may contain confidential or legally privileged information. 
> The contents may not be disclosed or used by anyone other than the addressee. 
> If you are not the intended recipient(s), any use, disclosure, copying, 
> distribution or any action taken or omitted to be taken in reliance on it is 
> prohibited and may be unlawful. If you have received this communication in 
> error please notify us immediately by responding to this email and then 
> delete the e-mail and all attachments and any copies thereof.
> 
> (c)20mf50

> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project


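Added example, not from this thread and not SSSD code: a small Python script that splits sssd_sudo debug output like the lines quoted above into records (including records that a mail client fused onto one line, as in the quoted mail), decodes the sysdb filter into the identities the sudo responder is matching against (user, #uid, %groups, +netgroups), collects the records at level 0x0020 (the level SSSD uses for critical failures), and reports which expected AD group names are absent from the filter. A rule whose sudoUser is a group name that does not appear in that filter cannot match the user, so that is the first thing to check when a rule keyed on an external group fails while the same rule keyed on the user works. The log sample is constructed: user1@ad.example.com, the uid 1234567890, and the two group names are placeholders standing in for the elided values in the mail.

```python
import re
from collections import defaultdict

# Constructed sample: the sssd_sudo debug records from the thread, with the
# elided identifiers replaced by made-up placeholders. The last two records are
# fused onto one line, exactly as they appear in the quoted mail.
SAMPLE_LOG = (
    "(Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sysdb_search_group_by_gid] "
    "(0x0400): No such entry\n"
    "(Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] "
    "(0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)"
    "(name=defaults)(sudoUser=user1@ad.example.com)(sudoUser=#1234567890)"
    "(sudoUser=%ad_sudoers@ad.example.com)(sudoUser=%linux_admins@ad.example.com)"
    "(sudoUser=+*))(&(dataExpireTimestamp<=1427702040)))]\n"
    "(Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] "
    "(0x0020): Error looking up SUDO rules(Mon Mar 30 13:54:00 2015) [sssd[sudo]] "
    "[sudosrv_get_rules] (0x0020): Unable to retrieve expired sudo rules [5]: "
    "Input/output error\n"
)

# A record starts with "(Mon Mar 30 13:54:00 2015) ["; SSSD pads the day, hence " +".
TIMESTAMP = r"[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}"
RECORD_START = re.compile(r"(?=\(" + TIMESTAMP + r"\) \[)")
RECORD_RE = re.compile(
    r"\((?P<ts>" + TIMESTAMP + r")\) "
    r"\[(?P<proc>[^\[\]]+(?:\[[^\]]*\])?)\] "   # e.g. sssd[sudo]
    r"\[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]{4})\): (?P<msg>.*)",
    re.S,
)
SUDO_USER_RE = re.compile(r"\(sudoUser=([^)]*)\)")
CRIT_FAILURE = 0x0020  # SSSD debug level for critical failures


def split_records(text):
    """Split debug output into records. The only delimiter is the next
    timestamp, so records fused onto one line are separated as well."""
    return [p.strip() for p in RECORD_START.split(text) if p.strip()]


def parse_record(raw):
    m = RECORD_RE.match(raw)
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)
    rec["msg"] = rec["msg"].strip()
    return rec


def classify_sudo_user(value):
    """Map one sudoUser filter term to the identity kind sudoers uses:
    ALL, #uid, %group, +netgroup, or a plain user name."""
    if value == "ALL":
        return "all", value
    if value.startswith("#"):
        return "uid", value[1:]
    if value.startswith("%"):
        return "group", value[1:]
    if value.startswith("+"):
        return "netgroup", value[1:]
    return "user", value


def analyze(text):
    """Return the parsed records, the identities found in the sysdb filter,
    the critical-failure records, and how many group-by-gid lookups failed."""
    records = [r for r in map(parse_record, split_records(text)) if r]
    identities = defaultdict(list)
    errors = []
    gid_lookup_failures = 0
    for rec in records:
        if "Searching sysdb with [" in rec["msg"]:
            for term in SUDO_USER_RE.findall(rec["msg"]):
                kind, name = classify_sudo_user(term)
                identities[kind].append(name)
        if rec["level"] == CRIT_FAILURE:
            errors.append((rec["func"], rec["msg"]))
        if rec["func"] == "sysdb_search_group_by_gid" and rec["msg"] == "No such entry":
            gid_lookup_failures += 1
    return {
        "records": records,
        "identities": dict(identities),
        "errors": errors,
        "gid_lookup_failures": gid_lookup_failures,
    }


def groups_missing_from_filter(result, expected_groups):
    """Expected group names the responder did not put into its sysdb filter;
    a rule keyed on such a group cannot match this user (case-insensitive)."""
    present = {g.lower() for g in result["identities"].get("group", [])}
    return [g for g in expected_groups if g.lower() not in present]


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for kind, names in sorted(result["identities"].items()):
        print(f"{kind:8s} {', '.join(names)}")
    for func, msg in result["errors"]:
        print(f"CRIT in {func}: {msg}")
    print("groups not in filter:",
          groups_missing_from_filter(result, ["ad_sudoers@ad.example.com",
                                              "domain admins@ad.example.com"]))
```

Run it against the real sssd_sudo.log (debug_level = 6 or higher in the [sudo] section) by reading the file into analyze() instead of SAMPLE_LOG, and pass the AD group named in the IPA external group to groups_missing_from_filter(); the back-end log search that the reply asks about (sdap_get_generic) is a separate file and is not parsed here.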
