On Mon, Mar 30, 2015 at 08:09:43AM +0000, Alexander Frolushkin wrote:
> Hello everyone.
> We have an IPA 3 and AD domain trust.
> Users from AD successfully log on to Linux servers via ssh, and HBAC rules
> work fine with external groups. But not sudo rules.
> When a rule defines IPA users as 'who', the rule works well. If it defines an
> external group for the corresponding AD group of which the AD user is a member, this
> user gets
> [email protected] is not allowed to run sudo on host.com. This
> incident will be reported.
>
> In the debug log there are these strings:
> (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)([email protected])(sudoUser=#xxxxxxxxxx)(sudoUser=%....cuted.......(sudoUser=%....cuted.....)(sudoUser=+*))(&(dataExpireTimestamp<=1427702040)))]
> (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0020): Error looking up SUDO rules
> (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0020): Unable to retrieve expired sudo rules [5]: Input/output error
Looks suspicious. Is there a corresponding LDAP search in the back end log as well? Look for sdap_get_generic perhaps.

> I've seen a number of closed bugs with a similar error message, but at least on
> this RHEL 6.6 server sssd is fully updated.
>
> And sorry for the huge underlined message, it is generated automatically and
> I have no rights to avoid it in my mails :(
>
> With best regards,
> Alexander Frolushkin,
> Senior engineer in system administration
> and database management
> MegaFon, Siberian branch
> http://english.corp.megafon.ru/
> Cell +79232508764
> Phone +79232507764
>
> ________________________________
>
> The information contained in this communication is intended solely for the
> use of the individual or entity to whom it is addressed and others authorized
> to receive it. It may contain confidential or legally privileged information.
> The contents may not be disclosed or used by anyone other than the addressee.
> If you are not the intended recipient(s), any use, disclosure, copying,
> distribution or any action taken or omitted to be taken in reliance on it is
> prohibited and may be unlawful. If you have received this communication in
> error please notify us immediately by responding to this email and then
> delete the e-mail and all attachments and any copies thereof.
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
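The debug lines quoted in the thread are in the SSSD sudo responder's log format, and the first thing to check when a sudoUser=%group rule does not match is which group terms the responder actually put into its sysdb filter and whether any of the user's group lookups failed before that. The script below is an added example, not part of the thread and not SSSD's own code: it parses lines of that shape, pulls the sudoUser terms out of the "Searching sysdb with [...]" filter, counts sysdb_search_group_by_gid misses, and collects the failure messages. The sample log is constructed to mirror the quoted lines with placeholder user, UID and group names; treating debug level 0x0020 as SSSD's critical-failure level is an assumption made here.

```python
"""Summarize an SSSD sudo-responder debug excerpt (added example, not SSSD code)."""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the lines quoted in the thread; the user,
# UID and group names are placeholders, not values from a real system.
SAMPLE_LOG = """\
(Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=user@ad.example)(sudoUser=#123456)(sudoUser=%admins@ad.example)(sudoUser=%ipa_admins)(sudoUser=+*))(&(dataExpireTimestamp<=1427702040)))]
(Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0020): Error looking up SUDO rules
(Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0020): Unable to retrieve expired sudo rules [5]: Input/output error
"""

# "(timestamp) [sssd[service]] [function] (0xLEVEL): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[(?P<svc>[^\]]+)\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
FILTER_RE = re.compile(r"Searching sysdb with \[(?P<filter>.*)\]$")
SUDOUSER_RE = re.compile(r"\(sudoUser=([^)]*)\)")
FAILURE_LEVEL = 0x0020  # assumed: SSSD's critical-failure debug level


@dataclass
class SudoQuerySummary:
    users: list = field(default_factory=list)    # bare user names
    uids: list = field(default_factory=list)     # '#uid' terms
    groups: list = field(default_factory=list)   # '%group' terms
    netgroup_wildcard: bool = False              # '+*' term present
    has_all: bool = False                        # 'sudoUser=ALL' present
    failed_group_lookups: int = 0                # sysdb_search_group_by_gid -> No such entry
    errors: list = field(default_factory=list)   # "func: message" for failure-level lines


def parse_sudo_log(text):
    """Walk the debug lines and collect what the responder asked the cache for."""
    summary = SudoQuerySummary()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an SSSD debug line (e.g. a mail wrap artefact)
        func, level, msg = m["func"], int(m["level"], 16), m["msg"]
        if func == "sysdb_search_group_by_gid" and "No such entry" in msg:
            summary.failed_group_lookups += 1
        fm = FILTER_RE.search(msg)
        if fm:
            for term in SUDOUSER_RE.findall(fm["filter"]):
                if term == "ALL":
                    summary.has_all = True
                elif term.startswith("#"):
                    summary.uids.append(term[1:])
                elif term.startswith("%"):
                    summary.groups.append(term[1:])
                elif term.startswith("+"):
                    summary.netgroup_wildcard |= term == "+*"
                else:
                    summary.users.append(term)
        if level == FAILURE_LEVEL:
            summary.errors.append(f"{func}: {msg}")
    return summary


def findings(summary):
    """Turn the summary into the checks a sudo-rule debugging session starts with."""
    out = []
    if summary.failed_group_lookups:
        out.append(
            f"{summary.failed_group_lookups} group lookup(s) by GID missed the sysdb cache; "
            "compare the %group terms below with what 'id <user>' reports, since a group "
            "absent from the cache cannot be matched by a sudoUser=%group rule"
        )
    out.append(f"sudoUser group terms in the cache query: {summary.groups}")
    if summary.errors:
        out.append("query ended with failures: " + "; ".join(summary.errors))
    return out


if __name__ == "__main__":
    for line in findings(parse_sudo_log(SAMPLE_LOG)):
        print("-", line)
```

Feed it a real excerpt with `parse_sudo_log(open("/var/log/sssd/sssd_sudo.log").read())` and compare the `groups` list against the external group the sudo rule names; if that group is missing from the filter, the responder never asked the cache for rules keyed on it, which is the symptom the thread describes. The regexes only accept well-formed debug lines, so lines broken by mail wrapping (as in the quoted message) are skipped rather than misparsed.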
