On Wed, Apr 08, 2015 at 10:17:59AM +0200, Chamambo Martin wrote:
> I have this log after doing a debug_level=6 in the sudo section and have
> attached a txt file for the ldbsearch -H /var/lib/sss/db/cache_ai.co.zw.ldb 

> (Wed Apr  8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
> (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=admin)(sud
> oUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust
> admins)(sudoUser=%admins)(sudoUser=+*))(&(dataExpireTimestamp<=1428480892)))
> ]
> (Wed Apr  8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
> (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=admin)(sudoUser=#14682000
> 00)(sudoUser=%admins)(sudoUser=%trust
> admins)(sudoUser=%admins)(sudoUser=+*)))]

The above are the cache searches sssd ran.

This is how the sudo rule looks in your cache:
# record 29
dn: name=file-commands,cn=sudorules,cn=custom,cn=ai.co.zw,cn=sysdb
cn: file-commands
dataExpireTimestamp: 1428486013
entryUSN: 28714
name: file-commands
objectClass: sudoRule
originalDN: cn=file-commands,ou=sudoers,dc=ai,dc=co,dc=zw
sudoCommand: /usr/bin/vim
sudoCommand: /usr/bin/less
sudoHost: +mailservers
sudoRunAsGroup: ALL
sudoRunAsUser: admin
sudoRunAsUser: chamambom
sudoRunAsUser: kamoyob
sudoRunAsUser: kumalop
sudoRunAsUser: machangeteb
sudoRunAsUser: masaitit
sudoRunAsUser: masvivic
sudoRunAsUser: matangiraa
sudoRunAsUser: nyahumap
sudoRunAsUser: pedzisail
sudoRunAsUser: tayengwaj
sudoUser: ALL
distinguishedName: name=file-commands,cn=sudorules,cn=custom,cn=ai.co.zw,cn=sy

> (Wed Apr  8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
> (0x0400): Returning 1 rules for [ad...@ai.co.zw]

And here we see that the sudo rule was returned from SSSD to sudo. But
then in sudo, it didn't match for some reason. I expect it's because of
the netgroup, can you check if nisdomainname is really set correctly and
getent netgroup mailservers reports the FQDN of your client?

Also, you can enable debugging in sudo itself. See man sudo.conf and search
for the option "Debug". That will show you how exactly sudo matches the rules.

> (Wed Apr  8 10:15:02 2015) [sssd[sudo]] [client_recv] (0x0200): Client
> disconnected!
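The check suggested in the reply above, as an added example (not code from the thread or from SSSD/sudo): it takes a `getent netgroup` line and decides whether the client's FQDN is covered by the `+mailservers` style sudoHost entry, treating empty host/domain fields in a triple as wildcards and an unset NIS domain ("(none)") as matching any triple domain, which is an assumption about innetgr(3) semantics; sudo additionally retries with the short hostname, which this simplified check does not do. The sample netgroup line is constructed.

```shell
#!/bin/sh
# netgroup_has_host LINE FQDN NISDOMAIN
# LINE is one line in `getent netgroup <name>` output format:
#   mailservers (host,user,domain) (host,user,domain) ...
# Returns 0 when some triple covers FQDN under NISDOMAIN, 1 otherwise.
netgroup_has_host() {
    fqdn=$2
    nisdom=$3
    set -f                 # no glob expansion while word-splitting the line
    set -- $1              # $1 is now the netgroup name, the rest are triples
    set +f
    shift
    for triple in "$@"; do
        triple=${triple#\(}
        triple=${triple%\)}
        host=${triple%%,*}             # first field of (host,user,domain)
        dom=${triple##*,}              # last field of (host,user,domain)
        # empty host field is a wildcard, otherwise it must equal the FQDN
        [ -z "$host" ] || [ "$host" = "$fqdn" ] || continue
        # empty triple domain or no NIS domain on the client: domain is not checked
        [ -z "$dom" ] || [ -z "$nisdom" ] || [ "$nisdom" = "(none)" ] \
            || [ "$dom" = "$nisdom" ] || continue
        return 0
    done
    return 1
}

# Live check on the client: does this host fall into the netgroup named by a
# sudoHost value such as "+mailservers"? (Hypothetical helper, not from sudo.)
check_client_in_netgroup() {
    ng=${1#+}                          # strip the netgroup prefix
    line=$(getent netgroup "$ng") || { echo "netgroup $ng not resolvable"; return 2; }
    netgroup_has_host "$line" "$(hostname -f)" "$(nisdomainname 2>/dev/null)"
}

# Constructed sample line for offline testing (not taken from the thread):
SAMPLE_NETGROUP='mailservers (mail1.ai.co.zw,-,ai.co.zw) (mail2.ai.co.zw,,)'
```

On the affected client, `check_client_in_netgroup +mailservers && echo match || echo "no match"` reports the outcome for the real netgroup, FQDN and NIS domain.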
