On 09/11/2015 02:40 PM, Molnár Domokos wrote:
Full log attached.
"Molnár Domokos" <kret...@freemail.hu> wrote:


    "Pavel Březina" <pbrez...@redhat.com> wrote:

        On 09/09/2015 09:31 PM, Molnár Domokos wrote:
         > I have a working IPA server and a working client config on an OpenSuse 13.2 with the following versions:
         > nappali:~ # rpm -qa |grep sssd
         > sssd-tools-1.12.2-3.4.1.i586
         > sssd-krb5-1.12.2-3.4.1.i586
         > python-sssd-config-1.12.2-3.4.1.i586
         > sssd-ipa-1.12.2-3.4.1.i586
         > sssd-1.12.2-3.4.1.i586
         > sssd-dbus-1.12.2-3.4.1.i586
         > sssd-krb5-common-1.12.2-3.4.1.i586
         > sssd-ldap-1.12.2-3.4.1.i586
         > sssd is configured for nss, pam, sudo
         > There is a test sudo rule defined in the ipa server, which applies to user "doma".  However when the user tries to use sudo the rule does not work.
         > doma@nappali:/home/doma> sudo ls
         > doma's password:
         > doma is not allowed to run sudo on nappali.  This incident will be reported.
         > The corresponding log in the sssd_sudo.log is this:
         > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
         > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
         > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
         > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
         > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [doma] from [<ALL>]
         > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma@szilva]
         > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
         > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
         > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
         > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
         > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [doma] from [<ALL>]
         > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma@szilva]
         > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
         > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))]
         > (Wed Sep  9 21:25:30 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
         > This seems perfectly OK with one exception. The query against the sysdb does not find the entry. This is strange because the entry is there.
         > Log in sssd.log:
         > (Wed Sep  2 08:52:13 2015) [sssd] [sysdb_domain_init_internal] (0x0200): DB File for szilva: /var/lib/sss/db/cache_szilva.ldb
         > So we know that the sysdb is /var/lib/sss/db/cache_szilva.ldb
         > Running the exact same query seen above in the sssd_sudo.log against the db returns:
         > ldbsearch -H /var/lib/sss/db/cache_szilva.ldb "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))"
         > asq: Unable to register control with rootdse!
         > # record 1
         > dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
         > cn: Doma_ls
         > dataExpireTimestamp: 1441830262
         > entryUSN: 20521
         > name: Doma_ls
         > objectClass: sudoRule
         > originalDN: cn=Doma_ls,ou=sudoers,dc=szilva
         > sudoCommand: ls
         > sudoHost: nappali.szilva
         > sudoRunAsGroup: ALL
         > sudoRunAsUser: ALL
         > sudoUser: doma
         > distinguishedName: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
         > # returned 1 records
         > # 1 entries
         > # 0 referrals
         > This confirms that the entry is indeed there in the db. Why is it found with ldbsearch and why does sssd_sudo not find it?
         > I am pretty much stuck with this one. Does anyone have an idea?
         >
         >
        Hi,
        this is strange. Can you provide the logs with debug level set to 0x3ff0
        please? Can you also send it as an attachment? Thanks!

    Sure. Here it is. Now I can see that the rule is returned. The
    question is why the rule does not match. Anyway much better :)

Hi, thanks for the logs. Since the rule is returned, we will get more information from sudo logs. Can you please enable sudo logging by putting the following line into /etc/sudo.conf?

Debug sudo /var/log/sudo_debug all@trace

Run sudo and send us /var/log/sudo_debug? Thanks!


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
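The thread hinges on what the filters that sssd_sudo logs ("Searching sysdb with [...]") actually select from the cached rule that ldbsearch printed. The following script is an added illustration for readers of this thread, not code from sssd, ldb or the FreeIPA project: a small evaluator that parses such an LDAP-style filter and checks it against the LDIF-style record quoted above. It shows that the third logged filter (the one the poster re-ran with ldbsearch) matches the Doma_ls rule, whereas the first logged filter, which additionally requires `dataExpireTimestamp<=1441826725`, does not match it as printed, because the record's expiry stamp 1441830262 is later. Assumptions, labelled in the code: only the `&`, `|`, `!`, `=`, `<=` and `>=` operators are supported, `*` in a value is treated as a glob wildcard, integer-looking values compare numerically and everything else case-insensitively; values containing `)` are not handled. This is a teaching model of the filter syntax, not a statement of ldb's exact matching rules.

```python
"""Toy evaluator for the LDAP-style filters sssd_sudo logs against an ldb record.

Added illustration, not sssd, ldb or FreeIPA code. Assumptions (simplifications):
only &, |, !, '=', '<=' and '>=' are supported; '*' in a value is a glob
wildcard; values that parse as integers compare numerically, everything else
compares as case-insensitive strings; values never contain ')'.
"""
import fnmatch
import re

# Taken from the thread: the third filter sssd_sudo logged (no expiry clause).
RULES_FILTER = ("(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)"
                "(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)"
                "(sudoUser=%doma)(sudoUser=+*)))")

# Taken from the thread: the first filter sssd_sudo logged, which also asks
# for entries whose dataExpireTimestamp is at or before the query time.
EXPIRED_FILTER = ("(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)"
                  "(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)"
                  "(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))")

# The record ldbsearch printed in the thread (attribute lines only).
LDB_RECORD = """\
dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
cn: Doma_ls
dataExpireTimestamp: 1441830262
entryUSN: 20521
name: Doma_ls
objectClass: sudoRule
originalDN: cn=Doma_ls,ou=sudoers,dc=szilva
sudoCommand: ls
sudoHost: nappali.szilva
sudoRunAsGroup: ALL
sudoRunAsUser: ALL
sudoUser: doma
"""


def parse_record(text):
    """Parse 'attr: value' lines into {attr_lowercase: [values]}; attributes may repeat."""
    rec = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        rec.setdefault(attr.strip().lower(), []).append(value.strip())
    return rec


def parse_filter(s):
    """Recursive-descent parser for RFC 4515-style filters into nested tuples."""
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError("trailing data at offset %d" % pos)
    return node


def _parse(s, pos):
    if s[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = s[pos]
    if op in "&|!":                      # compound node: (&...), (|...), (!...)
        pos += 1
        children = []
        while s[pos] == "(":
            child, pos = _parse(s, pos)
            children.append(child)
        if s[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        return (op, children), pos + 1
    end = s.index(")", pos)              # simple item: (attr=value), (attr<=value), ...
    m = re.match(r"([A-Za-z0-9;_-]+)(<=|>=|=)(.*)", s[pos:end])
    if not m:
        raise ValueError("bad filter item at offset %d" % pos)
    attr, cmp, value = m.groups()
    return (cmp, attr.lower(), value), end + 1


def _cmp_values(cmp, actual, wanted):
    """Compare one stored value with the filter value (assumed semantics, see docstring)."""
    try:
        a, w = int(actual), int(wanted)
    except ValueError:
        a, w = actual.lower(), wanted.lower()
        if cmp == "=":
            return fnmatch.fnmatchcase(a, w)   # '*' acts as a wildcard
    if cmp == "=":
        return a == w
    if cmp == "<=":
        return a <= w
    return a >= w


def matches(node, record):
    """Evaluate a parsed filter against a parsed record."""
    op = node[0]
    if op == "&":
        return all(matches(c, record) for c in node[1])
    if op == "|":
        return any(matches(c, record) for c in node[1])
    if op == "!":
        return not matches(node[1][0], record)
    _, attr, wanted = node
    return any(_cmp_values(op, v, wanted) for v in record.get(attr, []))


def evaluate(filter_str, record_text):
    """Convenience wrapper: does the record satisfy the filter string?"""
    return matches(parse_filter(filter_str), parse_record(record_text))


if __name__ == "__main__":
    for label, flt in (("rules filter", RULES_FILTER), ("expired-entries filter", EXPIRED_FILTER)):
        print("%s -> %s" % (label, evaluate(flt, LDB_RECORD)))
```

Running it prints `True` for the rules filter and `False` for the expired-entries filter. When a cached rule is present but sudo still denies, feeding the logged filter and the ldbsearch record through a check like this separates "the cache query does not select the rule" from "the rule is selected but sudo's own matching of sudoHost, sudoCommand and the run-as attributes rejects it", which is exactly the distinction the sudo debug log requested in the reply above is meant to settle.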
