This is definitely an actual problem.

Can someone please take a look at this and confirm that it is a bug in CentOS 
6.8?

In order to confirm that it was not our Katello installation that was causing 
this, I created a brand new CentOS 6.8 installation by downloading the DVD from 
centos.org.

I selected a minimal installation, and upon install, I just ran the following 2 
commands (nothing else has been done to this system) :
# yum -y install ipa-client
# ipa-client-install --enable-dns-updates --mkhomedir

Then I tried to log in using a FreeIPA account that is a member of both the HBAC 
and sudo "access to all" rules, and it succeeded.

Then I tried to sudo and it prompted me for a password and then claimed I was 
not allowed to run sudo.

login as: nathan.peters
nathan.peters@10.178.17.15's password:
Creating home directory for nathan.peters.
[nathan.peters@centos68test ~]$ sudo su -

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for nathan.peters:
nathan.peters is not allowed to run sudo on centos68test.  This incident will 
be reported.
[nathan.peters@centos68test ~]$

Has anyone actually gotten sudo working on CentOS 6.8?  I'd love to hear how 
because I have 100% failure rate for this no matter what provisioning method I 
use...
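
The sudo_debug trace quoted further down in this thread shows the password check 
(check_user) returning true before log_denial is entered, so the password prompt 
by itself says nothing about whether a sudoers rule matched. Below is an added 
example for separating the two outcomes when reading such a trace. It is not code 
from this thread, from sudo or from SSSD; the sample trace is a constructed 
handful of lines shaped like the posted log, and the function names it keys on 
(check_user, sudoers_policy_main, new_logline) are the ones that appear in that 
log.

```python
import re

# Constructed sample trace, shaped like the /var/log/sudo_debug excerpt in
# this thread (a handful of representative lines, not the full log).
SAMPLE_TRACE = """\
Jun  8 16:56:01 sudo[7277] <- sudo_pam_verify @ ./auth/pam.c:138 := 0
Jun  8 16:56:01 sudo[7277] <- verify_user @ ./auth/sudo_auth.c:282 := 1
Jun  8 16:56:01 sudo[7277] <- check_user @ ./check.c:189 := true
Jun  8 16:56:01 sudo[7277] -> log_denial @ ./logging.c:256
Jun  8 16:56:01 sudo[7277] <- new_logline @ ./logging.c:867 := user NOT authorized on host ; TTY=pts/1 ; PWD=/home/nathan.peters ; USER=root ; COMMAND=/bin/su -
Jun  8 16:56:01 sudo[7277] <- sudoers_policy_main @ ./sudoers.c:753 := false
Jun  8 16:56:01 sudo[7277] <- policy_check @ ./sudo.c:1204 := false
Jun  8 16:56:01 sudo[7277] policy plugin returns 0
"""

# In sudo's debug trace "->" marks a function entry and "<-" a return; the
# optional ":= value" after a return is the value the function returned.
RETURN_RE = re.compile(
    r"sudo\[\d+\] <- (?P<func>\w+) @ (?P<loc>\S+)(?: := (?P<val>.*))?$"
)
PLUGIN_RE = re.compile(r"sudo\[\d+\] policy plugin returns (?P<rc>-?\d+)$")


def parse_returns(trace):
    """Map each function name to the last return value the trace recorded for it.

    Returns without a logged value map to None; the final 'policy plugin
    returns N' line is stored under the key 'policy plugin'.
    """
    returns = {}
    for raw in trace.splitlines():
        line = raw.rstrip()
        m = RETURN_RE.search(line)
        if m:
            returns[m.group("func")] = m.group("val")
            continue
        m = PLUGIN_RE.search(line)
        if m:
            returns["policy plugin"] = m.group("rc")
    return returns


def classify(returns):
    """Tell an authentication failure apart from a sudoers policy denial.

    check_user is the password/PAM step; sudoers_policy_main is the overall
    policy decision. Both must be present to say anything.
    """
    auth = returns.get("check_user")
    policy = returns.get("sudoers_policy_main")
    if auth is None or policy is None:
        return "incomplete trace"
    if auth != "true":
        return "authentication failed"
    if policy == "true":
        return "allowed"
    return "authenticated, denied by sudoers policy"


def denial_message(returns):
    """The human-readable log line sudo built for the denial, if any."""
    return returns.get("new_logline")


if __name__ == "__main__":
    result = parse_returns(SAMPLE_TRACE)
    print(classify(result))
    print(denial_message(result))
```

To use it on a real trace, read /var/log/sudo_debug into a string and pass it 
to parse_returns(); the "authenticated, denied by sudoers policy" verdict is 
the cue to look at the rule lookup (SSSD's sudo responder and domain logs) 
rather than at PAM or Kerberos.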


-----Original Message-----
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Nathan Peters
Sent: Wednesday, June 8, 2016 11:14 AM
To: Jakub Hrozek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

I'm pretty lost here.  I tried following the directions on that page but the 
results still make no sense to me.  From what I can see, the account is 
successfully authorized, and the groups that I am part of are found and some 
sudo rules are found, but then I am denied access for no reason.  This is not 
working on any CentOS 6.8 server, and working properly on all previous versions 
of CentOS.  I have tried several steps including deleting and re-creating the 
6.8 hosts, and unjoining them and re-joining them to the domain.  Nothing helps.

========== /var/log/sudo_debug ======================

Jun  8 16:56:01 sudo[7277] <- sudo_pam_verify @ ./auth/pam.c:138 := 0
Jun  8 16:56:01 sudo[7277] <- verify_user @ ./auth/sudo_auth.c:282 := 1
Jun  8 16:56:01 sudo[7277] -> sudo_auth_cleanup @ ./auth/sudo_auth.c:160
Jun  8 16:56:01 sudo[7277] -> sudo_pam_cleanup @ ./auth/pam.c:185
Jun  8 16:56:01 sudo[7277] <- sudo_pam_cleanup @ ./auth/pam.c:189 := 0
Jun  8 16:56:01 sudo[7277] <- sudo_auth_cleanup @ ./auth/sudo_auth.c:177 := 0
Jun  8 16:56:01 sudo[7277] -> sudo_pw_delref @ ./pwutil.c:249
Jun  8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
Jun  8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
Jun  8 16:56:01 sudo[7277] <- sudo_pw_delref @ ./pwutil.c:251
Jun  8 16:56:01 sudo[7277] <- check_user @ ./check.c:189 := true
Jun  8 16:56:01 sudo[7277] -> log_failure @ ./logging.c:318
Jun  8 16:56:01 sudo[7277] -> log_denial @ ./logging.c:256
Jun  8 16:56:01 sudo[7277] -> audit_failure @ ./audit.c:68
Jun  8 16:56:01 sudo[7277] -> linux_audit_command @ ./linux_audit.c:70
Jun  8 16:56:01 sudo[7277] -> linux_audit_open @ ./linux_audit.c:49
Jun  8 16:56:01 sudo[7277] <- linux_audit_open @ ./linux_audit.c:61 := 15
Jun  8 16:56:01 sudo[7277] <- linux_audit_command @ ./linux_audit.c:97 := 3
Jun  8 16:56:01 sudo[7277] <- audit_failure @ ./audit.c:81
Jun  8 16:56:01 sudo[7277] -> new_logline @ ./logging.c:746
Jun  8 16:56:01 sudo[7277] <- new_logline @ ./logging.c:867 := user NOT authorized on host ; TTY=pts/1 ; PWD=/home/nathan.peters ; USER=root ; COMMAND=/bin/su -
Jun  8 16:56:01 sudo[7277] -> should_mail @ ./logging.c:712
Jun  8 16:56:01 sudo[7277] <- should_mail @ ./logging.c:717 := false
Jun  8 16:56:01 sudo[7277] -> do_syslog @ ./logging.c:138
Jun  8 16:56:01 sudo[7277] -> mysyslog @ ./logging.c:96
Jun  8 16:56:01 sudo[7277] <- mysyslog @ ./logging.c:119
Jun  8 16:56:01 sudo[7277] <- do_syslog @ ./logging.c:185
Jun  8 16:56:01 sudo[7277] <- log_denial @ ./logging.c:309
Jun  8 16:56:01 sudo[7277] <- log_failure @ ./logging.c:341
Jun  8 16:56:01 sudo[7277] -> rewind_perms @ ./set_perms.c:90
Jun  8 16:56:01 sudo[7277] -> restore_perms @ ./set_perms.c:363
Jun  8 16:56:01 sudo[7277] restore_perms: uid: [756600344, 0, 0] -> [756600344, 0, 0]
Jun  8 16:56:01 sudo[7277] restore_perms: gid: [756600344, 756600344, 756600344] -> [756600344, 756600344, 756600344]
Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816
Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818
Jun  8 16:56:01 sudo[7277] <- restore_perms @ ./set_perms.c:407
Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816
Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818
Jun  8 16:56:01 sudo[7277] <- rewind_perms @ ./set_perms.c:96
Jun  8 16:56:01 sudo[7277] -> sudo_endpwent @ ./pwutil.c:443
Jun  8 16:56:01 sudo[7277] -> sudo_freepwcache @ ./pwutil.c:426
Jun  8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
Jun  8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
Jun  8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
Jun  8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
Jun  8 16:56:01 sudo[7277] <- sudo_freepwcache @ ./pwutil.c:437
Jun  8 16:56:01 sudo[7277] <- sudo_endpwent @ ./pwutil.c:448
Jun  8 16:56:01 sudo[7277] -> sudo_endgrent @ ./pwutil.c:861
Jun  8 16:56:01 sudo[7277] -> sudo_freegrcache @ ./pwutil.c:840
Jun  8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
Jun  8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ ./pwutil.c:657
Jun  8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ ./pwutil.c:662
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ ./pwutil.c:657
Jun  8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ ./pwutil.c:662
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
Jun  8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
Jun  8 16:56:01 sudo[7277] <- sudo_freegrcache @ ./pwutil.c:855
Jun  8 16:56:01 sudo[7277] <- sudo_endgrent @ ./pwutil.c:866
Jun  8 16:56:01 sudo[7277] <- sudoers_policy_main @ ./sudoers.c:753 := false
Jun  8 16:56:01 sudo[7277] <- sudoers_policy_check @ ./sudoers.c:766 := false
Jun  8 16:56:01 sudo[7277] <- policy_check @ ./sudo.c:1204 := false
Jun  8 16:56:01 sudo[7277] policy plugin returns 0

============== /var/log/sssd/sssd_sudo.log =====================

(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [nathan.peters] from [<ALL>]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [nathan.pet...@dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [nathan.pet...@dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [nathan.peters] from [dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [nathan.peters] from [<ALL>]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [nathan.pet...@dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [nathan.pet...@dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [nathan.peters] from [dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 2 rules for [nathan.pet...@dev-mydomain.net]
(Wed Jun  8 17:39:16 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Wed Jun  8 17:39:16 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jun  8 17:39:17 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Wed Jun  8 17:39:17 2016) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x1091360][17]
(Wed Jun  8 17:39:26 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Wed Jun  8 17:39:26 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit

============= /var/log/sssd/sssd_mydomain.log ==============

(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=deployment_engineer]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 14 timeout 6
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xebb690], ldap[0xea8500]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 14 finished
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=sysadmins]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 15 timeout 6
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xeaaf30], ldap[0xea8500]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 15 finished
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!

===== output of ldap query manually copied from the sssd_sudo.log (first search 
returns nothing, second search returns 2 rules) ==================

[root@cass1-msg-cpqa1-nvan sssd]# ldbsearch -H 
/var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb 
'(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))'
asq: Unable to register control with rootdse!
# returned 0 records
# 0 entries
# 0 referrals


[root@cass1-msg-cpqa1-nvan sssd]# ldbsearch -H 
/var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb 
'(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))'
asq: Unable to register control with rootdse!
# record 1
dn: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
cn: s_allow_deployment_engineer_to_all
dataExpireTimestamp: 1465412946
name: s_allow_deployment_engineer_to_all
objectClass: sudoRule
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoRunAsGroup: ALL
sudoRunAsUser: ALL
sudoUser: %deployment_engineer
distinguishedName: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=cus
 tom,cn=dev-mydomain.net,cn=sysdb

# record 2
dn: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
cn: s_allow_sysadmins_to_all
dataExpireTimestamp: 1465412946
name: s_allow_sysadmins_to_all
objectClass: sudoRule
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoRunAsGroup: ALL
sudoRunAsUser: ALL
sudoUser: %sysadmins
distinguishedName: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev
 -mydomain.net,cn=sysdb

# returned 2 records
# 2 entries
# 0 referrals

====== output of ldap query against the directory for the search used in the 
sssd_domain.log ===========

[root@cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b 
cn=accounts,dc=dev-mydomain,dc=net 
'(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
# extended LDIF
#
# LDAPv3
# base <cn=accounts,dc=dev-mydomain,dc=net> with scope subtree
# filter: (&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

[root@cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b 
cn=accounts,dc=dev-mydomain,dc=net 
'(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
# extended LDIF
#
# LDAPv3
# base <cn=accounts,dc=dev-mydomain,dc=net> with scope subtree
# filter: (&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
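
The domain log above shows SSSD resolving the two groups named in the matching 
cached rules (%deployment_engineer and %sysadmins) with a filter that requires 
(|(objectClass=ipaUserGroup)(objectClass=posixGroup)) plus a gidNumber other than 0, 
and both searches, replayed with ldapsearch, return no entry. The example below is 
added here and is not code from this thread, from SSSD or from FreeIPA: it parses 
and evaluates that exact filter against constructed group entries (one with a 
gidNumber, one without, one with gidNumber 0) and then reports which cached sudo 
rules point at a group the filter cannot return. The group entries and the 
attribute sets on the rules are illustrative assumptions, not data from the 
poster's directory.

```python
# The group-lookup filter exactly as sssd_mydomain.log shows it being sent to
# the IPA server, with the group name substituted per lookup.
GROUP_FILTER = (
    "(&(cn={cn})(|(objectClass=ipaUserGroup)(objectClass=posixGroup))"
    "(cn=*)(&(gidNumber=*)(!(gidNumber=0))))"
)

# Constructed directory entries for illustration (not from the thread): one
# group carries a gidNumber, one has none, one has gidNumber 0.
GROUPS = [
    {"cn": ["sysadmins"],
     "objectClass": ["ipaUserGroup", "posixGroup", "groupOfNames"],
     "gidNumber": ["756600005"]},
    {"cn": ["deployment_engineer"],
     "objectClass": ["ipaUserGroup", "groupOfNames"]},
    {"cn": ["broken_gid"],
     "objectClass": ["ipaUserGroup", "posixGroup"],
     "gidNumber": ["0"]},
]

# Constructed cached sudo rules, shaped like the two ldbsearch records above.
SUDO_RULES = [
    {"cn": "s_allow_deployment_engineer_to_all",
     "sudoUser": ["%deployment_engineer"], "sudoHost": ["ALL"], "sudoCommand": ["ALL"]},
    {"cn": "s_allow_sysadmins_to_all",
     "sudoUser": ["%sysadmins"], "sudoHost": ["ALL"], "sudoCommand": ["ALL"]},
]


def parse_filter(text):
    """Parse the RFC 4515 subset used here: &, |, !, equality and presence.

    Values are assumed not to contain ')' (true for the filters in this thread).
    Returns ('&'|'|'|'!', [children]) or ('=', attr, value) nodes.
    """
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|":
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            result = (op, kids)
        elif op == "!":
            pos += 1
            result = ("!", [node()])
        else:
            end = text.index(")", pos)
            attr, _, value = text[pos:end].partition("=")
            result = ("=", attr, value)
            pos = end
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        pos += 1
        return result

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry.

    Attribute names and values are compared case-insensitively, as LDAP does
    for the attribute types involved here; '*' is a presence test.
    """
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    if value == "*":
        return bool(values)
    return value.lower() in values


def group_resolvable(cn, groups=GROUPS):
    """True if SSSD's group filter, as logged, would return an entry for this cn."""
    tree = parse_filter(GROUP_FILTER.format(cn=cn))
    return any(matches(tree, g) for g in groups)


def rules_with_unresolvable_groups(rules=SUDO_RULES, groups=GROUPS):
    """Cached rules whose sudoUser=%group names a group the filter cannot return."""
    return [(r["cn"], u) for r in rules for u in r["sudoUser"]
            if u.startswith("%") and not group_resolvable(u[1:], groups)]


if __name__ == "__main__":
    for rule, who in rules_with_unresolvable_groups():
        print("rule %s references %s, which the group filter drops" % (rule, who))
```

To turn this into a check against a real deployment, replace GROUPS with the 
entries ldapsearch returns for each group named in the cached rules (the same 
base and filter the domain log prints, minus the gidNumber clauses, so you can 
see the entry at all), and compare what the full filter keeps with what SSSD 
logged.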



-----Original Message-----
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
Sent: Tuesday, June 7, 2016 1:43 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

On Tue, Jun 07, 2016 at 08:21:21PM +0000, Nathan Peters wrote:
> I have a fresh installation of CentOS 6.8 joined to a FreeIPA 4.3.0 domain on 
> Fedora 23.
> 
> When I try to sudo on this host, it fails.  Here are the log entries from 
> /var/log/secure.  Note that we have several hundred CentOS 6.5-6.7 machines 
> where this works fine.
> 
> Is this a new bug in CentOS 6.8?

It's true that in 6.8, the sudo part was changed quite a bit, but we haven't 
heard about any bugs so far. Could you please follow:
    https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
and also:
    https://fedorahosted.org/sssd/wiki/Troubleshooting
to inspect SSSD logs? For failed authentication you'll probably want to take a 
look at the domain logs and maybe the krb5_child.log

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
