On (08/06/16 18:14), Nathan Peters wrote: >I'm pretty lost here. I tried following the directions on that page but the >results still make no sense to me. From what I can see, the account is >successfully authorized, and the groups that I am part of are found and some >sudo rules are found, but then I am denied access for no reason. This is not >working on any CentOS 6.8 server, and working properly on all previous >versions of CentOS. I have tried several steps including deleting and >re-creating the 6.8 hosts, and unjoining them and re-joining them to the >domain. Nothing helps > >========== /var/log/sudo_debug ====================== > >Jun 8 16:56:01 sudo[7277] <- sudo_pam_verify @ ./auth/pam.c:138 := 0 >Jun 8 16:56:01 sudo[7277] <- verify_user @ ./auth/sudo_auth.c:282 := 1 >Jun 8 16:56:01 sudo[7277] -> sudo_auth_cleanup @ ./auth/sudo_auth.c:160 >Jun 8 16:56:01 sudo[7277] -> sudo_pam_cleanup @ ./auth/pam.c:185 >Jun 8 16:56:01 sudo[7277] <- sudo_pam_cleanup @ ./auth/pam.c:189 := 0 >Jun 8 16:56:01 sudo[7277] <- sudo_auth_cleanup @ ./auth/sudo_auth.c:177 := 0 >Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref @ ./pwutil.c:249 >Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238 >Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243 >Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref @ ./pwutil.c:251 >Jun 8 16:56:01 sudo[7277] <- check_user @ ./check.c:189 := true >Jun 8 16:56:01 sudo[7277] -> log_failure @ ./logging.c:318 >Jun 8 16:56:01 sudo[7277] -> log_denial @ ./logging.c:256 >Jun 8 16:56:01 sudo[7277] -> audit_failure @ ./audit.c:68 >Jun 8 16:56:01 sudo[7277] -> linux_audit_command @ ./linux_audit.c:70 >Jun 8 16:56:01 sudo[7277] -> linux_audit_open @ ./linux_audit.c:49 >Jun 8 16:56:01 sudo[7277] <- linux_audit_open @ ./linux_audit.c:61 := 15 >Jun 8 16:56:01 sudo[7277] <- linux_audit_command @ ./linux_audit.c:97 := 3 >Jun 8 16:56:01 sudo[7277] <- audit_failure @ ./audit.c:81 >Jun 8 16:56:01 sudo[7277] -> new_logline @ ./logging.c:746 >Jun 8 
16:56:01 sudo[7277] <- new_logline @ ./logging.c:867 := user NOT >authorized on host ; TTY=pts/1 ; PWD=/home/nathan.peters ; USER=root ; >COMMAND=/bin/su - >Jun 8 16:56:01 sudo[7277] -> should_mail @ ./logging.c:712 >Jun 8 16:56:01 sudo[7277] <- should_mail @ ./logging.c:717 := false >Jun 8 16:56:01 sudo[7277] -> do_syslog @ ./logging.c:138 >Jun 8 16:56:01 sudo[7277] -> mysyslog @ ./logging.c:96 >Jun 8 16:56:01 sudo[7277] <- mysyslog @ ./logging.c:119 >Jun 8 16:56:01 sudo[7277] <- do_syslog @ ./logging.c:185 >Jun 8 16:56:01 sudo[7277] <- log_denial @ ./logging.c:309 >Jun 8 16:56:01 sudo[7277] <- log_failure @ ./logging.c:341 >Jun 8 16:56:01 sudo[7277] -> rewind_perms @ ./set_perms.c:90 >Jun 8 16:56:01 sudo[7277] -> restore_perms @ ./set_perms.c:363 >Jun 8 16:56:01 sudo[7277] restore_perms: uid: [756600344, 0, 0] -> >[756600344, 0, 0] >Jun 8 16:56:01 sudo[7277] restore_perms: gid: [756600344, 756600344, >756600344] -> [756600344, 756600344, 756600344] >Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816 >Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805 >Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810 >Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818 >Jun 8 16:56:01 sudo[7277] <- restore_perms @ ./set_perms.c:407 >Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816 >Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805 >Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810 >Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818 >Jun 8 16:56:01 sudo[7277] <- rewind_perms @ ./set_perms.c:96 >Jun 8 16:56:01 sudo[7277] -> sudo_endpwent @ ./pwutil.c:443 >Jun 8 16:56:01 sudo[7277] -> sudo_freepwcache @ ./pwutil.c:426 >Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ 
./redblack.c:349 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238 >Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362 >Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238 >Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362 >Jun 8 16:56:01 sudo[7277] <- sudo_freepwcache @ ./pwutil.c:437 >Jun 8 16:56:01 sudo[7277] <- sudo_endpwent @ ./pwutil.c:448 >Jun 8 16:56:01 sudo[7277] -> sudo_endgrent @ ./pwutil.c:861 >Jun 8 16:56:01 sudo[7277] -> sudo_freegrcache @ ./pwutil.c:840 >Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362 >Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] <- 
_rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ ./pwutil.c:657 >Jun 8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ ./pwutil.c:662 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ ./pwutil.c:657 >Jun 8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ ./pwutil.c:662 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362 >Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805 >Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805 >Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362 >Jun 8 16:56:01 sudo[7277] <- sudo_freegrcache @ ./pwutil.c:855 >Jun 8 16:56:01 sudo[7277] <- sudo_endgrent @ ./pwutil.c:866 >Jun 8 16:56:01 sudo[7277] <- sudoers_policy_main @ ./sudoers.c:753 := false >Jun 8 16:56:01 sudo[7277] <- sudoers_policy_check @ ./sudoers.c:766 := false >Jun 8 16:56:01 sudo[7277] <- policy_check @ ./sudo.c:1204 := false >Jun 8 16:56:01 sudo[7277] policy plugin returns 0 > >============== /var/log/sssd/sssd_sudo.log ===================== > >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] 
[accept_fd_handler] (0x0400): Client >connected! >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): >Received client version [1]. >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): >Offered version [1]. >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol >version [1] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): >name 'nathan.peters' matched without domain, user is nathan.peters >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): >name 'nathan.peters' matched without domain, user is nathan.peters >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] >(0x0200): Requesting default options for [nathan.peters] from [<ALL>] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): >Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): >Requesting info about [nathan.pet...@dev-mydomain.net] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning >info for user [nathan.pet...@dev-mydomain.net] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): >Retrieving default options for [nathan.peters] from [dev-mydomain.net] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] >(0x0200): Searching sysdb with >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to >get sudo rules from cache >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] >(0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] 
[sudosrv_get_sudorules_from_cache] >(0x0400): Returning 0 rules for [<default options>@dev-mydomain.net] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol >version [1] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): >name 'nathan.peters' matched without domain, user is nathan.peters >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): >name 'nathan.peters' matched without domain, user is nathan.peters >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] >(0x0200): Requesting rules for [nathan.peters] from [<ALL>] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): >Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): >Requesting info about [nathan.pet...@dev-mydomain.net] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning >info for user [nathan.pet...@dev-mydomain.net] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): >Retrieving rules for [nathan.peters] from [dev-mydomain.net] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] >(0x0200): Searching sysdb with >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to >get sudo rules from cache >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] >(0x0200): Searching sysdb with >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))] >(Wed Jun 8 17:39:12 2016) 
[sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting >rules with higher-wins logic >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] >(0x0400): Returning 2 rules for [nathan.pet...@dev-mydomain.net] >(Wed Jun 8 17:39:16 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): >Received SBUS method org.freedesktop.sssd.service.ping on path >/org/freedesktop/sssd/service >(Wed Jun 8 17:39:16 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): >Not a sysbus message, quit >(Wed Jun 8 17:39:17 2016) [sssd[sudo]] [client_recv] (0x0200): Client >disconnected! >(Wed Jun 8 17:39:17 2016) [sssd[sudo]] [client_destructor] (0x2000): >Terminated client [0x1091360][17] >(Wed Jun 8 17:39:26 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): >Received SBUS method org.freedesktop.sssd.service.ping on path >/org/freedesktop/sssd/service >(Wed Jun 8 17:39:26 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): >Not a sysbus message, quit > >============= /var/log/sssd/sssd_mydomain.log ============== > >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] >(0x2000): Received SBUS method >org.freedesktop.sssd.dataprovider.getAccountInfo on path >/org/freedesktop/sssd/dataprovider >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] >(0x0200): Got request for [0x1002][FAST >BE_REQ_GROUP][1][name=deployment_engineer] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] >(0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_groups_next_base] (0x0400): Searching for groups with base >[cn=accounts,dc=dev-mydomain,dc=net] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] >(0x2000): Searching 10.178.0.98 >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] 
>[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with >[(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net]. >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: >[ipaNTSecurityIdentifier] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14 >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] >(0x2000): New operation 14 timeout 6 >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] >(0x2000): Trace: sh[0xea9a60], connected[1], ops[0xebb690], ldap[0xea8500] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_op_finished] (0x0400): Search result: 
Success(0), no errmsg >set >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] >(0x2000): Operation 14 finished >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.

It looks like the group deployment_engineer cannot be found in IPA.
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] >(0x0400): No such entry >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] >(0x0100): Request processed. Returned 3,0,Account info lookup failed >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] >(0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] >(0x2000): Trace: ldap_result found nothing! >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] >(0x2000): Received SBUS method >org.freedesktop.sssd.dataprovider.getAccountInfo on path >/org/freedesktop/sssd/dataprovider >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] >(0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=sysadmins] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] >(0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_groups_next_base] (0x0400): Searching for groups with base >[cn=accounts,dc=dev-mydomain,dc=net] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] >(0x2000): Searching 10.178.0.98 >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with >[(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net]. 
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: >[ipaNTSecurityIdentifier] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15 >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] >(0x2000): New operation 15 timeout 6 >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] >(0x2000): Trace: sh[0xea9a60], connected[1], ops[0xeaaf30], ldap[0xea8500] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg >set >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] >(0x2000): Operation 15 finished >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_groups_process] 
(0x0400): Search for groups, returned 0 results.

It looks like the group sysadmins cannot be found in IPA.

>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] >(0x0400): No such entry >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] >(0x0100): Request processed. Returned 3,0,Account info lookup failed >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] >(0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] >(0x2000): Trace: ldap_result found nothing! > >===== output of ldap query manually copied from the sssd_sudo.log first >search returns nothing second search returns 2 rules ================== > >[root@cass1-msg-cpqa1-nvan sssd]# ldbsearch -H >/var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb >'(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))' >asq: Unable to register control with rootdse! ># returned 0 records ># 0 entries ># 0 referrals > > >[root@cass1-msg-cpqa1-nvan sssd]# ldbsearch -H >/var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb >'(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))' >asq: Unable to register control with rootdse!
># record 1 >dn: >name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb >cn: s_allow_deployment_engineer_to_all >dataExpireTimestamp: 1465412946 >name: s_allow_deployment_engineer_to_all >objectClass: sudoRule >sudoCommand: ALL >sudoHost: ALL >sudoOption: !authenticate >sudoRunAsGroup: ALL >sudoRunAsUser: ALL >sudoUser: %deployment_engineer >distinguishedName: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=cus > tom,cn=dev-mydomain.net,cn=sysdb > ># record 2 >dn: >name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb >cn: s_allow_sysadmins_to_all >dataExpireTimestamp: 1465412946 >name: s_allow_sysadmins_to_all >objectClass: sudoRule >sudoCommand: ALL >sudoHost: ALL >sudoOption: !authenticate >sudoRunAsGroup: ALL >sudoRunAsUser: ALL >sudoUser: %sysadmins >distinguishedName: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev > -mydomain.net,cn=sysdb > ># returned 2 records ># 2 entries ># 0 referrals > >====== output of ldap query against directory for search used in the >sssd_domain.log =========== > >[root@cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b >cn=accounts,dc=dev-mydomain,dc=net >'(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))' ># extended LDIF ># ># LDAPv3 ># base <cn=accounts,dc=dev-mydomain,dc=net> with scope subtree ># filter: >(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0)))) ># requesting: ALL ># > ># search result >search: 2 >result: 0 Success > ># numResponses: 1 > >[root@cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b >cn=accounts,dc=dev-mydomain,dc=net >'(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))' ># extended LDIF ># ># LDAPv3 ># base <cn=accounts,dc=dev-mydomain,dc=net> with scope subtree ># filter: 
>(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0)))) ># requesting: ALL ># >

The LDAP searches confirm that the groups deployment_engineer and sysadmins cannot be found. But you used an anonymous search, which may not be allowed to see those entries. It would be good if you could provide the output for these groups using the ipa command, e.g.

kinit admin
ipa group-show --all deployment_engineer
ipa group-show --all sysadmins
ipa group-show --raw deployment_engineer
ipa group-show --raw sysadmins

LS

--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project