Taking a second look at the sudo debugging logs: it looks like it can't figure out that I'm in the right group?
According to https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO those next 2 lines should be true?

Jun 13 20:12:10 sudo[16270] <- user_in_group @ ./pwutil.c:957 := false
Jun 13 20:12:10 sudo[16270] <- usergr_matches @ ./match.c:699 := false

--- snip ---

val[0]=%deployment_engineer
Jun 13 20:12:10 sudo[16270] -> usergr_matches @ ./match.c:666
Jun 13 20:12:10 sudo[16270] -> user_in_group @ ./pwutil.c:914
Jun 13 20:12:10 sudo[16270] -> sudo_get_grlist @ ./pwutil.c:851
Jun 13 20:12:10 sudo[16270] -> rbfind @ ./redblack.c:273
Jun 13 20:12:10 sudo[16270] <- rbfind @ ./redblack.c:277 := 0x7f4bacb0e7f0
Jun 13 20:12:10 sudo[16270] <- sudo_get_grlist @ ./pwutil.c:904 := 0x7f4bacb11318
Jun 13 20:12:10 sudo[16270] -> sudo_getgrgid @ ./pwutil.c:655
Jun 13 20:12:10 sudo[16270] -> rbfind @ ./redblack.c:273
Jun 13 20:12:10 sudo[16270] <- rbfind @ ./redblack.c:277 := 0x7f4bacb111d0
Jun 13 20:12:10 sudo[16270] <- sudo_getgrgid @ ./pwutil.c:681 := 0x7f4bacb0e458
Jun 13 20:12:10 sudo[16270] -> sudo_gr_delref @ ./pwutil.c:642
Jun 13 20:12:10 sudo[16270] -> sudo_gr_delref_item @ ./pwutil.c:631
Jun 13 20:12:10 sudo[16270] <- sudo_gr_delref_item @ ./pwutil.c:636
Jun 13 20:12:10 sudo[16270] <- sudo_gr_delref @ ./pwutil.c:644
Jun 13 20:12:10 sudo[16270] -> sudo_grlist_delref @ ./pwutil.c:790
Jun 13 20:12:10 sudo[16270] -> sudo_grlist_delref_item @ ./pwutil.c:779
Jun 13 20:12:10 sudo[16270] <- sudo_grlist_delref_item @ ./pwutil.c:784
Jun 13 20:12:10 sudo[16270] <- sudo_grlist_delref @ ./pwutil.c:792
Jun 13 20:12:10 sudo[16270] <- user_in_group @ ./pwutil.c:957 := false
Jun 13 20:12:10 sudo[16270] <- usergr_matches @ ./match.c:699 := false
Jun 13 20:12:10 sudo[16270] <- sudo_sss_filter_sudoUser @ ./sssd.c:682 := false
Jun 13 20:12:10 sudo[16270] <- sudo_sss_result_filterp @ ./sssd.c:696 := 0
Jun 13 20:12:10 sudo[16270] -> sudo_sss_result_filterp @ ./sssd.c:690
Jun 13 20:12:10 sudo[16270] -> sudo_sss_check_host @ ./sssd.c:577
Jun 13 20:12:10 sudo[16270] val[0]=ALL
Jun 13 20:12:10 sudo[16270] sssd/ldap sudoHost 'ALL' ... MATCH!
Jun 13 20:12:10 sudo[16270] <- sudo_sss_check_host @ ./sssd.c:613 := true
Jun 13 20:12:10 sudo[16270] -> sudo_sss_filter_sudoUser @ ./sssd.c:626
Jun 13 20:12:10 sudo[16270] val[0]=%sysadmins
Jun 13 20:12:10 sudo[16270] -> usergr_matches @ ./match.c:666
Jun 13 20:12:10 sudo[16270] -> user_in_group @ ./pwutil.c:914
Jun 13 20:12:10 sudo[16270] -> sudo_get_grlist @ ./pwutil.c:851
Jun 13 20:12:10 sudo[16270] -> rbfind @ ./redblack.c:273
Jun 13 20:12:10 sudo[16270] <- rbfind @ ./redblack.c:277 := 0x7f4bacb0e7f0
Jun 13 20:12:10 sudo[16270] <- sudo_get_grlist @ ./pwutil.c:904 := 0x7f4bacb11318
Jun 13 20:12:10 sudo[16270] -> sudo_getgrgid @ ./pwutil.c:655
Jun 13 20:12:10 sudo[16270] -> rbfind @ ./redblack.c:273
Jun 13 20:12:10 sudo[16270] <- rbfind @ ./redblack.c:277 := 0x7f4bacb111d0
Jun 13 20:12:10 sudo[16270] <- sudo_getgrgid @ ./pwutil.c:681 := 0x7f4bacb0e458
Jun 13 20:12:10 sudo[16270] -> sudo_gr_delref @ ./pwutil.c:642
Jun 13 20:12:10 sudo[16270] -> sudo_gr_delref_item @ ./pwutil.c:631
Jun 13 20:12:10 sudo[16270] <- sudo_gr_delref_item @ ./pwutil.c:636
Jun 13 20:12:10 sudo[16270] <- sudo_gr_delref @ ./pwutil.c:644
Jun 13 20:12:10 sudo[16270] -> sudo_grlist_delref @ ./pwutil.c:790
Jun 13 20:12:10 sudo[16270] -> sudo_grlist_delref_item @ ./pwutil.c:779
Jun 13 20:12:10 sudo[16270] <- sudo_grlist_delref_item @ ./pwutil.c:784
Jun 13 20:12:10 sudo[16270] <- sudo_grlist_delref @ ./pwutil.c:792
Jun 13 20:12:10 sudo[16270] <- user_in_group @ ./pwutil.c:957 := false
Jun 13 20:12:10 sudo[16270] <- usergr_matches @ ./match.c:699 := false

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Nathan Peters
Sent: Monday, June 13, 2016 12:55 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

After more investigation I'm thinking this may be a bug in FreeIPA 4.3.1.
I have, for testing purposes, installed a CentOS 6.7 client and I'm getting the same issues. The only thing I can think of is that we updated our FreeIPA servers to 4.3.1 a few weeks ago and hadn't provisioned any new machines since then. It's like the server isn't properly storing the new clients in the database and is missing some flag that allows them to use sudo. You can see from the output below that pam and sss both allow the user access, but the sudo command itself denies it. It's like the sudo package is only looking in the local sudoers files and ignoring the previous calls to the IPA server.

Jun 13 19:26:13 kafka1-msg-cpqa1-nvan sudo: pam_unix(sudo:auth): authentication failure; logname=nathan.peters uid=756600344 euid=0 tty=/dev/pts/0 ruser=nathan.peters rhost= user=nathan.peters
Jun 13 19:26:14 kafka1-msg-cpqa1-nvan sudo: pam_sss(sudo:auth): authentication success; logname=nathan.peters uid=756600344 euid=0 tty=/dev/pts/0 ruser=nathan.peters rhost= user=nathan.peters
Jun 13 19:26:14 kafka1-msg-cpqa1-nvan sudo: nathan.peters : user NOT authorized on host ; TTY=pts/0 ; PWD=/home/nathan.peters ; USER=root ; COMMAND=/bin/su -

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Nathan Peters
Sent: Monday, June 13, 2016 10:30 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

All group lists return correctly when using the ipa group-show command. Like I said, there is definitely something wrong with CentOS 6.8 because all group lists are correct. This was done on one of the CentOS 6.8 servers so we know that the server can retrieve the group lists properly.
[nathan.peters@cass1 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_756600344
Default principal: ad...@dev-mydomain.net

Valid starting     Expires            Service principal
06/13/16 17:21:56  06/14/16 17:21:41  krbtgt/dev-mydomain....@dev-mydomain.net

[nathan.peters@cass1 ~]$ ipa group-show --all deployment_engineer ipa group-show --all sysadmins ipa group-show --raw deployment_engineer ipa group-show --raw sysadmins
ipa: ERROR: command 'group_show' takes at most 1 argument

[nathan.peters@cass1 ~]$ ipa group-show --all deployment_engineer
  dn: cn=deployment_engineer,cn=groups,cn=accounts,dc=dev-mydomain,dc=net
  Group name: deployment_engineer
  Description: deployment engineers
  Member users: nathan.peters, <other users - removed for privacy>
  Member of groups: admins
  Roles: DNS Administrator
  Member of Sudo rule: s_allow_deployment_engineer_to_all
  Member of HBAC rule: allow_deployment_engineer_to_all
  ipauniqueid: 8bba7068-04c8-11e5-931d-005056b71d17
  objectclass: top, ipaobject, groupofnames, ipausergroup, nestedgroup

[nathan.peters@cass1 ~]$ ipa group-show --all sysadmins
  dn: cn=sysadmins,cn=groups,cn=accounts,dc=dev-mydomain,dc=net
  Group name: sysadmins
  Description: System Administrators
  Member users: nathan.peters, <other valid users removed for privacy>
  Member of groups: admins
  Member of Sudo rule: s_allow_sysadmins_to_all
  Member of HBAC rule: allow_sysadmins_to_all
  ipauniqueid: 828754c0-04c8-11e5-988f-005056b71d17
  objectclass: top, ipaobject, groupofnames, ipausergroup, nestedgroup

[nathan.peters@cass1 ~]$ ipa group-show --raw deployment_engineer
  cn: deployment_engineer
  description: deployment engineers
  member: uid=nathan.peters,cn=users,cn=accounts,dc=dev-mydomain,dc=net
  <other valid member lines removed for privacy>

[nathan.peters@cass1 ~]$ ipa group-show --raw sysadmins
  cn: sysadmins
  description: System Administrators
  member: uid=nathan.peters,cn=users,cn=accounts,dc=dev-mydomain,dc=net
  <other users removed for privacy>

[nathan.peters@cass1 ~]$

-----Original Message-----
From: Lukas Slebodnik [mailto:lsleb...@redhat.com]
Sent: Saturday, June 11, 2016 2:02 AM
To: Nathan Peters
Cc: Jakub Hrozek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

On (08/06/16 18:14), Nathan Peters wrote:
>I'm pretty lost here. I tried following the directions on that page but the results still make no sense to me. From what I can see, the account is successfully authorized, and the groups that I am part of are found and some sudo rules are found, but then I am denied access for no reason. This is not working on any CentOS 6.8 server, and working properly on all previous versions of CentOS. I have tried several steps including deleting and re-creating the 6.8 hosts, and unjoining them and re-joining them to the domain. Nothing helps
>
>========== /var/log/sudo_debug ======================
>
>Jun 8 16:56:01 sudo[7277] <- sudo_pam_verify @ ./auth/pam.c:138 := 0
>Jun 8 16:56:01 sudo[7277] <- verify_user @ ./auth/sudo_auth.c:282 := 1
>Jun 8 16:56:01 sudo[7277] -> sudo_auth_cleanup @ ./auth/sudo_auth.c:160
>Jun 8 16:56:01 sudo[7277] -> sudo_pam_cleanup @ ./auth/pam.c:185
>Jun 8 16:56:01 sudo[7277] <- sudo_pam_cleanup @ ./auth/pam.c:189 := 0
>Jun 8 16:56:01 sudo[7277] <- sudo_auth_cleanup @ ./auth/sudo_auth.c:177 := 0
>Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref @ ./pwutil.c:249
>Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
>Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
>Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref @ ./pwutil.c:251
>Jun 8 16:56:01 sudo[7277] <- check_user @ ./check.c:189 := true
>Jun 8 16:56:01 sudo[7277] -> log_failure @ ./logging.c:318
>Jun 8 16:56:01 sudo[7277] -> log_denial @ ./logging.c:256
>Jun 8 16:56:01 sudo[7277] -> audit_failure @ ./audit.c:68
>Jun 8 16:56:01 sudo[7277] -> linux_audit_command @ ./linux_audit.c:70
>Jun 8 16:56:01 sudo[7277] -> linux_audit_open @ ./linux_audit.c:49
>Jun 8 16:56:01 sudo[7277] <- linux_audit_open @ ./linux_audit.c:61 := 15
>Jun 8 16:56:01 sudo[7277] <- linux_audit_command @ ./linux_audit.c:97 := 3
>Jun 8 16:56:01 sudo[7277] <- audit_failure @ ./audit.c:81
>Jun 8 16:56:01 sudo[7277] -> new_logline @ ./logging.c:746
>Jun 8 16:56:01 sudo[7277] <- new_logline @ ./logging.c:867 := user NOT authorized on host ; TTY=pts/1 ; PWD=/home/nathan.peters ; USER=root ; COMMAND=/bin/su -
>Jun 8 16:56:01 sudo[7277] -> should_mail @ ./logging.c:712
>Jun 8 16:56:01 sudo[7277] <- should_mail @ ./logging.c:717 := false
>Jun 8 16:56:01 sudo[7277] -> do_syslog @ ./logging.c:138
>Jun 8 16:56:01 sudo[7277] -> mysyslog @ ./logging.c:96
>Jun 8 16:56:01 sudo[7277] <- mysyslog @ ./logging.c:119
>Jun 8 16:56:01 sudo[7277] <- do_syslog @ ./logging.c:185
>Jun 8 16:56:01 sudo[7277] <- log_denial @ ./logging.c:309
>Jun 8 16:56:01 sudo[7277] <- log_failure @ ./logging.c:341
>Jun 8 16:56:01 sudo[7277] -> rewind_perms @ ./set_perms.c:90
>Jun 8 16:56:01 sudo[7277] -> restore_perms @ ./set_perms.c:363
>Jun 8 16:56:01 sudo[7277] restore_perms: uid: [756600344, 0, 0] -> [756600344, 0, 0]
>Jun 8 16:56:01 sudo[7277] restore_perms: gid: [756600344, 756600344, 756600344] -> [756600344, 756600344, 756600344]
>Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816
>Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
>Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
>Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818
>Jun 8 16:56:01 sudo[7277] <- restore_perms @ ./set_perms.c:407
>Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816
>Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
>Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
>Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818
>Jun 8 16:56:01 sudo[7277] <- rewind_perms @ ./set_perms.c:96
>Jun 8 16:56:01 sudo[7277] -> sudo_endpwent @ ./pwutil.c:443
>Jun 8 16:56:01 sudo[7277] -> sudo_freepwcache @ ./pwutil.c:426
>Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
>Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
>Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
>Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
>Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
>Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
>Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
>Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
>Jun 8 16:56:01 sudo[7277] <- sudo_freepwcache @ ./pwutil.c:437
>Jun 8 16:56:01 sudo[7277] <- sudo_endpwent @ ./pwutil.c:448
>Jun 8 16:56:01 sudo[7277] -> sudo_endgrent @ ./pwutil.c:861
>Jun 8 16:56:01 sudo[7277] -> sudo_freegrcache @ ./pwutil.c:840
>Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
>Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
>Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
>Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>Jun 8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ ./pwutil.c:657
>Jun 8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ ./pwutil.c:662
>Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>Jun 8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ ./pwutil.c:657
>Jun 8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ ./pwutil.c:662
>Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
>Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
>Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
>Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
>Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
>Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
>Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
>Jun 8 16:56:01 sudo[7277] <- sudo_freegrcache @ ./pwutil.c:855
>Jun 8 16:56:01 sudo[7277] <- sudo_endgrent @ ./pwutil.c:866
>Jun 8 16:56:01 sudo[7277] <- sudoers_policy_main @ ./sudoers.c:753 := false
>Jun 8 16:56:01 sudo[7277] <- sudoers_policy_check @ ./sudoers.c:766 := false
>Jun 8 16:56:01 sudo[7277] <- policy_check @ ./sudo.c:1204 := false
>Jun 8 16:56:01 sudo[7277] policy plugin returns 0
>
>============== /var/log/sssd/sssd_sudo.log =====================
>
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [nathan.peters] from [<ALL>]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [nathan.pet...@dev-mydomain.net]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [nathan.pet...@dev-mydomain.net]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [nathan.peters] from [dev-mydomain.net]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@dev-mydomain.net]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [nathan.peters] from [<ALL>]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [nathan.pet...@dev-mydomain.net]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [nathan.pet...@dev-mydomain.net]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [nathan.peters] from [dev-mydomain.net]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 2 rules for [nathan.pet...@dev-mydomain.net]
>(Wed Jun 8 17:39:16 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
>(Wed Jun 8 17:39:16 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>(Wed Jun 8 17:39:17 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
>(Wed Jun 8 17:39:17 2016) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x1091360][17]
>(Wed Jun 8 17:39:26 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
>(Wed Jun 8 17:39:26 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>
>============= /var/log/sssd/sssd_mydomain.log ==============
>
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=deployment_engineer]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 14 timeout 6
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xebb690], ldap[0xea8500]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 14 finished
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.

It looks like group deployment_engineer cannot be found in IPA.

>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=sysadmins]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 15 timeout 6
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xeaaf30], ldap[0xea8500]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 15 finished
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.

It looks like group sysadmins cannot be found in IPA.

>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
>
>===== output of ldap query manually copied from the sssd_sudo.log; first search returns nothing, second search returns 2 rules ==================
>
>[root@cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))'
>asq: Unable to register control with rootdse!
># returned 0 records
># 0 entries
># 0 referrals
>
>
>[root@cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))'
>asq: Unable to register control with rootdse!
># record 1
>dn: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
>cn: s_allow_deployment_engineer_to_all
>dataExpireTimestamp: 1465412946
>name: s_allow_deployment_engineer_to_all
>objectClass: sudoRule
>sudoCommand: ALL
>sudoHost: ALL
>sudoOption: !authenticate
>sudoRunAsGroup: ALL
>sudoRunAsUser: ALL
>sudoUser: %deployment_engineer
>distinguishedName: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
>
># record 2
>dn: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
>cn: s_allow_sysadmins_to_all
>dataExpireTimestamp: 1465412946
>name: s_allow_sysadmins_to_all
>objectClass: sudoRule
>sudoCommand: ALL
>sudoHost: ALL
>sudoOption: !authenticate
>sudoRunAsGroup: ALL
>sudoRunAsUser: ALL
>sudoUser: %sysadmins
>distinguishedName: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
>
># returned 2 records
># 2 entries
># 0 referrals
>
>====== output of ldap query against directory for search used in the sssd_domain.log ===========
>
>[root@cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
># extended LDIF
>#
># LDAPv3
># base <cn=accounts,dc=dev-mydomain,dc=net> with scope subtree
># filter: (&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
># requesting: ALL
>#
>
># search result
>search: 2
>result: 0 Success
>
># numResponses: 1
>
>[root@cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
># extended LDIF
>#
># LDAPv3
># base <cn=accounts,dc=dev-mydomain,dc=net> with scope subtree
># filter: (&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
># requesting: ALL
>#
>

LDAP searches confirmed that it's not possible to find groups deployment_engineer and sysadmins. But you used an anonymous search. It would be good if you could provide the output for the groups using the ipa command, e.g.

kinit admin
ipa group-show --all deployment_engineer
ipa group-show --all sysadmins
ipa group-show --raw deployment_engineer
ipa group-show --raw sysadmins

LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
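An added diagnostic, not part of this thread and not sssd's or sudo's own tooling: it parses the two log formats quoted above (the `-> func` / `<- func := value` trace in /var/log/sudo_debug and the sysdb filter that sssd_sudo.log shows sudosrv_get_sudorules_query_cache building) and reports which `%group` terms sssd itself put into its query but sudo's user_in_group then rejected. The sudo_debug excerpt is constructed, condensed from the lines quoted at the top of the thread; the sysdb filter is the one from the sssd_sudo.log excerpt.

```python
"""Cross-check sudo's per-group usergr_matches results against the groups
sssd listed for the user when it built its sudo rule query."""
import re

# Constructed excerpt, condensed from the /var/log/sudo_debug lines quoted in
# this thread: the sudoHost check, then the sudoUser check for each rule.
SUDO_DEBUG = """\
Jun 13 20:12:10 sudo[16270] -> sudo_sss_check_host @ ./sssd.c:577
Jun 13 20:12:10 sudo[16270] val[0]=ALL
Jun 13 20:12:10 sudo[16270] sssd/ldap sudoHost 'ALL' ... MATCH!
Jun 13 20:12:10 sudo[16270] <- sudo_sss_check_host @ ./sssd.c:613 := true
Jun 13 20:12:10 sudo[16270] -> sudo_sss_filter_sudoUser @ ./sssd.c:626
Jun 13 20:12:10 sudo[16270] val[0]=%deployment_engineer
Jun 13 20:12:10 sudo[16270] -> usergr_matches @ ./match.c:666
Jun 13 20:12:10 sudo[16270] -> user_in_group @ ./pwutil.c:914
Jun 13 20:12:10 sudo[16270] <- user_in_group @ ./pwutil.c:957 := false
Jun 13 20:12:10 sudo[16270] <- usergr_matches @ ./match.c:699 := false
Jun 13 20:12:10 sudo[16270] <- sudo_sss_filter_sudoUser @ ./sssd.c:682 := false
Jun 13 20:12:10 sudo[16270] -> sudo_sss_filter_sudoUser @ ./sssd.c:626
Jun 13 20:12:10 sudo[16270] val[0]=%sysadmins
Jun 13 20:12:10 sudo[16270] -> usergr_matches @ ./match.c:666
Jun 13 20:12:10 sudo[16270] -> user_in_group @ ./pwutil.c:914
Jun 13 20:12:10 sudo[16270] <- user_in_group @ ./pwutil.c:957 := false
Jun 13 20:12:10 sudo[16270] <- usergr_matches @ ./match.c:699 := false
Jun 13 20:12:10 sudo[16270] <- sudo_sss_filter_sudoUser @ ./sssd.c:682 := false
"""

# The sysdb filter sssd_sudo.log shows sudosrv_get_sudorules_query_cache using.
# Its (sudoUser=%group) terms are sssd's own view of the user's groups.
SSSD_SUDO_FILTER = (
    "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)"
    "(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)"
    "(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)"
    "(sudoUser=%nathan.peters)(sudoUser=+*)))"
)

# "Jun 13 20:12:10 sudo[16270] <rest>"  (single-digit days are space padded)
PREFIX_RE = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d sudo\[\d+\] (.*)$")
# "-> func @ file:line" on entry, "<- func @ file:line := value" on return
CALL_RE = re.compile(r"^(->|<-) (\w+) @ \S+(?: := (.*))?$")
VAL_RE = re.compile(r"^val\[\d+\]=(\S+)$")


def sudo_user_checks(log_text):
    """Map each %group that sudo tested inside sudo_sss_filter_sudoUser to
    the usergr_matches result (True means sudo confirmed membership)."""
    results = {}
    in_user_filter = False
    candidate = None
    for raw in log_text.splitlines():
        m = PREFIX_RE.match(raw.strip())
        if not m:
            continue  # not a sudo debug line (e.g. a "--- snip ---" marker)
        body = m.group(1)
        call = CALL_RE.match(body)
        if call:
            direction, func, value = call.groups()
            if func == "sudo_sss_filter_sudoUser":
                in_user_filter = direction == "->"
                candidate = None
            elif func == "usergr_matches" and direction == "<-" and candidate:
                results[candidate] = value == "true"
            continue
        val = VAL_RE.match(body)
        if val and in_user_filter and val.group(1).startswith("%"):
            candidate = val.group(1)[1:]  # drop the sudoers "%" group marker
    return results


def sssd_member_groups(ldap_filter):
    """Groups sssd believes the user is in, read off the (sudoUser=%group)
    terms it placed in its sysdb query."""
    return set(re.findall(r"\(sudoUser=%([^)]+)\)", ldap_filter))


def inconsistent_groups(log_text, ldap_filter):
    """Groups sssd listed for the user but sudo's user_in_group rejected.
    A non-empty result means the rules were fetched and the failure is in
    resolving the user's group membership on the client, not in the rules."""
    known = sssd_member_groups(ldap_filter)
    checks = sudo_user_checks(log_text)
    return sorted(g for g, ok in checks.items() if not ok and g in known)


if __name__ == "__main__":
    for group, ok in sudo_user_checks(SUDO_DEBUG).items():
        print(f"sudo  %{group}: {'match' if ok else 'NO MATCH'}")
    print("sssd lists:", ", ".join(sorted(sssd_member_groups(SSSD_SUDO_FILTER))))
    print("inconsistent:", inconsistent_groups(SUDO_DEBUG, SSSD_SUDO_FILTER))
```

Run it against a full /var/log/sudo_debug and the matching sssd_sudo.log filter line; any group it reports is one to check with `id` / `getent group` on the client before looking at the sudo rules again.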