On Mon, Jun 13, 2016 at 05:30:16PM +0000, Nathan Peters wrote:
> All group lists return correctly when using the ipa group-show command.
>
> Like I said, there is definitely something wrong with CentOS 6.8 because all
> group lists are correct. This was done on one of the CentOS 6.8 servers so
> we know that the server can retrieve the group lists properly.
We had a similar report (untriaged yet) where adding POSIX attributes made the
difference. Could you test if also in your environment adding the POSIX
attributes makes the rules work? (It would be a bug nonetheless, but it's
worth trying so that we pinpoint the issue)

>
> [nathan.peters@cass1 ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_756600344
> Default principal: ad...@dev-mydomain.net
>
> Valid starting     Expires            Service principal
> 06/13/16 17:21:56  06/14/16 17:21:41  krbtgt/dev-mydomain....@dev-mydomain.net
> [nathan.peters@cass1 ~]$ ipa group-show --all deployment_engineer ipa group-show --all sysadmins ipa group-show --raw deployment_engineer ipa group-show --raw sysadmins
> ipa: ERROR: command 'group_show' takes at most 1 argument
> [nathan.peters@cass1 ~]$ ipa group-show --all deployment_engineer
> dn: cn=deployment_engineer,cn=groups,cn=accounts,dc=dev-mydomain,dc=net
> Group name: deployment_engineer
> Description: deployment engineers
> Member users: nathan.peters, <other users - removed for privacy>
> Member of groups: admins
> Roles: DNS Administrator
> Member of Sudo rule: s_allow_deployment_engineer_to_all
> Member of HBAC rule: allow_deployment_engineer_to_all
> ipauniqueid: 8bba7068-04c8-11e5-931d-005056b71d17
> objectclass: top, ipaobject, groupofnames, ipausergroup, nestedgroup
> [nathan.peters@cass1 ~]$ ipa group-show --all sysadmins
> dn: cn=sysadmins,cn=groups,cn=accounts,dc=dev-mydomain,dc=net
> Group name: sysadmins
> Description: System Administrators
> Member users: nathan.peters, <other valid users removed for privacy>
> Member of groups: admins
> Member of Sudo rule: s_allow_sysadmins_to_all
> Member of HBAC rule: allow_sysadmins_to_all
> ipauniqueid: 828754c0-04c8-11e5-988f-005056b71d17
> objectclass: top, ipaobject, groupofnames, ipausergroup, nestedgroup
> [nathan.peters@cass1 ~]$ ipa group-show --raw deployment_engineer
> cn: deployment_engineer
> description: deployment engineers
> member: uid=nathan.peters,cn=users,cn=accounts,dc=dev-mydomain,dc=net
> <other valid member lines removed for privacy>
> [nathan.peters@cass1 ~]$ ipa group-show --raw sysadmins
> cn: sysadmins
> description: System Administrators
> member: uid=nathan.peters,cn=users,cn=accounts,dc=dev-mydomain,dc=net
> <other users removed for privacy>
> [nathan.peters@cass1 ~]$
>
> -----Original Message-----
> From: Lukas Slebodnik [mailto:lsleb...@redhat.com]
> Sent: Saturday, June 11, 2016 2:02 AM
> To: Nathan Peters
> Cc: Jakub Hrozek; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails
>
> On (08/06/16 18:14), Nathan Peters wrote:
> >I'm pretty lost here. I tried following the directions on that page
> >but the results still make no sense to me. From what I can see, the
> >account is successfully authorized, and the groups that I am part of
> >are found and some sudo rules are found, but then I am denied access
> >for no reason. This is not working on any CentOS 6.8 server, and
> >working properly on all previous versions of CentOS. I have tried
> >several steps including deleting and re-creating the 6.8 hosts, and
> >unjoining them and re-joining them to the domain. Nothing helps
> >
> >========== /var/log/sudo_debug ======================
> >
> >Jun 8 16:56:01 sudo[7277] <- sudo_pam_verify @ ./auth/pam.c:138 := 0
> >Jun 8 16:56:01 sudo[7277] <- verify_user @ ./auth/sudo_auth.c:282 := 1
> >Jun 8 16:56:01 sudo[7277] -> sudo_auth_cleanup @ ./auth/sudo_auth.c:160
> >Jun 8 16:56:01 sudo[7277] -> sudo_pam_cleanup @ ./auth/pam.c:185
> >Jun 8 16:56:01 sudo[7277] <- sudo_pam_cleanup @ ./auth/pam.c:189 := 0
> >Jun 8 16:56:01 sudo[7277] <- sudo_auth_cleanup @ ./auth/sudo_auth.c:177 := 0
> >Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref @ ./pwutil.c:249
> >Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
> >Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
> >Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref @ ./pwutil.c:251
> >Jun 8 16:56:01 sudo[7277] <- check_user @ ./check.c:189 := true
> >Jun 8 16:56:01 sudo[7277] -> log_failure @ ./logging.c:318
> >Jun 8 16:56:01 sudo[7277] -> log_denial @ ./logging.c:256
> >Jun 8 16:56:01 sudo[7277] -> audit_failure @ ./audit.c:68
> >Jun 8 16:56:01 sudo[7277] -> linux_audit_command @ ./linux_audit.c:70
> >Jun 8 16:56:01 sudo[7277] -> linux_audit_open @ ./linux_audit.c:49
> >Jun 8 16:56:01 sudo[7277] <- linux_audit_open @ ./linux_audit.c:61 := 15
> >Jun 8 16:56:01 sudo[7277] <- linux_audit_command @ ./linux_audit.c:97 := 3
> >Jun 8 16:56:01 sudo[7277] <- audit_failure @ ./audit.c:81
> >Jun 8 16:56:01 sudo[7277] -> new_logline @ ./logging.c:746
> >Jun 8 16:56:01 sudo[7277] <- new_logline @ ./logging.c:867 := user NOT authorized on host ; TTY=pts/1 ; PWD=/home/nathan.peters ; USER=root ; COMMAND=/bin/su -
> >Jun 8 16:56:01 sudo[7277] -> should_mail @ ./logging.c:712
> >Jun 8 16:56:01 sudo[7277] <- should_mail @ ./logging.c:717 := false
> >Jun 8 16:56:01 sudo[7277] -> do_syslog @ ./logging.c:138
> >Jun 8 16:56:01 sudo[7277] -> mysyslog @ ./logging.c:96
> >Jun 8 16:56:01 sudo[7277] <- mysyslog @ ./logging.c:119
> >Jun 8 16:56:01 sudo[7277] <- do_syslog @ ./logging.c:185
> >Jun 8 16:56:01 sudo[7277] <- log_denial @ ./logging.c:309
> >Jun 8 16:56:01 sudo[7277] <- log_failure @ ./logging.c:341
> >Jun 8 16:56:01 sudo[7277] -> rewind_perms @ ./set_perms.c:90
> >Jun 8 16:56:01 sudo[7277] -> restore_perms @ ./set_perms.c:363
> >Jun 8 16:56:01 sudo[7277] restore_perms: uid: [756600344, 0, 0] -> [756600344, 0, 0]
> >Jun 8 16:56:01 sudo[7277] restore_perms: gid: [756600344, 756600344, 756600344] -> [756600344, 756600344, 756600344]
> >Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816
> >Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
> >Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
> >Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818
> >Jun 8 16:56:01 sudo[7277] <- restore_perms @ ./set_perms.c:407
> >Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816
> >Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
> >Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
> >Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818
> >Jun 8 16:56:01 sudo[7277] <- rewind_perms @ ./set_perms.c:96
> >Jun 8 16:56:01 sudo[7277] -> sudo_endpwent @ ./pwutil.c:443
> >Jun 8 16:56:01 sudo[7277] -> sudo_freepwcache @ ./pwutil.c:426
> >Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
> >Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
> >Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
> >Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
> >Jun 8 16:56:01 sudo[7277] <- sudo_freepwcache @ ./pwutil.c:437
> >Jun 8 16:56:01 sudo[7277] <- sudo_endpwent @ ./pwutil.c:448
> >Jun 8 16:56:01 sudo[7277] -> sudo_endgrent @ ./pwutil.c:861
> >Jun 8 16:56:01 sudo[7277] -> sudo_freegrcache @ ./pwutil.c:840
> >Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
> >Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ ./pwutil.c:657
> >Jun 8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ ./pwutil.c:662
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ ./pwutil.c:657
> >Jun 8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ ./pwutil.c:662
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
> >Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
> >Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
> >Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
> >Jun 8 16:56:01 sudo[7277] <- sudo_freegrcache @ ./pwutil.c:855
> >Jun 8 16:56:01 sudo[7277] <- sudo_endgrent @ ./pwutil.c:866
> >Jun 8 16:56:01 sudo[7277] <- sudoers_policy_main @ ./sudoers.c:753 := false
> >Jun 8 16:56:01 sudo[7277] <- sudoers_policy_check @ ./sudoers.c:766 := false
> >Jun 8 16:56:01 sudo[7277] <- policy_check @ ./sudo.c:1204 := false
> >Jun 8 16:56:01 sudo[7277] policy plugin returns 0
> >
> >============== /var/log/sssd/sssd_sudo.log =====================
> >
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [nathan.peters] from [<ALL>]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [nathan.pet...@dev-mydomain.net]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [nathan.pet...@dev-mydomain.net]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [nathan.peters] from [dev-mydomain.net]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@dev-mydomain.net]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [nathan.peters] from [<ALL>]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [nathan.pet...@dev-mydomain.net]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [nathan.pet...@dev-mydomain.net]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [nathan.peters] from [dev-mydomain.net]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 2 rules for [nathan.pet...@dev-mydomain.net]
> >(Wed Jun 8 17:39:16 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
> >(Wed Jun 8 17:39:16 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> >(Wed Jun 8 17:39:17 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
> >(Wed Jun 8 17:39:17 2016) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x1091360][17]
> >(Wed Jun 8 17:39:26 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
> >(Wed Jun 8 17:39:26 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> >
> >============= /var/log/sssd/sssd_mydomain.log ==============
> >
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=deployment_engineer]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 14 timeout 6
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xebb690], ldap[0xea8500]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 14 finished
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
> It looks like group deployment_engineer cannot be found in IPA.
>
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=sysadmins]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 15 timeout 6
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xeaaf30], ldap[0xea8500]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 15 finished
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
> It looks like group sysadmins cannot be found in IPA.
>
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> >
> >===== output of ldap query manually copied from the sssd_sudo.log
> >first search returns nothing second search returns 2 rules
> >==================
> >
> >[root@cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))'
> >asq: Unable to register control with rootdse!
> ># returned 0 records
> ># 0 entries
> ># 0 referrals
> >
> >
> >[root@cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))'
> >asq: Unable to register control with rootdse!
> ># record 1
> >dn: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
> >cn: s_allow_deployment_engineer_to_all
> >dataExpireTimestamp: 1465412946
> >name: s_allow_deployment_engineer_to_all
> >objectClass: sudoRule
> >sudoCommand: ALL
> >sudoHost: ALL
> >sudoOption: !authenticate
> >sudoRunAsGroup: ALL
> >sudoRunAsUser: ALL
> >sudoUser: %deployment_engineer
> >distinguishedName: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
> >
> ># record 2
> >dn: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
> >cn: s_allow_sysadmins_to_all
> >dataExpireTimestamp: 1465412946
> >name: s_allow_sysadmins_to_all
> >objectClass: sudoRule
> >sudoCommand: ALL
> >sudoHost: ALL
> >sudoOption: !authenticate
> >sudoRunAsGroup: ALL
> >sudoRunAsUser: ALL
> >sudoUser: %sysadmins
> >distinguishedName: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
> >
> ># returned 2 records
> ># 2 entries
> ># 0 referrals
> >
> >====== output of ldap query against directory for search used in the
> >sssd_domain.log ===========
> >
> >[root@cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
> ># extended LDIF
> >#
> ># LDAPv3
> ># base <cn=accounts,dc=dev-mydomain,dc=net> with scope subtree
> ># filter: (&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
> ># requesting: ALL
> >#
> >
> ># search result
> >search: 2
> >result: 0 Success
> >
> ># numResponses: 1
> >
> >[root@cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
> ># extended LDIF
> >#
> ># LDAPv3
> ># base <cn=accounts,dc=dev-mydomain,dc=net> with scope subtree
> ># filter: (&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
> ># requesting: ALL
> >#
> >
> LDAP searches confirmed that it's not possible to find groups:
> deployment_engineer and sysadmins. But you used anonymous search.
>
> It would be good if you could provide the output for the groups using the ipa
> command.
>
> e.g.
> kinit admin
> ipa group-show --all deployment_engineer
> ipa group-show --all sysadmins
> ipa group-show --raw deployment_engineer
> ipa group-show --raw sysadmins
>
> LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
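The POSIX hypothesis in the reply can be checked against the search filter SSSD logged: it requires a gidNumber, which an IPA group created without POSIX attributes does not carry, so the group is never returned even though `ipa group-show` displays it. The following Python is an added example, not code from the thread, SSSD or FreeIPA; it parses that filter and evaluates it against two constructed entries modelled on the quoted `ipa group-show --all deployment_engineer` output, one without and one with POSIX attributes (the gid value is made up).

```python
# Filter copied from the sssd_mydomain.log lines quoted above; only the cn
# differs between the deployment_engineer and sysadmins searches.
SSSD_GROUP_FILTER = (
    "(&(cn={name})(|(objectClass=ipaUserGroup)(objectClass=posixGroup))"
    "(cn=*)(&(gidNumber=*)(!(gidNumber=0))))"
)

# Constructed entries (attribute names lowercased, values as lists).  The first
# mirrors the quoted group-show output: ipausergroup is present, posixgroup and
# gidNumber are not.  The second is the same group with POSIX attributes added.
NON_POSIX_GROUP = {
    "cn": ["deployment_engineer"],
    "objectclass": ["top", "ipaobject", "groupofnames", "ipausergroup",
                    "nestedgroup"],
    "member": ["uid=nathan.peters,cn=users,cn=accounts,dc=dev-mydomain,dc=net"],
}
POSIX_GROUP = {
    "cn": ["deployment_engineer"],
    "objectclass": NON_POSIX_GROUP["objectclass"] + ["posixgroup"],
    "gidnumber": ["1200000001"],  # constructed value, not from the thread
    "member": NON_POSIX_GROUP["member"],
}


def parse_filter(text, pos=0):
    """Parse the RFC 4515 subset used here (&, |, !, equality, presence).
    Returns (node, next_pos); nodes are ('&'|'|', [children]), ('!', child)
    or ('=', attribute_lowercase, value)."""
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = text[pos]
    if op in ("&", "|"):
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        return (op, children), pos + 1      # skip the closing ')'
    if op == "!":
        child, pos = parse_filter(text, pos + 1)
        return ("!", child), pos + 1
    end = text.index(")", pos)
    attr, _, value = text[pos:end].partition("=")
    return ("=", attr.lower(), value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attr -> list of values)."""
    kind = node[0]
    if kind == "&":
        return all(matches(child, entry) for child in node[1])
    if kind == "|":
        return any(matches(child, entry) for child in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                        # presence test, e.g. (gidNumber=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def failing_leaves(node, entry):
    """Leaf clauses that reject the entry: which part of the filter excluded it."""
    kind = node[0]
    if kind == "|" and matches(node, entry):
        return []                           # a satisfied OR excludes nothing
    if kind in ("&", "|"):
        return [leaf for child in node[1] for leaf in failing_leaves(child, entry)]
    if kind == "!":
        return [] if matches(node, entry) else [("!",) + node[1][1:]]
    return [] if matches(node, entry) else [node[1:]]


def group_visible_to_sssd(name, entry):
    """Would the search SSSD logged return this entry for group `name`?"""
    tree, _ = parse_filter(SSSD_GROUP_FILTER.format(name=name))
    return matches(tree, entry)


if __name__ == "__main__":
    tree, _ = parse_filter(SSSD_GROUP_FILTER.format(name="deployment_engineer"))
    for label, entry in (("non-POSIX", NON_POSIX_GROUP), ("POSIX", POSIX_GROUP)):
        print(label, "found:", matches(tree, entry),
              "rejected by:", failing_leaves(tree, entry))
```

For the non-POSIX entry the only rejecting clause is `(gidNumber=*)`, which is what turns a group that `ipa group-show` lists into "returned 0 results" in the SSSD log.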