There doesn't seem to be an option to add POSIX attributes to my sudo rules.

Which attributes should I be adding and how?

-----Original Message-----
From: Jakub Hrozek [mailto:jhro...@redhat.com] 
Sent: Monday, June 13, 2016 1:57 PM
To: Nathan Peters
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

On Mon, Jun 13, 2016 at 05:30:16PM +0000, Nathan Peters wrote:
> All group lists return correctly when using the ipa group-show command.
> 
> Like I said, there is definitely something wrong with CentOS 6.8 because all 
> group lists are correct.  This was done on one of the CentOS 6.8 servers so 
> we know that the server can retrieve the group lists properly.

We had a similar report (untriaged yet) where adding POSIX attributes made the 
difference. Could you test if also in your environment adding the POSIX 
attributes makes the rules work?


(It would be a bug nonetheless, but it's worth trying so that we pinpoint the 
issue)

> 
> [nathan.peters@cass1 ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_756600344 Default principal: 
> ad...@dev-mydomain.net
> 
> Valid starting     Expires            Service principal
> 06/13/16 17:21:56  06/14/16 17:21:41  
> krbtgt/dev-mydomain....@dev-mydomain.net
> [nathan.peters@cass1 ~]$ ipa group-show --all deployment_engineer ipa 
> group-show --all sysadmins ipa group-show --raw deployment_engineer 
> ipa group-show --raw sysadmins
> ipa: ERROR: command 'group_show' takes at most 1 argument
> [nathan.peters@cass1 ~]$ ipa group-show --all deployment_engineer
>   dn: cn=deployment_engineer,cn=groups,cn=accounts,dc=dev-mydomain,dc=net
>   Group name: deployment_engineer
>   Description: deployment engineers
>   Member users: nathan.peters, <other users - removed for privacy>
>   Member of groups: admins
>   Roles: DNS Administrator
>   Member of Sudo rule: s_allow_deployment_engineer_to_all
>   Member of HBAC rule: allow_deployment_engineer_to_all
>   ipauniqueid: 8bba7068-04c8-11e5-931d-005056b71d17
>   objectclass: top, ipaobject, groupofnames, ipausergroup, nestedgroup
> [nathan.peters@cass1 ~]$ ipa group-show --all sysadmins
>   dn: cn=sysadmins,cn=groups,cn=accounts,dc=dev-mydomain,dc=net
>   Group name: sysadmins
>   Description: System Administrators
>   Member users: nathan.peters, <other valid users removed for privacy>
>   Member of groups: admins
>   Member of Sudo rule: s_allow_sysadmins_to_all
>   Member of HBAC rule: allow_sysadmins_to_all
>   ipauniqueid: 828754c0-04c8-11e5-988f-005056b71d17
>   objectclass: top, ipaobject, groupofnames, ipausergroup, nestedgroup
> [nathan.peters@cass1 ~]$ ipa group-show --raw deployment_engineer
>   cn: deployment_engineer
>   description: deployment engineers
>   member: uid=nathan.peters,cn=users,cn=accounts,dc=dev-mydomain,dc=net
>   <other valid member lines removed for privacy>
> [nathan.peters@cass1 ~]$ ipa group-show --raw sysadmins
>   cn: sysadmins
>   description: System Administrators
>   member: uid=nathan.peters,cn=users,cn=accounts,dc=dev-mydomain,dc=net
>   <other users removed for privacy>
> [nathan.peters@cass1 ~]$
> 
> -----Original Message-----
> From: Lukas Slebodnik [mailto:lsleb...@redhat.com]
> Sent: Saturday, June 11, 2016 2:02 AM
> To: Nathan Peters
> Cc: Jakub Hrozek; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails
> 
> On (08/06/16 18:14), Nathan Peters wrote:
> >I'm pretty lost here.  I tried following the directions on that page 
> >but the results still make no sense to me.  From what I can see, the 
> >account is successfully authorized, and the groups that I am part of 
> >are found and some sudo rules are found, but then I am denied access 
> >for no reason.  This is not working on any CentOS 6.8 server, and 
> >working properly on all previous versions of CentOS.  I have tried 
> >several steps including deleting and re-creating the 6.8 hosts, and 
> >unjoining them and re-joining them to the domain.  Nothing helps
> >
> >========== /var/log/sudo_debug ======================
> >
> >Jun  8 16:56:01 sudo[7277] <- sudo_pam_verify @ ./auth/pam.c:138 := 0 
> >Jun  8 16:56:01 sudo[7277] <- verify_user @ ./auth/sudo_auth.c:282 := 
> >1 Jun  8 16:56:01 sudo[7277] -> sudo_auth_cleanup @
> >./auth/sudo_auth.c:160 Jun  8 16:56:01 sudo[7277] -> sudo_pam_cleanup 
> >@
> >./auth/pam.c:185 Jun  8 16:56:01 sudo[7277] <- sudo_pam_cleanup @
> >./auth/pam.c:189 := 0 Jun  8 16:56:01 sudo[7277] <- sudo_auth_cleanup 
> >@
> >./auth/sudo_auth.c:177 := 0 Jun  8 16:56:01 sudo[7277] -> 
> >sudo_pw_delref @ ./pwutil.c:249 Jun  8 16:56:01 sudo[7277] -> 
> >sudo_pw_delref_item @ ./pwutil.c:238 Jun  8 16:56:01 sudo[7277] <- 
> >sudo_pw_delref_item @ ./pwutil.c:243 Jun  8 16:56:01 sudo[7277] <- 
> >sudo_pw_delref @ ./pwutil.c:251 Jun  8 16:56:01 sudo[7277] <- 
> >check_user @ ./check.c:189 := true Jun  8 16:56:01 sudo[7277] -> 
> >log_failure @ ./logging.c:318 Jun  8 16:56:01 sudo[7277] -> 
> >log_denial @ ./logging.c:256 Jun  8 16:56:01 sudo[7277] -> 
> >audit_failure @
> >./audit.c:68 Jun  8 16:56:01 sudo[7277] -> linux_audit_command @
> >./linux_audit.c:70 Jun  8 16:56:01 sudo[7277] -> linux_audit_open @
> >./linux_audit.c:49 Jun  8 16:56:01 sudo[7277] <- linux_audit_open @
> >./linux_audit.c:61 := 15 Jun  8 16:56:01 sudo[7277] <- 
> >linux_audit_command @ ./linux_audit.c:97 := 3 Jun  8 16:56:01 
> >sudo[7277] <- audit_failure @ ./audit.c:81 Jun  8 16:56:01 sudo[7277]
> >-> new_logline @ ./logging.c:746 Jun  8 16:56:01 sudo[7277] <-
> >new_logline @ ./logging.c:867 := user NOT authorized on host ;
> >TTY=pts/1 ; PWD=/home/nathan.peters ; USER=root ; COMMAND=/bin/su - 
> >Jun
> >8 16:56:01 sudo[7277] -> should_mail @ ./logging.c:712 Jun  8 
> >16:56:01 sudo[7277] <- should_mail @ ./logging.c:717 := false Jun  8 
> >16:56:01 sudo[7277] -> do_syslog @ ./logging.c:138 Jun  8 16:56:01 
> >sudo[7277] -> mysyslog @ ./logging.c:96 Jun  8 16:56:01 sudo[7277] <- 
> >mysyslog @
> >./logging.c:119 Jun  8 16:56:01 sudo[7277] <- do_syslog @
> >./logging.c:185 Jun  8 16:56:01 sudo[7277] <- log_denial @
> >./logging.c:309 Jun  8 16:56:01 sudo[7277] <- log_failure @
> >./logging.c:341 Jun  8 16:56:01 sudo[7277] -> rewind_perms @
> >./set_perms.c:90 Jun  8 16:56:01 sudo[7277] -> restore_perms @
> >./set_perms.c:363 Jun  8 16:56:01 sudo[7277] restore_perms: uid: 
> >[756600344, 0, 0] -> [756600344, 0, 0] Jun  8 16:56:01 sudo[7277]
> >restore_perms: gid: [756600344, 756600344, 756600344] -> [756600344, 
> >756600344, 756600344] Jun  8 16:56:01 sudo[7277] -> 
> >sudo_grlist_delref @ ./pwutil.c:816 Jun  8 16:56:01 sudo[7277] -> 
> >sudo_grlist_delref_item @ ./pwutil.c:805 Jun  8 16:56:01 sudo[7277] 
> ><- sudo_grlist_delref_item @ ./pwutil.c:810 Jun  8 16:56:01 
> >sudo[7277] <- sudo_grlist_delref @
> >./pwutil.c:818 Jun  8 16:56:01 sudo[7277] <- restore_perms @
> >./set_perms.c:407 Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref @
> >./pwutil.c:816 Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref_item 
> >@
> >./pwutil.c:805 Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref_item 
> >@
> >./pwutil.c:810 Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref @
> >./pwutil.c:818 Jun  8 16:56:01 sudo[7277] <- rewind_perms @
> >./set_perms.c:96 Jun  8 16:56:01 sudo[7277] -> sudo_endpwent @
> >./pwutil.c:443 Jun  8 16:56:01 sudo[7277] -> sudo_freepwcache @
> >./pwutil.c:426 Jun  8 16:56:01 sudo[7277] -> rbdestroy @
> >./redblack.c:359 Jun  8 16:56:01 sudo[7277] -> _rbdestroy @
> >./redblack.c:341 Jun  8 16:56:01 sudo[7277] -> _rbdestroy @
> >./redblack.c:341 Jun  8 16:56:01 sudo[7277] <- _rbdestroy @
> >./redblack.c:349 Jun  8 16:56:01 sudo[7277] -> _rbdestroy @
> >./redblack.c:341 Jun  8 16:56:01 sudo[7277] <- _rbdestroy @
> >./redblack.c:349 Jun  8 16:56:01 sudo[7277] -> sudo_pw_delref_item @
> >./pwutil.c:238 Jun  8 16:56:01 sudo[7277] <- sudo_pw_delref_item @
> >./pwutil.c:243 Jun  8 16:56:01 sudo[7277] <- _rbdestroy @
> >./redblack.c:349 Jun  8 16:56:01 sudo[7277] <- rbdestroy @
> >./redblack.c:362 Jun  8 16:56:01 sudo[7277] -> rbdestroy @
> >./redblack.c:359 Jun  8 16:56:01 sudo[7277] -> _rbdestroy @
> >./redblack.c:341 Jun  8 16:56:01 sudo[7277] -> _rbdestroy @
> >./redblack.c:341 Jun  8 16:56:01 sudo[7277] <- _rbdestroy @
> >./redblack.c:349 Jun  8 16:56:01 sudo[7277] -> _rbdestroy @
> >./redblack.c:341 Jun  8 16:56:01 sudo[7277] <- _rbdestroy @
> >./redblack.c:349 Jun  8 16:56:01 sudo[7277] -> sudo_pw_delref_item @
> >./pwutil.c:238 Jun  8 16:56:01 sudo[7277] <- sudo_pw_delref_item @
> >./pwutil.c:243 Jun  8 16:56:01 sudo[7277] <- _rbdestroy @
> >./redblack.c:349 Jun  8 16:56:01 sudo[7277] <- rbdestroy @
> >./redblack.c:362 Jun  8 16:56:01 sudo[7277] <- sudo_freepwcache @
> >./pwutil.c:437 Jun  8 16:56:01 sudo[7277] <- sudo_endpwent @
> >./pwutil.c:448 Jun  8 16:56:01 sudo[7277] -> sudo_endgrent @
> >./pwutil.c:861 Jun  8 16:56:01 sudo[7277] -> sudo_freegrcache @
> >./pwutil.c:840 Jun  8 16:56:01 sudo[7277] -> rbdestroy @
> >./redblack.c:359 Jun  8 16:56:01 sudo[7277] -> _rbdestroy @
> >./redblack.c:341 Jun  8 16:56:01 sudo[7277] <- _rbdestroy @
> >./redblack.c:349 Jun  8 16:56:01 sudo[7277] <- rbdestroy @
> >./redblack.c:362 Jun  8 16:56:01 sudo[7277] -> rbdestroy @
> >./redblack.c:359 Jun  8 16:56:01 sudo[7277] -> _rbdestroy @
> >./redblack.c:341 Jun  8 16:56:01 sudo[7277] -> _rbdestroy @
> >./redblack.c:341 Jun  8 16:56:01 sudo[7277] <- _rbdestroy @
> >./redblack.c:349 Jun  8 16:56:01 sudo[7277] -> _rbdestroy @
> >./redblack.c:341 Jun  8 16:56:01 sudo[7277] -> _rbdestroy @
> >./redblack.c:341 Jun  8 16:56:01 sudo[7277] <- _rbdestroy @
> >./redblack.c:349 Jun  8 16:56:01 sudo[7277] -> _rbdestroy @
> >./redblack.c:341 Jun  8 16:56:01 sudo[7277] <- _rbdestroy @
> >./redblack.c:349 Jun  8 16:56:01 sudo[7277] -> sudo_gr_delref_item @
> >./pwutil.c:657 Jun  8 16:56:01 sudo[7277] <- sudo_gr_delref_item @
> >./pwutil.c:662 Jun  8 16:56:01 sudo[7277] <- _rbdestroy @
> >./redblack.c:349 Jun  8 16:56:01 sudo[7277] -> sudo_gr_delref_item @
> >./pwutil.c:657 Jun  8 16:56:01 sudo[7277] <- sudo_gr_delref_item @
> >./pwutil.c:662 Jun  8 16:56:01 sudo[7277] <- _rbdestroy @
> >./redblack.c:349 Jun  8 16:56:01 sudo[7277] <- rbdestroy @
> >./redblack.c:362 Jun  8 16:56:01 sudo[7277] -> rbdestroy @
> >./redblack.c:359 Jun  8 16:56:01 sudo[7277] -> _rbdestroy @
> >./redblack.c:341 Jun  8 16:56:01 sudo[7277] -> _rbdestroy @
> >./redblack.c:341 Jun  8 16:56:01 sudo[7277] <- _rbdestroy @
> >./redblack.c:349 Jun  8 16:56:01 sudo[7277] -> _rbdestroy @
> >./redblack.c:341 Jun  8 16:56:01 sudo[7277] -> _rbdestroy @
> >./redblack.c:341 Jun  8 16:56:01 sudo[7277] <- _rbdestroy @
> >./redblack.c:349 Jun  8 16:56:01 sudo[7277] -> _rbdestroy @
> >./redblack.c:341 Jun  8 16:56:01 sudo[7277] <- _rbdestroy @
> >./redblack.c:349 Jun  8 16:56:01 sudo[7277] -> 
> >sudo_grlist_delref_item @ ./pwutil.c:805 Jun  8 16:56:01 sudo[7277] 
> ><- sudo_grlist_delref_item @ ./pwutil.c:810 Jun  8 16:56:01 
> >sudo[7277] <- _rbdestroy @
> >./redblack.c:349 Jun  8 16:56:01 sudo[7277] -> 
> >sudo_grlist_delref_item @ ./pwutil.c:805 Jun  8 16:56:01 sudo[7277] 
> ><- sudo_grlist_delref_item @ ./pwutil.c:810 Jun  8 16:56:01 
> >sudo[7277] <- _rbdestroy @
> >./redblack.c:349 Jun  8 16:56:01 sudo[7277] <- rbdestroy @
> >./redblack.c:362 Jun  8 16:56:01 sudo[7277] <- sudo_freegrcache @
> >./pwutil.c:855 Jun  8 16:56:01 sudo[7277] <- sudo_endgrent @
> >./pwutil.c:866 Jun  8 16:56:01 sudo[7277] <- sudoers_policy_main @
> >./sudoers.c:753 := false Jun  8 16:56:01 sudo[7277] <- 
> >sudoers_policy_check @ ./sudoers.c:766 := false Jun  8 16:56:01 
> >sudo[7277] <- policy_check @ ./sudo.c:1204 := false Jun  8 16:56:01 
> >sudo[7277] policy plugin returns 0
> >
> >============== /var/log/sssd/sssd_sudo.log =====================
> >
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client 
> >connected!
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): 
> >Received client version [1].
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): 
> >Offered version [1].
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using 
> >protocol version [1] (Wed Jun  8 17:39:12 2016) [sssd[sudo]] 
> >[sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched 
> >without domain, user is nathan.peters (Wed Jun  8 17:39:12 2016) 
> >[sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 
> >'nathan.peters' matched without domain, user is nathan.peters (Wed 
> >Jun
> >8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): 
> >Requesting default options for [nathan.peters] from [<ALL>] (Wed Jun  
> >8
> >17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking 
> >negative cache for [NCE/USER/dev-mydomain.net/nathan.peters]
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): 
> >Requesting info about [nathan.pet...@dev-mydomain.net] (Wed Jun  8
> >17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning 
> >info for user [nathan.pet...@dev-mydomain.net] (Wed Jun  8 17:39:12 
> >2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default 
> >options for [nathan.peters] from [dev-mydomain.net] (Wed Jun  8 
> >17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] 
> >(0x0200): Searching sysdb with 
> >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nat
> >ha 
> >n.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins
> >)( 
> >sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.
> >pe ters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))]
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): 
> >About to get sudo rules from cache (Wed Jun  8 17:39:12 2016) 
> >[sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching 
> >sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] 
> >[sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for 
> >[<default options>@dev-mydomain.net] (Wed Jun  8 17:39:12 2016) 
> >[sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1] (Wed 
> >Jun  8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains]
> >(0x0200): name 'nathan.peters' matched without domain, user is 
> >nathan.peters (Wed Jun  8 17:39:12 2016) [sssd[sudo]] 
> >[sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched 
> >without domain, user is nathan.peters (Wed Jun  8 17:39:12 2016) 
> >[sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting 
> >rules for [nathan.peters] from [<ALL>] (Wed Jun  8 17:39:12 2016) 
> >[sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache 
> >for [NCE/USER/dev-mydomain.net/nathan.peters]
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): 
> >Requesting info about [nathan.pet...@dev-mydomain.net] (Wed Jun  8
> >17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning 
> >info for user [nathan.pet...@dev-mydomain.net] (Wed Jun  8 17:39:12 
> >2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for 
> >[nathan.peters] from [dev-mydomain.net] (Wed Jun  8 17:39:12 2016) 
> >[sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching 
> >sysdb with 
> >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nat
> >ha 
> >n.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins
> >)( 
> >sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.
> >pe ters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))]
> >(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): 
> >About to get sudo rules from cache (Wed Jun  8 17:39:12 2016) 
> >[sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching 
> >sysdb with 
> >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sud
> >oU 
> >ser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sys
> >ad 
> >mins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUse
> >r=
> >+*)))] (Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sort_sudo_rules]
> >(0x0400): Sorting rules with higher-wins logic (Wed Jun  8 17:39:12
> >2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): 
> >Returning 2 rules for [nathan.pet...@dev-mydomain.net] (Wed Jun  8
> >17:39:16 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received 
> >SBUS method org.freedesktop.sssd.service.ping on path 
> >/org/freedesktop/sssd/service (Wed Jun  8 17:39:16 2016) [sssd[sudo]] 
> >[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed Jun  8 
> >17:39:17 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
> >(Wed Jun  8 17:39:17 2016) [sssd[sudo]] [client_destructor] (0x2000): 
> >Terminated client [0x1091360][17] (Wed Jun  8 17:39:26 2016) 
> >[sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method 
> >org.freedesktop.sssd.service.ping on path 
> >/org/freedesktop/sssd/service (Wed Jun  8 17:39:26 2016) [sssd[sudo]] 
> >[sbus_get_sender_id_send]
> >(0x2000): Not a sysbus message, quit
> >
> >============= /var/log/sssd/sssd_mydomain.log ==============
> >
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] 
> >[sbus_message_handler] (0x2000): Received SBUS method 
> >org.freedesktop.sssd.dataprovider.getAccountInfo on path 
> >/org/freedesktop/sssd/dataprovider
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] 
> >[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed 
> >Jun
> >8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info]
> >(0x0200): Got request for [0x1002][FAST 
> >BE_REQ_GROUP][1][name=deployment_engineer]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] 
> >[be_req_set_domain] (0x0400): Changing request domain from 
> >[dev-mydomain.net] to [dev-mydomain.net] (Wed Jun  8 17:39:12 2016) 
> >[sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400):
> >Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] 
> >[sdap_print_server] (0x2000): Searching 10.178.0.98 (Wed Jun  8 17:39:12 
> >2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): 
> >calling ldap_search_ext with 
> >[(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] 
> >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] 
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] 
> >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] 
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] 
> >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jun
> >8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] 
> >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: 
> >[userPassword] (Wed Jun  8 17:39:12 2016) 
> >[sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): 
> >Requesting attrs: [gidNumber] (Wed Jun  8 17:39:12 2016) 
> >[sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): 
> >Requesting attrs: [member] (Wed Jun  8 17:39:12 2016) 
> >[sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): 
> >Requesting attrs: [ipaUniqueID] (Wed Jun  8 17:39:12 2016) 
> >[sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): 
> >Requesting attrs: [ipaNTSecurityIdentifier] (Wed Jun  8 17:39:12 2016) 
> >[sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): 
> >Requesting attrs: [modifyTimestamp] (Wed Jun  8 17:39:12 2016) 
> >[sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): 
> >Requesting attrs: [entryUSN] (Wed Jun  8 17:39:12 2016) 
> >[sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): 
> >ldap_search_ext called, msgid = 14 (Wed Jun  8 17:39:12 2016) 
> >[sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 14 
> >timeout 6 (Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] 
> >[sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], 
> >ops[0xebb690], ldap[0xea8500] (Wed Jun  8 17:39:12 2016) 
> >[sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search 
> >result: Success(0), no errmsg set (Wed Jun  8 17:39:12 2016) 
> >[sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operatio!
 n 14 finished (Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] 
[sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
> It looks like group deployment_engineer cannot be find in IPA.
> 
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] 
> >[sysdb_search_by_name] (0x0400): No such entry (Wed Jun  8 17:39:12
> >2016) [sssd[be[dev-mydomain.net]]] 
> >[ipa_id_get_account_info_orig_done]
> >(0x0080): Object not found, ending request (Wed Jun  8 17:39:12 2016) 
> >[sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request 
> >processed. Returned 3,0,Account info lookup failed (Wed Jun  8 17:39:12 
> >2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: 
> >sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500] (Wed Jun  8 17:39:12 
> >2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: 
> >ldap_result found nothing!
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] 
> >[sbus_message_handler] (0x2000): Received SBUS method 
> >org.freedesktop.sssd.dataprovider.getAccountInfo on path 
> >/org/freedesktop/sssd/dataprovider
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] 
> >[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed 
> >Jun
> >8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info]
> >(0x0200): Got request for [0x1002][FAST 
> >BE_REQ_GROUP][1][name=sysadmins] (Wed Jun  8 17:39:12 2016) 
> >[sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing 
> >request domain from [dev-mydomain.net] to [dev-mydomain.net] (Wed Jun
> >8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] 
> >[sdap_get_groups_next_base] (0x0400): Searching for groups with base 
> >[cn=accounts,dc=dev-mydomain,dc=net]
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] 
> >[sdap_print_server] (0x2000): Searching 10.178.0.98 (Wed Jun  8 17:39:12 
> >2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): 
> >calling ldap_search_ext with 
> >[(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] 
> >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] 
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] 
> >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] 
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] 
> >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jun
> >8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] 
> >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: 
> >[userPassword] (Wed Jun  8 17:39:12 2016) 
> >[sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): 
> >Requesting attrs: [gidNumber] (Wed Jun  8 17:39:12 2016) 
> >[sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): 
> >Requesting attrs: [member] (Wed Jun  8 17:39:12 2016) 
> >[sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): 
> >Requesting attrs: [ipaUniqueID] (Wed Jun  8 17:39:12 2016) 
> >[sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): 
> >Requesting attrs: [ipaNTSecurityIdentifier] (Wed Jun  8 17:39:12 2016) 
> >[sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): 
> >Requesting attrs: [modifyTimestamp] (Wed Jun  8 17:39:12 2016) 
> >[sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): 
> >Requesting attrs: [entryUSN] (Wed Jun  8 17:39:12 2016) 
> >[sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): 
> >ldap_search_ext called, msgid = 15 (Wed Jun  8 17:39:12 2016) 
> >[sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 15 
> >timeout 6 (Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] 
> >[sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], 
> >ops[0xeaaf30], ldap[0xea8500] (Wed Jun  8 17:39:12 2016) 
> >[sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search 
> >result: Success(0), no errmsg set (Wed Jun  8 17:39:12 2016) 
> >[sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operatio!
 n 15 finished (Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] 
[sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
> It looks like group sysadmins cannot be find in IPA.
> 
> >(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] 
> >[sysdb_search_by_name] (0x0400): No such entry (Wed Jun  8 17:39:12
> >2016) [sssd[be[dev-mydomain.net]]] 
> >[ipa_id_get_account_info_orig_done]
> >(0x0080): Object not found, ending request (Wed Jun  8 17:39:12 2016) 
> >[sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request 
> >processed. Returned 3,0,Account info lookup failed (Wed Jun  8 17:39:12 
> >2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: 
> >sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500] (Wed Jun  8 17:39:12 
> >2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: 
> >ldap_result found nothing!
> >
> >===== output of ldap query manually copied from the sssd_sudo.log 
> >first search returns nothing second search returns 2 rules 
> >==================
> >
> >[root@cass1-msg-cpqa1-nvan sssd]# ldbsearch -H 
> >/var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb 
> >'(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))'
> >asq: Unable to register control with rootdse!
> ># returned 0 records
> ># 0 entries
> ># 0 referrals
> >
> >
> >[root@cass1-msg-cpqa1-nvan sssd]# ldbsearch -H 
> >/var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb 
> >'(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))'
> >asq: Unable to register control with rootdse!
> ># record 1
> >dn: 
> >name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev
> >-m
> >ydomain.net,cn=sysdb
> >cn: s_allow_deployment_engineer_to_all
> >dataExpireTimestamp: 1465412946
> >name: s_allow_deployment_engineer_to_all
> >objectClass: sudoRule
> >sudoCommand: ALL
> >sudoHost: ALL
> >sudoOption: !authenticate
> >sudoRunAsGroup: ALL
> >sudoRunAsUser: ALL
> >sudoUser: %deployment_engineer
> >distinguishedName: 
> >name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=cus
> > tom,cn=dev-mydomain.net,cn=sysdb
> >
> ># record 2
> >dn: 
> >name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.
> >ne
> >t,cn=sysdb
> >cn: s_allow_sysadmins_to_all
> >dataExpireTimestamp: 1465412946
> >name: s_allow_sysadmins_to_all
> >objectClass: sudoRule
> >sudoCommand: ALL
> >sudoHost: ALL
> >sudoOption: !authenticate
> >sudoRunAsGroup: ALL
> >sudoRunAsUser: ALL
> >sudoUser: %sysadmins
> >distinguishedName: 
> >name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev
> > -mydomain.net,cn=sysdb
> >
> ># returned 2 records
> ># 2 entries
> ># 0 referrals
> >
> >====== output of ldap query against directory for search used in the 
> >sssd_domain.log ===========
> >
> >[root@cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b 
> >cn=accounts,dc=dev-mydomain,dc=net 
> >'(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
> ># extended LDIF
> >#
> ># LDAPv3
> ># base <cn=accounts,dc=dev-mydomain,dc=net> with scope subtree #
> >filter: 
> >(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=po
> >si
> >xGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
> ># requesting: ALL
> >#
> >
> ># search result
> >search: 2
> >result: 0 Success
> >
> ># numResponses: 1
> >
> >[root@cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b 
> >cn=accounts,dc=dev-mydomain,dc=net 
> >'(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
> ># extended LDIF
> >#
> ># LDAPv3
> ># base <cn=accounts,dc=dev-mydomain,dc=net> with scope subtree #
> >filter: 
> >(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))
> >(c
> >n=*)(&(gidNumber=*)(!(gidNumber=0))))
> ># requesting: ALL
> >#
> >
> LDAP searches confirmed that it's not possible to find groups:
> deployment_engineer and sysadmins. But you used anonymous search.
> 
> It would be good if you could provide an output of for groups using ipa 
> command.
> 
> e.g.
> kinit admin
> ipa group-show --all deployment_engineer ipa group-show --all 
> sysadmins ipa group-show --raw deployment_engineer ipa group-show 
> --raw sysadmins
> 
> LS

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to