Nathan Peters wrote:
I have confirmed that on both CentOS 6.8 and CentOS 6.7 that if the group is a 
POSIX group, it can be used in sudo rules.
If the group is a 'normal' group it will fail when used in sudo rules.

This is really silly because in a previous version of CentOS (6.3) sudo rules 
would fail if the group was POSIX, and work if the group was 'normal'.

I'm not sure when this changed because we still have CentOS 6.7 machines that 
are working fine with the non posix groups.
I did notice that in sssd 1.13.3-22.el6 sudo fails with non posix groups
And with 1.12.4-47.el6_7.7 sudo works with non posix groups

So now FreeIPA exists in a really funky state where if you are below CentOS 6.4 
you MUST use non POSIX groups and If you are on CentOS 6.7 and above, you must 
use POSIX groups.

So basically, you need to roll forward your entire infrastructure to CentOS 6.7 
or above or else your old machines will suddenly start failing sudo logins 
when you update the groups or your new machines will simply fail with groups 
that worked on your old ones.

Can you please confirm what the intended behavior is because I would rather not 
go through the trouble of re-creating all our sudo / hbac rules and user 
groups...

Jakub already stated that this would be a bug if it only worked with POSIX groups, so you've confirmed that.

If you have a Red Hat subscription I'd open a support case and ask to be added to bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1336548

rob
-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Monday, June 13, 2016 2:20 PM
To: Nathan Peters; Jakub Hrozek
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

Nathan Peters wrote:
There doesn't seem to be an option to add POSIX attributes to my sudo rules.

Which attributes should I be adding and how?

Not the sudo rule, the group. I'd create a new test group similar to one of 
your existing groups, add that to your sudo rule and try that.

rob


-----Original Message-----
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent: Monday, June 13, 2016 1:57 PM
To: Nathan Peters
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

On Mon, Jun 13, 2016 at 05:30:16PM +0000, Nathan Peters wrote:
All group lists return correctly when using the ipa group-show command.

Like I said, there is definitely something wrong with CentOS 6.8 because all 
group lists are correct.  This was done on one of the CentOS 6.8 servers so we 
know that the server can retrieve the group lists properly.

We had a similar report (untriaged yet) where adding POSIX attributes made the 
difference. Could you test if also in your environment adding the POSIX 
attributes makes the rules work?


(It would be a bug nonetheless, but it's worth trying so that we
pinpoint the issue)


[nathan.peters@cass1 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_756600344
Default principal: ad...@dev-mydomain.net

Valid starting     Expires            Service principal
06/13/16 17:21:56  06/14/16 17:21:41  krbtgt/dev-mydomain....@dev-mydomain.net
[nathan.peters@cass1 ~]$ ipa group-show --all deployment_engineer ipa group-show --all sysadmins ipa group-show --raw deployment_engineer ipa group-show --raw sysadmins
ipa: ERROR: command 'group_show' takes at most 1 argument
[nathan.peters@cass1 ~]$ ipa group-show --all deployment_engineer
    dn: cn=deployment_engineer,cn=groups,cn=accounts,dc=dev-mydomain,dc=net
    Group name: deployment_engineer
    Description: deployment engineers
    Member users: nathan.peters, <other users - removed for privacy>
    Member of groups: admins
    Roles: DNS Administrator
    Member of Sudo rule: s_allow_deployment_engineer_to_all
    Member of HBAC rule: allow_deployment_engineer_to_all
    ipauniqueid: 8bba7068-04c8-11e5-931d-005056b71d17
    objectclass: top, ipaobject, groupofnames, ipausergroup, nestedgroup
[nathan.peters@cass1 ~]$ ipa group-show --all sysadmins
    dn: cn=sysadmins,cn=groups,cn=accounts,dc=dev-mydomain,dc=net
    Group name: sysadmins
    Description: System Administrators
    Member users: nathan.peters, <other valid users removed for privacy>
    Member of groups: admins
    Member of Sudo rule: s_allow_sysadmins_to_all
    Member of HBAC rule: allow_sysadmins_to_all
    ipauniqueid: 828754c0-04c8-11e5-988f-005056b71d17
    objectclass: top, ipaobject, groupofnames, ipausergroup, nestedgroup
[nathan.peters@cass1 ~]$ ipa group-show --raw deployment_engineer
    cn: deployment_engineer
    description: deployment engineers
    member: uid=nathan.peters,cn=users,cn=accounts,dc=dev-mydomain,dc=net
    <other valid member lines removed for privacy>
[nathan.peters@cass1 ~]$ ipa group-show --raw sysadmins
    cn: sysadmins
    description: System Administrators
    member: uid=nathan.peters,cn=users,cn=accounts,dc=dev-mydomain,dc=net
    <other users removed for privacy>
[nathan.peters@cass1 ~]$

-----Original Message-----
From: Lukas Slebodnik [mailto:lsleb...@redhat.com]
Sent: Saturday, June 11, 2016 2:02 AM
To: Nathan Peters
Cc: Jakub Hrozek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

On (08/06/16 18:14), Nathan Peters wrote:
I'm pretty lost here.  I tried following the directions on that page
but the results still make no sense to me.  From what I can see, the
account is successfully authorized, and the groups that I am part of
are found and some sudo rules are found, but then I am denied access
for no reason.  This is not working on any CentOS 6.8 server, and
working properly on all previous versions of CentOS.  I have tried
several steps including deleting and re-creating the 6.8 hosts, and
unjoining them and re-joining them to the domain.  Nothing helps.

========== /var/log/sudo_debug ======================

Jun  8 16:56:01 sudo[7277] <- sudo_pam_verify @ ./auth/pam.c:138 := 0
Jun  8 16:56:01 sudo[7277] <- verify_user @ ./auth/sudo_auth.c:282 := 1
Jun  8 16:56:01 sudo[7277] -> sudo_auth_cleanup @ ./auth/sudo_auth.c:160
Jun  8 16:56:01 sudo[7277] -> sudo_pam_cleanup @ ./auth/pam.c:185
Jun  8 16:56:01 sudo[7277] <- sudo_pam_cleanup @ ./auth/pam.c:189 := 0
Jun  8 16:56:01 sudo[7277] <- sudo_auth_cleanup @ ./auth/sudo_auth.c:177 := 0
Jun  8 16:56:01 sudo[7277] -> sudo_pw_delref @ ./pwutil.c:249
Jun  8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
Jun  8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
Jun  8 16:56:01 sudo[7277] <- sudo_pw_delref @ ./pwutil.c:251
Jun  8 16:56:01 sudo[7277] <- check_user @ ./check.c:189 := true
Jun  8 16:56:01 sudo[7277] -> log_failure @ ./logging.c:318
Jun  8 16:56:01 sudo[7277] -> log_denial @ ./logging.c:256
Jun  8 16:56:01 sudo[7277] -> audit_failure @ ./audit.c:68
Jun  8 16:56:01 sudo[7277] -> linux_audit_command @ ./linux_audit.c:70
Jun  8 16:56:01 sudo[7277] -> linux_audit_open @ ./linux_audit.c:49
Jun  8 16:56:01 sudo[7277] <- linux_audit_open @ ./linux_audit.c:61 := 15
Jun  8 16:56:01 sudo[7277] <- linux_audit_command @ ./linux_audit.c:97 := 3
Jun  8 16:56:01 sudo[7277] <- audit_failure @ ./audit.c:81
Jun  8 16:56:01 sudo[7277] -> new_logline @ ./logging.c:746
Jun  8 16:56:01 sudo[7277] <- new_logline @ ./logging.c:867 := user NOT authorized on host ; TTY=pts/1 ; PWD=/home/nathan.peters ; USER=root ; COMMAND=/bin/su -
Jun  8 16:56:01 sudo[7277] -> should_mail @ ./logging.c:712
Jun  8 16:56:01 sudo[7277] <- should_mail @ ./logging.c:717 := false
Jun  8 16:56:01 sudo[7277] -> do_syslog @ ./logging.c:138
Jun  8 16:56:01 sudo[7277] -> mysyslog @ ./logging.c:96
Jun  8 16:56:01 sudo[7277] <- mysyslog @ ./logging.c:119
Jun  8 16:56:01 sudo[7277] <- do_syslog @ ./logging.c:185
Jun  8 16:56:01 sudo[7277] <- log_denial @ ./logging.c:309
Jun  8 16:56:01 sudo[7277] <- log_failure @ ./logging.c:341
Jun  8 16:56:01 sudo[7277] -> rewind_perms @ ./set_perms.c:90
Jun  8 16:56:01 sudo[7277] -> restore_perms @ ./set_perms.c:363
Jun  8 16:56:01 sudo[7277] restore_perms: uid: [756600344, 0, 0] -> [756600344, 0, 0]
Jun  8 16:56:01 sudo[7277] restore_perms: gid: [756600344, 756600344, 756600344] -> [756600344, 756600344, 756600344]
Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816
Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818
Jun  8 16:56:01 sudo[7277] <- restore_perms @ ./set_perms.c:407
Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816
Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818
Jun  8 16:56:01 sudo[7277] <- rewind_perms @ ./set_perms.c:96
Jun  8 16:56:01 sudo[7277] -> sudo_endpwent @ ./pwutil.c:443
Jun  8 16:56:01 sudo[7277] -> sudo_freepwcache @ ./pwutil.c:426
Jun  8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
Jun  8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
Jun  8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
Jun  8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
Jun  8 16:56:01 sudo[7277] <- sudo_freepwcache @ ./pwutil.c:437
Jun  8 16:56:01 sudo[7277] <- sudo_endpwent @ ./pwutil.c:448
Jun  8 16:56:01 sudo[7277] -> sudo_endgrent @ ./pwutil.c:861
Jun  8 16:56:01 sudo[7277] -> sudo_freegrcache @ ./pwutil.c:840
Jun  8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
Jun  8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ ./pwutil.c:657
Jun  8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ ./pwutil.c:662
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ ./pwutil.c:657
Jun  8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ ./pwutil.c:662
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
Jun  8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
Jun  8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
Jun  8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun  8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
Jun  8 16:56:01 sudo[7277] <- sudo_freegrcache @ ./pwutil.c:855
Jun  8 16:56:01 sudo[7277] <- sudo_endgrent @ ./pwutil.c:866
Jun  8 16:56:01 sudo[7277] <- sudoers_policy_main @ ./sudoers.c:753 := false
Jun  8 16:56:01 sudo[7277] <- sudoers_policy_check @ ./sudoers.c:766 := false
Jun  8 16:56:01 sudo[7277] <- policy_check @ ./sudo.c:1204 := false
Jun  8 16:56:01 sudo[7277] policy plugin returns 0

============== /var/log/sssd/sssd_sudo.log =====================

(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [nathan.peters] from [<ALL>]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [nathan.pet...@dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [nathan.pet...@dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [nathan.peters] from [dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [nathan.peters] from [<ALL>]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [nathan.pet...@dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [nathan.pet...@dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [nathan.peters] from [dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))]
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
(Wed Jun  8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 2 rules for [nathan.pet...@dev-mydomain.net]
(Wed Jun  8 17:39:16 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Wed Jun  8 17:39:16 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jun  8 17:39:17 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Wed Jun  8 17:39:17 2016) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x1091360][17]
(Wed Jun  8 17:39:26 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Wed Jun  8 17:39:26 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit

============= /var/log/sssd/sssd_mydomain.log ==============

(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=deployment_engineer]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 14 timeout 6
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xebb690], ldap[0xea8500]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 14 finished
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
It looks like group deployment_engineer cannot be found in IPA.

(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=sysadmins]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 15 timeout 6
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xeaaf30], ldap[0xea8500]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 15 finished
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
It looks like group sysadmins cannot be found in IPA.

(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
(Wed Jun  8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!

===== output of ldap query manually copied from the sssd_sudo.log: first search returns nothing, second search returns 2 rules ==================

[root@cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))'
asq: Unable to register control with rootdse!
# returned 0 records
# 0 entries
# 0 referrals


[root@cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))'
asq: Unable to register control with rootdse!
# record 1
dn: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
cn: s_allow_deployment_engineer_to_all
dataExpireTimestamp: 1465412946
name: s_allow_deployment_engineer_to_all
objectClass: sudoRule
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoRunAsGroup: ALL
sudoRunAsUser: ALL
sudoUser: %deployment_engineer
distinguishedName: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb

# record 2
dn: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
cn: s_allow_sysadmins_to_all
dataExpireTimestamp: 1465412946
name: s_allow_sysadmins_to_all
objectClass: sudoRule
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoRunAsGroup: ALL
sudoRunAsUser: ALL
sudoUser: %sysadmins
distinguishedName: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb

# returned 2 records
# 2 entries
# 0 referrals

====== output of ldap query against directory for search used in the sssd_domain.log ===========

[root@cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
# extended LDIF
#
# LDAPv3
# base <cn=accounts,dc=dev-mydomain,dc=net> with scope subtree
# filter: (&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

[root@cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
# extended LDIF
#
# LDAPv3
# base <cn=accounts,dc=dev-mydomain,dc=net> with scope subtree
# filter: (&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
# requesting: ALL
#

LDAP searches confirmed that it's not possible to find groups:
deployment_engineer and sysadmins. But you used anonymous search.

It would be good if you could provide the output for the groups using the ipa command.

e.g.
kinit admin
ipa group-show --all deployment_engineer
ipa group-show --all sysadmins
ipa group-show --raw deployment_engineer
ipa group-show --raw sysadmins

LS
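An added diagnostic, not code from the thread, FreeIPA or sssd: it re-evaluates the group filter sssd sent in sssd_mydomain.log (the `(&(gidNumber=*)(!(gidNumber=0)))` clause is what a non-POSIX group fails) against `ipa group-show --all` output and lists the groups that sudo rules depend on but that filter would not return. The sample output, group names, and the assumption that the ipa CLI prints gidNumber as `GID:` are constructed for the example.

```python
"""Audit FreeIPA groups referenced by sudo rules for the POSIX attributes that
the sssd group lookup filter quoted in the thread requires.
Constructed example; not code from the thread, FreeIPA or sssd."""

# Constructed sample modelled on the `ipa group-show --all` output in the thread
# (two groups concatenated). deployment_engineer is a plain (non-POSIX) group:
# no posixgroup objectclass and no GID. ops_posix is a POSIX group.
SAMPLE_GROUP_SHOW = """\
  dn: cn=deployment_engineer,cn=groups,cn=accounts,dc=example,dc=test
  Group name: deployment_engineer
  Description: deployment engineers
  Member users: alice
  Member of Sudo rule: s_allow_deployment_engineer_to_all
  Member of HBAC rule: allow_deployment_engineer_to_all
  objectclass: top, ipaobject, groupofnames, ipausergroup, nestedgroup
  dn: cn=ops_posix,cn=groups,cn=accounts,dc=example,dc=test
  Group name: ops_posix
  GID: 1200
  Member users: bob
  Member of Sudo rule: s_allow_ops_to_all
  objectclass: top, ipaobject, groupofnames, ipausergroup, nestedgroup, posixgroup
"""

# Assumption: the ipa CLI renders the LDAP gidNumber attribute under the label "GID:".
GID_LABEL = "gid"


def parse_group_show(text):
    """Split concatenated `ipa group-show` output into one dict per entry.
    Keys are the lower-cased CLI labels (e.g. 'group name', 'objectclass')."""
    groups, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            current = {"dn": value}
            groups.append(current)
        elif current is not None:
            current[key] = value
    return groups


def sssd_filter_matches(group):
    """Re-evaluate, on a parsed entry, the filter from sssd_mydomain.log:
      (&(cn=X)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))
        (cn=*)(&(gidNumber=*)(!(gidNumber=0))))
    Every FreeIPA user group carries ipaUserGroup, so the gidNumber clause is
    the one a non-POSIX group fails; that is why the search returned 0 results."""
    classes = {c.strip().lower() for c in group.get("objectclass", "").split(",")}
    has_class = bool(classes & {"ipausergroup", "posixgroup"})
    gid = group.get(GID_LABEL, "")
    has_gid = gid.isdigit() and int(gid) != 0
    return has_class and bool(group.get("group name")) and has_gid


def referenced_sudo_rules(group):
    """Sudo rules that list this group as a member (comma-separated in the CLI)."""
    field = group.get("member of sudo rule", "")
    return [r.strip() for r in field.split(",") if r.strip()]


def audit_sudo_groups(text):
    """Return {group_name: [sudo rules]} for groups that sudo rules depend on but
    that the filter above would not return, i.e. rules that stop matching on
    clients whose sssd issues that filter."""
    broken = {}
    for group in parse_group_show(text):
        rules = referenced_sudo_rules(group)
        if rules and not sssd_filter_matches(group):
            broken[group["group name"]] = rules
    return broken


def remediation_commands(broken):
    """`ipa group-mod --posix` converts a plain group to a POSIX group (an existing
    ipa CLI option, not something from this thread); a GID is allocated for it.
    One command per affected group, sorted by name."""
    return ["ipa group-mod --posix %s" % name for name in sorted(broken)]


if __name__ == "__main__":
    findings = audit_sudo_groups(SAMPLE_GROUP_SHOW)
    for name, rules in findings.items():
        print("%s: not POSIX, needed by sudo rule(s) %s" % (name, ", ".join(rules)))
    for cmd in remediation_commands(findings):
        print("suggested: " + cmd)
```

Feed it the concatenated output of `ipa group-show --all` for every group named by a sudo rule; a group reported here explains a "Search for groups, returned 0 results" line like the ones above.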



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
