On Wed, Jul 13, 2016 at 11:18:21AM +0200, Tomas Simecek wrote:
> Dear freeIPA gurus,
> in previous thread (
> https://www.redhat.com/archives/freeipa-users/2016-July/msg00046.html) you
> helped me make sudo working for AD users on Centos 7.0 (
> spcss-2t-www.linuxdomain.cz).
> It was caused by not knowing sudo needs to be enabled in HBAC rules.
> Now it works properly on Centos 7.0 client.
> But it does not work on Centos 6.5 (zp-cml-test.linuxdomain.cz) with the
> same sssd.conf setup.
> Error message is always:
> 
> [simecek.to...@sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf
> [sudo] password for simecek.to...@sd-stc.cz:
> simecek.to...@sd-stc.cz is not allowed to run sudo on zp-cml-test.  This
> incident will be reported.
> 
> Here are my HBAC rules, the second one should apply. It definitely applies
> for Centos 7.0 server:
> [root@svlxxipap ~]# ipa hbacrule-find
> --------------------
> 2 HBAC rules matched
> --------------------
>   Rule name: allow_all
>   User category: all
>   Host category: all
>   Service category: all
>   Description: Allow all users to access any host from any host
>   Enabled: FALSE
> 
>   Rule name: Unixari na test servery
>   Enabled: TRUE
>   User Groups: grpunixadmins
>   Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
>   Services: login, sshd, sudo, sudo-i, su, su-l
> ----------------------------
> Number of entries returned 2
> ----------------------------
> 
> This is my /etc/sssd/sssd.conf. It the same like on Centos 7.0 server, just
> with proper server name of course:
> 
> [root@zp-cml-test sssd]# cat /etc/sssd/sssd.conf
> [domain/linuxdomain.cz]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = linuxdomain.cz
> id_provider = ipa
> krb5_realm = LINUXDOMAIN.CZ
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = zp-cml-test.linuxdomain.cz
> chpass_provider = ipa
> ipa_server = svlxxipap.linuxdomain.cz
> ldap_tls_cacert = /etc/ipa/ca.crt
> override_shell = /bin/bash
> sudo_provider = ldap
> ldap_uri = ldap://svlxxipap.linuxdomain.cz
> ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
> ldap_sasl_mech = GSSAPI
> #ldap_sasl_authid = host/zp-cml-test.linuxdomain...@linuxdomain.cz
> ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
> ldap_sasl_realm = LINUXDOMAIN.CZ
> krb5_server = svlxxipap.linuxdomain.cz
> 
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
> debug_level = 0x3ff0
> domains = linuxdomain.cz
> [nss]
> homedir_substring = /home
> 
> [pam]
> [sudo]
> debug_level = 0x3ff0
> [autofs]
> [ssh]
> [pac]
> [ifp]
> 
> This is output from sssd_sudo.log:
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [accept_fd_handler] (0x0400):
> Client connected!
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
> Received client version [1].
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
> Offered version [1].
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using
> protocol version [1]
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): name 'simecek.to...@sd-stc.cz' matched expression for domain '
> sd-stc.cz', user is simecek.tomas
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): name 'simecek.to...@sd-stc.cz' matched expression for domain '
> sd-stc.cz', user is simecek.tomas
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
> (0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz]
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200):
> Requesting info about [simecek.to...@sd-stc.cz]
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400):
> Returning info for user [simecek.to...@sd-stc.cz]
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
> Retrieving default options for [simecek.to...@sd-stc.cz] from [sd-stc.cz]
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
> (0x0400): No such entry
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
> (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
> simecek.to...@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain
> us...@sd-stc.cz)(sudoUser=%unixadm...@sd-stc.cz)(sudoUser=%
> mfcr_...@sd-stc.cz)(sudoUser=%acco...@sd-stc.cz)(sudoUser=%w...@sd-stc.cz
> )(sudoUser=%grpunixadmins)(sudoUser=+*))(&(dataExpireTimestamp<=1468393118)))]
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About
> to get sudo rules from cache
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
> (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
> (0x0400): Returning 0 rules for [<default options>@sd-stc.cz]
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using
> protocol version [1]
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): name 'simecek.to...@sd-stc.cz' matched expression for domain '
> sd-stc.cz', user is simecek.tomas
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): name 'simecek.to...@sd-stc.cz' matched expression for domain '
> sd-stc.cz', user is simecek.tomas
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
> (0x0200): Requesting rules for [simecek.tomas] from [sd-stc.cz]
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200):
> Requesting info about [simecek.to...@sd-stc.cz]
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400):
> Returning info for user [simecek.to...@sd-stc.cz]
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
> Retrieving rules for [simecek.to...@sd-stc.cz] from [sd-stc.cz]
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
> (0x0400): No such entry
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
> (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
> simecek.to...@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain
> us...@sd-stc.cz)(sudoUser=%unixadm...@sd-stc.cz)(sudoUser=%
> mfcr_...@sd-stc.cz)(sudoUser=%acco...@sd-stc.cz)(sudoUser=%w...@sd-stc.cz
> )(sudoUser=%grpunixadmins)(sudoUser=+*))(&(dataExpireTimestamp<=1468393118)))]
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About
> to get sudo rules from cache
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
> (0x0400): No such entry
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
> (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=simecek.to...@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain
> us...@sd-stc.cz)(sudoUser=%unixadm...@sd-stc.cz)(sudoUser=%
> mfcr_...@sd-stc.cz)(sudoUser=%acco...@sd-stc.cz)(sudoUser=%w...@sd-stc.cz
> )(sudoUser=%grpunixadmins)(sudoUser=+*)))]
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
> (0x0400): Returning 0 rules for [simecek.to...@sd-stc.cz]
> (Wed Jul 13 08:58:42 2016) [sssd[sudo]] [client_recv] (0x0200): Client
> disconnected!
> (Wed Jul 13 08:58:42 2016) [sssd[sudo]] [client_destructor] (0x2000):
> Terminated client [0x1330300][18]

When you look into the domain logs, do they show some rules being
fetched?

You can also install ldbsearch and then check what rules got stored in
the cache:
    ldbsearch -H /var/lib/sss/db/cache_$domain.ldb

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to