Here are the relevant configuration files:

*nsswitch.conf:*

passwd: compat sss
group: compat sss
shadow: compat sss
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: sss files

*sssd.conf:*

[domain/internal.emerlyn.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = internal.emerlyn.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = docker-dev-01.internal.emerlyn.com
chpass_provider = ipa
ipa_server = _srv_, id-management-1.internal.emerlyn.com
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider=ipa
ldap_uri=ldap://id-management-1.internal.emerlyn.com
ldap_sudo_search_base=ou=sudoers,dc=internal,dc=emerlyn,dc=com
debug_level=7

[sssd]
services = nss, pam, sudo, ssh
debug_level=7
domains = internal.emerlyn.com

[nss]
homedir_substring = /home

[pam]

[sudo]
debug_level=7

[autofs]

[ssh]
debug_level=7

[pac]

[ifp]

*Log output - /var/log/sssd/sssd_sudo.log:*

(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [jgoddard] from [<ALL>]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [[email protected]]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [[email protected]]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [jgoddard] from [internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*))(&(dataExpireTimestamp<=1470932503)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [jgoddard] from [<ALL>]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [[email protected]]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [[email protected]]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [jgoddard] from [internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*))(&(dataExpireTimestamp<=1470932503)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [[email protected]]
(Thu Aug 11 12:21:47 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [jgoddard] from [<ALL>]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [[email protected]]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [[email protected]]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [jgoddard] from [internal.emerlyn.com]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*))(&(dataExpireTimestamp<=1470932532)))]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@internal.emerlyn.com]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [jgoddard] from [<ALL>]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [[email protected]]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [[email protected]]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [jgoddard] from [internal.emerlyn.com]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*))(&(dataExpireTimestamp<=1470932532)))]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*)))]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [[email protected]]

On Thu, Aug 11, 2016 at 2:15 PM, Rob Crittenden <[email protected]> wrote:

> Jeff Goddard wrote:
>
>> I've looked through these but not found anything helpful. It appears as
>> though my previous statement about the 1 group being found was
>> misleading as the sssd.$mydomain.com.log file reports that no sudo rules
>> are found. Does this mean that the LDAP tree being searched is different
>> on ubuntu vs centos?
>>
>
> I find that extremely unlikely.
>
> You may want to outline more what you've already checked.
>
> For example, is sss in sudoers in /etc/nsswitch.conf?
>
> You can check the 389-ds access log to see what, if any queries are being
> made. I'd clean the sssd cache in advance.
>
> rob
>
>
>> Jeff
>>
>> On Wed, Aug 10, 2016 at 2:13 PM, Rob Crittenden <[email protected]> wrote:
>>
>>     Jeff Goddard wrote:
>>
>>         Sean,
>>
>>         Thanks for the reply. I don't think that's my problem but I'm
>>         posting a redacted copy of the sssd.conf file for review below.
>>
>>
>>     I'd start here:
>>     https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>>
>>     rob
>>
>

--
Jeff Goddard
Director of Information Technology
Emerlyn Technology
Email: [email protected]
Telephone: (603) 447-8571
Toll free: (888) 363-7596 ext. 108
Fax: (603) 356-3346
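
An added example, not part of the original message or of SSSD: a small parser for sssd_sudo.log lines in the format quoted above. It pairs each "Returning N rules" result with the identities from the sysdb filter that preceded it, so you can see which user, uid, group and netgroup values the sudo responder matched rules against. The sample log is constructed; the user "alice" and domain "example.test" are placeholders.

```python
import re

# Constructed sample in the same format as the sssd_sudo.log excerpt above;
# "alice", "#1001", "%admins" and "example.test" are placeholder values.
SAMPLE = """\
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@example.test]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=alice)(sudoUser=#1001)(sudoUser=%admins)(sudoUser=+*)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [alice@example.test]
"""

LINE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[sudo\]\] \[(?P<func>\w+)\] "
                  r"\(0x[0-9a-fA-F]+\): (?P<msg>.*)$")
RETURNING = re.compile(r"Returning (\d+) rules for \[(.+)\]$")
SUDO_USER = re.compile(r"\(sudoUser=([^)]+)\)")


def kind(identity):
    """Classify a sudoUser value by the prefix convention of the sudoers LDAP schema."""
    if identity == "ALL":
        return "wildcard"
    return {"#": "uid", "%": "group", "+": "netgroup"}.get(identity[0], "user")


def summarize(text):
    """Pair each 'Returning N rules' line with the last sysdb filter seen before it."""
    results, last_filter = [], []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a sudo responder debug line
        msg = m.group("msg")
        if m.group("func") == "sudosrv_get_sudorules_query_cache":
            # Keep only the most recent filter; the responder logs one per lookup.
            last_filter = [(v, kind(v)) for v in SUDO_USER.findall(msg)]
            continue
        hit = RETURNING.search(msg)
        if hit:
            results.append({"time": m.group("ts"), "subject": hit.group(2),
                            "rules": int(hit.group(1)), "identities": last_filter})
            last_filter = []
    return results


if __name__ == "__main__":
    for entry in summarize(SAMPLE):
        print(entry["time"], entry["subject"], entry["rules"], entry["identities"])
```
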
