On (06/01/17 17:15), James Harrison wrote:
>Any ideas?
> From: James Harrison <[email protected]>
> To: "[email protected]" <[email protected]>
> Sent: Thursday, 5 January 2017, 13:36
> Subject: FreeIPA sudo not working on Ubuntu Xenial sssd version 1.13.4-1ubuntu1.1
>
>Hi all, I'm having problems with a FreeIPA client running Ubuntu Xenial.
>I can authenticate OK, I get a kerberos ticket, but cannot run sudo.
>I get 1 rule returned, which I expect.
>Many thanks, James Harrison
>
>
>(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [[email protected]]
>(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [x_james.harrison] from [domain.com]
>(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1c11d70
>(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*))(&(dataExpireTimestamp<=1483618197)))]
>(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
>(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*)))]
>(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
>(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [[email protected]]
>(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1c0e770][18]
>
Yes, 1 rule was returned for user x_james.harrison. Can you see something in the output of "sudo -l"?
>==> sssd/sssd_pam.log <==
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [get_client_cred] (0x4000): Client creds: euid[0] egid[1082600012] pid[5470].
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2466e50][19]
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [accept_fd_handler] (0x0400): Client connected!
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2466e50][19]
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2466e50][19]
>
>==> auth.log <==
>Jan 5 12:10:17 pul-lp-sql-00 sudo: pam_unix(sudo:auth): authentication failure; logname=x_james.harrison uid=1082600012 euid=0 tty=/dev/pts/1 ruser=x_james.harrison rhost= user=x_james.harrison
>
I do not understand the reason why there is a failure in auth.log, because there isn't one in sssd_pam.log (see above).
>==> sssd/sssd_pam.log <==
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2466e50][19]
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'x_james.harrison' matched without domain, user is x_james.harrison
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): user: x_james.harrison
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: x_james.harrison
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 5470
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: x_james.harrison
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/domain.com/x_james.harrison]
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_initgr_check_timeout] (0x4000): User [x_james.harrison] not found in PAM cache.
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x410090:3:[email protected]]
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [domain.com][0x3][BE_REQ_INITGROUPS][1][name=x_james.harrison]
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x2469f20
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x410090:3:[email protected]]
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x2469f20
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x2467e60
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [[email protected]]
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [[email protected]]
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [x_james.harrison] added to PAM initgroup cache
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: domain.com
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): user: x_james.harrison
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: x_james.harrison
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 5470
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: x_james.harrison
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x2470c00
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x410090:3:[email protected]]
>
>==> syslog <==
>Jan 5 12:10:17 pul-lp-sql-00 kernel: [ 1272.582518] audit: type=1400 audit(1483618217.180:43): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/run/systemd/users/1082600012" pid=5570 comm="krb5_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>
>==> sssd/sssd_pam.log <==
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x2470c00
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x2467e60
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][domain.com] Authentication was succesfull for sudo service.
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 84
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2466e50][19]
>
>==> auth.log <==
>Jan 5 12:10:17 pul-lp-sql-00 sudo: pam_sss(sudo:auth): authentication success; logname=x_james.harrison uid=1082600012 euid=0 tty=/dev/pts/1 ruser=x_james.harrison rhost= user=x_james.harrison
>
>==> sssd/sssd_pam.log <==
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2466e50][19]
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering pam_cmd_acct_mgmt
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'x_james.harrison' matched without domain, user is x_james.harrison
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): user: x_james.harrison
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: x_james.harrison
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 5470
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: x_james.harrison
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/domain.com/x_james.harrison]
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_initgr_check_timeout] (0x2000): User [x_james.harrison] found in PAM cache.
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [[email protected]]
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [[email protected]]
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: domain.com
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): user: x_james.harrison
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: x_james.harrison
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 5470
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: x_james.harrison
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x246dd70
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x246dd70
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x2467e60
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][domain.com] Authorisation was successful for sudo
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 35
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2466e50][19]
>
>==> auth.log <==
>Jan 5 12:10:17 pul-lp-sql-00 sudo: x_james.harrison : user NOT authorized on host ; TTY=pts/1 ; PWD=/home/x_james.harrison ; USER=root ; COMMAND=/bin/bash
>
auth.log says something different than sssd_pam.log. I suspect some problem with sudo itself.

https://www.redhat.com/archives/freeipa-users/2016-August/msg00489.html

And here is the important message from that mail:

>unfortunately sudo 1.8.16 introduced a bug in sssd plugin. 1.8.16 contains
> a new option called netgroup_tuple, which tells whether a full netgroup
> tuple is checked or only the host/user part in host/user check. However,
> the patch didn't make the sssd plugin obey this option and it always
> checks both hostname and username.
>
>It is fixed in 1.8.17 by this patch:
>https://www.sudo.ws/repos/sudo/rev/2eab4070dcf7
>

Please, report a bug against Ubuntu sudo to backport this patch or rebase sudo.

Workaround might be to install the newer package from debian, 1.8.19-1:
https://packages.debian.org/stretch/sudo

LS
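An added triage script, written for this page and not part of the thread or of the sudo/SSSD projects: it runs over the auth.log and sssd_pam.log lines quoted above and reports which side produced the denial, and it checks the first line of "sudo -V" against the release the quoted mail names as affected (1.8.16, fixed in 1.8.17). The regular expressions match the log formats exactly as they appear in this thread; for other sssd or sudo versions they are an assumption.

```python
import re

# Constructed sample: the auth.log and sssd_pam.log lines quoted in the thread
# (hostname, user and timestamps as they appear there), one file per string.
AUTH_LOG = """\
Jan 5 12:10:17 pul-lp-sql-00 sudo: pam_unix(sudo:auth): authentication failure; logname=x_james.harrison uid=1082600012 euid=0 tty=/dev/pts/1 ruser=x_james.harrison rhost= user=x_james.harrison
Jan 5 12:10:17 pul-lp-sql-00 sudo: pam_sss(sudo:auth): authentication success; logname=x_james.harrison uid=1082600012 euid=0 tty=/dev/pts/1 ruser=x_james.harrison rhost= user=x_james.harrison
Jan 5 12:10:17 pul-lp-sql-00 sudo: x_james.harrison : user NOT authorized on host ; TTY=pts/1 ; PWD=/home/x_james.harrison ; USER=root ; COMMAND=/bin/bash
"""
SSSD_PAM_LOG = """\
(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][domain.com] Authentication was succesfull for sudo service.
(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][domain.com] Authorisation was successful for sudo
"""

PAM_RE = re.compile(r"sudo: pam_(\w+)\(sudo:(\w+)\): authentication (\w+);")
DENY_RE = re.compile(r"sudo: (\S+) : user NOT authorized on host")
SSSD_RE = re.compile(r"\[pam_dp_process_reply\].*received: \[(\d+) \([^)]*\)\]\[[^\]]+\] (\w+) was")

def triage(auth_log, sssd_pam_log):
    """Correlate sudo's auth.log with the sssd_pam log; only pam_sss counts for PAM."""
    pam, denied = {}, set()          # (module, phase) -> result; users sudo denied
    for line in auth_log.splitlines():
        m = PAM_RE.search(line)
        if m:
            pam[(m.group(1), m.group(2))] = m.group(3)
        m = DENY_RE.search(line)
        if m:
            denied.add(m.group(1))
    sssd = {}                        # "Authentication"/"Authorisation" -> DP error code
    for line in sssd_pam_log.splitlines():
        m = SSSD_RE.search(line)
        if m:
            sssd[m.group(2)] = int(m.group(1))
    sssd_ok = len(sssd) == 2 and all(code == 0 for code in sssd.values())
    if not denied:
        verdict = "ok"               # sudo did not deny anything
    elif sssd_ok and pam.get(("sss", "auth")) == "success":
        verdict = "sudo-plugin"      # SSSD and pam_sss said yes, sudo still said no:
    else:                            # the denial comes from sudo's own rule matching
        verdict = "sssd"             # SSSD itself reported a problem; look there first
    return {"pam": pam, "sssd": sssd, "denied": sorted(denied), "verdict": verdict}

VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def sudo_version_affected(sudo_v_output):
    """True for sudo 1.8.16 (any p-level), the release the thread names as buggy."""
    m = VER_RE.search(sudo_v_output)
    if not m:
        raise ValueError("unrecognised sudo version: %r" % sudo_v_output)
    return tuple(int(x) for x in m.groups()) == (1, 8, 16)
```

A "sudo-plugin" verdict on a 1.8.16 host is the situation in this thread: both SSSD responses carry DP code 0 and pam_sss logged success, so the "user NOT authorized on host" line cannot have come from authentication.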
