All, 1.8.19-1 from Debian does not appear to work either.
James

From: Lukas Slebodnik <lsleb...@redhat.com>
To: James Harrison <jamesaharriso...@yahoo.co.uk>
Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Sent: Saturday, 7 January 2017, 15:34
Subject: Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1

On (06/01/17 17:15), James Harrison wrote:
>Any ideas?
> From: James Harrison <jamesaharriso...@yahoo.co.uk>
> To: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
> Sent: Thursday, 5 January 2017, 13:36
> Subject: FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1
>
>Hi all, I'm having problems with a FreeIPA client running Ubuntu Xenial.
>I can authenticate OK, I get a Kerberos ticket, but cannot run sudo.
>I get 1 rule returned, which I expect.
>Many thanks, James Harrison
>
>
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning 
>info for user [x_james.harri...@domain.com]
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x0400): 
>Retrieving rules for [x_james.harrison] from [domain.com]
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
>"ltdb_callback": 0x1c11d70
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] 
>(0x0200): Searching sysdb with 
>[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*))(&(dataExpireTimestamp<=1483618197)))]
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to 
>get sudo rules from cache
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] 
>(0x0200): Searching sysdb with 
>[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*)))]
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting 
>rules with higher-wins logic
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] 
>(0x0400): Returning 1 rules for [x_james.harri...@domain.com]
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle 
>timer re-set for client [0x1c0e770][18]
>
Yes, 1 rule was returned for user x_james.harrison.
Can you see something in the output of "sudo -l"?


>==> sssd/sssd_pam.log <==
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [get_client_cred] (0x4000): Client 
>creds: euid[0] egid[1082600012] pid[5470].
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer 
>re-set for client [0x2466e50][19]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [accept_fd_handler] (0x0400): Client 
>connected!
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer 
>re-set for client [0x2466e50][19]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): 
>Received client version [3].
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered 
>version [3].
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer 
>re-set for client [0x2466e50][19]
>
>==> auth.log <==
>Jan  5 12:10:17 pul-lp-sql-00 sudo: pam_unix(sudo:auth): authentication 
>failure; logname=x_james.harrison uid=1082600012 euid=0 tty=/dev/pts/1 
>ruser=x_james.harrison rhost=  user=x_james.harrison
>
I do not understand the reason why there is a failure in auth.log,
because there isn't one in sssd_pam.log (see above).

>==> sssd/sssd_pam.log <==
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer 
>re-set for client [0x2466e50][19]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_cmd_authenticate] (0x0100): 
>entering pam_cmd_authenticate
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): 
>name 'x_james.harrison' matched without domain, user is x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): command: 
>SSS_PAM_AUTHENTICATE
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: not 
>set
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): user: 
>x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: 
>/dev/pts/1
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: 
>x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not 
>set
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok 
>type: 1
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok 
>type: 0
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 5470
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: 
>x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sss_ncache_check_str] (0x2000): 
>Checking negative cache for [NCE/USER/domain.com/x_james.harrison]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_initgr_check_timeout] (0x4000): 
>User [x_james.harrison] not found in PAM cache.
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sss_dp_issue_request] (0x0400): 
>Issuing request for [0x410090:3:x_james.harri...@domain.com]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): 
>Creating request for 
>[domain.com][0x3][BE_REQ_INITGROUPS][1][name=x_james.harrison]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x2469f20
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): 
>Entering request [0x410090:3:x_james.harri...@domain.com]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sbus_remove_timeout] (0x2000): 
>0x2469f20
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 
>0x2467e60
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply 
>from Data Provider - DP error code: 0 errno: 0 error message: Success
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_check_user_search] (0x0100): 
>Requesting info for [x_james.harri...@domain.com]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_check_user_search] (0x0400): 
>Returning info for user [x_james.harri...@domain.com]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_initgr_cache_set] (0x2000): 
>[x_james.harrison] added to PAM initgroup cache
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending 
>request with the following data:
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): command: 
>SSS_PAM_AUTHENTICATE
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: 
>domain.com
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): user: 
>x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: 
>/dev/pts/1
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: 
>x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not 
>set
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok 
>type: 1
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok 
>type: 0
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 5470
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: 
>x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x2470c00
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): 
>pam_dp_send_req returned 0
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sss_dp_req_destructor] (0x0400): 
>Deleting request: [0x410090:3:x_james.harri...@domain.com]
>
>==> syslog <==
>Jan  5 12:10:17 pul-lp-sql-00 kernel: [ 1272.582518] audit: type=1400 
>audit(1483618217.180:43): apparmor="ALLOWED" operation="open" 
>profile="/usr/sbin/sssd" name="/run/systemd/users/1082600012" pid=5570 
>comm="krb5_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>
>==> sssd/sssd_pam.log <==
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sbus_remove_timeout] (0x2000): 
>0x2470c00
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 
>0x2467e60
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): 
>received: [0 (Success)][domain.com]
Authentication was successful for the sudo service.

>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called 
>with result [0]: Success.
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called 
>with result [0]: Success.
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 84
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer 
>re-set for client [0x2466e50][19]
>
>==> auth.log <==
>Jan  5 12:10:17 pul-lp-sql-00 sudo: pam_sss(sudo:auth): authentication 
>success; logname=x_james.harrison uid=1082600012 euid=0 tty=/dev/pts/1 
>ruser=x_james.harrison rhost= user=x_james.harrison
>
>==> sssd/sssd_pam.log <==
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer 
>re-set for client [0x2466e50][19]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering 
>pam_cmd_acct_mgmt
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): 
>name 'x_james.harrison' matched without domain, user is x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): command: 
>SSS_PAM_ACCT_MGMT
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: not 
>set
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): user: 
>x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: 
>/dev/pts/1
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: 
>x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not 
>set
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok 
>type: 0
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok 
>type: 0
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 5470
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: 
>x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sss_ncache_check_str] (0x2000): 
>Checking negative cache for [NCE/USER/domain.com/x_james.harrison]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_initgr_check_timeout] (0x2000): 
>User [x_james.harrison] found in PAM cache.
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_check_user_search] (0x0100): 
>Requesting info for [x_james.harri...@domain.com]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_check_user_search] (0x0400): 
>Returning info for user [x_james.harri...@domain.com]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending 
>request with the following data:
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): command: 
>SSS_PAM_ACCT_MGMT
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: 
>domain.com
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): user: 
>x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: 
>/dev/pts/1
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: 
>x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not 
>set
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok 
>type: 0
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok 
>type: 0
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 5470
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: 
>x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x246dd70
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): 
>pam_dp_send_req returned 0
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sbus_remove_timeout] (0x2000): 
>0x246dd70
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 
>0x2467e60
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): 
>received: [0 (Success)][domain.com]
Authorisation was successful for sudo


>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called 
>with result [0]: Success.
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 35
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer 
>re-set for client [0x2466e50][19]
>
>==> auth.log <==
>Jan  5 12:10:17 pul-lp-sql-00 sudo: x_james.harrison : user NOT authorized on 
>host ; TTY=pts/1 ; PWD=/home/x_james.harrison ; USER=root ; COMMAND=/bin/bash
>
auth.log says something different from sssd_pam.log.

I suspect some problem with sudo itself.
https://www.redhat.com/archives/freeipa-users/2016-August/msg00489.html

And here is the important message from that mail:
>unfortunately sudo 1.8.16 introduced a bug in the sssd plugin. 1.8.16 contains
> a new option called netgroup_tuple, which tells whether a full netgroup
> tuple is checked or only the host/user part in the host/user check. However,
> the patch didn't make the sssd plugin obey this option and it always
> checks both hostname and username.
>
>It is fixed in 1.8.17 by this patch:
>https://www.sudo.ws/repos/sudo/rev/2eab4070dcf7
>
Please report a bug against Ubuntu sudo to backport this patch or rebase sudo.

A workaround might be to install the newer package from Debian, 1.8.19-1:
https://packages.debian.org/stretch/sudo

LS

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
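The reasoning in the reply above (sssd returned a rule, PAM authentication and account checks succeeded, yet sudo itself logged "user NOT authorized on host", so the decision fell inside sudo's own rule matching) can be scripted over the three log files. The block below is an added example written for this page; it is not code from the thread, from SSSD or from sudo. It assumes only the log line formats quoted in the thread, plus the usual sudo syslog format for an accepted command ("user : TTY=... ; PWD=... ; USER=... ; COMMAND=..."), which is an assumption since no accepted command appears in the thread. The sample lines are constructed from the quoted excerpts; the pam_unix line is deliberately ignored, since only pam_sss carries the IPA-side verdict. The version helper encodes exactly what the quoted mail states: the bug appeared in sudo 1.8.16 and is fixed in 1.8.17.

```python
import re
from typing import Dict, Optional

# Constructed sample, condensed from the sssd_sudo.log / sssd_pam.log / auth.log
# excerpts quoted in this thread: one line per event that matters for the verdict.
SAMPLE_DENIED = """\
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [x_james.harri...@domain.com]
Jan  5 12:10:17 pul-lp-sql-00 sudo: pam_unix(sudo:auth): authentication failure; logname=x_james.harrison uid=1082600012 euid=0 tty=/dev/pts/1 ruser=x_james.harrison rhost=  user=x_james.harrison
(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][domain.com]
Jan  5 12:10:17 pul-lp-sql-00 sudo: pam_sss(sudo:auth): authentication success; logname=x_james.harrison uid=1082600012 euid=0 tty=/dev/pts/1 ruser=x_james.harrison rhost= user=x_james.harrison
(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][domain.com]
Jan  5 12:10:17 pul-lp-sql-00 sudo: x_james.harrison : user NOT authorized on host ; TTY=pts/1 ; PWD=/home/x_james.harrison ; USER=root ; COMMAND=/bin/bash
"""

# Hypothetical counter-example (constructed): identical flow, but sudo accepts
# the command and logs it in its usual "user : TTY=... ; COMMAND=..." form.
SAMPLE_ALLOWED = SAMPLE_DENIED.replace(
    "x_james.harrison : user NOT authorized on host ; TTY=pts/1",
    "x_james.harrison : TTY=pts/1")

RULES_RE = re.compile(r"\[sudosrv_get_sudorules_from_cache\].*Returning (\d+) rules")
PAM_CMD_RE = re.compile(r"\[pam_print_data\].*command: (SSS_PAM_\w+)")
PAM_REPLY_RE = re.compile(r"\[pam_dp_process_reply\].*received: \[(\d+) \(")
PAM_SSS_RE = re.compile(r"sudo: pam_sss\(sudo:auth\): authentication (success|failure)")
SUDO_DENY_RE = re.compile(r"sudo: +(\S+) : user NOT authorized on host")
SUDO_ALLOW_RE = re.compile(r"sudo: +(\S+) : TTY=")   # assumed accepted-command format


def diagnose(log_text: str) -> Dict[str, object]:
    """Walk merged log lines in order and report which stage decided the sudo
    request: sssd rule lookup, PAM authentication, PAM account check, or
    sudo's own rule matching."""
    rules: Optional[int] = None
    sssd_replies: Dict[str, int] = {}      # SSS_PAM_* command -> DP result code
    current_cmd: Optional[str] = None
    pam_sss: Optional[str] = None          # pam_sss verdict as sudo saw it
    sudo_verdict: Optional[str] = None     # "allowed" / "denied"

    for line in log_text.splitlines():
        if m := RULES_RE.search(line):
            rules = int(m.group(1))
        elif m := PAM_CMD_RE.search(line):
            current_cmd = m.group(1)
        elif (m := PAM_REPLY_RE.search(line)) and current_cmd:
            sssd_replies[current_cmd] = int(m.group(1))
        elif m := PAM_SSS_RE.search(line):
            pam_sss = m.group(1)
        elif SUDO_DENY_RE.search(line):
            sudo_verdict = "denied"
        elif SUDO_ALLOW_RE.search(line):
            sudo_verdict = "allowed"

    if rules == 0:
        verdict = "no-rules-from-sssd"
    elif sssd_replies.get("SSS_PAM_AUTHENTICATE", 0) != 0 or pam_sss == "failure":
        verdict = "authentication-failed"
    elif sssd_replies.get("SSS_PAM_ACCT_MGMT", 0) != 0:
        verdict = "account-check-failed"
    elif sudo_verdict == "denied":
        # sssd handed sudo a rule and both PAM stages succeeded, yet sudo refused:
        # the decision was taken inside sudo's rule matching (for example the
        # host/netgroup check of its sssd plugin discussed in this thread).
        verdict = "sudo-rule-match-failed"
    elif sudo_verdict == "allowed":
        verdict = "allowed"
    else:
        verdict = "undetermined"
    return {"rules": rules, "sssd_replies": sssd_replies,
            "pam_sss": pam_sss, "sudo": sudo_verdict, "verdict": verdict}


def sudo_version_has_netgroup_tuple_bug(version: str) -> bool:
    """True for the sudo releases the quoted mail names as affected: the bug
    appeared in 1.8.16 and is fixed in 1.8.17 (suffixes such as 'p1' ignored)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised sudo version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    return (1, 8, 16) <= v < (1, 8, 17)


if __name__ == "__main__":
    for name, sample in (("denied", SAMPLE_DENIED), ("allowed", SAMPLE_ALLOWED)):
        print(name, diagnose(sample)["verdict"])
    print("1.8.16 affected:", sudo_version_has_netgroup_tuple_bug("1.8.16"))
```

Feeding the real files works the same way: concatenate sssd_sudo.log, sssd_pam.log and auth.log for the time window of one sudo attempt and pass the text to diagnose(). A verdict of "sudo-rule-match-failed" is the signature the reply above describes, and is the cue to check the sudo package version rather than the SSSD or IPA side.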
