All, 1.8.19-1 from Debian does not appear to work either.
James
From: Lukas Slebodnik <[email protected]>
To: James Harrison <[email protected]>
Cc: "[email protected]" <[email protected]>
Sent: Saturday, 7 January 2017, 15:34
Subject: Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd
version 1.13.4-1ubuntu1.1
On (06/01/17 17:15), James Harrison wrote:
>Any ideas?
> From: James Harrison <[email protected]>
> To: "[email protected]" <[email protected]>
> Sent: Thursday, 5 January 2017, 13:36
> Subject: FreeIPA sudo not working on ububtu xenial sssd version
> 1.13.4-1ubuntu1.1
>
>Hi all, I'm having problems with a FreeIPA client running Ubuntu Xenial.
>I can authenticate OK, I get a kerberos ticket, but cannot run sudo.
>I get 1 rule returned, which I expect.
>Many thanks, James Harrison
>
>
>(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning
>info for user [[email protected]]
>(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
>Retrieving rules for [x_james.harrison] from [domain.com]
>(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event
>"ltdb_callback": 0x1c11d70
>(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
>(0x0200): Searching sysdb with
>[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*))(&(dataExpireTimestamp<=1483618197)))]
>(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to
>get sudo rules from cache
>(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
>(0x0200): Searching sysdb with
>[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*)))]
>(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting
>rules with higher-wins logic
>(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
>(0x0400): Returning 1 rules for [[email protected]]
>(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle
>timer re-set for client [0x1c0e770][18]
>
Yes, 1 rule was returned for user x_james.harrison.
Can you see something in the output of "sudo -l"?
>==> sssd/sssd_pam.log <==
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [get_client_cred] (0x4000): Client
>creds: euid[0] egid[1082600012] pid[5470].
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer
>re-set for client [0x2466e50][19]
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [accept_fd_handler] (0x0400): Client
>connected!
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer
>re-set for client [0x2466e50][19]
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200):
>Received client version [3].
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered
>version [3].
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer
>re-set for client [0x2466e50][19]
>
>==> auth.log <==
>Jan 5 12:10:17 pul-lp-sql-00 sudo: pam_unix(sudo:auth): authentication
>failure; logname=x_james.harrison uid=1082600012 euid=0 tty=/dev/pts/1
>ruser=x_james.harrison rhost= user=x_james.harrison
>
I do not understand the reason why there is a failure in auth.log,
because there isn't one in sssd_pam.log (see above).
>==> sssd/sssd_pam.log <==
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer
>re-set for client [0x2466e50][19]
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_cmd_authenticate] (0x0100):
>entering pam_cmd_authenticate
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200):
>name 'x_james.harrison' matched without domain, user is x_james.harrison
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): command:
>SSS_PAM_AUTHENTICATE
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: not
>set
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): user:
>x_james.harrison
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): tty:
>/dev/pts/1
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser:
>x_james.harrison
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not
>set
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok
>type: 1
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok
>type: 0
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 5470
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name:
>x_james.harrison
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_ncache_check_str] (0x2000):
>Checking negative cache for [NCE/USER/domain.com/x_james.harrison]
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_initgr_check_timeout] (0x4000):
>User [x_james.harrison] not found in PAM cache.
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_dp_issue_request] (0x0400):
>Issuing request for [0x410090:3:[email protected]]
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_dp_get_account_msg] (0x0400):
>Creating request for
>[domain.com][0x3][BE_REQ_INITGROUPS][1][name=x_james.harrison]
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x2469f20
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_dp_internal_get_send] (0x0400):
>Entering request [0x410090:3:[email protected]]
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_remove_timeout] (0x2000):
>0x2469f20
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn:
>0x2467e60
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply
>from Data Provider - DP error code: 0 errno: 0 error message: Success
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_check_user_search] (0x0100):
>Requesting info for [[email protected]]
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_check_user_search] (0x0400):
>Returning info for user [[email protected]]
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_initgr_cache_set] (0x2000):
>[x_james.harrison] added to PAM initgroup cache
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending
>request with the following data:
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): command:
>SSS_PAM_AUTHENTICATE
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): domain:
>domain.com
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): user:
>x_james.harrison
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): tty:
>/dev/pts/1
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser:
>x_james.harrison
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not
>set
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok
>type: 1
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok
>type: 0
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 5470
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name:
>x_james.harrison
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x2470c00
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100):
>pam_dp_send_req returned 0
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_dp_req_destructor] (0x0400):
>Deleting request: [0x410090:3:[email protected]]
>
>==> syslog <==
>Jan 5 12:10:17 pul-lp-sql-00 kernel: [ 1272.582518] audit: type=1400
>audit(1483618217.180:43): apparmor="ALLOWED" operation="open"
>profile="/usr/sbin/sssd" name="/run/systemd/users/1082600012" pid=5570
>comm="krb5_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>
>==> sssd/sssd_pam.log <==
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_remove_timeout] (0x2000):
>0x2470c00
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn:
>0x2467e60
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200):
>received: [0 (Success)][domain.com]
Authentication was successful for the sudo service.
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called
>with result [0]: Success.
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called
>with result [0]: Success.
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 84
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer
>re-set for client [0x2466e50][19]
>
>==> auth.log <==
>Jan 5 12:10:17 pul-lp-sql-00 sudo: pam_sss(sudo:auth): authentication
>success; logname=x_james.harrison uid=1082600012 euid=0 tty=/dev/pts/1
>ruser=x_james.harrison rhost= user=x_james.harrison
>
>==> sssd/sssd_pam.log <==
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer
>re-set for client [0x2466e50][19]
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering
>pam_cmd_acct_mgmt
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200):
>name 'x_james.harrison' matched without domain, user is x_james.harrison
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): command:
>SSS_PAM_ACCT_MGMT
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: not
>set
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): user:
>x_james.harrison
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): tty:
>/dev/pts/1
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser:
>x_james.harrison
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not
>set
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok
>type: 0
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok
>type: 0
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 5470
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name:
>x_james.harrison
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_ncache_check_str] (0x2000):
>Checking negative cache for [NCE/USER/domain.com/x_james.harrison]
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_initgr_check_timeout] (0x2000):
>User [x_james.harrison] found in PAM cache.
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_check_user_search] (0x0100):
>Requesting info for [[email protected]]
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_check_user_search] (0x0400):
>Returning info for user [[email protected]]
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending
>request with the following data:
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): command:
>SSS_PAM_ACCT_MGMT
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): domain:
>domain.com
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): user:
>x_james.harrison
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): tty:
>/dev/pts/1
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser:
>x_james.harrison
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not
>set
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok
>type: 0
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok
>type: 0
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 5470
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name:
>x_james.harrison
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x246dd70
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100):
>pam_dp_send_req returned 0
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_remove_timeout] (0x2000):
>0x246dd70
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn:
>0x2467e60
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200):
>received: [0 (Success)][domain.com]
Authorisation was successful for sudo.
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called
>with result [0]: Success.
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 35
>(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer
>re-set for client [0x2466e50][19]
>
>==> auth.log <==
>Jan 5 12:10:17 pul-lp-sql-00 sudo: x_james.harrison : user NOT authorized on
>host ; TTY=pts/1 ; PWD=/home/x_james.harrison ; USER=root ; COMMAND=/bin/bash
>
auth.log says something different than sssd_pam.log.
I suspect some problem with sudo itself.
https://www.redhat.com/archives/freeipa-users/2016-August/msg00489.html
And here is the important message from that mail:
>unfortunately sudo 1.8.16 introduced a bug in the sssd plugin. 1.8.16 contains
> a new option called netgroup_tuple, which tells whether a full netgroup
> tuple is checked or only the host/user part in the host/user check. However,
> the patch didn't make the sssd plugin obey this option and it always
> checks both hostname and username.
>
>It is fixed in 1.8.17 by this patch:
>https://www.sudo.ws/repos/sudo/rev/2eab4070dcf7
>
Please report a bug against Ubuntu sudo to backport this patch or rebase sudo.
A workaround might be to install the newer package from Debian, 1.8.19-1:
https://packages.debian.org/stretch/sudo
LS
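As an added example that is not part of the thread, the following Python triage reads auth.log lines of the shape quoted above and separates the thread's symptom (a PAM module accepted the password, then sudo itself refused with "user NOT authorized on host", which points at sudo's rule evaluation such as the sssd-plugin netgroup bug in the linked mail) from a normal grant and from a denial with no preceding PAM success. The sample log and the user alice are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample auth.log, modelled on the lines quoted in the thread:
# pam_unix fails (the IPA user has no local password, the stack falls through),
# pam_sss succeeds, then sudo's own policy check denies the command.
SAMPLE_AUTH_LOG = """\
Jan 5 12:10:17 pul-lp-sql-00 sudo: pam_unix(sudo:auth): authentication failure; logname=x_james.harrison uid=1082600012 euid=0 tty=/dev/pts/1 ruser=x_james.harrison rhost= user=x_james.harrison
Jan 5 12:10:17 pul-lp-sql-00 sudo: pam_sss(sudo:auth): authentication success; logname=x_james.harrison uid=1082600012 euid=0 tty=/dev/pts/1 ruser=x_james.harrison rhost= user=x_james.harrison
Jan 5 12:10:17 pul-lp-sql-00 sudo: x_james.harrison : user NOT authorized on host ; TTY=pts/1 ; PWD=/home/x_james.harrison ; USER=root ; COMMAND=/bin/bash
Jan 5 12:12:03 pul-lp-sql-00 sudo: pam_sss(sudo:auth): authentication success; logname=alice uid=1082600020 euid=0 tty=/dev/pts/2 ruser=alice rhost= user=alice
Jan 5 12:12:03 pul-lp-sql-00 sudo: alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
"""

# PAM result lines: module name, outcome, and the target user (\b rejects "ruser=").
PAM_RE = re.compile(
    r"sudo: (?P<module>pam_\w+)\(sudo:auth\): authentication "
    r"(?P<result>success|failure);.*\buser=(?P<user>\S+)")
# sudo's own decision lines, written after authentication has completed.
DENY_RE = re.compile(r"sudo: +(?P<user>\S+) : user NOT authorized on host")
ALLOW_RE = re.compile(r"sudo: +(?P<user>\S+) : TTY=")


def triage_sudo_log(text):
    """Return a list of (user, verdict) per sudo decision line, where verdict is
    'authorized', 'denied-after-pam-success' (authentication worked, sudo's rule
    evaluation refused: look at sudo / its sssd plugin, not at sssd auth), or
    'denied-without-pam-success' (no PAM success seen: cached timestamp,
    NOPASSWD, or authentication that sudo reports separately)."""
    pam = defaultdict(dict)  # user -> {module: last result seen}
    verdicts = []
    for line in text.splitlines():
        m = PAM_RE.search(line)
        if m:
            pam[m["user"]][m["module"]] = m["result"]
            continue
        m = DENY_RE.search(line)
        if m:
            ok = "success" in pam.pop(m["user"], {}).values()
            verdicts.append((m["user"], "denied-after-pam-success" if ok
                             else "denied-without-pam-success"))
            continue
        m = ALLOW_RE.search(line)
        if m:
            pam.pop(m["user"], None)  # decision consumed; next attempt starts clean
            verdicts.append((m["user"], "authorized"))
    return verdicts


if __name__ == "__main__":
    for user, verdict in triage_sudo_log(SAMPLE_AUTH_LOG):
        print(f"{user}: {verdict}")
```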