Re: [Freeipa-users] Sudo entry not found by sssd in the cache db
"Pavel Březina" írta: >On 09/15/2015 09:10 AM, Molnár Domokos wrote: >> >> "Molnár Domokos" írta: >> >> On 09/14/2015 03:08 PM, Pavel Březina wrote: >>> On 09/11/2015 02:40 PM, Molnár Domokos wrote: >>>> Full log attached. >>>> "Molnár Domokos" írta: >>>> >>>> >>>> "Pavel Březina" írta: >>>> >>>> On 09/09/2015 09:31 PM, Molnár Domokos wrote: >>>> > I have a working IPA server and a working client >>>> config on an OpenSuse >>>> > 13.2 with the following versions: >>>> > nappali:~ # rpm -qa |grep sssd >>>> > sssd-tools-1.12.2-3.4.1.i586 >>>> > sssd-krb5-1.12.2-3.4.1.i586 >>>> > python-sssd-config-1.12.2-3.4.1.i586 >>>> > sssd-ipa-1.12.2-3.4.1.i586 >>>> > sssd-1.12.2-3.4.1.i586 >>>> > sssd-dbus-1.12.2-3.4.1.i586 >>>> > sssd-krb5-common-1.12.2-3.4.1.i586 >>>> > sssd-ldap-1.12.2-3.4.1.i586 >>>> > sssd is confihured for nss, pam, sudo >>>> > There is a test sudo rule defined in the ipa server, >>>> which applies to >>>> > user "doma". However when the user tries to use sudo >>>> the rule does not >>>> > work. >>>> > doma@nappali:/home/doma> sudo ls >>>> > doma's password: >>>> > doma is not allowed to run sudo on nappali. This >>>> incident will be reported. >>>> > The corresponding log in the sssd_sudo.log is this: >>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>>> [sss_cmd_get_version] (0x0200): >>>> > Received client version [1]. >>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>>> [sss_cmd_get_version] (0x0200): >>>> > Offered version [1]. 
>>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>>> [sss_parse_name_for_domains] >>>> > (0x0200): name 'doma' matched without domain, user >>>> is doma >>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>>> [sss_parse_name_for_domains] >>>> > (0x0200): name 'doma' matched without domain, user >>>> is doma >>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>>> [sudosrv_cmd_parse_query_done] >>>> > (0x0200): Requesting default options for [doma] from >>>> [] >>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>>> [sudosrv_get_user] (0x0200): >>>> > Requesting info about [doma@szilva] >>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>>> > [sudosrv_get_sudorules_query_cache] (0x0200): >>>> Searching sysdb with >>>> > >>>> >>>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))] >>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>>> > [sudosrv_get_sudorules_query_cache] (0x0200): >>>> Searching sysdb with >>>> > [(&(objectClass=sudoRule)(|(name=defaults)))] >>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>>> [sss_parse_name_for_domains] >>>> > (0x0200): name 'doma' matched without domain, user >>>> is doma >>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>>> [sss_parse_name_for_domains] >>>> > (0x0200): name 'doma' matched without domain, user >>>> is doma >>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>>> [sudosrv_cmd_parse_query_done] >>>> > (0x0200): Requesting rules for [doma] from [] >>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>>> [sudosrv_get_user] (0x0200): >>>> > Reques
Re: [Freeipa-users] Sudo entry not found by sssd in the cache db
On 09/15/2015 01:37 PM, Jakub Hrozek wrote:
>On Tue, Sep 15, 2015 at 01:58:07PM +0300, Alexander Bokovoy wrote:
>>On Tue, 15 Sep 2015, Molnár Domokos wrote:
>>>>#hostnamectl set-hostname nappali.silva on modern systems.
>>>>>doma@nappali:/home/doma> hostname --fqdn
>>>>>nappali.szilva
>>>doma@nappali:/home/doma> su
>>>Password:
>>>nappali:/home/doma # hostnamectl set-hostname nappali.szilva
>>>nappali:/home/doma # hostname
>>>nappali.szilva
>>>nappali:/home/doma # hostname --fqdn
>>>nappali.szilva
>>>nappali:/home/doma # su doma
>>>sh-4.2$ sudo ls
>>>doma's password:
>>>20140921.ZIP
>>>Oracle_VM_VirtualBox_Extension_Pack-4.3.26-98988.vbox-extpack
>>>42646515_eb8d7dcabe416247463f1bc8652adced.pdf
>>>Now it works, the rule is matched. I'm not sure this is the intended way
>>>especially seeing the fqdn mechanism in the sudo code but I'll just keep
>>>it that way. Thank you.
>>sudo doesn't do normalization and IPA's way of exposing host names is
>>by using by default fqdn. So sudo compares local hostname with fqdn-based
>>one, guess which way it will succeed? You theoretically could have every
>>hostname in IPA registered non-fqdn but what you cannot have is a mix between
>>fqdn- and non-fqdn names.
>You can have registered a different hostname with IPA than what hostname(1)
>reports, we have an ipa_hostname parameter for that. But there's no way
>for sudo to learn about it..

You may well be right but I still think this is a bug in the sudo/sssd plugin. Here's why I think so:

@line 582 in sssd.c, when calling hostname_matches, it is a clear intention of the code that the hostname matching is done both against the fqdn and the naked hostname.

@lines 773-790 the implementation of hostname_matches(..) is done correctly. It guesses intelligently and chooses to match either against the fqdn or the naked hostname based on the format of the hostname provided by IPA. If there is a '.' in the IPA-provided hostname then the hostname is compared to the fqdn, otherwise it is compared to the bare hostname.

@line 805 in sudoers.c, in set_fqdn, the fqdn is correctly retrieved for the host during initialization - so sudo is indeed aware of both host name versions. I tested this part and it works OK.

The bug - I think - is that the information correctly retrieved during init through set_fqdn in sudoers.c somehow does not make its way to line 582 in sssd.c. There both user_shost and user_host seem to contain the naked hostname unless the bare hostname contains the fqdn itself. I do not have enough time to find out why this happens but the above evidence suggests that there is a bug somewhere in the process.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Sudo entry not found by sssd in the cache db
Jakub Hrozek wrote:
>On Tue, Sep 15, 2015 at 09:13:09AM +0200, Molnár Domokos wrote:
Re: [Freeipa-users] Sudo entry not found by sssd in the cache db
Jakub Hrozek wrote:
>On Tue, Sep 15, 2015 at 07:25:17AM +0200, Molnár Domokos wrote:
Re: [Freeipa-users] Sudo entry not found by sssd in the cache db
"Molnár Domokos" írta: >On 09/14/2015 03:08 PM, Pavel Březina wrote: >>On 09/11/2015 02:40 PM, Molnár Domokos wrote: >>>Full log attached. >>>"Molnár Domokos" írta: >>> >>> >>>"Pavel Březina" írta: >>> >>>On 09/09/2015 09:31 PM, Molnár Domokos wrote: >>> > I have a working IPA server and a working client config on an >>> OpenSuse >>> > 13.2 with the following versions: >>> > nappali:~ # rpm -qa |grep sssd >>> > sssd-tools-1.12.2-3.4.1.i586 >>> > sssd-krb5-1.12.2-3.4.1.i586 >>> > python-sssd-config-1.12.2-3.4.1.i586 >>> > sssd-ipa-1.12.2-3.4.1.i586 >>> > sssd-1.12.2-3.4.1.i586 >>> > sssd-dbus-1.12.2-3.4.1.i586 >>> > sssd-krb5-common-1.12.2-3.4.1.i586 >>> > sssd-ldap-1.12.2-3.4.1.i586 >>> > sssd is confihured for nss, pam, sudo >>> > There is a test sudo rule defined in the ipa server, which >>> applies to >>> > user "doma". However when the user tries to use sudo the rule >>> does not >>> > work. >>> > doma@nappali:/home/doma> sudo ls >>> > doma's password: >>> > doma is not allowed to run sudo on nappali. This incident will >>> be reported. >>> > The corresponding log in the sssd_sudo.log is this: >>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] >>> (0x0200): >>> > Received client version [1]. >>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] >>> (0x0200): >>> > Offered version [1]. 
>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>> [sss_parse_name_for_domains] >>> > (0x0200): name 'doma' matched without domain, user is doma >>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>> [sss_parse_name_for_domains] >>> > (0x0200): name 'doma' matched without domain, user is doma >>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>> [sudosrv_cmd_parse_query_done] >>> > (0x0200): Requesting default options for [doma] from [] >>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] >>> (0x0200): >>> > Requesting info about [doma@szilva] >>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with >>> > >>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))] >>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with >>> > [(&(objectClass=sudoRule)(|(name=defaults)))] >>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>> [sss_parse_name_for_domains] >>> > (0x0200): name 'doma' matched without domain, user is doma >>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>> [sss_parse_name_for_domains] >>> > (0x0200): name 'doma' matched without domain, user is doma >>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>> [sudosrv_cmd_parse_query_done] >>> > (0x0200): Requesting rules for [doma] from [] >>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] >>> (0x0200): >>> > Requesting info about [doma@szilva] >>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with >>> > >>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))] >>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >>> > 
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with >>> > >>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))] >>>
Re: [Freeipa-users] Sudo entry not found by sssd in the cache db
On 09/14/2015 03:08 PM, Pavel Březina wrote:
>On 09/11/2015 02:40 PM, Molnár Domokos wrote:
Re: [Freeipa-users] Sudo entry not found by sssd in the cache db
"Pavel Březina" írta: >On 09/09/2015 09:31 PM, Molnár Domokos wrote: >> I have a working IPA server and a working client config on an OpenSuse >> 13.2 with the following versions: >> nappali:~ # rpm -qa |grep sssd >> sssd-tools-1.12.2-3.4.1.i586 >> sssd-krb5-1.12.2-3.4.1.i586 >> python-sssd-config-1.12.2-3.4.1.i586 >> sssd-ipa-1.12.2-3.4.1.i586 >> sssd-1.12.2-3.4.1.i586 >> sssd-dbus-1.12.2-3.4.1.i586 >> sssd-krb5-common-1.12.2-3.4.1.i586 >> sssd-ldap-1.12.2-3.4.1.i586 >> sssd is confihured for nss, pam, sudo >> There is a test sudo rule defined in the ipa server, which applies to >> user "doma". However when the user tries to use sudo the rule does not >> work. >> doma@nappali:/home/doma> sudo ls >> doma's password: >> doma is not allowed to run sudo on nappali. This incident will be reported. >> The corresponding log in the sssd_sudo.log is this: >> (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): >> Received client version [1]. >> (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): >> Offered version [1]. 
>> (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] >> (0x0200): name 'doma' matched without domain, user is doma >> (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] >> (0x0200): name 'doma' matched without domain, user is doma >> (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] >> (0x0200): Requesting default options for [doma] from [] >> (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): >> Requesting info about [doma@szilva] >> (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with >> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))] >> (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with >> [(&(objectClass=sudoRule)(|(name=defaults)))] >> (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] >> (0x0200): name 'doma' matched without domain, user is doma >> (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] >> (0x0200): name 'doma' matched without domain, user is doma >> (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] >> (0x0200): Requesting rules for [doma] from [] >> (Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): >> Requesting info about [doma@szilva] >> (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with >> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))] >> (Wed Sep 9 21:25:25 2015) [sssd[sudo]] >> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with >> 
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))] >> (Wed Sep 9 21:25:30 2015) [sssd[sudo]] [client_recv] (0x0200): Client >> disconnected! >> This seems perfectly OK with one exception. The query against the sysdb >> does not find the entry. This is strange because the entry is there. >> Log in sssd.log: >> (Wed Sep 2 08:52:13 2015) [sssd] [sysdb_domain_init_internal] (0x0200): >> DB File for szilva: /var/lib/sss/db/cache_szilva.ldb >> So we know that the sysdb is /var/lib/sss/db/cache_szilva.ldb >> Running the exact same query seen above in the sssd_sudo.log against the >> db returns: >> ldbsearch -H /var/lib/sss/db/cache_szilva.ldb >> "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))" >> asq: Unable to register control with rootdse! >> # record 1 >> dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb >> cn: Doma_ls >> dataExpireTimestamp: 1441830262 >> entryUSN: 20521 >> name: Doma_ls >> objectClass: sudoRule >> originalDN: cn=Doma_ls,ou=sudoers,dc=szilva >> sudoCommand: ls >> sudoHost: nappali.szilva >> sudoRunAsGroup: ALL >> sudoRunAsUser: ALL >> sudoUser: doma >> distinguishedName: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb >> # returne
[Freeipa-users] Sudo entry not found by sssd in the cache db
I have a working IPA server and a working client config on an OpenSuse 13.2 with the following versions:

nappali:~ # rpm -qa |grep sssd
sssd-tools-1.12.2-3.4.1.i586
sssd-krb5-1.12.2-3.4.1.i586
python-sssd-config-1.12.2-3.4.1.i586
sssd-ipa-1.12.2-3.4.1.i586
sssd-1.12.2-3.4.1.i586
sssd-dbus-1.12.2-3.4.1.i586
sssd-krb5-common-1.12.2-3.4.1.i586
sssd-ldap-1.12.2-3.4.1.i586

sssd is configured for nss, pam, sudo.

There is a test sudo rule defined in the ipa server, which applies to user "doma". However, when the user tries to use sudo the rule does not work.

doma@nappali:/home/doma> sudo ls
doma's password:
doma is not allowed to run sudo on nappali. This incident will be reported.

The corresponding log in the sssd_sudo.log is this:

(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [doma] from []
(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma@szilva]
(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [doma] from []
(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma@szilva]
(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
(Wed Sep 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))]
(Wed Sep 9 21:25:30 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!

This seems perfectly OK with one exception. The query against the sysdb does not find the entry. This is strange because the entry is there.

Log in sssd.log:

(Wed Sep 2 08:52:13 2015) [sssd] [sysdb_domain_init_internal] (0x0200): DB File for szilva: /var/lib/sss/db/cache_szilva.ldb

So we know that the sysdb is /var/lib/sss/db/cache_szilva.ldb

Running the exact same query seen above in the sssd_sudo.log against the db returns:

ldbsearch -H /var/lib/sss/db/cache_szilva.ldb "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))"
asq: Unable to register control with rootdse!
# record 1
dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
cn: Doma_ls
dataExpireTimestamp: 1441830262
entryUSN: 20521
name: Doma_ls
objectClass: sudoRule
originalDN: cn=Doma_ls,ou=sudoers,dc=szilva
sudoCommand: ls
sudoHost: nappali.szilva
sudoRunAsGroup: ALL
sudoRunAsUser: ALL
sudoUser: doma
distinguishedName: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals

This confirms that the entry is indeed there in the db. Why is it found with ldbsearch and why does sssd_sudo not find it? I am pretty much stuck with this one. Anyone has an idea?
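The following is an added example written for this page; it is not code from the thread, from sssd or from sudo. It replays, on the ldbsearch record quoted in the original post (embedded below as constructed input), the two checks that the thread walks through: first the sudoUser filter that the sssd sudo responder sends to the sysdb, which does find the entry, and then the sudoHost comparison that Molnár describes for sudo's hostname_matches (a dotted sudoHost is compared with the FQDN, an undotted one with the short host name), which is where the rule for "nappali.szilva" is lost when sudo only knows the short name "nappali". The helper names, the handling of ALL and "+netgroup" values and the case-insensitive comparison are this example's own assumptions, not taken from either project's source.

```python
"""Added example: replay the cache-side user filter and the sudo-side host
check for an IPA sudo rule, using the record quoted in the thread.

Nothing here is sssd or sudo code; the host logic follows the description
in the thread (dotted sudoHost -> compare with FQDN, otherwise with the
short name) and is an assumption about how those comparisons behave.
"""

# Constructed input: the ldbsearch output from the original post.
CACHE_LDIF = """\
# record 1
dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
cn: Doma_ls
dataExpireTimestamp: 1441830262
entryUSN: 20521
name: Doma_ls
objectClass: sudoRule
originalDN: cn=Doma_ls,ou=sudoers,dc=szilva
sudoCommand: ls
sudoHost: nappali.szilva
sudoRunAsGroup: ALL
sudoRunAsUser: ALL
sudoUser: doma
distinguishedName: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals
"""


def parse_ldif(text):
    """Parse ldbsearch/LDIF output into a list of {attribute: [values]} dicts.
    Comment lines are skipped; a blank line terminates an entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def user_filter_matches(rule, user, uid, groups):
    """Mirror the sudoUser alternatives in the responder's sysdb filter:
    ALL, the user name, #uid, %group for each group, and any +netgroup
    (the filter uses sudoUser=+* and leaves netgroup evaluation to sudo)."""
    wanted = {"ALL", user, "#%d" % uid} | {"%" + g for g in groups}
    for value in rule.get("sudoUser", []):
        if value in wanted or value.startswith("+"):
            return True
    return False


def host_matches(rule_host, user_host, user_shost):
    """Host check as the thread describes sudo's hostname_matches():
    a dotted sudoHost is compared with the FQDN (user_host), an undotted
    one with the short name (user_shost).  Assumption: comparison is
    case-insensitive, as host names are."""
    if rule_host == "ALL":
        return True
    candidate = user_host if "." in rule_host else user_shost
    return rule_host.lower() == candidate.lower()


def applicable_rules(ldif, user, uid, groups, user_host, user_shost):
    """Names of cached sudoRule entries that pass both the user filter
    (what sssd's responder returns) and the host check (what sudo keeps)."""
    names = []
    for rule in parse_ldif(ldif):
        if "sudoRule" not in rule.get("objectClass", []):
            continue
        if not user_filter_matches(rule, user, uid, groups):
            continue
        hosts = rule.get("sudoHost", [])
        if any(host_matches(h, user_host, user_shost) for h in hosts):
            names.extend(rule["name"])
    return names


if __name__ == "__main__":
    groups = ["ipausers", "picture_access", "doma"]
    # Before the fix: hostname(1) and hostname --fqdn both report "nappali",
    # so user_host and user_shost are both the short name.
    print(applicable_rules(CACHE_LDIF, "doma", 181643, groups, "nappali", "nappali"))
    # After "hostnamectl set-hostname nappali.szilva": the FQDN is available.
    print(applicable_rules(CACHE_LDIF, "doma", 181643, groups, "nappali.szilva", "nappali"))
```

The first call returns an empty list and the second returns the Doma_ls rule, which is the difference between "doma is not allowed to run sudo on nappali" and the working `sudo ls` in the thread: the responder's query was never the problem, the host comparison was. To check a host without the script, compare `hostname --fqdn` with the sudoHost values shown by `ipa sudorule-show` (or by the ldbsearch above); the thread's point is that they have to agree in form, all FQDN or all short, and that sudo has no way to apply an ipa_hostname override here.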