Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1
Hi,Was there any out-come to this? I running: sudo1.8.12-1ubuntu3, which is well behind up to date releases. Many thanks,James Harrison From: James Harrison <jamesaharriso...@yahoo.co.uk> To: "freeipa-users@redhat.com" <freeipa-users@redhat.com>; "pbrez...@redhat.com" <pbrez...@redhat.com> Cc: "pbrez...@redhat.com" <pbrez...@redhat.com> Sent: Monday, 9 January 2017, 15:18 Subject: Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1 Hi All,I have attached three files from running sudo -i on the same machine enrolled into Free IPA. They have the output from various versions of sudo. tail -f sudo_debug, syslog, auth.log and sssd/*.log from /var/log to show chronological order of events. The attached files are: sudo-1.8.19-1.txt --- from Debian sudo-1.8.16-0ubuntu1.2.txt --- Current released Xenial sudo sudo1.8.12-1ubuntu3.txt --- Previous sudo from "wily" https://launchpad.net/ubuntu/wily/amd64/sudo/1.8.12-1ubuntu3 The machine's /etc/sudo.conf has:Debug sudo /var/log/sudo_debug all@debug Debug sudoers.so /var/log/sudo_debug all@debug Plugin sudoers_policy sudoers.so Plugin sudoers_io sudoers.so Hope this helps. Regards,James Harrison From: Lukas Slebodnik <lsleb...@redhat.com> To: James Harrison <jamesaharriso...@yahoo.co.uk> Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>; pbrez...@redhat.com Sent: Monday, 9 January 2017, 13:09 Subject: Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1 On (09/01/17 12:44), James Harrison wrote: >All,debian 1.8.19-1 doesnt work, but Ubuntu 1.8.12-1ubuntu3 does. > Could you provide sudo logs with 1.8.19-1 https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO sssd log files will be helpfull as well. LS -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1
On (09/01/17 12:44), James Harrison wrote: >All,debian 1.8.19-1 doesnt work, but Ubuntu 1.8.12-1ubuntu3 does. > Could you provide sudo logs with 1.8.19-1 https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO sssd log files will be helpfull as well. LS -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1
All,debian 1.8.19-1 doesnt work, but Ubuntu 1.8.12-1ubuntu3 does. James From: Lukas Slebodnik <lsleb...@redhat.com> To: James Harrison <jamesaharriso...@yahoo.co.uk> Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com> Sent: Saturday, 7 January 2017, 15:34 Subject: Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1 On (06/01/17 17:15), James Harrison wrote: >Any ideas? > From: James Harrison <jamesaharriso...@yahoo.co.uk> > To: "freeipa-users@redhat.com" <freeipa-users@redhat.com> > Sent: Thursday, 5 January 2017, 13:36 > Subject: FreeIPA sudo not working on ububtu xenial sssd version > 1.13.4-1ubuntu1.1 > >Hi all,I having problems with a FreeIPA client running Ububtu Xenial. >I can authenticate OK, I get a kerberos ticket, but cannot run sudo. >I get 1 rule returned, which I expect. >Many thanks,James Harrison > > >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning >info for user [x_james.harri...@domain.com] >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x0400): >Retrieving rules for [x_james.harrison] from [domain.com] >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event >"ltdb_callback": 0x1c11d70 >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] >(0x0200): Searching sysdb with >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*))(&(dataExpireTimestamp<=1483618197)))] >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to >get sudo rules from cache >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] >(0x0200): Searching sysdb with >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*)))] >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting >rules with higher-wins logic >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] >(0x0400): Returning 1 rules for [x_james.harri...@domain.com] >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle >timer re-set for client [0x1c0e770][18] > Yes, 1 rule was returned for user x_james.harrison. Can you see something in output of "sudo -l" >==> sssd/sssd_pam.log <== >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [get_client_cred] (0x4000): Client >creds: euid[0] egid[1082600012] pid[5470]. >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer >re-set for client [0x2466e50][19] >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [accept_fd_handler] (0x0400): Client >connected! >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer >re-set for client [0x2466e50][19] >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): >Received client version [3]. >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered >version [3]. >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer >re-set for client [0x2466e50][19] > >==> auth.log <== >Jan 5 12:10:17 pul-lp-sql-00 sudo: pam_unix(sudo:auth): authentication >failure; logname=x_james.harrison uid=1082600012 euid=0 tty=/dev/pts/1 >ruser=x_james.harrison rhost= user=x_james.harrison > I do not understand a reason why there is a failure in auth.log; because there isn't sssd_pam.log @see above. >==> sssd/sssd_pam.log <== >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer >re-set for client [0x2466e50][19] >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_cmd_authenticate] (0x0100): >entering pam_cmd_authenticate >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): >name 'x_james.harrison' matched without domain, user is x_james.harrison >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): command: >SSS_PAM_AUTHENTICATE >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: not >set >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): user: >x_james.harrison >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: >/dev/pts/1 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: >x_james.harrison >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not >set >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): aut
Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1
All,1.8.19-1 from Debian does not appear to work too. James From: Lukas Slebodnik <lsleb...@redhat.com> To: James Harrison <jamesaharriso...@yahoo.co.uk> Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com> Sent: Saturday, 7 January 2017, 15:34 Subject: Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1 On (06/01/17 17:15), James Harrison wrote: >Any ideas? > From: James Harrison <jamesaharriso...@yahoo.co.uk> > To: "freeipa-users@redhat.com" <freeipa-users@redhat.com> > Sent: Thursday, 5 January 2017, 13:36 > Subject: FreeIPA sudo not working on ububtu xenial sssd version > 1.13.4-1ubuntu1.1 > >Hi all,I having problems with a FreeIPA client running Ububtu Xenial. >I can authenticate OK, I get a kerberos ticket, but cannot run sudo. >I get 1 rule returned, which I expect. >Many thanks,James Harrison > > >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning >info for user [x_james.harri...@domain.com] >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x0400): >Retrieving rules for [x_james.harrison] from [domain.com] >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event >"ltdb_callback": 0x1c11d70 >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] >(0x0200): Searching sysdb with >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*))(&(dataExpireTimestamp<=1483618197)))] >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to >get sudo rules from cache >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] >(0x0200): Searching sysdb with >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*)))] >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting >rules with higher-wins logic >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] >(0x0400): Returning 1 rules for [x_james.harri...@domain.com] >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle >timer re-set for client [0x1c0e770][18] > Yes, 1 rule was returned for user x_james.harrison. Can you see something in output of "sudo -l" >==> sssd/sssd_pam.log <== >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [get_client_cred] (0x4000): Client >creds: euid[0] egid[1082600012] pid[5470]. >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer >re-set for client [0x2466e50][19] >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [accept_fd_handler] (0x0400): Client >connected! >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer >re-set for client [0x2466e50][19] >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): >Received client version [3]. >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered >version [3]. >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer >re-set for client [0x2466e50][19] > >==> auth.log <== >Jan 5 12:10:17 pul-lp-sql-00 sudo: pam_unix(sudo:auth): authentication >failure; logname=x_james.harrison uid=1082600012 euid=0 tty=/dev/pts/1 >ruser=x_james.harrison rhost= user=x_james.harrison > I do not understand a reason why there is a failure in auth.log; because there isn't sssd_pam.log @see above. >==> sssd/sssd_pam.log <== >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer >re-set for client [0x2466e50][19] >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_cmd_authenticate] (0x0100): >entering pam_cmd_authenticate >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): >name 'x_james.harrison' matched without domain, user is x_james.harrison >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): command: >SSS_PAM_AUTHENTICATE >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: not >set >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): user: >x_james.harrison >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: >/dev/pts/1 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: >x_james.harrison >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not >set >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok
Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1
On (06/01/17 17:15), James Harrison wrote: >Any ideas? > From: James Harrison> To: "freeipa-users@redhat.com" > Sent: Thursday, 5 January 2017, 13:36 > Subject: FreeIPA sudo not working on ububtu xenial sssd version > 1.13.4-1ubuntu1.1 > >Hi all,I having problems with a FreeIPA client running Ububtu Xenial. >I can authenticate OK, I get a kerberos ticket, but cannot run sudo. >I get 1 rule returned, which I expect. >Many thanks,James Harrison > > >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning >info for user [x_james.harri...@domain.com] >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x0400): >Retrieving rules for [x_james.harrison] from [domain.com] >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event >"ltdb_callback": 0x1c11d70 >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] >(0x0200): Searching sysdb with >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*))(&(dataExpireTimestamp<=1483618197)))] >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to >get sudo rules from cache >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] >(0x0200): Searching sysdb with >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*)))] >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting >rules with higher-wins logic >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] >(0x0400): Returning 1 rules for [x_james.harri...@domain.com] >(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle >timer re-set for client [0x1c0e770][18] > Yes, 1 rule was returned for user x_james.harrison. Can you see something in output of "sudo -l" >==> sssd/sssd_pam.log <== >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [get_client_cred] (0x4000): Client >creds: euid[0] egid[1082600012] pid[5470]. >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer >re-set for client [0x2466e50][19] >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [accept_fd_handler] (0x0400): Client >connected! >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer >re-set for client [0x2466e50][19] >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): >Received client version [3]. >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered >version [3]. >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer >re-set for client [0x2466e50][19] > >==> auth.log <== >Jan 5 12:10:17 pul-lp-sql-00 sudo: pam_unix(sudo:auth): authentication >failure; logname=x_james.harrison uid=1082600012 euid=0 tty=/dev/pts/1 >ruser=x_james.harrison rhost= user=x_james.harrison > I do not understand a reason why there is a failure in auth.log; because there isn't sssd_pam.log @see above. >==> sssd/sssd_pam.log <== >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer >re-set for client [0x2466e50][19] >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_cmd_authenticate] (0x0100): >entering pam_cmd_authenticate >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): >name 'x_james.harrison' matched without domain, user is x_james.harrison >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): command: >SSS_PAM_AUTHENTICATE >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: not >set >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): user: >x_james.harrison >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: >/dev/pts/1 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: >x_james.harrison >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not >set >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok >type: 1 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok >type: 0 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 5470 >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: >x_james.harrison >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_ncache_check_str] (0x2000): >Checking negative cache for [NCE/USER/domain.com/x_james.harrison] >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_initgr_check_timeout] (0x4000): >User [x_james.harrison] not found in PAM cache. >(Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_dp_issue_request] (0x0400): >Issuing
Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1
Any ideas? From: James HarrisonTo: "freeipa-users@redhat.com" Sent: Thursday, 5 January 2017, 13:36 Subject: FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1 Hi all,I having problems with a FreeIPA client running Ububtu Xenial. I can authenticate OK, I get a kerberos ticket, but cannot run sudo. I get 1 rule returned, which I expect. Many thanks,James Harrison (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x1c11e30 "ltdb_timeout" (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x1c11d70 "ltdb_callback" (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [x_james.harri...@domain.com] (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [x_james.harrison] from [domain.com] (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1c11d70 (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1c11e30 (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x1c11d70 "ltdb_callback" (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x1c11e30 "ltdb_timeout" (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x1c11d70 "ltdb_callback" (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1c0f550 (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1c1da40 (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x1c0f550 "ltdb_callback" (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x1c1da40 "ltdb_timeout" (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x1c0f550 "ltdb_callback" (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*))(&(dataExpireTimestamp<=1483618197)))] (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1c11d70 (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1c11e30 (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x1c11d70 "ltdb_callback" (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x1c11e30 "ltdb_timeout" (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x1c11d70 "ltdb_callback" (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1c18790 (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1c1b720 (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x1c18790 "ltdb_callback" (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x1c1b720 "ltdb_timeout" (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x1c18790 "ltdb_callback" (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1c12600 (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1c0f550 (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x1c12600 "ltdb_callback" (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x1c0f550 "ltdb_timeout" (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x1c12600 "ltdb_callback" (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*)))] (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1c0f550 (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1c0dfd0 (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x1c0f550 "ltdb_callback" (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x1c0dfd0 "ltdb_timeout" (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x1c0f550 "ltdb_callback" (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [x_james.harri...@domain.com]
Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1
On (05/01/17 15:38), Jakub Hrozek wrote: >On Thu, Jan 05, 2017 at 01:36:56PM +, James Harrison wrote: >> Hi all,I having problems with a FreeIPA client running Ububtu Xenial. >> I can authenticate OK, I get a kerberos ticket, but cannot run sudo. >> I get 1 rule returned, which I expect. >> Many thanks,James Harrison > >I would check if (with the help of ldbsearch against the sssd cache or >with the help of the sudo logs) if the rule is really the one you are >expecting or if it's just the cn=defaults rule. > >If it's just cn=defaults, then I would check if the rules are downloaded >(sssd always downloads all rules applicable for the host IIRC) or if >they just don't match the filter that you can see in the debug message >from sudosrv_get_sudorules_query_cache. Keep in mind that this is a >filter that applies for the sssd cache, not LDAP. > >And lastly, if the rules are downloaded as expected, the sudo rules >would tell you why the rule didn't match. > >All in all, this document: >https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO >describes how to troubleshoot the sudo integration. > Or you might check older thread https://www.redhat.com/archives/freeipa-users/2016-August/msg00489.html LS -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1
On Thu, Jan 05, 2017 at 01:36:56PM +, James Harrison wrote: > Hi all,I having problems with a FreeIPA client running Ububtu Xenial. > I can authenticate OK, I get a kerberos ticket, but cannot run sudo. > I get 1 rule returned, which I expect. > Many thanks,James Harrison I would check if (with the help of ldbsearch against the sssd cache or with the help of the sudo logs) if the rule is really the one you are expecting or if it's just the cn=defaults rule. If it's just cn=defaults, then I would check if the rules are downloaded (sssd always downloads all rules applicable for the host IIRC) or if they just don't match the filter that you can see in the debug message from sudosrv_get_sudorules_query_cache. Keep in mind that this is a filter that applies for the sssd cache, not LDAP. And lastly, if the rules are downloaded as expected, the sudo rules would tell you why the rule didn't match. All in all, this document: https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO describes how to troubleshoot the sudo integration. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project