Re: [Freeipa-users] Sudo entry not found by sssd in the cache db

2015-10-01 Thread Molnár Domokos

"Pavel Březina" wrote:
>On 09/15/2015 09:10 AM, Molnár Domokos wrote:
>>"Molnár Domokos" wrote:
>>On 09/14/2015 03:08 PM, Pavel Březina wrote:
>>>On 09/11/2015 02:40 PM, Molnár Domokos wrote:
>>>>Full log attached.
>>>>"Molnár Domokos" wrote:
>>>>"Pavel Březina" wrote:
>>>>On 09/09/2015 09:31 PM, Molnár Domokos wrote:
>>>> > I have a working IPA server and a working client config on an OpenSuse
>>>> > 13.2 with the following versions:
>>>> > nappali:~ # rpm -qa |grep sssd
>>>> > sssd-tools-1.12.2-3.4.1.i586
>>>> > sssd-krb5-1.12.2-3.4.1.i586
>>>> > python-sssd-config-1.12.2-3.4.1.i586
>>>> > sssd-ipa-1.12.2-3.4.1.i586
>>>> > sssd-1.12.2-3.4.1.i586
>>>> > sssd-dbus-1.12.2-3.4.1.i586
>>>> > sssd-krb5-common-1.12.2-3.4.1.i586
>>>> > sssd-ldap-1.12.2-3.4.1.i586
>>>> > sssd is configured for nss, pam, sudo
>>>> > There is a test sudo rule defined in the ipa server, which applies to
>>>> > user "doma".  However when the user tries to use sudo the rule does not
>>>> > work.
>>>> > doma@nappali:/home/doma> sudo ls
>>>> > doma's password:
>>>> > doma is not allowed to run sudo on nappali.  This incident will be reported.
>>>> > The corresponding log in the sssd_sudo.log is this:
>>>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
>>>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
>>>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
>>>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
>>>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [doma] from []
>>>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma@szilva]
>>>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
>>>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
>>>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
>>>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'doma' matched without domain, user is doma
>>>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [doma] from []
>>>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [doma@szilva]
>>>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
>>>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))]
>>>> > (Wed Sep  9 21:25:30 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
>>>> > This seems perfectly OK with one exception. The query against the sysdb
>>>> > does not find the entry. This is strange because the entry is there.

Re: [Freeipa-users] Sudo entry not found by sssd in the cache db

2015-09-29 Thread Pavel Březina

On 09/15/2015 09:10 AM, Molnár Domokos wrote:
"Molnár Domokos" wrote:
On 09/14/2015 03:08 PM, Pavel Březina wrote:
On 09/11/2015 02:40 PM, Molnár Domokos wrote:
Full log attached.
"Molnár Domokos" wrote:
"Pavel Březina" wrote:
On 09/09/2015 09:31 PM, Molnár Domokos wrote:
 > Log in sssd.log:
 > (Wed Sep  2 08:52:13 2015) [sssd] [sysdb_domain_init_internal] (0x0200): DB File for szilva: /var/lib/sss/db/cache_szilva.ldb
 > So we know that the sysdb is /var/lib/sss/db/cache_szilva.ldb
 > Running the exact same query seen above in the sssd_sudo.log against the db returns:
 > ldbsearch -H /var/lib/sss/db/cache_szilva.ldb
 >


Re: [Freeipa-users] Sudo entry not found by sssd in the cache db

2015-09-15 Thread Jakub Hrozek
On Tue, Sep 15, 2015 at 07:25:17AM +0200, Molnár Domokos wrote:

Re: [Freeipa-users] Sudo entry not found by sssd in the cache db

2015-09-15 Thread Molnár Domokos
 
Jakub Hrozek wrote:

Re: [Freeipa-users] Sudo entry not found by sssd in the cache db

2015-09-15 Thread Molnár Domokos

"Molnár Domokos" wrote:
>On 09/14/2015 03:08 PM, Pavel Březina wrote:
>>On 09/11/2015 02:40 PM, Molnár Domokos wrote:
>>>Full log attached.
>>>"Molnár Domokos" wrote:
>>>"Pavel Březina" wrote:
>>>On 09/09/2015 09:31 PM, Molnár Domokos wrote:
>>> > Log in sssd.log:
>>> > (Wed Sep  2 08:52:13 2015) [sssd] [sysdb_domain_init_internal] (0x0200): DB File for szilva: /var/lib/sss/db/cache_szilva.ldb
>>> > So we know that the sysdb is /var/lib/sss/db/cache_szilva.ldb
>>> > Running the exact same query seen above in the sssd_sudo.log against the db returns:
>>> > ldbsearch -H /var/lib/sss/db/cache_szilva.ldb "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))"
>>> >

Re: [Freeipa-users] Sudo entry not found by sssd in the cache db

2015-09-15 Thread Jakub Hrozek
On Tue, Sep 15, 2015 at 09:13:09AM +0200, Molnár Domokos wrote:
> Jakub Hrozek wrote:
> >On Tue, Sep 15, 2015 at 07:25:17AM +0200, Molnár Domokos wrote:
> >> On 09/14/2015 03:08 PM, Pavel Březina wrote:
> >> >On 09/11/2015 02:40 PM, Molnár Domokos wrote:
> >> >>Full log attached.
> >> >>"Molnár Domokos" wrote:
> >> >>"Pavel Březina" wrote:
> >> >>On 09/09/2015 09:31 PM, Molnár Domokos wrote:

Re: [Freeipa-users] Sudo entry not found by sssd in the cache db

2015-09-15 Thread Molnár Domokos
 
Jakub Hrozek wrote:
>On Tue, Sep 15, 2015 at 09:13:09AM +0200, Molnár Domokos wrote:
>> Jakub Hrozek wrote:
>> >On Tue, Sep 15, 2015 at 07:25:17AM +0200, Molnár Domokos wrote:
>> >> On 09/14/2015 03:08 PM, Pavel Březina wrote:
>> >> >On 09/11/2015 02:40 PM, Molnár Domokos wrote:
>> >> >>Full log attached.
>> >> >>"Molnár Domokos" wrote:
>> >> >>"Pavel Březina" wrote:
>> >> >>On 09/09/2015 09:31 PM, Molnár Domokos wrote:

Re: [Freeipa-users] Sudo entry not found by sssd in the cache db

2015-09-15 Thread Jakub Hrozek
On Tue, Sep 15, 2015 at 01:58:07PM +0300, Alexander Bokovoy wrote:
> On Tue, 15 Sep 2015, Molnár Domokos wrote:
> >>#hostnamectl set-hostname nappali.silva
> >>on modern systems.
> >>
> >>>doma@nappali:/home/doma> hostname --fqdn
> >>>nappali.szilva
> >doma@nappali:/home/doma> su
> >Password:
> >nappali:/home/doma # hostnamectl set-hostname nappali.szilva
> >nappali:/home/doma # hostname
> >nappali.szilva
> >nappali:/home/doma # hostname --fqdn
> >nappali.szilva
> >nappali:/home/doma # su doma
> >sh-4.2$ sudo ls
> >doma's password:
> >20140921.ZIP
> >Oracle_VM_VirtualBox_Extension_Pack-4.3.26-98988.vbox-extpack
> >42646515_eb8d7dcabe416247463f1bc8652adced.pdf
> > Now it works, the rule is matched. I'm not sure this is the
> > intended way especially seeing the fqdn mechanism in the sudo code
> > but I'll just keep it that way. Thank you.
> sudo doesn't do normalization and IPA's way of exposing host names is
> by using by default fqdn. So sudo compares local hostname with
> fqdn-based one, guess which way it will succeed?
> 
> You theoretically could have every hostname in IPA registered non-fqdn
> but what you cannot have is a mix between fqdn- and non-fqdn names.

You can have registered a different hostname with IPA than what
hostname(1) reports, we have an ipa_hostname parameter for that. But
there's no way for sudo to learn about it..

> -- 
> / Alexander Bokovoy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Sudo entry not found by sssd in the cache db

2015-09-15 Thread Molnár Domokos

On 09/15/2015 01:37 PM, Jakub Hrozek wrote:
>On Tue, Sep 15, 2015 at 01:58:07PM +0300, Alexander Bokovoy wrote:
>>On Tue, 15 Sep 2015, Molnár Domokos wrote:
>>>>#hostnamectl set-hostname nappali.silva
>>>>on modern systems.
>>>>
>>>>>doma@nappali:/home/doma> hostname --fqdn
>>>>>nappali.szilva
>>>doma@nappali:/home/doma> su
>>>Password:
>>>nappali:/home/doma # hostnamectl set-hostname nappali.szilva
>>>nappali:/home/doma # hostname
>>>nappali.szilva
>>>nappali:/home/doma # hostname --fqdn
>>>nappali.szilva
>>>nappali:/home/doma # su doma
>>>sh-4.2$ sudo ls
>>>doma's password:
>>>20140921.ZIP
>>>Oracle_VM_VirtualBox_Extension_Pack-4.3.26-98988.vbox-extpack
>>>42646515_eb8d7dcabe416247463f1bc8652adced.pdf
>>>Now it works, the rule is matched. I'm not sure this is the
>>>intended way especially seeing the fqdn mechanism in the sudo code
>>>but I'll just keep it that way. Thank you.
>>
>>sudo doesn't do normalization and IPA's way of exposing host names is
>>by using by default fqdn. So sudo compares local hostname with fqdn-based
>>one, guess which way it will succeed? You theoretically could have every
>>hostname in IPA registered non-fqdn but what you cannot have is a mix between
>>fqdn- and non-fqdn names.
>
>You can have registered a different hostname with IPA than what hostname(1)
>reports, we have an ipa_hostname parameter for that. But there's no way
>for sudo to learn about it..
You may well be right but I still think this is a bug in the sudo/sssd plugin.
Here's why I think so:

@line 582 in sssd.c, when calling hostname_matches, it is a clear intention of
the code that the hostname matching is done both against the fqdn and the naked
hostname.

@lines 773-790 the implementation of hostname_matches(..) is done correctly. It
guesses intelligently and chooses to match either against the fqdn or the naked
hostname based on the format of the hostname provided by IPA. If there is a
'.' in the IPA-provided hostname then the hostname is compared to the
fqdn, otherwise it is compared to the bare hostname.

@line 805 in sudoers.c in set_fqdn the fqdn is correctly retrieved for the host
during initialization - so sudo is indeed aware of both host name versions. I
tested this part and it works OK.

The bug - I think - is that the information correctly retrieved during init
through set_fqdn in sudoers.c somehow does not make its way to line 582 in
sssd.c. There both user_shost and user_host seem to contain the naked hostname
unless the bare hostname contains the fqdn itself.

I do not have enough time to find out why this happens but the above evidence
suggests that there is a bug somewhere in the process.
 -- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
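The host-name matching the analysis above describes (a sudoHost value containing a dot is compared with the long host name, otherwise with the short one, and sudo derives both from what the kernel reports) can be reproduced without sudo by running the same decision over the cached rule record that ldbsearch printed in the original post. The following is an added example, not code from the thread, from sssd or from sudo: the ldbsearch output is a constructed sample shaped like the record in the original post, the uid 181643 and the group names are taken from the sssd search filter quoted in the thread, and the parser and matching functions are simplified stand-ins for the real sudo/sssd code paths, not their implementation.

```python
"""Added example: evaluate a cached IPA sudoRule against a user and the local
host names the way the thread describes the sudo sssd plugin doing it.
Not code from sssd, sudo or the mailing-list thread."""

# Constructed sample, shaped like the ldbsearch output in the original post.
SAMPLE_LDB_OUTPUT = """\
# record 1
dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
cn: Doma_ls
dataExpireTimestamp: 1441830262
name: Doma_ls
objectClass: sudoRule
originalDN: cn=Doma_ls,ou=sudoers,dc=szilva
sudoCommand: ls
sudoHost: nappali.szilva
sudoRunAsGroup: ALL
sudoRunAsUser: ALL
sudoUser: doma

# returned 1 records
# 1 entries
# 0 referrals
"""


def parse_ldb_records(text):
    """Parse ldbsearch (LDIF-style) output into a list of {attr: [values]}.
    Lines starting with '#' are comments; a blank line ends a record."""
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(": ")
        if sep:
            current.setdefault(attr, []).append(value)
    if current:
        records.append(current)
    return records


def local_host_names(hostname_output):
    """Derive (short, long) host names the way sudo derives user_shost and
    user_host from gethostname(): the long name is what the kernel reports,
    the short name is everything before the first dot. When the kernel only
    knows 'nappali', both names are 'nappali' (the situation in the thread)."""
    long_name = hostname_output.strip()
    short_name = long_name.split(".", 1)[0]
    return short_name, long_name


def hostname_matches(sudo_host, shost, lhost):
    """A sudoHost containing a dot is compared with the long name, otherwise
    with the short name (the choice described in the thread); 'ALL' always
    matches. Comparison is case-insensitive, as host names are."""
    if sudo_host == "ALL":
        return True
    candidate = lhost if "." in sudo_host else shost
    return sudo_host.lower() == candidate.lower()


def user_matches(sudo_user, user, uid, groups):
    """sudoUser forms seen in the sssd filter: ALL, #uid, %group, plain name."""
    if sudo_user == "ALL":
        return True
    if sudo_user.startswith("#"):
        return sudo_user[1:] == str(uid)
    if sudo_user.startswith("%"):
        return sudo_user[1:] in groups
    return sudo_user == user


def rule_matches(rule, user, uid, groups, shost, lhost):
    """True when some sudoUser value and some sudoHost value of the rule match."""
    users_ok = any(user_matches(u, user, uid, groups) for u in rule.get("sudoUser", []))
    hosts_ok = any(hostname_matches(h, shost, lhost) for h in rule.get("sudoHost", []))
    return users_ok and hosts_ok


def matching_rules(ldb_output, user, uid, groups, hostname_output):
    """Names of the cached sudoRule entries that apply to user on this host."""
    shost, lhost = local_host_names(hostname_output)
    return [r["name"][0] for r in parse_ldb_records(ldb_output)
            if "sudoRule" in r.get("objectClass", [])
            and rule_matches(r, user, uid, groups, shost, lhost)]


if __name__ == "__main__":
    groups = {"ipausers", "picture_access", "doma"}  # group names from the sssd filter
    # Kernel host name is the bare 'nappali': no long name to compare, rule skipped.
    print(matching_rules(SAMPLE_LDB_OUTPUT, "doma", 181643, groups, "nappali"))
    # After 'hostnamectl set-hostname nappali.szilva' the rule matches.
    print(matching_rules(SAMPLE_LDB_OUTPUT, "doma", 181643, groups, "nappali.szilva"))
```

The two calls at the bottom reproduce the before and after states from the thread: with the kernel reporting `nappali`, `sudoHost: nappali.szilva` is compared with a long name that is also just `nappali` and the rule is skipped; once the kernel reports `nappali.szilva`, the long name matches. A practitioner can paste real `ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb '(objectClass=sudoRule)'` output in place of the sample to check which cached rules would match a given user and host name.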

Re: [Freeipa-users] Sudo entry not found by sssd in the cache db

2015-09-15 Thread Alexander Bokovoy

On Tue, 15 Sep 2015, Molnár Domokos wrote:

>>#hostnamectl set-hostname nappali.silva
>>on modern systems.
>>
>>>doma@nappali:/home/doma> hostname --fqdn
>>>nappali.szilva
>doma@nappali:/home/doma> su
>Password:
>nappali:/home/doma # hostnamectl set-hostname nappali.szilva
>nappali:/home/doma # hostname
>nappali.szilva
>nappali:/home/doma # hostname --fqdn
>nappali.szilva
>nappali:/home/doma # su doma
>sh-4.2$ sudo ls
>doma's password:
>20140921.ZIP
>Oracle_VM_VirtualBox_Extension_Pack-4.3.26-98988.vbox-extpack
>42646515_eb8d7dcabe416247463f1bc8652adced.pdf
> Now it works, the rule is matched. I'm not sure this is the
> intended way especially seeing the fqdn mechanism in the sudo code
> but I'll just keep it that way. Thank you.

sudo doesn't do normalization and IPA's way of exposing host names is
by using by default fqdn. So sudo compares local hostname with
fqdn-based one, guess which way it will succeed?

You theoretically could have every hostname in IPA registered non-fqdn
but what you cannot have is a mix between fqdn- and non-fqdn names.
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Sudo entry not found by sssd in the cache db

2015-09-14 Thread Pavel Březina

On 09/11/2015 02:40 PM, Molnár Domokos wrote:

Full log attached.
"Molnár Domokos"  írta:


"Pavel Březina"  írta:

On 09/09/2015 09:31 PM, Molnár Domokos wrote:
 > I have a working IPA server and a working client config on an 
OpenSuse
 > 13.2 with the following versions:
 > nappali:~ # rpm -qa |grep sssd
 > sssd-tools-1.12.2-3.4.1.i586
 > sssd-krb5-1.12.2-3.4.1.i586
 > python-sssd-config-1.12.2-3.4.1.i586
 > sssd-ipa-1.12.2-3.4.1.i586
 > sssd-1.12.2-3.4.1.i586
 > sssd-dbus-1.12.2-3.4.1.i586
 > sssd-krb5-common-1.12.2-3.4.1.i586
 > sssd-ldap-1.12.2-3.4.1.i586
 > sssd is configured for nss, pam, sudo
 > There is a test sudo rule defined in the ipa server, which applies to
 > user "doma".  However when the user tries to use sudo the rule does 
not
 > work.
 > doma@nappali:/home/doma> sudo ls
 > doma's password:
 > doma is not allowed to run sudo on nappali.  This incident will be 
reported.
 > The corresponding log in the sssd_sudo.log is this:
 > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] 
(0x0200):
 > Received client version [1].
 > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] 
(0x0200):
 > Offered version [1].
 > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
 > (0x0200): name 'doma' matched without domain, user is doma
 > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
 > (0x0200): name 'doma' matched without domain, user is doma
 > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] 
[sudosrv_cmd_parse_query_done]
 > (0x0200): Requesting default options for [doma] from []
 > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
 > Requesting info about [doma@szilva]
 > (Wed Sep  9 21:25:25 2015) [sssd[sudo]]
 > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
 > 
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
 > (Wed Sep  9 21:25:25 2015) [sssd[sudo]]
 > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
 > [(&(objectClass=sudoRule)(|(name=defaults)))]
 > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
 > (0x0200): name 'doma' matched without domain, user is doma
 > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
 > (0x0200): name 'doma' matched without domain, user is doma
 > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] 
[sudosrv_cmd_parse_query_done]
 > (0x0200): Requesting rules for [doma] from []
 > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
 > Requesting info about [doma@szilva]
 > (Wed Sep  9 21:25:25 2015) [sssd[sudo]]
 > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
 > 
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
 > (Wed Sep  9 21:25:25 2015) [sssd[sudo]]
 > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
 > 
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))]
 > (Wed Sep  9 21:25:30 2015) [sssd[sudo]] [client_recv] (0x0200): 
Client
 > disconnected!
 > This seems perfectly OK with one exception. The query against the 
sysdb
 > does not find the entry. This is strange because the entry is there.
 > Log in sssd.log:
 > (Wed Sep  2 08:52:13 2015) [sssd] [sysdb_domain_init_internal] 
(0x0200):
 > DB File for szilva: /var/lib/sss/db/cache_szilva.ldb
 > So we know that the sysdb is /var/lib/sss/db/cache_szilva.ldb
 > Running the exact same query seen above in the sssd_sudo.log against 
the
 > db returns:
 > ldbsearch -H /var/lib/sss/db/cache_szilva.ldb
 > 
"(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))"
 > asq: Unable to register control with rootdse!
 > # record 1
 > dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
 > cn: Doma_ls
 > dataExpireTimestamp: 1441830262
 > entryUSN: 20521
 > name: Doma_ls
 > objectClass: sudoRule
 > originalDN: cn=Doma_ls,ou=sudoers,dc=szilva
 > sudoCommand: ls
 > sudoHost: 

Re: [Freeipa-users] Sudo entry not found by sssd in the cache db

2015-09-14 Thread Molnár Domokos
On 09/14/2015 03:08 PM, Pavel Březina wrote:
>On 09/11/2015 02:40 PM, Molnár Domokos wrote:

>>Full log attached.
>>"Molnár Domokos"  írta:
>>
>>
>>"Pavel Březina"  írta:
>>
>>On 09/09/2015 09:31 PM, Molnár Domokos wrote:
>> > I have a working IPA server and a working client config on an 
>> OpenSuse
>> > 13.2 with the following versions:
>> > nappali:~ # rpm -qa |grep sssd
>> > sssd-tools-1.12.2-3.4.1.i586
>> > sssd-krb5-1.12.2-3.4.1.i586
>> > python-sssd-config-1.12.2-3.4.1.i586
>> > sssd-ipa-1.12.2-3.4.1.i586
>> > sssd-1.12.2-3.4.1.i586
>> > sssd-dbus-1.12.2-3.4.1.i586
>> > sssd-krb5-common-1.12.2-3.4.1.i586
>> > sssd-ldap-1.12.2-3.4.1.i586
>> > sssd is configured for nss, pam, sudo
>> > There is a test sudo rule defined in the ipa server, which applies 
>> to
>> > user "doma".  However when the user tries to use sudo the rule 
>> does not
>> > work.
>> > doma@nappali:/home/doma> sudo ls
>> > doma's password:
>> > doma is not allowed to run sudo on nappali.  This incident will be 
>> reported.
>> > The corresponding log in the sssd_sudo.log is this:
>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] 
>> (0x0200):
>> > Received client version [1].
>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] 
>> (0x0200):
>> > Offered version [1].
>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] 
>> [sss_parse_name_for_domains]
>> > (0x0200): name 'doma' matched without domain, user is doma
>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] 
>> [sss_parse_name_for_domains]
>> > (0x0200): name 'doma' matched without domain, user is doma
>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] 
>> [sudosrv_cmd_parse_query_done]
>> > (0x0200): Requesting default options for [doma] from []
>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] 
>> (0x0200):
>> > Requesting info about [doma@szilva]
>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]]
>> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> > 
>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]]
>> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> > [(&(objectClass=sudoRule)(|(name=defaults)))]
>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] 
>> [sss_parse_name_for_domains]
>> > (0x0200): name 'doma' matched without domain, user is doma
>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] 
>> [sss_parse_name_for_domains]
>> > (0x0200): name 'doma' matched without domain, user is doma
>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] 
>> [sudosrv_cmd_parse_query_done]
>> > (0x0200): Requesting rules for [doma] from []
>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] 
>> (0x0200):
>> > Requesting info about [doma@szilva]
>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]]
>> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> > 
>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
>> > (Wed Sep  9 21:25:25 2015) [sssd[sudo]]
>> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> > 
>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))]
>> > (Wed Sep  9 21:25:30 2015) [sssd[sudo]] [client_recv] (0x0200): 
>> Client
>> > disconnected!
>> > This seems perfectly OK with one exception. The query against the 
>> sysdb
>> > does not find the entry. This is strange because the entry is 
>> there.
>> > Log in sssd.log:
>> > (Wed Sep  2 08:52:13 2015) [sssd] [sysdb_domain_init_internal] 
>> (0x0200):
>> > DB File for szilva: /var/lib/sss/db/cache_szilva.ldb
>> > So we know that the sysdb is /var/lib/sss/db/cache_szilva.ldb
>> > Running the exact same query seen above in the sssd_sudo.log 
>> against the
>> > db returns:
>> > ldbsearch -H /var/lib/sss/db/cache_szilva.ldb
>> > 
>> "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))"
>> > asq: Unable to register control with rootdse!
>> > # record 1
>> > dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
>>  

Re: [Freeipa-users] Sudo entry not found by sssd in the cache db

2015-09-11 Thread Pavel Březina

On 09/09/2015 09:31 PM, Molnár Domokos wrote:

I have a working IPA server and a working client config on an OpenSuse
13.2 with the following versions:
nappali:~ # rpm -qa |grep sssd
sssd-tools-1.12.2-3.4.1.i586
sssd-krb5-1.12.2-3.4.1.i586
python-sssd-config-1.12.2-3.4.1.i586
sssd-ipa-1.12.2-3.4.1.i586
sssd-1.12.2-3.4.1.i586
sssd-dbus-1.12.2-3.4.1.i586
sssd-krb5-common-1.12.2-3.4.1.i586
sssd-ldap-1.12.2-3.4.1.i586
sssd is configured for nss, pam, sudo
There is a test sudo rule defined in the ipa server, which applies to
user "doma".  However when the user tries to use sudo the rule does not
work.
doma@nappali:/home/doma> sudo ls
doma's password:
doma is not allowed to run sudo on nappali.  This incident will be reported.
The corresponding log in the sssd_sudo.log is this:
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Received client version [1].
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Offered version [1].
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'doma' matched without domain, user is doma
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'doma' matched without domain, user is doma
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting default options for [doma] from []
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [doma@szilva]
(Wed Sep  9 21:25:25 2015) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
(Wed Sep  9 21:25:25 2015) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(name=defaults)))]
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'doma' matched without domain, user is doma
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'doma' matched without domain, user is doma
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting rules for [doma] from []
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [doma@szilva]
(Wed Sep  9 21:25:25 2015) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
(Wed Sep  9 21:25:25 2015) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))]
(Wed Sep  9 21:25:30 2015) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!
This seems perfectly OK with one exception. The query against the sysdb
does not find the entry. This is strange because the entry is there.
Log in sssd.log:
(Wed Sep  2 08:52:13 2015) [sssd] [sysdb_domain_init_internal] (0x0200):
DB File for szilva: /var/lib/sss/db/cache_szilva.ldb
So we know that the sysdb is /var/lib/sss/db/cache_szilva.ldb
Running the exact same query seen above in the sssd_sudo.log against the
db returns:
ldbsearch -H /var/lib/sss/db/cache_szilva.ldb
"(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))"
asq: Unable to register control with rootdse!
# record 1
dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
cn: Doma_ls
dataExpireTimestamp: 1441830262
entryUSN: 20521
name: Doma_ls
objectClass: sudoRule
originalDN: cn=Doma_ls,ou=sudoers,dc=szilva
sudoCommand: ls
sudoHost: nappali.szilva
sudoRunAsGroup: ALL
sudoRunAsUser: ALL
sudoUser: doma
distinguishedName: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
# returned 1 records
# 1 entries
# 0 referrals
This confirms that the entry is indeed there in the db. Why is it found
with ldbsearch and why does sssd_sudo not find it?
I am pretty much stuck with this one. Anyone has an idea?



Hi,
this is strange. Can you provide the logs with debug level set to 0x3ff0 
please? Can you also send it as an attachment? Thanks!


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Sudo entry not found by sssd in the cache db

2015-09-11 Thread Molnár Domokos
 
"Pavel Březina"  írta:
>On 09/09/2015 09:31 PM, Molnár Domokos wrote:
>> I have a working IPA server and a working client config on an OpenSuse
>> 13.2 with the following versions:
>> nappali:~ # rpm -qa |grep sssd
>> sssd-tools-1.12.2-3.4.1.i586
>> sssd-krb5-1.12.2-3.4.1.i586
>> python-sssd-config-1.12.2-3.4.1.i586
>> sssd-ipa-1.12.2-3.4.1.i586
>> sssd-1.12.2-3.4.1.i586
>> sssd-dbus-1.12.2-3.4.1.i586
>> sssd-krb5-common-1.12.2-3.4.1.i586
>> sssd-ldap-1.12.2-3.4.1.i586
>> sssd is configured for nss, pam, sudo
>> There is a test sudo rule defined in the ipa server, which applies to
>> user "doma".  However when the user tries to use sudo the rule does not
>> work.
>> doma@nappali:/home/doma> sudo ls
>> doma's password:
>> doma is not allowed to run sudo on nappali.  This incident will be reported.
>> The corresponding log in the sssd_sudo.log is this:
>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
>> Received client version [1].
>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
>> Offered version [1].
>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
>> (0x0200): name 'doma' matched without domain, user is doma
>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
>> (0x0200): name 'doma' matched without domain, user is doma
>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
>> (0x0200): Requesting default options for [doma] from []
>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
>> Requesting info about [doma@szilva]
>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]]
>> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]]
>> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> [(&(objectClass=sudoRule)(|(name=defaults)))]
>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
>> (0x0200): name 'doma' matched without domain, user is doma
>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
>> (0x0200): name 'doma' matched without domain, user is doma
>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
>> (0x0200): Requesting rules for [doma] from []
>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
>> Requesting info about [doma@szilva]
>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]]
>> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
>> (Wed Sep  9 21:25:25 2015) [sssd[sudo]]
>> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))]
>> (Wed Sep  9 21:25:30 2015) [sssd[sudo]] [client_recv] (0x0200): Client
>> disconnected!
>> This seems perfectly OK with one exception. The query against the sysdb
>> does not find the entry. This is strange because the entry is there.
>> Log in sssd.log:
>> (Wed Sep  2 08:52:13 2015) [sssd] [sysdb_domain_init_internal] (0x0200):
>> DB File for szilva: /var/lib/sss/db/cache_szilva.ldb
>> So we know that the sysdb is /var/lib/sss/db/cache_szilva.ldb
>> Running the exact same query seen above in the sssd_sudo.log against the
>> db returns:
>> ldbsearch -H /var/lib/sss/db/cache_szilva.ldb
>> "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#181643)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))"
>> asq: Unable to register control with rootdse!
>> # record 1
>> dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
>> cn: Doma_ls
>> dataExpireTimestamp: 1441830262
>> entryUSN: 20521
>> name: Doma_ls
>> objectClass: sudoRule
>> originalDN: cn=Doma_ls,ou=sudoers,dc=szilva
>> sudoCommand: ls
>> sudoHost: nappali.szilva
>> sudoRunAsGroup: ALL
>> sudoRunAsUser: ALL
>> sudoUser: doma
>> distinguishedName: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
>> # returned 1 records
>> # 1 entries
>> # 0 referrals
>> This confirms that the entry is indeed there in the db. Why is it found
>> with ldbsearch and why does sssd_sudo not find it?
>> I am pretty much stuck with this one. Anyone has an idea?
>>
>>
>Hi,
>this is strange. Can you provide the logs with debug level set to 0x3ff0 
>please? Can you also send it as an attachment? Thanks!
Sure. Here it is. Now I can see that the rule is returned. The question is why
the rule does not match. Anyway much better :)
(Fri Sep 11 14:19:57 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):