Re: [SSSD-users] sssd_sudo receives 0 rules but ldap search returns 5, what is wrong?

Fri, 18 Jul 2014 08:54:28 -0700 

On 18/07/14 16:18, Jakub Hrozek wrote:

On Thu, Jul 10, 2014 at 11:20:10AM +0100, Rowland Penny wrote:

Any suggest to what I check next??

Sorry for the delayed reply.

Looks like an ACI problem to me, the first search binds as
NETBOOK$@EXAMPLE.COM, the second as
cn=Administrator,cn=Users,dc=example,dc=com
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
ER, could you please expand 'ACI' for me, I haven't a clue what you are talking about ;-)
As for the part that I did understand, from what I have read, the first search is what sssd does and does not get any results, but by searching as the Administrator( and I suppose as any user) all the rules are found.
I have since tried again on a Linux Mint 17 (aka Ubuntu 14.04) laptop with the standard sssd packages and I still cannot get sudo to work, sssd seems to check for sudo rules but does not find any: 

if I examine sssd_example.com.log, I find this:

[sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful
[sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with base [ou=sudoers,dc=example,dc=com] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=ThinkPad)(sudoHost=ThinkPad.example.com)(sudoHost=192.168.0.215)(sudoHost=192.168.0.0/24)(sudoHost=fe80::86a6:c8ff:fe3b:da7b)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))][ou=sudoers,dc=example,dc=com]. 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoCommand]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoHost]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoUser]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOption]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsUser]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsGroup]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotBefore]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotAfter]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOrder]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 6
[sdap_id_op_connect_done] (0x4000): caching successful connection after 2 notifies [be_run_unconditional_online_cb] (0x4000): List of unconditional online callbacks is empty, nothing to do. 

would you like the entire sssd logs for the domain ?
I would like to add that sssd works for users and groups, so it it connecting to AD, it just doesn't seem to want to find any sudo rules. 

I also take it that sssd & sudo work like this:
sudo rules are put into AD, sssd searches AD and pulls any rules that are relevant to the client, sssd then stores these rules in a cache, when the sudo command is run it first reads the sudo files on the client and then (provided it is set in nssswitch.conf) it reads the cache. 

Rowland
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

Reply via email to