On (13/11/17 11:20), Andrea Passuello wrote:
>Thanks all for the answers.
>
>This is the debug with level=10.
>
>
>(Mon Nov 13 10:35:40 2017) [sssd[be[MYDOMAIN.COM]]] [sbus_dispatch]
>(0x4000): dbus conn: 0xe76180
>(Mon Nov 13 10:35:40 2017) [sssd[be[MYDOMAIN.COM]]] [sbus_dispatch]
>(0x4000): Dispatching.
>(Mon Nov 13 10:35:40 2017) [sssd[be[MYDOMAIN.COM]]] [sbus_message_handler]
>(0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path
>/org/freedesktop/sssd/service
>(Mon Nov 13 10:35:40 2017) [sssd[be[MYDOMAIN.COM]]]
>[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>
>==> sssd_sudo.log <==
>(Mon Nov 13 10:35:47 2017) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle
>timer re-set for client [0x1f4b430][19]
>(Mon Nov 13 10:35:47 2017) [sssd[sudo]] [client_recv] (0x0200): Client
>disconnected!
>(Mon Nov 13 10:35:47 2017) [sssd[sudo]] [client_destructor] (0x2000):
>Terminated client [0x1f4b430][19]
>
>==> sssd_MYDOMAIN.COM.log <==
>(Mon Nov 13 10:35:50 2017) [sssd[be[MYDOMAIN.COM]]] [sbus_dispatch]
>(0x4000): dbus conn: 0xe76180
>(Mon Nov 13 10:35:50 2017) [sssd[be[MYDOMAIN.COM]]] [sbus_dispatch]
>(0x4000): Dispatching.
>(Mon Nov 13 10:35:50 2017) [sssd[be[MYDOMAIN.COM]]] [sbus_message_handler]
>(0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path
>/org/freedesktop/sssd/service
>(Mon Nov 13 10:35:50 2017) [sssd[be[MYDOMAIN.COM]]]
>[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>
>==> sssd_sudo.log <==
>(Mon Nov 13 10:35:50 2017) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus
>conn: 0x1f3d6d0
>(Mon Nov 13 10:35:50 2017) [sssd[sudo]] [sbus_dispatch] (0x4000):
>Dispatching.
>(Mon Nov 13 10:35:50 2017) [sssd[sudo]] [sbus_message_handler] (0x2000):
>Received SBUS method org.freedesktop.sssd.service.ping on path
>/org/freedesktop/sssd/service
>(Mon Nov 13 10:35:50 2017) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000):
>Not a sysbus message, quit
>
You didn't provide sudo logs, only sssd logs.

>
>This is the output of "sudo -l"
>
>$ sudo -l
>Matching Defaults entries for MYUSER on andrea-X550LA:
> env_reset, mail_badpass, secure_path=/usr/local/sbin\:/
>usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
>
>User MYUSER may run the following commands on andrea-X550LA:
> (root) NOPASSWD: /usr/lib/linuxmint/mintUpdate/checkAPT.py
> (ALL : ALL)
>
OK, sudo says that you are allowed to run some commands. I cannot see any problem.

>
>
>My sudo version is 1.8.16, I think it should be quite up-to-date. Isn't it?
>
>
>If I check the MYUSER's groups I can see the SystemAdmin group that is the
>group I set in LDAP and it's referred to by LDAP's sudoers.
>
>$ groups
>MYUSER adm cdrom dip plugdev lpadmin sambashare wireshark SystemAdmin
>
>
>
>This is the ldapsearch's output
>
>$ ldapsearch -H ldap://LDAPSERVER -b ou=sudoers,dc=MYDOMAIN,dc=COM -ZZ
>'(&(objectClass=sudoRole))' -x
># extended LDIF
>#
># LDAPv3
># base <ou=sudoers,dc=MYDOMAIN,dc=COM> with scope subtree
># filter: (&(objectClass=sudoRole))
># requesting: ALL
>#
>
># SystemAdmin, sudoers, MYDOMAIN.COM
>dn: cn=SystemAdmin,ou=sudoers,dc=MYDOMAIN,dc=COM
>cn: SystemAdmin
>sudoRunAsUser: ALL
>sudoRunAsGroup: ALL
>sudoHost: ALL
>sudoUser: %SystemAdmin
>sudoOrder: 0
>objectClass: sudoRole
>
Ahh, you want to check this rule.
Is that sudo rule stored in the sssd cache?
You can check with ldbsearch:

ldbsearch -H /var/lib/sss/db/cache_${domain}.ldb

The output looks like LDIF, but it is not the same as what is stored in the directory server, because it is the sssd internal cache and not a mirror of the directory server.

BTW, is your user a member of the group SystemAdmin?
Call "id" without any parameters in the same shell as sudo.

I would also recommend checking the sudo logs:
https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html
-> "a) How do I get sudo logs?"

LS
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
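As an added, offline illustration of the check LS suggests (is the user actually in the group that the rule's sudoUser names, and does the rule cover this host?), here is a small Python script that is not sssd or sudo code: it parses the sudoRole LDIF entry from the thread and evaluates it against the posted `groups` output. The functions parse_ldif and rule_applies and the sample data are constructed for this example, and the matching is a simplified model of sudoers semantics (ALL, exact user, %group, case-sensitive; netgroups are flagged, not evaluated).

```python
"""Offline check of an LDAP sudoRole against a user's groups and host, with
simplified sudoers matching (ALL, exact user, %group); netgroups flagged."""
import re

# Constructed LDIF mirroring the cn=SystemAdmin entry from the thread.
SAMPLE_LDIF = """\
# SystemAdmin, sudoers, MYDOMAIN.COM
dn: cn=SystemAdmin,ou=sudoers,dc=MYDOMAIN,dc=COM
cn: SystemAdmin
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoHost: ALL
sudoUser: %SystemAdmin
sudoOrder: 0
objectClass: sudoRole
"""
# Constructed `groups` output for MYUSER, as posted in the thread.
SAMPLE_GROUPS = "MYUSER adm cdrom dip plugdev lpadmin sambashare wireshark SystemAdmin"

def parse_ldif(text):
    """LDIF -> list of {attr: [values]}; comments skipped, leading-space
    continuation lines joined, entries separated by blank lines."""
    unfolded = text.replace("\n ", "")        # join LDIF continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def rule_applies(entry, user, groups, host):
    """(applies, reason) for one sudoRole. Case-sensitive; %group must name
    a group the user belongs to, as listed by `groups` or `id`."""
    for spec in entry.get("sudoUser", []):
        if spec.startswith("+"):
            return False, "netgroup %s not modelled; check it separately" % spec
        if spec == "ALL" or spec == user or (spec[:1] == "%" and spec[1:] in groups):
            break                               # this sudoUser value matches
    else:
        return False, "no sudoUser value matches %s or its groups" % user
    hosts = entry.get("sudoHost", [])
    if "ALL" not in hosts and host not in hosts:
        return False, "sudoHost %s excludes %s" % (hosts, host)
    return True, "sudoUser %s matched; sudoHost %s" % (spec, hosts)
```

Run it against the real `ldapsearch` output and the `id`/`groups` output from the same shell as the failing sudo call; a mismatch in group name spelling or case shows up as a "no sudoUser value matches" result.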
