Hello. SSSD 1.15.2-50 on CentOS 7. I'm trying to grant sudo access to members of a known AD group (say, "linux_admin"), but with no success: "<user> is not allowed to run sudo on <host>. This incident will be reported." I can't understand why, since according to sssd_domain.log the group and its members are found?
My configuration:

/etc/sudoers:

    %wheel ALL=(ALL) ALL
    %linux_admin ALL=(ALL) ALL

Part of /etc/sssd/sssd.conf:

    sudo_provider = ldap

Part of the sudo_debug log:

    sudo[1069] sudo_getgrnam: group linux_admin [] -> gid 10001 [] (cached)
    ...
    sudo[1069] sudo_get_gidlist: looking up group IDs for testadmin
    ...
    sudo[1069] user_in_group: user testadmin NOT in group linux_admin

Part of sssd_testdomain.com.log:

    [sssd[be[testdomain.com]]] [dp_get_account_info_handler] (0x0200): Got request for [0x2][BE_REQ_GROUP][linux_admin@testdomain.com]
    [sssd[be[testdomain.com]]] [dp_attach_req] (0x0400): DP Request [Account #11]: New request. Flags [0x0001].
    [sssd[be[testdomain.com]]] [dp_attach_req] (0x0400): Number of active DP request: 1
    [sssd[be[testdomain.com]]] [sss_domain_get_state] (0x1000): Domain testdomain.com is Active
    [sssd[be[testdomain.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=users,dc=testdomain,dc=com]
    [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=linux_admin)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=users,dc=testdomain,dc=com].
    [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
    [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
    [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
    [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
    [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUid]
    [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
    [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
    [sssd[be[testdomain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=linux_admin,CN=Users,DC=testdomain,DC=com].
    [sssd[be[testdomain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
    [sssd[be[testdomain.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
    [sssd[be[testdomain.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ
    [sssd[be[testdomain.com]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
    [sssd[be[testdomain.com]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
    [sssd[be[testdomain.com]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success]
    [sssd[be[testdomain.com]]] [sdap_get_primary_name] (0x0400): Processing object linux_admin
    [sssd[be[testdomain.com]]] [sdap_save_group] (0x0400): Processing group linux_admin@testdomain.com
    [sssd[be[testdomain.com]]] [sdap_process_ghost_members] (0x0400): The group has 1 members
    [sssd[be[testdomain.com]]] [sdap_process_ghost_members] (0x0400): Group has 1 members
    [sssd[be[testdomain.com]]] [sdap_save_group] (0x0400): Storing info for group linux_admin@testdomain.com
    [sssd[be[testdomain.com]]] [sysdb_store_group] (0x1000): The group record of linux_admin@testdomain.com did not change, only updated the timestamp cache
    [sssd[be[testdomain.com]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success]
    [sssd[be[testdomain.com]]] [sdap_save_grpmem] (0x0400): Failed to get group sid
    [sssd[be[testdomain.com]]] [sdap_get_primary_name] (0x0400): Processing object linux_admin
    [sssd[be[testdomain.com]]] [sdap_save_grpmem] (0x0400): Processing group linux_admin@testdomain.com
    [sssd[be[testdomain.com]]] [sdap_save_grpmem] (0x0400): Adding member users to group [linux_admin@testdomain.com]
    [sssd[be[testdomain.com]]] [sdap_fill_memberships] (0x0080): Member [testadmin] is it out of domain scope?
    [sssd[be[testdomain.com]]] [sdap_fill_memberships] (0x0080): Member [testadmin] was not found in cache. Is it out of scope?
    [sssd[be[testdomain.com]]] [sysdb_set_entry_attr] (0x0200): Entry [name=linux_admin@testdomain.com,cn=groups,cn=testdomain.com,cn=sysdb] has set [ts_cache] attrs.
    [sssd[be[testdomain.com]]] [dp_req_done] (0x0400): DP Request [Account #11]: Request handler finished [0]: Success
    [sssd[be[testdomain.com]]] [_dp_req_recv] (0x0400): DP Request [Account #11]: Receiving request data.
    [sssd[be[testdomain.com]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #11]: Finished. Success.
    [sssd[be[testdomain.com]]] [dp_req_reply_std] (0x1000): DP Request [Account #11]: Returning [Success]: 0,0,Success

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
