We found that there was a Sudo change that requires fqdn for hostnames. Older versions used short names. Does having both fqdn and short names make it work?
Sent from my iPhone

> On Dec 22, 2017, at 6:12 AM, Jakub Hrozek <[email protected]> wrote:
>
> EXTERNAL MAIL: [email protected]
>
> Ah, since you're using local sudo rules and not stored in AD, I think only
> the sudo log would be most interesting. Plus, is the user either a member of
> wheel or linux_admin? (iow, do either of these groups show up if you run 'id'
> as the user?)
>
>> On 22 Dec 2017, at 15:09, Jakub Hrozek <[email protected]> wrote:
>>
>> If you follow
>> https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html and
>> generate the sssd logs, does that shed some more light?
>>
>>> On 22 Dec 2017, at 14:48, Viktor Ekl <[email protected]> wrote:
>>>
>>> Hello.
>>>
>>> Sssd 1.15.2-50 on Centos 7. I'm trying to grant sudo access to members of
>>> a known AD group (say, "linux_admin"), but with no success:
>>> "<user> is not allowed to run sudo on <host>. This incident will be
>>> reported"
>>> Can't understand why; according to sssd_domain.log, the group and its members are found?
>>>
>>> My configuration, /etc/sudoers:
>>> %wheel ALL=(ALL) ALL
>>> %linux_admin ALL=(ALL) ALL
>>>
>>> Part of /etc/sssd/sssd.conf:
>>> sudo_provider = ldap
>>>
>>> Part of sudo_debug log:
>>> sudo[1069] sudo_getgrnam: group linux_admin [] -> gid 10001 [] (cached)
>>> ...
>>> sudo[1069] sudo_get_gidlist: looking up group IDs for testadmin
>>> ...
>>> sudo[1069] user_in_group: user testadmin NOT in group linux_admin
>>>
>>> Part of sssd_testdomain.com.log:
>>> [sssd[be[testdomain.com]]] [dp_get_account_info_handler] (0x0200): Got request for [0x2][BE_REQ_GROUP][[email protected]]
>>> [sssd[be[testdomain.com]]] [dp_attach_req] (0x0400): DP Request [Account #11]: New request. Flags [0x0001].
>>> [sssd[be[testdomain.com]]] [dp_attach_req] (0x0400): Number of active DP request: 1
>>> [sssd[be[testdomain.com]]] [sss_domain_get_state] (0x1000): Domain testdomain.com is Active
>>> [sssd[be[testdomain.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=users,dc=testdomain,dc=com]
>>> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=linux_admin)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=users,dc=testdomain,dc=com].
>>> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
>>> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
>>> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
>>> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
>>> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUid]
>>> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
>>> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
>>> [sssd[be[testdomain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=linux_admin,CN=Users,DC=testdomain,DC=com].
>>> [sssd[be[testdomain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
>>> [sssd[be[testdomain.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
>>> [sssd[be[testdomain.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ
>>> [sssd[be[testdomain.com]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
>>> [sssd[be[testdomain.com]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
>>> [sssd[be[testdomain.com]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success]
>>> [sssd[be[testdomain.com]]] [sdap_get_primary_name] (0x0400): Processing object linux_admin
>>> [sssd[be[testdomain.com]]] [sdap_save_group] (0x0400): Processing group [email protected]
>>> [sssd[be[testdomain.com]]] [sdap_process_ghost_members] (0x0400): The group has 1 members
>>> [sssd[be[testdomain.com]]] [sdap_process_ghost_members] (0x0400): Group has 1 members
>>> [sssd[be[testdomain.com]]] [sdap_save_group] (0x0400): Storing info for group [email protected]
>>> [sssd[be[testdomain.com]]] [sysdb_store_group] (0x1000): The group record of [email protected] did not change, only updated the timestamp cache
>>> [sssd[be[testdomain.com]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success]
>>> [sssd[be[testdomain.com]]] [sdap_save_grpmem] (0x0400): Failed to get group sid
>>> [sssd[be[testdomain.com]]] [sdap_get_primary_name] (0x0400): Processing object linux_admin
>>> [sssd[be[testdomain.com]]] [sdap_save_grpmem] (0x0400): Processing group [email protected]
>>> [sssd[be[testdomain.com]]] [sdap_save_grpmem] (0x0400): Adding member users to group [[email protected]]
>>> [sssd[be[testdomain.com]]] [sdap_fill_memberships] (0x0080): Member [testadmin] is it out of domain scope?
>>> [sssd[be[testdomain.com]]] [sdap_fill_memberships] (0x0080): Member [testadmin] was not found in cache. Is it out of scope?
>>> [sssd[be[testdomain.com]]] [sysdb_set_entry_attr] (0x0200): Entry [[email protected],cn=groups,cn=testdomain.com,cn=sysdb] has set [ts_cache] attrs.
>>> [sssd[be[testdomain.com]]] [dp_req_done] (0x0400): DP Request [Account #11]: Request handler finished [0]: Success
>>> [sssd[be[testdomain.com]]] [_dp_req_recv] (0x0400): DP Request [Account #11]: Receiving request data.
>>> [sssd[be[testdomain.com]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #11]: Finished. Success.
>>> [sssd[be[testdomain.com]]] [dp_req_reply_std] (0x1000): DP Request [Account #11]: Returning [Success]: 0,0,Success
>>> _______________________________________________
>>> sssd-users mailing list -- [email protected]
>>> To unsubscribe send an email to [email protected]
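The pattern the thread is chasing (sssd resolves the group, but the member entry is not in its cache, so sudo's `user_in_group` says NOT in group) can be checked mechanically. Added example, not code from the thread or from the SSSD project: it correlates an sssd domain log with a sudo debug log using constructed sample lines modelled on the quoted output (the `example.test` domain and the regexes are assumptions).

```python
import re

# Constructed sample lines, modelled on the thread's output (not copied from it).
SSSD_LOG = """\
[sssd[be[example.test]]] [sdap_save_group] (0x0400): Processing group linux_admin@example.test
[sssd[be[example.test]]] [sdap_process_ghost_members] (0x0400): The group has 1 members
[sssd[be[example.test]]] [sdap_fill_memberships] (0x0080): Member [testadmin] is it out of domain scope?
[sssd[be[example.test]]] [sdap_fill_memberships] (0x0080): Member [testadmin] was not found in cache. Is it out of scope?
"""
SUDO_LOG = """\
sudo[1069] sudo_getgrnam: group linux_admin [] -> gid 10001 [] (cached)
sudo[1069] sudo_get_gidlist: looking up group IDs for testadmin
sudo[1069] user_in_group: user testadmin NOT in group linux_admin
"""

# Assumed message formats, taken from the lines above.
GROUP_RE = re.compile(r"\[sdap_save_group\] \(0x[0-9a-f]+\): Processing group (\S+)")
COUNT_RE = re.compile(r"\[sdap_process_ghost_members\] .*?: The group has (\d+) members")
MISSING_RE = re.compile(r"\[sdap_fill_memberships\] .*?: Member \[([^\]]+)\] was not found in cache")
NOTIN_RE = re.compile(r"user_in_group: user (\S+) NOT in group (\S+)")

def parse_sssd(text):
    """Map each saved group to its member count and the members sssd could not resolve."""
    groups, current = {}, None
    for line in text.splitlines():
        if m := GROUP_RE.search(line):
            current = m.group(1)
            groups.setdefault(current, {"members": 0, "missing": []})
        elif current and (m := COUNT_RE.search(line)):
            groups[current]["members"] = int(m.group(1))
        elif current and (m := MISSING_RE.search(line)):
            groups[current]["missing"].append(m.group(1))
    return groups

def parse_sudo(text):
    """Set of (user, group) pairs that sudo's group check rejected."""
    return {(m.group(1), m.group(2)) for m in map(NOTIN_RE.search, text.splitlines()) if m}

def diagnose(sssd_text, sudo_text):
    """One finding per sudo rejection whose group sssd saved without resolving that member."""
    groups = parse_sssd(sssd_text)
    findings = []
    for user, short in parse_sudo(sudo_text):
        for fq, info in groups.items():
            if fq.split("@")[0] == short and user in info["missing"]:
                findings.append(f"{user}: sssd found group {fq} with {info['members']} member(s) "
                                f"but could not resolve member [{user}] in its cache, so sudo "
                                f"sees {user} outside {short}; check 'id {user}' and the user lookup.")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(SSSD_LOG, SUDO_LOG)) or "no correlated findings")
```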
