On Sun, Jun 30, 2019 at 09:31:17AM -0000, Bruno Monteiro wrote:
> Hello,
>
> Below my configuration and errors :)
>
> (I've adapted some strings for the sake of example - domain is not real)
>
> cat /etc/sssd/sssd.conf
> [sssd]
> services = nss, pam,ssh, sudo
> debug_level = 0x7FFF
> domains = LDAP_MY.COM
>
> [sudo]
> debug_level = 0x3ff0
>
> [domain/LDAP_MY.COM]
> debug_level = 0x3ff0
> access_provider = ldap
> id_provider = ldap
> sudo_provider = ldap
> ldap_uri = ldap://<IP>
> ldap_default_bind_dn = <user>@my.com
> ldap_default_authtok = <password>
> ldap_sudo_search_base = OU=SUDOers,DC=my,DC=com
>
> /etc/nsswitch.conf
> ...
> sudoers: sss files
> ....
>
>
> ldbsearch -H /var/lib/sss/db/cache_LDAP_MY.COM/ldb contains Microsoft AD
> records:
>
> # record 2
> dn: name=r2,cn=sudorules,cn=custom,cn=LDAP_MY.COM,cn=sysdb
the config snippet says the sudo search base is ou=sudoers, but the rule example is at cn=sudoers,cn=custom..

> cn: r2
> dataExpireTimestamp: 1561891358
> entryUSN: 245385
> name: r2
> objectClass: sudoRule
> originalDN: CN=r2,OU=SUDOers,DC=my,DC=com
> sudoCommand: ALL
> sudoHost: ALL
> sudoOption: !authenticate
> sudoUser: [email protected]
> distinguishedName: name=r2,cn=sudorules,cn=custom,cn=LDAP_MY.COM,
> cn=sysdb
>
> AD sudoRole is sudoRule in local SSSD DB cache.
>
>
> But getting this below when trying to test 'sudo -l' or 'sudo su'
>
> [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0 rules for
> [[email protected]@my.com]
>
> from /var/log/sssd/sssd_sudo.log
>
> Duplicate domain ?

That's just a minor bug in the debug message (at one point we switched to using qualified names everywhere internally, but some debug messages were qualifying the names on their own..)

>
> I can see the rules being updated in the SSSD cache file from Microsoft AD.
>
> But I cannot use them because maybe some misconfiguration ?

You're using the plain ldap sudo provider, but you're not using case_sensitive=false so you need to make sure the case matches exactly; AD is case-insensitive, but Linux is case-sensitive.

Also, I'm not sure if the plain LDAP provider is able to match the name qualified with the domain name ([email protected]) in sudoUser or only username (Admin).

Posting more context from the logs might be helpful as well.

>
> setup for sudo logs:
> /etc/sudo.conf and put down the following lines:
> Debug sudo /var/log/sudo_debug all@debug
> Debug sudoers.so /var/log/sudo_debug all@debug
>
> from /var/log/sudo_debug I have this:
> ...
> user_in_group: user [email protected] NOT in group sudo
> ...
>
> Thx a lot!
>
> Cheers!
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
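Added example (not part of the thread, and not SSSD's own code): a small Python check that parses an ldbsearch record in the shape quoted above and compares each sudoUser value against a local user name under the two comparison modes the reply contrasts. The record is a constructed sample modelled on the one in the thread (placeholder values, Admin@my.com and %Linux-Admins are made up); the sudo_user_matches function is a deliberately simplified model of name matching, an assumption for illustration rather than the provider's real logic. It lets an administrator see, offline, whether a cached rule fails only because of case (the case_sensitive domain option in sssd.conf would change that) or because the rule carries a domain-qualified name while the local account does not.

```python
# Constructed sample: an ldbsearch record in the shape shown in the thread.
# Values are placeholders, not from any real directory.
SAMPLE_RECORD = """\
# record 2
dn: name=r2,cn=sudorules,cn=custom,cn=LDAP_MY.COM,cn=sysdb
cn: r2
objectClass: sudoRule
originalDN: CN=r2,OU=SUDOers,DC=my,DC=com
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoUser: Admin@my.com
sudoUser: %Linux-Admins
distinguishedName: name=r2,cn=sudorules,cn=custom,cn=LDAP_MY.COM,
 cn=sysdb
"""


def parse_ldif_record(text):
    """Parse one LDIF-style record into {attribute: [values]}.

    Comment lines ('#') are skipped and folded lines (continuations that
    start with a single space, as in the distinguishedName above) are joined.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)
    attrs = {}
    for line in logical:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def sudo_user_matches(rule_user, local_user, case_sensitive=True):
    """Simplified model (an assumption, not SSSD's matching code) of how a
    sudoUser value is compared with the invoking user's name.

    Group (%) and netgroup (+) entries need membership lookups and are
    treated as non-matching here; ALL matches everyone.
    """
    if rule_user.startswith(("%", "+")):
        return False
    if rule_user == "ALL":
        return True
    if case_sensitive:
        return rule_user == local_user
    return rule_user.lower() == local_user.lower()


def check_rule(record_text, local_user, case_sensitive=True):
    """Return (matched, findings) for one cached rule and one local user name.

    findings explains near-misses: a value that differs only by case, or a
    domain-qualified value whose user part equals the local name.
    """
    attrs = parse_ldif_record(record_text)
    matched = False
    findings = []
    for value in attrs.get("sudoUser", []):
        if sudo_user_matches(value, local_user, case_sensitive):
            matched = True
        elif sudo_user_matches(value, local_user, case_sensitive=False):
            findings.append(
                f"sudoUser {value!r} differs from {local_user!r} only by case; "
                "case_sensitive = false in the [domain/...] section would make it match")
        elif "@" in value and value.split("@", 1)[0].lower() == local_user.lower():
            findings.append(
                f"sudoUser {value!r} is domain-qualified but the local user is {local_user!r}")
    return matched, findings


if __name__ == "__main__":
    for user, cs in (("admin@my.com", True), ("admin@my.com", False), ("admin", True)):
        ok, notes = check_rule(SAMPLE_RECORD, user, cs)
        print(f"user={user!r} case_sensitive={cs}: matched={ok}")
        for note in notes:
            print("  -", note)
```

Run it as-is to see the three cases: an exact-case mismatch under case-sensitive comparison, the same name matching once case is ignored, and a bare local name failing against a domain-qualified sudoUser. In a real deployment the equivalent check is to compare the sudoUser values printed by ldbsearch against the output of id -un on the client before touching sssd.conf.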
