On Wed, Apr 08, 2015 at 10:17:59AM +0200, Chamambo Martin wrote:
> I have this log after doing a debug_level=6 in the sudo section and have
> attached a txt file for the ldbsearch -H /var/lib/sss/db/cache_ai.co.zw.ldb 
> 

> (Wed Apr  8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=admin)(sudoUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*))(&(dataExpireTimestamp<=1428480892)))]
> (Wed Apr  8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=admin)(sudoUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*)))]

The above are the cache searches sssd ran.

This is how the sudo rule looks in your cache:
# record 29
dn: name=file-commands,cn=sudorules,cn=custom,cn=ai.co.zw,cn=sysdb
cn: file-commands
dataExpireTimestamp: 1428486013
entryUSN: 28714
name: file-commands
objectClass: sudoRule
originalDN: cn=file-commands,ou=sudoers,dc=ai,dc=co,dc=zw
sudoCommand: /usr/bin/vim
sudoCommand: /usr/bin/less
sudoHost: +mailservers
sudoRunAsGroup: ALL
sudoRunAsUser: admin
sudoRunAsUser: chamambom
sudoRunAsUser: kamoyob
sudoRunAsUser: kumalop
sudoRunAsUser: machangeteb
sudoRunAsUser: masaitit
sudoRunAsUser: masvivic
sudoRunAsUser: matangiraa
sudoRunAsUser: nyahumap
sudoRunAsUser: pedzisail
sudoRunAsUser: tayengwaj
sudoUser: ALL
distinguishedName: name=file-commands,cn=sudorules,cn=custom,cn=ai.co.zw,cn=sysdb

> (Wed Apr  8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
> (0x0400): Returning 1 rules for [ad...@ai.co.zw]

And here we see that the sudo rule was returned from SSSD to sudo. But
then in sudo, it didn't match for some reason. I expect it's because of
the netgroup, can you check if nisdomainname is really set correctly and
getent netgroup mailservers reports the FQDN of your client?

Also, you can enable debugging in sudo itself. See man sudo.conf and search
for the option "Debug". That will show you how exactly sudo matches the rules.


> (Wed Apr  8 10:15:02 2015) [sssd[sudo]] [client_recv] (0x0200): Client
> disconnected!

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
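An added diagnostic script, not from the thread or the SSSD/sudo projects, for the check suggested in the reply: it emulates how a "sudoHost: +netgroup" rule matches the client (host and domain fields of each netgroup triple, following innetgr(3) semantics where an empty field is a wildcard) so the output of getent netgroup, hostname -f and nisdomainname can be compared directly. The netgroup name mailservers, the sample triples and the treatment of "(none)" from nisdomainname are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): emulate sudo's host matching for a
# "sudoHost: +netgroup" rule. A triple (host,user,domain) matches the client
# when host equals the client's FQDN (or is empty) and domain equals the
# client's NIS domain (or either side is empty), as innetgr(3) does.

# netgroup_host_matches 'NAME (h,u,d) (h,u,d) ...' FQDN NISDOMAIN
# Prints the first matching triple; exit status 0 on match, 1 otherwise.
netgroup_host_matches() {
    line=$1 fqdn=$2 nisdom=$3
    # one triple per line with parentheses stripped; fields split on ","
    printf '%s\n' "$line" | tr -s ' \t' '\n' | grep '^(' | tr -d '()' | (
        while IFS=, read -r h u d; do
            if { [ -z "$h" ] || [ "$h" = "$fqdn" ]; } &&
               { [ -z "$d" ] || [ -z "$nisdom" ] || [ "$d" = "$nisdom" ]; }; then
                printf '(%s,%s,%s)\n' "$h" "$u" "$d"
                exit 0
            fi
        done
        exit 1
    )
}

# check_client_netgroup NETGROUP: run the live checks from the reply
# (getent netgroup, hostname -f, nisdomainname) through the matcher.
check_client_netgroup() {
    ng=$1
    fqdn=$(hostname -f 2>/dev/null)
    nisdom=$(nisdomainname 2>/dev/null)
    # assumption: an unset NIS domain is printed as "(none)" on Linux
    [ "$nisdom" = "(none)" ] && nisdom=""
    line=$(getent netgroup "$ng") || { echo "netgroup $ng not resolvable" >&2; return 2; }
    echo "client: fqdn=$fqdn nisdomain=${nisdom:-<unset>}"
    echo "netgroup: $line"
    if match=$(netgroup_host_matches "$line" "$fqdn" "$nisdom"); then
        echo "OK: client matches triple $match"
    else
        echo "NO MATCH: sudoHost +$ng will not apply to this client" >&2
        return 1
    fi
}

# Usage: sh check_netgroup.sh mailservers
if [ $# -gt 0 ]; then check_client_netgroup "$1"; fi
```

A short hostname in the triple where sudo compares the FQDN, or a NIS domain that differs from the triple's domain field, both produce NO MATCH, which is the failure mode the reply points at.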