Sudo seems to be configured correctly, but somehow it's not working, even if I do a sudo -l under the admin user:
[admin@ironhide tmp]$ sudo -l
[sudo] password for admin:
Matching Defaults entries for admin on this host:
    requiretty, !visiblepw, always_set_home, env_reset,
    env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User admin may run the following commands on this host:
    (admin, chamambom, kamoyob, kumalop, machangeteb, masaitit, masvivic, matangiraa, nyahumap, pedzisail, tayengwaj : ALL) /usr/bin/vim, /usr/bin/less

[admin@ironhide tmp]$ tail -f /var/log/sssd/sssd_sudo.log
[root@ironhide ~]# tail -f /var/log/sssd/sssd_sudo.log
(Wed Apr 8 13:35:27 2015) [sssd[sudo]] [sysdb_domain_init_internal] (0x0200): DB File for ai.co.zw: /var/lib/sss/db/cache_ai.co.zw.ldb
(Wed Apr 8 13:35:27 2015) [sssd[sudo]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Wed Apr 8 13:35:27 2015) [sssd[sudo]] [sss_process_init] (0x0400): Responder Initialization complete
(Wed Apr 8 13:35:27 2015) [sssd[sudo]] [sudo_process_init] (0x0400): SUDO Initialization complete
(Wed Apr 8 13:35:27 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40c900:doma...@ai.co.zw]
(Wed Apr 8 13:35:27 2015) [sssd[sudo]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ai.co.zw][forced][]
(Wed Apr 8 13:35:27 2015) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40c900:doma...@ai.co.zw]
(Wed Apr 8 13:35:27 2015) [sssd[sudo]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP
(Wed Apr 8 13:35:27 2015) [sssd[sudo]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Wed Apr 8 13:35:28 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x40c900:doma...@ai.co.zw]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'admin' matched without domain, user is admin
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'admin' matched without domain, user is admin
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [admin] from [<ALL>]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [ad...@ai.co.zw]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [ad...@ai.co.zw]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [admin] from [ai.co.zw]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=admin)(sudoUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*))(&(dataExpireTimestamp<=1428492937)))]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@ai.co.zw]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'admin' matched without domain, user is admin
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'admin' matched without domain, user is admin
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [admin] from [<ALL>]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [ad...@ai.co.zw]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [ad...@ai.co.zw]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [admin] from [ai.co.zw]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=admin)(sudoUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*))(&(dataExpireTimestamp<=1428492937)))]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=admin)(sudoUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*)))]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [ad...@ai.co.zw]
(Wed Apr 8 13:35:44 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Chamambo Martin
Sent: Wednesday, April 08, 2015 10:49 AM
To: 'Jakub Hrozek'
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

I have done the below and it's giving me the correct results, and at the moment LET ME enable debugging in sudo itself and see if that will get me somewhere.

[root@ironhide ~]# getent netgroup mailservers
mailservers (ironhide.ai.co.zw,-,ai.co.zw) (alvin.ai.co.zw,-,ai.co.zw) (madagascar.ai.co.zw,-,ai.co.zw) (nemo.ai.co.zw,-,ai.co.zw)
[root@ironhide ~]#

-----Original Message-----
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent: Wednesday, April 08, 2015 10:35 AM
To: Chamambo Martin
Cc: freeipa-users@redhat.com; 'Lukas Slebodnik'
Subject: Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

On Wed, Apr 08, 2015 at 10:17:59AM +0200, Chamambo Martin wrote:
> I have this log after doing a debug_level=6 in the sudo section and
> have attached a txt file for the ldbsearch -H
> /var/lib/sss/db/cache_ai.co.zw.ldb
>
> (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=admin)(sudoUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*))(&(dataExpireTimestamp<=1428480892)))]
> (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=admin)(sudoUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*)))]

The above are the cache searches sssd ran.

This is how the sudo rule looks in your cache:

# record 29
dn: name=file-commands,cn=sudorules,cn=custom,cn=ai.co.zw,cn=sysdb
cn: file-commands
dataExpireTimestamp: 1428486013
entryUSN: 28714
name: file-commands
objectClass: sudoRule
originalDN: cn=file-commands,ou=sudoers,dc=ai,dc=co,dc=zw
sudoCommand: /usr/bin/vim
sudoCommand: /usr/bin/less
sudoHost: +mailservers
sudoRunAsGroup: ALL
sudoRunAsUser: admin
sudoRunAsUser: chamambom
sudoRunAsUser: kamoyob
sudoRunAsUser: kumalop
sudoRunAsUser: machangeteb
sudoRunAsUser: masaitit
sudoRunAsUser: masvivic
sudoRunAsUser: matangiraa
sudoRunAsUser: nyahumap
sudoRunAsUser: pedzisail
sudoRunAsUser: tayengwaj
sudoUser: ALL
distinguishedName: name=file-commands,cn=sudorules,cn=custom,cn=ai.co.zw,cn=sysdb

> (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [ad...@ai.co.zw]

And here we see that the sudo rule was returned from SSSD to sudo. But then in sudo, it didn't match for some reason. I expect it's because of the netgroup; can you check if nisdomainname is really set correctly and getent netgroup mailservers reports the FQDN of your client?

Also, you can enable debugging in sudo itself. See man sudo.conf and search for the option "Debug". That will show you how exactly sudo matches the rules.

> (Wed Apr 8 10:15:02 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
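The check Jakub asks for above (is nisdomainname set, and does the netgroup carry the client's FQDN) can be worked through offline. The script below is an added example, not code from the thread, from sudo or from SSSD: it parses the `getent netgroup mailservers` line Martin posted and evaluates the `sudoHost: +mailservers` rule the way sudo does for the local host. The matching semantics are an assumption modelled on glibc's innetgr(3) (an empty triple field is a wildcard, a field the caller leaves unset is not compared, host and domain compare case-insensitively) and on sudo's netgr_matches() (try the long host name, then the short one, leave the user unset, and pass the NIS domain only when one is configured; "(none)" counts as unset). The names `parse_getent_netgroup`, `innetgr` and `sudo_host_matches` are this example's own.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample input: the getent output posted in the thread, verbatim.
GETENT_OUTPUT = (
    "mailservers (ironhide.ai.co.zw,-,ai.co.zw) (alvin.ai.co.zw,-,ai.co.zw) "
    "(madagascar.ai.co.zw,-,ai.co.zw) (nemo.ai.co.zw,-,ai.co.zw)"
)

Triple = Tuple[Optional[str], Optional[str], Optional[str]]
TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_getent_netgroup(output: str) -> Tuple[str, List[Triple]]:
    """Parse one `getent netgroup NAME` line into (name, [(host, user, domain), ...]).

    An empty field becomes None (wildcard). A literal '-' is kept as-is: by netgroup
    convention it means "no value", so it never equals a real host or user name.
    """
    name, _, rest = output.strip().partition(" ")
    triples: List[Triple] = []
    for host, user, domain in TRIPLE_RE.findall(rest):
        triples.append(tuple(f.strip() or None for f in (host, user, domain)))  # type: ignore[arg-type]
    return name, triples


def innetgr(triples: List[Triple], host: Optional[str] = None,
            user: Optional[str] = None, domain: Optional[str] = None) -> bool:
    """Assumed innetgr(3) semantics: a field matches when the triple's field is a
    wildcard, the caller did not supply a value, or the two compare equal."""
    for t_host, t_user, t_domain in triples:
        host_ok = t_host is None or host is None or t_host.lower() == host.lower()
        user_ok = t_user is None or user is None or t_user == user
        domain_ok = t_domain is None or domain is None or t_domain.lower() == domain.lower()
        if host_ok and user_ok and domain_ok:
            return True
    return False


def sudo_host_matches(netgroup_output: str, fqdn: str, nisdomain: Optional[str]) -> bool:
    """Assumed sudo behaviour for a sudoHost of the form +netgroup: ask innetgr for the
    long host name and then the short one, with the user field unset, passing the NIS
    domain only if one is configured ('' and '(none)' count as not configured)."""
    _, triples = parse_getent_netgroup(netgroup_output)
    domain = nisdomain if nisdomain and nisdomain != "(none)" else None
    shorthost = fqdn.split(".", 1)[0]
    return (innetgr(triples, host=fqdn, domain=domain)
            or innetgr(triples, host=shorthost, domain=domain))


if __name__ == "__main__":
    # Walk the combinations a client can be in; only the first two let the rule apply.
    for fqdn, nisdomain in [("ironhide.ai.co.zw", "ai.co.zw"),
                            ("ironhide.ai.co.zw", "(none)"),
                            ("ironhide.ai.co.zw", "example.com"),
                            ("ironhide", "ai.co.zw")]:
        verdict = "matches" if sudo_host_matches(GETENT_OUTPUT, fqdn, nisdomain) else "does NOT match"
        print(f"hostname -f = {fqdn!r:24} nisdomainname = {nisdomain!r:14} -> +mailservers {verdict}")
```

Two of the outcomes are the ones worth comparing with the real client: a host whose `hostname -f` returns only the short name cannot match a netgroup that stores FQDNs, and a client whose nisdomainname is set to something other than the domain in the triples is rejected even though the FQDN is listed. The example deliberately leaves the user field unset, which is why the `-` in the posted triples does not get in the way of host matching.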