On 09/09/2015 09:31 PM, Molnár Domokos wrote:
I have a working IPA server and a working client config on an OpenSuse
13.2 with the following versions:
nappali:~ # rpm -qa |grep sssd
sssd-tools-1.12.2-3.4.1.i586
sssd-krb5-1.12.2-3.4.1.i586
python-sssd-config-1.12.2-3.4.1.i586
sssd-ipa-1.12.2-3.4.1.i586
sssd-1.12.2-3.4.1.i586
sssd-dbus-1.12.2-3.4.1.i586
sssd-krb5-common-1.12.2-3.4.1.i586
sssd-ldap-1.12.2-3.4.1.i586
sssd is configured for nss, pam, sudo
There is a test sudo rule defined in the ipa server, which applies to
user "doma".  However when the user tries to use sudo the rule does not
work.
doma@nappali:/home/doma> sudo ls
doma's password:
doma is not allowed to run sudo on nappali.  This incident will be reported.
The corresponding log in the sssd_sudo.log is this:
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Received client version [1].
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Offered version [1].
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'doma' matched without domain, user is doma
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'doma' matched without domain, user is doma
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting default options for [doma] from [<ALL>]
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [doma@szilva]
(Wed Sep  9 21:25:25 2015) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
(Wed Sep  9 21:25:25 2015) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(name=defaults)))]
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'doma' matched without domain, user is doma
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'doma' matched without domain, user is doma
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting rules for [doma] from [<ALL>]
(Wed Sep  9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [doma@szilva]
(Wed Sep  9 21:25:25 2015) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
(Wed Sep  9 21:25:25 2015) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))]
(Wed Sep  9 21:25:30 2015) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!
This seems perfectly OK with one exception. The query against the sysdb
does not find the entry. This is strange because the entry is there.
Log in sssd.log:
(Wed Sep  2 08:52:13 2015) [sssd] [sysdb_domain_init_internal] (0x0200):
DB File for szilva: /var/lib/sss/db/cache_szilva.ldb
So we know that the sysdb is /var/lib/sss/db/cache_szilva.ldb
Running the exact same query seen above in the sssd_sudo.log against the
db returns:
ldbsearch -H /var/lib/sss/db/cache_szilva.ldb
"(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))"
asq: Unable to register control with rootdse!
# record 1
dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
cn: Doma_ls
dataExpireTimestamp: 1441830262
entryUSN: 20521
name: Doma_ls
objectClass: sudoRule
originalDN: cn=Doma_ls,ou=sudoers,dc=szilva
sudoCommand: ls
sudoHost: nappali.szilva
sudoRunAsGroup: ALL
sudoRunAsUser: ALL
sudoUser: doma
distinguishedName: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
# returned 1 records
# 1 entries
# 0 referrals
This confirms that the entry is indeed there in the db. Why is it found
with ldbsearch and why does sssd_sudo not find it?
I am pretty much stuck with this one. Does anyone have an idea?
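A way to check by hand whether the cached rule should satisfy the filter sssd_sudo logs, as an added example that is not part of the thread: it parses the ldbsearch record above (embedded as constructed sample input) and evaluates the filter's sudoUser alternatives and its dataExpireTimestamp bound, plus the sudoHost attribute, which the sysdb filter does not test. The user name, uid, group list, host and request time are the values that appear in the log and the record.

```python
# Evaluate a cached sssd sudoRule record against the terms of the sysdb filter
# seen in sssd_sudo.log. The record below is the ldbsearch output from the
# thread, embedded as constructed sample input so the script runs offline.
from typing import Dict, List

SAMPLE_LDIF = """\
dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
cn: Doma_ls
dataExpireTimestamp: 1441830262
entryUSN: 20521
name: Doma_ls
objectClass: sudoRule
originalDN: cn=Doma_ls,ou=sudoers,dc=szilva
sudoCommand: ls
sudoHost: nappali.szilva
sudoRunAsGroup: ALL
sudoRunAsUser: ALL
sudoUser: doma
"""

def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF record into attribute -> list of values (multi-valued kept)."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and ldbsearch's '# record' comments
        key, _, value = line.partition(":")
        attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs

def user_matches(rule, user, uid, groups):
    """Mirror the filter's sudoUser alternatives: ALL, name, #uid, %group, +netgroup."""
    wanted = {"ALL", user, f"#{uid}"} | {f"%{g}" for g in groups}
    return any(v in wanted or v.startswith("+") for v in rule.get("sudoUser", []))

def host_matches(rule, host):
    """sudoHost is not in the sysdb filter; checked here for completeness."""
    return any(v in ("ALL", host) for v in rule.get("sudoHost", []))

def is_expired(rule, now):
    """True when (dataExpireTimestamp<=now) would match, i.e. the entry needs a refresh."""
    return int(rule["dataExpireTimestamp"][0]) <= now

def evaluate(text, user, uid, groups, host, now):
    rule = parse_ldif(text)
    return {"user": user_matches(rule, user, uid, groups),
            "host": host_matches(rule, host),
            "expired": is_expired(rule, now)}

if __name__ == "__main__":
    # uid, groups and request time are the values from the logged filter
    print(evaluate(SAMPLE_LDIF, "doma", 1816400003,
                   ["ipausers", "picture_access", "doma"], "nappali.szilva", 1441826725))
```

With the logged values the record matches on user and host and is not yet expired, so the first query (which only looks for expired rules) is expected to return nothing while the second should return the rule.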


Hi,
this is strange. Can you provide the logs with debug level set to 0x3ff0 please? Can you also send it as an attachment? Thanks!

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project