Hi, just a long shot here.

I've been battling sudo for a couple of days now and found that my issue was one related to symlinks. On CentOS 7, 'which cat' says /bin/cat, but on CentOS 7 /bin is a symlink to /usr/bin, and sudo knows a symlink when it sees one; to prevent abuse it requires the 'real' path for the sudo rule:

    <user> ALL=(ALL) /usr/bin/cat

On CentOS 6, 'which cat' also says /bin/cat, but since /bin is not a symlink there, it requires the sudo rule to be:

    <user> ALL=(ALL) /bin/cat

So for the sudo to work on both CentOS 6 and CentOS 7 you would require 2 sudo rules.

Ignore me if this is irrelevant. Just my 2 cents.

Rob

2016-07-14 10:38 GMT+02:00 Lukas Slebodnik <lsleb...@redhat.com>:
> On (14/07/16 10:09), Tomas Simecek wrote:
> >Thanks all of you guys,
> >I have updated to:
> >sssd-krb5-common-1.13.3-22.el6_8.4.x86_64
> >sssd-1.13.3-22.el6_8.4.x86_64
> >sssd-ldap-1.13.3-22.el6_8.4.x86_64
> >sssd-client-1.13.3-22.el6_8.4.x86_64
> >sssd-ad-1.13.3-22.el6_8.4.x86_64
> >sssd-proxy-1.13.3-22.el6_8.4.x86_64
> >libsss_idmap-1.13.3-22.el6_8.4.x86_64
> >sssd-common-1.13.3-22.el6_8.4.x86_64
> >sssd-ipa-1.13.3-22.el6_8.4.x86_64
> >python-sssdconfig-1.13.3-22.el6_8.4.noarch
> >sssd-krb5-1.13.3-22.el6_8.4.x86_64
> >sssd-common-pac-1.13.3-22.el6_8.4.x86_64
> >(there does not seem to be libsss_sudo in CentOS as suggested by Danila),
> >and restarted sssd.
> >
> >There are two rules enabled. One HBAC as I presented earlier:
> > Rule name: Unixari na test servery
> > Enabled: TRUE
> > User Groups: grpunixadmins
> > Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
> > Services: login, sshd, sudo, sudo-i, su, su-l
> >
> >and one sudo rule:
> > Rule name: Pokusne
> > Enabled: TRUE
> > Command category: all
> > User Groups: grpunixadmins
> > Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
> >
> >Default "all-access" rules are disabled.
> >
> >When I try to sudo as an AD user (member of grpunixadmins) on CentOS 6.6, I
> >still get:
> >
> >[simecek.to...@sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf
> >[sudo] password for simecek.to...@sd-stc.cz:
> >simecek.to...@sd-stc.cz is not in the sudoers file. This incident will be
> >reported.
> >
> >It works fine on CentOS 7 (spcss-2t-www.linuxdomain.cz).
> >
> >sssd.conf:
> >[domain/linuxdomain.cz]
> >cache_credentials = True
> >krb5_store_password_if_offline = True
> >ipa_domain = linuxdomain.cz
> >id_provider = ipa
> >krb5_realm = LINUXDOMAIN.CZ
> >auth_provider = ipa
> >access_provider = ipa
> >ipa_hostname = zp-cml-test.linuxdomain.cz
> >chpass_provider = ipa
> >ipa_server = svlxxipap.linuxdomain.cz
> >ldap_tls_cacert = /etc/ipa/ca.crt
> >override_shell = /bin/bash
> >sudo_provider = ipa
> >ldap_uri = ldap://svlxxipap.linuxdomain.cz
> >ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
> >ldap_sasl_mech = GSSAPI
> >#ldap_sasl_authid = host/zp-cml-test.linuxdomain...@linuxdomain.cz
> >ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
> >ldap_sasl_realm = LINUXDOMAIN.CZ
> >krb5_server = svlxxipap.linuxdomain.cz
> >debug_level = 0x3ff0
> >[sssd]
> >services = nss, sudo, pam, ssh
> >config_file_version = 2
> >domains = linuxdomain.cz
> >[nss]
> >homedir_substring = /home
> >[pam]
> >[sudo]
> >debug_level = 0x3ff0
> >[autofs]
> >[ssh]
> >[pac]
> >[ifp]
> >
> >
> >sssd_sudo.log from the moment I tried sudo:
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.to...@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20us...@sd-stc.cz)(sudoUser=%unixadm...@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_...@sd-stc.cz)(sudoUser=%acco...@sd-stc.cz)(sudoUser=%wifiadm...@sd-stc.cz)(sudoUser=+*))(&(dataExpireTimestamp<=1468482821)))]
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=simecek.to...@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20us...@sd-stc.cz)(sudoUser=%unixadm...@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_...@sd-stc.cz)(sudoUser=%acco...@sd-stc.cz)(sudoUser=%wifiadm...@sd-stc.cz)(sudoUser=+*)))]
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [simecek.to...@sd-stc.cz]
> >(Thu Jul 14 09:53:47 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
> >(Thu Jul 14 09:53:47 2016) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x260b690][17]
> >(Thu Jul 14 09:53:51 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
> >(Thu Jul 14 09:53:51 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.to...@sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.to...@sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [simecek.to...@sd-stc.cz]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [simecek.to...@sd-stc.cz]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [simecek.to...@sd-stc.cz] from [sd-stc.cz]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.to...@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20us...@sd-stc.cz)(sudoUser=%unixadm...@sd-stc.cz)(sudoUser=%wifiadm...@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_...@sd-stc.cz)(sudoUser=+*))(&(dataExpireTimestamp<=1468482835)))]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@sd-stc.cz]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.to...@sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.to...@sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [simecek.tomas] from [sd-stc.cz]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [simecek.to...@sd-stc.cz]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [simecek.to...@sd-stc.cz]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [simecek.to...@sd-stc.cz] from [sd-stc.cz]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.to...@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20us...@sd-stc.cz)(sudoUser=%unixadm...@sd-stc.cz)(sudoUser=%wifiadm...@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_...@sd-stc.cz)(sudoUser=+*))(&(dataExpireTimestamp<=1468482835)))]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=simecek.to...@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20us...@sd-stc.cz)(sudoUser=%unixadm...@sd-stc.cz)(sudoUser=%wifiadm...@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_...@sd-stc.cz)(sudoUser=+*)))]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [simecek.to...@sd-stc.cz]
>
> Your user does not have any valid sudo rules.
> It might be caused by wrong group membership.
> Are you sure that user simecek.to...@sd-stc.cz is a member of group
> grpunixadmins?
>
> BTW this is described in the sudo troubleshooting wiki:
> https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>
> LS
>
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
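A small check for the path question Rob raises above, added here as an example; it is not code from the thread, from sudo or from SSSD. For a command name it prints the path found on PATH and, when that path goes through a symlinked directory such as a CentOS 7 style /bin -> /usr/bin, the canonical path as well, so a rule can be written for both spellings. The two mini file trees, the throwaway `mycat` command and the user `alice` are constructed for the demonstration; `readlink -f` is assumed to be the GNU or BusyBox version.

```shell
#!/bin/sh
# Added example (not from the thread). Prints the sudoers rule(s) for a
# command, covering both the path as found on PATH and its canonical path.

# sudo_rules_for USER CMD [SEARCHPATH]
# Emits "USER ALL=(ALL) PATH" for the path CMD resolves to on SEARCHPATH
# (default: $PATH) and a second line for the symlink-free path when the
# two differ. Returns 1 if CMD is not found at all.
sudo_rules_for() {
    user=$1 cmd=$2 search=${3:-$PATH}
    found=$(PATH=$search command -v "$cmd") || return 1   # what PATH lookup yields
    real=$(readlink -f "$found")                          # every symlink resolved
    printf '%s ALL=(ALL) %s\n' "$user" "$found"
    [ "$real" = "$found" ] || printf '%s ALL=(ALL) %s\n' "$user" "$real"
}

# rule_count USER CMD [SEARCHPATH] -> number of rule lines emitted
rule_count() {
    sudo_rules_for "$1" "$2" "$3" | wc -l | tr -d ' '
}

# make_layout DIR KIND
# Builds a constructed mini-root under DIR. KIND=merged makes bin a symlink
# to usr/bin (CentOS 7 style); KIND=split makes bin a real directory
# (CentOS 6 style). "mycat" is a stand-in for /bin/cat.
make_layout() {
    dir=$1 kind=$2
    mkdir -p "$dir/usr/bin"
    if [ "$kind" = merged ]; then
        ln -s usr/bin "$dir/bin"
    else
        mkdir -p "$dir/bin"
    fi
    printf '#!/bin/sh\ncat "$@"\n' > "$dir/bin/mycat"
    chmod 755 "$dir/bin/mycat"
}

# Stand-alone demo over the two constructed layouts.
demo=$(mktemp -d)
make_layout "$demo/c7" merged
make_layout "$demo/c6" split
echo "# merged /usr (CentOS 7 style) gives two spellings:"
sudo_rules_for alice mycat "$demo/c7/bin"
echo "# real /bin (CentOS 6 style) gives one:"
sudo_rules_for alice mycat "$demo/c6/bin"
rm -rf "$demo"
```

On a real host, `sudo -l` lists the commands the host's rules match for the calling user, which is the quickest way to see which spelling that host's sudo accepts before adding a second rule.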