Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

Thu, 11 Aug 2016 11:45:02 -0700 

Hello,
Could you increase the debug level to 9, restart sssd + clear the cache and reproduce the problem then provide the sssd_<domain>.log as well as the sssd_sudo.log ? 

Also you may want to rule out HBAC issues with the below command:

     # ipa hbactest --user 'jgoddard' --host $(hostname) --service sudo

Kind regards,

Justin Stephenson

On 08/11/2016 02:24 PM, Jeff Goddard wrote:

Here is relevant configuration files:

*nsswitch.conf:*

passwd:         compat sss
group:          compat sss
shadow:         compat sss
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers: sss files

*sssd.conf:*

[domain/internal.emerlyn.com <http://internal.emerlyn.com>]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = internal.emerlyn.com <http://internal.emerlyn.com>
id_provider = ipa
auth_provider = ipa
access_provider = ipa

ipa_hostname = docker-dev-01.internal.emerlyn.com 
<http://docker-dev-01.internal.emerlyn.com>

chpass_provider = ipa

ipa_server = _srv_, id-management-1.internal.emerlyn.com 
<http://id-management-1.internal.emerlyn.com>

ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider=ipa

ldap_uri=ldap://id-management-1.internal.emerlyn.com 
<http://id-management-1.internal.emerlyn.com>

ldap_sudo_search_base=ou=sudoers,dc=internal,dc=emerlyn,dc=com
debug_level=7

[sssd]
services = nss, pam, sudo, ssh
debug_level=7
domains = internal.emerlyn.com <http://internal.emerlyn.com>

[nss]
homedir_substring = /home

[pam]

[sudo]
debug_level=7
[autofs]

[ssh]
debug_level=7
[pac]

[ifp]

*Log output - /var/log/sssd/sssd_sudo.log:


*(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): 
Client connected!
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_cmd_get_version] 
(0x0200): Received client version [1].
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_cmd_get_version] 
(0x0200): Offered version [1].
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_parse_name_for_domains] 
(0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_parse_name_for_domains] 
(0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] 
(0x0200): Requesting default options for [jgoddard] from [<ALL>]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): 
Requesting info about [jgodd...@internal.emerlyn.com 
<mailto:jgodd...@internal.emerlyn.com>]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): 
Returning info for user [jgodd...@internal.emerlyn.com 
<mailto:jgodd...@internal.emerlyn.com>]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): 
Retrieving default options for [jgoddard] from [internal.emerlyn.com 
<http://internal.emerlyn.com>]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] 
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with 
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*))(&(dataExpireTimestamp<=1470932503)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] 
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with 
[(&(objectClass=sudoRule)(|(name=defaults)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] 
[sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for 
[<default options>@internal.emerlyn.com <http://internal.emerlyn.com>]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_parse_name_for_domains] 
(0x0200): name 'jgoddard' matched without domain, user is jgoddard*
(*Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_parse_name_for_domains] 
(0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] 
(0x0200): Requesting rules for [jgoddard] from [<ALL>]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): 
Requesting info about [jgodd...@internal.emerlyn.com 
<mailto:jgodd...@internal.emerlyn.com>]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): 
Returning info for user [jgodd...@internal.emerlyn.com 
<mailto:jgodd...@internal.emerlyn.com>]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): 
Retrieving rules for [jgoddard] from [internal.emerlyn.com 
<http://internal.emerlyn.com>]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] 
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with 
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*))(&(dataExpireTimestamp<=1470932503)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] 
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with 
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): 
Sorting rules with higher-wins logic
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] 
[sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for 
[jgodd...@internal.emerlyn.com <mailto:jgodd...@internal.emerlyn.com>]
(Thu Aug 11 12:21:47 2016) [sssd[sudo]] [client_recv] (0x0200): Client 
disconnected!
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): 
Client connected!
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_cmd_get_version] 
(0x0200): Received client version [1].
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_cmd_get_version] 
(0x0200): Offered version [1].
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] 
(0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] 
(0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] 
(0x0200): Requesting default options for [jgoddard] from [<ALL>]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): 
Requesting info about [jgodd...@internal.emerlyn.com 
<mailto:jgodd...@internal.emerlyn.com>]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): 
Returning info for user [jgodd...@internal.emerlyn.com 
<mailto:jgodd...@internal.emerlyn.com>]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): 
Retrieving default options for [jgoddard] from [internal.emerlyn.com 
<http://internal.emerlyn.com>]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] 
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with 
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*))(&(dataExpireTimestamp<=1470932532)))]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] 
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with 
[(&(objectClass=sudoRule)(|(name=defaults)))]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] 
[sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for 
[<default options>@internal.emerlyn.com <http://internal.emerlyn.com>]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] 
(0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] 
(0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] 
(0x0200): Requesting rules for [jgoddard] from [<ALL>]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): 
Requesting info about [jgodd...@internal.emerlyn.com 
<mailto:jgodd...@internal.emerlyn.com>]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): 
Returning info for user [jgodd...@internal.emerlyn.com 
<mailto:jgodd...@internal.emerlyn.com>]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): 
Retrieving rules for [jgoddard] from [internal.emerlyn.com 
<http://internal.emerlyn.com>]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] 
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with 
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*))(&(dataExpireTimestamp<=1470932532)))]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] 
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with 
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*)))]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): 
Sorting rules with higher-wins logic
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] 
[sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for 
[jgodd...@internal.emerlyn.com <mailto:jgodd...@internal.emerlyn.com>]*


*


On Thu, Aug 11, 2016 at 2:15 PM, Rob Crittenden <rcrit...@redhat.com 
<mailto:rcrit...@redhat.com>> wrote:


    Jeff Goddard wrote:

        I've looked though these but not found anything helpful. It
        appears as
        though my previous statement about the 1 group being found was
        misleading as the sssd.$mydomain.com.log file reports that no
        sudo rules
        are found. Does this mean that the LDAP tree being searched is
        different
        on ubuntu vs centos?


    I find that extremely unlikely.

    You may want to outline more what you've already checked.

    For example, is sss in sudoers in /etc/nsswitch.conf?

    You can check the 389-ds access log to see what, if any queries
    are being made. I'd clean the sssd cache in advance.

    rob


        Jeff

        On Wed, Aug 10, 2016 at 2:13 PM, Rob Crittenden
        <rcrit...@redhat.com <mailto:rcrit...@redhat.com>
        <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>>> wrote:

            Jeff Goddard wrote:

                Sean,

                Thanks for the reply. I don't think that's my problem
        but I'm
                posting a
                redacted copy of the sssd.conf file for review below.


            I'd start here:
        https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
        <https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO>

           
        <https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

        <https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO>>

            rob









--
Jeff Goddard
Director of Information Technology
Emerlyn Technology

Email: jgodd...@emerlyn.com <mailto:jgodd...@emerlyn.com>
Telephone: (603) 447-8571
Toll free: (888) 363-7596 ext. 108
Fax: (603) 356-3346






-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project





















					Reply via email to