Hello,
Could you increase the debug level to 9, restart sssd and clear the cache, reproduce the problem, then provide the sssd_<domain>.log as well as the sssd_sudo.log?
Also you may want to rule out HBAC issues with the below command:
# ipa hbactest --user 'jgoddard' --host $(hostname) --service sudo
Kind regards,
Justin Stephenson
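The collection steps above, scripted as an added example (this is not code from the thread or from the SSSD/FreeIPA projects). It assumes an IPA-enrolled client where sssd.conf is /etc/sssd/sssd.conf and the logs live under /var/log/sssd, that it runs as root, and that a Kerberos ticket for an account allowed to run ipa hbactest already exists; the function names and the --collect flag are this example's own, the log file names and the hbactest invocation are the ones named in the reply, and hostname -f is used because IPA host entries are fully qualified.

```shell
#!/bin/sh
# Added example, not code from the thread. Scripts the steps asked for above on an
# IPA-enrolled client: raise debug_level to 9 everywhere in sssd.conf, flush the
# cache, restart sssd, reproduce the sudo lookup, run the HBAC test and bundle the
# two logs. Paths, function names and the --collect flag are this example's
# assumptions; the log file names and the hbactest command come from the reply.
set -eu

SSSD_CONF=${SSSD_CONF:-/etc/sssd/sssd.conf}
LOG_DIR=${LOG_DIR:-/var/log/sssd}

# Set every debug_level line in CONF to LEVEL and add one to each section that
# has none, so [sssd], [sudo] and the domain section all log at LEVEL.
# The file is rewritten through cat so it keeps its 0600 root:root mode, which
# sssd insists on; the temporary copy is created under umask 077 because
# sssd.conf may contain bind credentials.
set_debug_level() {
    conf=$1 level=$2
    ( umask 077; awk -v lvl="$level" '
        function emit_missing() { if (insec && !seen) print "debug_level = " lvl; seen = 0 }
        /^[[:space:]]*\[/ { emit_missing(); insec = 1; print; next }
        /^[[:space:]]*debug_level[[:space:]]*=/ { sub(/[[:space:]]*=.*/, " = " lvl); seen = 1 }
        { print }
        END { emit_missing() }
    ' "$conf" > "$conf.tmp" )
    cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
}

# Expire every cached entry (users, groups and sudo rules) and restart sssd so
# the reproduction has to go to the IPA server instead of the stale sysdb.
flush_and_restart() {
    sss_cache -E
    systemctl restart sssd
}

# Reproduce as root with "sudo -l -U USER", which goes through the sss sudoers
# source without needing USER's password, run the HBAC check, and pack the two
# logs. ipa hbactest needs a valid Kerberos ticket (kinit) beforehand.
reproduce_and_collect() {
    user=$1 domain=$2 out=${3:-sssd-sudo-debug.tar.gz}
    sudo -l -U "$user" || true                # the failing lookup; continue regardless
    ipa hbactest --user "$user" --host "$(hostname -f)" --service sudo || true
    tar czf "$out" -C "$LOG_DIR" "sssd_${domain}.log" sssd_sudo.log
    echo "logs written to $out"
}

# Usage (as root): sh collect_sudo_debug.sh --collect jgoddard internal.emerlyn.com
if [ "${1-}" = "--collect" ]; then
    set_debug_level "$SSSD_CONF" 9
    flush_and_restart
    reproduce_and_collect "$2" "$3"
fi
```

Only set_debug_level is safe to run anywhere; the other two functions change the running sssd and should be used on the affected client only.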
On 08/11/2016 02:24 PM, Jeff Goddard wrote:
Here are the relevant configuration files:
nsswitch.conf:
passwd: compat sss
group: compat sss
shadow: compat sss
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: sss files
sssd.conf:
[domain/internal.emerlyn.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = internal.emerlyn.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = docker-dev-01.internal.emerlyn.com
chpass_provider = ipa
ipa_server = _srv_, id-management-1.internal.emerlyn.com
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider=ipa
ldap_uri=ldap://id-management-1.internal.emerlyn.com
ldap_sudo_search_base=ou=sudoers,dc=internal,dc=emerlyn,dc=com
debug_level=7
[sssd]
services = nss, pam, sudo, ssh
debug_level=7
domains = internal.emerlyn.com
[nss]
homedir_substring = /home
[pam]
[sudo]
debug_level=7
[autofs]
[ssh]
debug_level=7
[pac]
[ifp]
Log output - /var/log/sssd/sssd_sudo.log:
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [jgoddard] from [<ALL>]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [jgodd...@internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [jgodd...@internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [jgoddard] from [internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*))(&(dataExpireTimestamp<=1470932503)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [jgoddard] from [<ALL>]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [jgodd...@internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [jgodd...@internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [jgoddard] from [internal.emerlyn.com]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*))(&(dataExpireTimestamp<=1470932503)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [jgodd...@internal.emerlyn.com]
(Thu Aug 11 12:21:47 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [jgoddard] from [<ALL>]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [jgodd...@internal.emerlyn.com]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [jgodd...@internal.emerlyn.com]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [jgoddard] from [internal.emerlyn.com]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*))(&(dataExpireTimestamp<=1470932532)))]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@internal.emerlyn.com]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'jgoddard' matched without domain, user is jgoddard
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [jgoddard] from [<ALL>]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [jgodd...@internal.emerlyn.com]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [jgodd...@internal.emerlyn.com]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [jgoddard] from [internal.emerlyn.com]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*))(&(dataExpireTimestamp<=1470932532)))]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=jgoddard)(sudoUser=#320000001)(sudoUser=%developers)(sudoUser=%jira-administrators)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%jgoddard)(sudoUser=+*)))]
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
(Thu Aug 11 12:22:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [jgodd...@internal.emerlyn.com]
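A small triage script for a log like the one pasted above, added here as an example (it is not code from the thread or from SSSD). It reads an sssd_sudo.log written at this debug level and, for each client request, reports which phase the responder was in ("default options" or "rules") and how many rules the cache returned, then lists the sudoUser terms the rules lookup was matched against. The function names are this example's own, and the embedded sample log is constructed in the posted format with a made-up user, domain, uid and groups rather than the original lines.

```shell
#!/bin/sh
# Added example, not part of the thread. Summarises an sssd_sudo.log produced at
# the debug level shown above. Function names are this example's own; the sample
# log at the bottom is constructed in the posted format with made-up names.
set -eu

# One line per "Returning N rules" event: timestamp, phase, subject, count.
# 0 in the rules phase means no cached rule had a sudoUser matching any term of
# the preceding "Searching sysdb" filter; 0 in the default-options phase is
# normal when no "defaults" entry exists in IPA.
sudo_log_summary() {
    awk '
        match($0, /^\([^)]*\)/) { ts = substr($0, RSTART + 1, RLENGTH - 2) }
        /Requesting default options for \[/ { phase = "default-options" }
        /Requesting rules for \[/           { phase = "rules" }
        /Returning [0-9]+ rules for \[/ {
            n = $0;   sub(/.*Returning /, "", n);     sub(/ rules for .*/, "", n)
            who = $0; sub(/.*rules for \[/, "", who); sub(/\].*/, "", who)
            printf "%s\t%s\t%s\t%s\n", ts, phase, who, n
        }
    ' "$1"
}

# The sudoUser terms of the last rules-phase sysdb search, one per line: the
# user name, "#uid", one "%group" per cached group membership and "+*" for
# netgroups. A group the rule is bound to that is missing here means the cached
# membership is stale, which is what sss_cache -E clears.
sudo_match_terms() {
    grep 'Searching sysdb with' "$1" | grep -v 'name=defaults' | tail -n 1 |
        tr '()' '\n\n' | sed -n 's/^sudoUser=//p'
}

# Constructed sample in the format of the posted log (not the original lines).
sample_sudo_log() {
    cat <<'EOF'
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [alice] from [<ALL>]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@example.test]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [alice] from [<ALL>]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=alice)(sudoUser=#1001)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=+*)))]
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
(Thu Aug 11 12:21:43 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [alice@example.test]
(Thu Aug 11 12:21:47 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
EOF
}

# Usage: sh sudo_log_triage.sh /var/log/sssd/sssd_sudo.log
if [ $# -gt 0 ]; then
    sudo_log_summary "$1"
    echo "match terms:"
    sudo_match_terms "$1"
fi
```

For the log posted above this reports one rule returned in the rules phase for both requests, so the question becomes whether that one rule is the expected one and whether sudo itself consults sss (the sudoers line in nsswitch.conf), rather than whether the cache is empty.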
On Thu, Aug 11, 2016 at 2:15 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
Jeff Goddard wrote:
I've looked through these but not found anything helpful. It appears as though my previous statement about the 1 group being found was misleading, as the sssd.$mydomain.com.log file reports that no sudo rules are found. Does this mean that the LDAP tree being searched is different on Ubuntu vs CentOS?
I find that extremely unlikely.
You may want to outline more what you've already checked.
For example, is sss in sudoers in /etc/nsswitch.conf?
You can check the 389-ds access log to see what, if any, queries are being made. I'd clean the sssd cache in advance.
rob
Jeff
On Wed, Aug 10, 2016 at 2:13 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
Jeff Goddard wrote:
Sean,
Thanks for the reply. I don't think that's my problem but I'm posting a redacted copy of the sssd.conf file for review below.
I'd start here:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
rob
--
Jeff Goddard
Director of Information Technology
Emerlyn Technology
Email: jgodd...@emerlyn.com
Telephone: (603) 447-8571
Toll free: (888) 363-7596 ext. 108
Fax: (603) 356-3346
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project