Hi all, I use SSSD with OpenLDAP and I am able to authenticate users. I am trying to configure SSSD for managing and caching sudo, but I can't use sudo and the system replies with this:
Sorry, user xxx is not allowed to execute '/usr/bin/apt-get update' as root on MACHINE.

This is my sssd.conf:

    [nss]
    filter_groups = root,andrea
    filter_users = root,andrea
    reconnection_retries = 3
    debug_level = 4

    [pam]
    reconnection_retries = 3
    debug_level = 4
    offline_credentials_expiration = 90

    [sudo]
    debug_level = 7
    # default values in seconds
    #ldap_sudo_full_refresh_interval=21600
    #ldap_sudo_smart_refresh_interval=900
    ldap_sudo_full_refresh_interval=10
    ldap_sudo_smart_refresh_interval=10

    [sssd]
    config_file_version = 2
    reconnection_retries = 3
    services = nss, pam, sudo
    domains = mydomain.com

    [domain/mydomain.com]
    debug_level = 7
    cache_credentials = true
    account_cache_expiration = 90
    # With this as false, a simple "getent passwd" for testing won't work. You must do getent passwd u...@domain.com
    # enumerate = false
    enumerate = true
    id_provider = ldap
    auth_provider = ldap
    access_provider = ldap
    sudo_provider = ldap
    # chpass_provider = ldap
    ldap_id_use_start_tls = true
    ldap_tls_reqcert = demand
    ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
    ldap_uri = ldap://LDAPSERVER
    ldap_search_base = dc=mydomain,dc=com
    ldap_access_filter = (uidNumber=*)
    ldap_sudo_search_base = ou=sudoers,dc=mydomain,dc=com

This is my nsswitch.conf:

    passwd: compat sss
    group: compat sss
    shadow: compat sss
    sudoers: files sss

This is the log's output:

    tail -f /var/log/auth.log /var/log/sssd/sssd_sudo.log /var/log/sssd/sssd_widegroup.eu.log

    ==> /var/log/auth.log <==
    Nov 8 15:50:46 andrea-X550LA sudo: pam_unix(sudo:auth): authentication failure; logname=MYUSER uid=1126 euid=0 tty=/dev/pts/7 ruser=MYUSER rhost= user=MYUSER

    ==> /var/log/sssd/sssd_mydomain.com.log <==
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_get_account_info] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=MYUSER]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_req_set_domain] (0x0400): Changing request domain from [mydomain.com] to [mydomain.com]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [dc=mydomain,dc=eu]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=MYUSER)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=mydomain,dc=eu].
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sshPublicKey]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [uid=MYUSER,ou=people,dc=mydomain,dc=eu].
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_save_user] (0x0400): Save user
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_primary_name] (0x0400): Processing object MYUSER
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_save_user] (0x0400): Processing user MYUSER
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_save_user] (0x0400): Original memberOf is not available for [MYUSER].
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_save_user] (0x0400): User principal is not available for [MYUSER].
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_save_user] (0x0400): Storing info for user MYUSER
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_initgr_rfc2307_next_base] (0x0400): Searching for groups with base [dc=mydomain,dc=eu]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=MYUSER)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=mydomain,dc=eu].
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=netsudo,ou=groups,dc=mydomain,dc=eu].
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_initgr_done] (0x0400): Primary group already cached, nothing to do.
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_req_set_domain] (0x0400): Changing request domain from [mydomain.com] to [mydomain.com]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler] (0x0100): Got request with the following data
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): domain: mydomain.com
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): user: MYUSER
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): service: sudo
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): tty: /dev/pts/7
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): ruser: MYUSER
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): rhost:
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): authtok type: 1
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): newauthtok type: 0
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): priv: 0
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): cli_pid: 7144
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): logon name: not set
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [get_server_status] (0x1000): Status of server 'LDAPSERVER' is 'working'
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'LDAPSERVER' is 'working'
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [get_server_status] (0x1000): Status of server 'LDAPSERVER' is 'working'
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_resolve_server_process] (0x0200): Found address for server LDAPSERVER: [xxx.xxx.xxx.xxx] TTL 2222
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_uri_callback] (0x0400): Constructed uri 'ldap://LDAPSERVER'
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://LDAPSERVER:389/??base] with fd [24].
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_sys_connect_done] (0x0100): Executing START TLS
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_connect_done] (0x0080): START TLS result: Success(0), (null)
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'LDAPSERVER' as 'working'
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [set_server_common_status] (0x0100): Marking server 'LDAPSERVER' as 'working'
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'LDAPSERVER' as 'working'
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [simple_bind_send] (0x0100): Executing simple bind as: uid=MYUSER,ou=people,dc=mydomain,dc=eu
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [simple_bind_done] (0x1000): Password Policy Response: expire [-1] grace [-1] error [No error].
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [simple_bind_done] (0x0400): Bind result: Success(0), no errmsg set
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_pam_auth_done] (0x0100): Password successfully cached for MYUSER
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][mydomain.com]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][mydomain.com]

    ==> /var/log/auth.log <==
    Nov 8 15:50:46 andrea-X550LA sudo: pam_sss(sudo:auth): authentication success; logname=MYUSER uid=1126 euid=0 tty=/dev/pts/7 ruser=MYUSER rhost= user=MYUSER

    ==> /var/log/sssd/sssd_mydomain.com.log <==
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_req_set_domain] (0x0400): Changing request domain from [mydomain.com] to [mydomain.com]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler] (0x0100): Got request with the following data
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): domain: mydomain.com
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): user: MYUSER
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): service: sudo
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): tty: /dev/pts/7
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): ruser: MYUSER
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): rhost:
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): authtok type: 0
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): newauthtok type: 0
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): priv: 0
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): cli_pid: 7144
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): logon name: not set
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_access_send] (0x0400): Performing access check for user [MYUSER]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [MYUSER]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_access_filter_send] (0x0400): Checking filter against LDAP
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=MYUSER)(objectclass=posixAccount)(uidNumber=*))][uid=MYUSER,ou=people,dc=mydomain,dc=eu].
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [uid=MYUSER,ou=people,dc=mydomain,dc=eu].
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_access_filter_done] (0x0400): Access granted by online lookup
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0400): SELinux provider doesn't exist, not sending the request to it.
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][mydomain.com]
    (Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][mydomain.com]

    ==> /var/log/auth.log <==
    Nov 8 15:50:46 andrea-X550LA sudo: MYUSER : command not allowed ; TTY=pts/7 ; PWD=/home/MYUSER ; USER=root ; COMMAND=/usr/bin/apt-get update

    ==> /var/log/sssd/sssd_sudo.log <==
    (Wed Nov 8 15:50:46 2017) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!

Please, could you help me understand what's wrong? Many thanks in advance; any help is appreciated. Regards.
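A small triage helper, added here as an example (not part of the original post, and not SSSD code): it reads auth.log lines of the shape quoted above and separates the PAM authentication outcome from the sudoers policy verdict, so a "command not allowed" is not misread as a password problem, and it checks the sssd.conf and nsswitch.conf prerequisites for the sudo responder. The sample log and config fragments are constructed from the post's values; the function and check names are my own.

```python
"""Triage a sudo denial on an SSSD/LDAP host: PAM auth outcome vs sudoers verdict,
plus the sssd.conf / nsswitch.conf prerequisites for the sudo responder."""
import configparser
import re

# Constructed from the shape of the auth.log lines quoted in the post.
AUTH_LOG = """\
Nov 8 15:50:46 host sudo: pam_unix(sudo:auth): authentication failure; logname=MYUSER uid=1126 euid=0 tty=/dev/pts/7 ruser=MYUSER rhost= user=MYUSER
Nov 8 15:50:46 host sudo: pam_sss(sudo:auth): authentication success; logname=MYUSER uid=1126 euid=0 tty=/dev/pts/7 ruser=MYUSER rhost= user=MYUSER
Nov 8 15:50:46 host sudo: MYUSER : command not allowed ; TTY=pts/7 ; PWD=/home/MYUSER ; USER=root ; COMMAND=/usr/bin/apt-get update
"""
# Constructed, minimal versions of the config fragments in the post.
SSSD_CONF = """\
[sssd]
services = nss, pam, sudo
[domain/mydomain.com]
sudo_provider = ldap
"""
NSSWITCH = "passwd: compat sss\nsudoers: files sss\n"

PAM_RE = re.compile(r"sudo: (?P<module>pam_\w+)\(sudo:auth\): authentication (?P<result>\w+)")
POLICY_RE = re.compile(r"sudo: (?P<user>\S+) : (?P<denied>command not allowed ; )?TTY=.*COMMAND=(?P<cmd>.+)$")

def triage(log_text):
    """Separate the PAM auth outcome from the sudoers verdict for a sudo event."""
    result = {"auth": None, "policy": None, "command": None}
    for line in log_text.splitlines():
        m = PAM_RE.search(line)
        if m:
            # pam_unix normally fails for LDAP-only users and pam_sss then succeeds;
            # one successful module means authentication passed.
            if m["result"] == "success" or result["auth"] is None:
                result["auth"] = m["result"]
            continue
        m = POLICY_RE.search(line)
        if m:
            result["policy"] = "denied" if m["denied"] else "allowed"
            result["command"] = m["cmd"].strip()
    return result

def check_sudo_prereqs(sssd_conf_text, nsswitch_text):
    """List configuration gaps that stop sudo from ever seeing LDAP rules."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_conf_text)
    issues = []
    services = [s.strip() for s in cfg.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        issues.append("[sssd] services does not start the sudo responder")
    domains = [s for s in cfg.sections() if s.startswith("domain/")]
    issues += [f"{s}: sudo_provider is not set" for s in domains
               if cfg.get(s, "sudo_provider", fallback="none") == "none"]
    sudoers = [l.split(":", 1)[1].split() for l in nsswitch_text.splitlines() if l.startswith("sudoers:")]
    if not sudoers or "sss" not in sudoers[0]:
        issues.append("nsswitch.conf: sudoers line does not include sss")
    return issues
```

On the post's own lines the triage reports authentication success and a policy denial for /usr/bin/apt-get update, and the config checks pass, which points the investigation at the sudo rules SSSD fetched and cached rather than at the LDAP bind.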
_______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org