I've not set this up but it looks as though you have the system configured correctly to leverage sssd. At this point, it looks like you may want to ask on the sudoers list what needs to be done on the ldap side as well. Also, the link Lukas pointed to may help. Looking at the original log snippets provided, I see no reference to the ldap_sudo_search_base string. I would have expected to see a search request for sudo like you see for other queries. This is stretching my expertise at this point. If it were me, I would focus on the ldap pieces now and figure out a) is the ldap config correct (ldapsearch is your friend here) and b) what I may have misconfigured in the sssd ldap configs. In general, I tend to bump the debug up to 10 (sss_debug is helpful), run a quick test, then drop the debug back down so I can minimize the noise.
=G= On Fri, Nov 10, 2017 at 8:17 AM, Andrea Passuello < andrea.passue...@widegroup.eu> wrote: > Thanks for the hint. > > Ok the output is this > > $ sudo sudo --version | grep sssd > Configure options: --prefix=/usr -v --with-all-insults --with-pam > --with-fqdn --with-logging=syslog --with-logfac=authpriv --with-env-editor > --with-editor=/usr/bin/editor --with-exampledir=/usr/share/doc/sudo/examples > --with-timeout=15 --with-password-timeout=0 --with-passprompt=[sudo] > password for %p: --without-lecture --with-tty-tickets > --disable-root-mailer --enable-admin-flag --with-sendmail=/usr/sbin/sendmail > --with-rundir=/var/run/sudo --mandir=/usr/share/man > --libexecdir=/usr/lib/sudo --with-sssd > --with-sssd-lib=/usr/lib/x86_64-linux-gnu > --with-selinux --with-linux-audit > > > Is it ok? > > What can I check now? > > > > > > > > > > 2017-11-10 13:58 GMT+01:00 Galen Johnson <solita...@gmail.com>: > >> Try 'sudo sudo --version'. I got the same output as you until I ran sudo >> --version with root privs. >> >> =G= >> >> On Fri, Nov 10, 2017 at 3:45 AM, Andrea Passuello < >> andrea.passue...@widegroup.eu> wrote: >> >>> Thanks for the answers. >>> >>> # dpkg -l | grep sudo >>> ii libsss-sudo >>> 1.13.4-1ubuntu1.8 >>> amd64 Communicator library for sudo >>> ii sudo >>> 1.8.16-0ubuntu1.5 >>> amd64 Provide limited super user privileges to specific users >>> >>> I don't have sudo-ldap installed. >>> >>> # sudo --version | grep sssd >>> doesn't return anything >>> >>> # sudo --version >>> Sudo version 1.8.16 >>> Sudoers policy plugin version 1.8.16 >>> Sudoers file grammar version 45 >>> Sudoers I/O plugin version 1.8.16 >>> >>> What do I miss? >>> >>> Thanks a lot. >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> 2017-11-09 21:45 GMT+01:00 Michael Ströder <mich...@stroeder.com>: >>> >>>> Lukas Slebodnik wrote: >>>> > On (08/11/17 16:01), Andrea Passuello wrote: >>>> >> Hi all, >>>> >> I use SSSD with OpenLDAP and I am able to authenticate users. >>>> >> I am trying to configure SSSD for managing and caching sudo but I >>>> can't use >>>> >> sudo and the system reply me with this: >>>> >> >>>> >> Sorry, user xxx is not allowed to execute '/usr/bin/apt-get update' >>>> as root >>>> >> on MACHINE. >>>> >> >>>> > A) ensure that you have right version of sudo installed on >>>> debian/ubuntu >>>> > It need to be compiled with sssd support >>>> > sudo --version | grep sssd >>>> For whatever reason Debian has to different sudo packages: >>>> sudo - Provide limited super user privileges to specific users >>>> sudo-ldap - Provide limited super user privileges to specific users >>>> >>>> For "sudoers: sss" in nsswitch.conf you need package "sudo" and *not* >>>> "sudo-ldap" even if you have your sudoers entries in LDAP directory. >>>> >>>> Ciao, Michael. >>>> >>>> >>>> _______________________________________________ >>>> sssd-users mailing list -- sssd-users@lists.fedorahosted.org >>>> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org >>>> >>>> >>> >>> Avvertenze ai sensi del D.Lgs.196 del 30/06/2003 >>> Le informazioni contenute in questo messaggio di posta elettronica e/o >>> files allegati, sono da considerarsi strettamente riservati. Il loro >>> utilizzo è consentito esclusivamente al destinatario del messaggio, per le >>> finalità indicate nello stesso. Costituisce violazione ai principi dettati >>> dal D.Lgs. 196/2003: trattenere il messaggio stesso oltre il tempo >>> necessario, divulgarlo anche in parte, distribuirlo ad altri soggetti, >>> copiarlo od utilizzarlo per finalità diverse. In ogni momento potrà >>> richiederci la sospensione dell'impiego dei suoi dati, ad esclusione delle >>> comunicazioni effettuate in esecuzione di obblighi di legge. Qualora avesse >>> ricevuto questo messaggio senza esserne il destinatario La preghiamo >>> cortesemente di darcene notizia via e-mail e di procedere alla distruzione >>> del messaggio stesso dal Suo sistema. Se desidera presentare un reclamo, >>> può trovare informazioni e supporto sul nostro sito >>> www.widegroup.eu/reclami o può scrivere a recl...@widegroup.eu. Grazie. >>> This message is confidential. It may also be privileged or otherwise >>> protected by work, product, immunity or other legal rules. If you have >>> received it by mistake, please let us know by e-mail reply and delete it >>> from your system; you may not copy this message or disclose its contents to >>> anyone. The integrity and security of this message cannot be guaranteed on >>> the Internet. If you want to submit a formal complaint, you can find >>> information and support on our website www.widegroup.eu/reclami or >>> writing to recl...@widegroup.eu. Thank you. >>> >>> _______________________________________________ >>> sssd-users mailing list -- sssd-users@lists.fedorahosted.org >>> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org >>> >>> >> >> _______________________________________________ >> sssd-users mailing list -- sssd-users@lists.fedorahosted.org >> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org >> >> > > Avvertenze ai sensi del D.Lgs.196 del 30/06/2003 > Le informazioni contenute in questo messaggio di posta elettronica e/o > files allegati, sono da considerarsi strettamente riservati. Il loro > utilizzo è consentito esclusivamente al destinatario del messaggio, per le > finalità indicate nello stesso. Costituisce violazione ai principi dettati > dal D.Lgs. 196/2003: trattenere il messaggio stesso oltre il tempo > necessario, divulgarlo anche in parte, distribuirlo ad altri soggetti, > copiarlo od utilizzarlo per finalità diverse. In ogni momento potrà > richiederci la sospensione dell'impiego dei suoi dati, ad esclusione delle > comunicazioni effettuate in esecuzione di obblighi di legge. Qualora avesse > ricevuto questo messaggio senza esserne il destinatario La preghiamo > cortesemente di darcene notizia via e-mail e di procedere alla distruzione > del messaggio stesso dal Suo sistema. Se desidera presentare un reclamo, > può trovare informazioni e supporto sul nostro sito > www.widegroup.eu/reclami o può scrivere a recl...@widegroup.eu. Grazie. > This message is confidential. It may also be privileged or otherwise > protected by work, product, immunity or other legal rules. If you have > received it by mistake, please let us know by e-mail reply and delete it > from your system; you may not copy this message or disclose its contents to > anyone. The integrity and security of this message cannot be guaranteed on > the Internet. If you want to submit a formal complaint, you can find > information and support on our website www.widegroup.eu/reclami or > writing to recl...@widegroup.eu. Thank you. > > _______________________________________________ > sssd-users mailing list -- sssd-users@lists.fedorahosted.org > To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org > >
_______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
