If you follow https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html and generate the sssd logs, does that shed some more light?
> On 22 Dec 2017, at 14:48, Viktor Ekl <viktorekl...@gmail.com> wrote:
>
> Hello.
>
> Sssd 1.15.2-50 on Centos 7. I'm trying to grant sudo access to members of
> known AD group (say, "linux_admin"), but with no success:
> "<user> is not allowed to run sudo on <host>. This incident will be reported"
> Can't understand why, according to sssd_domain.log group and members found ?
>
> My configuration, /etc/sudoers:
> %wheel ALL=(ALL) ALL
> %linux_admin ALL=(ALL) ALL
>
> part of /etc/sssd/sssd.conf:
> sudo_provider = ldap
>
> Part of sudo_debug log:
> sudo[1069] sudo_getgrnam: group linux_admin [] -> gid 10001 [] (cached)
> ...
> sudo[1069] sudo_get_gidlist: looking up group IDs for testadmin
> ...
> sudo[1069] user_in_group: user testadmin NOT in group linux_admin
>
> Part of sssd_testdomain.com.log:
> [sssd[be[testdomain.com]]] [dp_get_account_info_handler] (0x0200): Got request for [0x2][BE_REQ_GROUP][name=linux_ad...@testdomain.com]
> [sssd[be[testdomain.com]]] [dp_attach_req] (0x0400): DP Request [Account #11]: New request. Flags [0x0001].
> [sssd[be[testdomain.com]]] [dp_attach_req] (0x0400): Number of active DP request: 1
> [sssd[be[testdomain.com]]] [sss_domain_get_state] (0x1000): Domain testdomain.com is Active
> [sssd[be[testdomain.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=users,dc=testdomain,dc=com]
> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=linux_admin)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=users,dc=testdomain,dc=com].
> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUid]
> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
> [sssd[be[testdomain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=linux_admin,CN=Users,DC=testdomain,DC=com].
> [sssd[be[testdomain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> [sssd[be[testdomain.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
> [sssd[be[testdomain.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ
> [sssd[be[testdomain.com]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
> [sssd[be[testdomain.com]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
> [sssd[be[testdomain.com]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success]
> [sssd[be[testdomain.com]]] [sdap_get_primary_name] (0x0400): Processing object linux_admin
> [sssd[be[testdomain.com]]] [sdap_save_group] (0x0400): Processing group linux_ad...@testdomain.com
> [sssd[be[testdomain.com]]] [sdap_process_ghost_members] (0x0400): The group has 1 members
> [sssd[be[testdomain.com]]] [sdap_process_ghost_members] (0x0400): Group has 1 members
> [sssd[be[testdomain.com]]] [sdap_save_group] (0x0400): Storing info for group linux_ad...@testdomain.com
> [sssd[be[testdomain.com]]] [sysdb_store_group] (0x1000): The group record of linux_ad...@testdomain.com did not change, only updated the timestamp cache
> [sssd[be[testdomain.com]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success]
> [sssd[be[testdomain.com]]] [sdap_save_grpmem] (0x0400): Failed to get group sid
> [sssd[be[testdomain.com]]] [sdap_get_primary_name] (0x0400): Processing object linux_admin
> [sssd[be[testdomain.com]]] [sdap_save_grpmem] (0x0400): Processing group linux_ad...@testdomain.com
> [sssd[be[testdomain.com]]] [sdap_save_grpmem] (0x0400): Adding member users to group [linux_ad...@testdomain.com]
> [sssd[be[testdomain.com]]] [sdap_fill_memberships] (0x0080): Member [testadmin] is it out of domain scope?
> [sssd[be[testdomain.com]]] [sdap_fill_memberships] (0x0080): Member [testadmin] was not found in cache. Is it out of scope?
> [sssd[be[testdomain.com]]] [sysdb_set_entry_attr] (0x0200): Entry [name=linux_ad...@testdomain.com,cn=groups,cn=testdomain.com,cn=sysdb] has set [ts_cache] attrs.
> [sssd[be[testdomain.com]]] [dp_req_done] (0x0400): DP Request [Account #11]: Request handler finished [0]: Success
> [sssd[be[testdomain.com]]] [_dp_req_recv] (0x0400): DP Request [Account #11]: Receiving request data.
> [sssd[be[testdomain.com]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #11]: Finished. Success.
> [sssd[be[testdomain.com]]] [dp_req_reply_std] (0x1000): DP Request [Account #11]: Returning [Success]: 0,0,Success
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
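As an added example (not code from the thread or from the sssd project), a small Python correlator that reads the two log excerpts the question pairs, sssd's backend log and sudo's debug log, and reports for each sudo group denial whether sssd logged that it could not resolve that member of the group. The sample lines are constructed in the same format as the ones quoted above, with a made-up example.com domain.

```python
import re

# Constructed sample lines in the format of the sssd backend log and the
# sudo debug log quoted in the thread (example.com is a made-up domain).
SSSD_LOG = """\
[sssd[be[example.com]]] [sdap_save_group] (0x0400): Processing group linux_admin@example.com
[sssd[be[example.com]]] [sdap_process_ghost_members] (0x0400): The group has 1 members
[sssd[be[example.com]]] [sdap_save_grpmem] (0x0400): Adding member users to group [linux_admin@example.com]
[sssd[be[example.com]]] [sdap_fill_memberships] (0x0080): Member [testadmin] is it out of domain scope?
[sssd[be[example.com]]] [sdap_fill_memberships] (0x0080): Member [testadmin] was not found in cache. Is it out of scope?
"""
SUDO_LOG = """\
sudo[1069] sudo_getgrnam: group linux_admin [] -> gid 10001 [] (cached)
sudo[1069] sudo_get_gidlist: looking up group IDs for testadmin
sudo[1069] user_in_group: user testadmin NOT in group linux_admin
"""

GROUP_RE = re.compile(r"\[sdap_save_grpmem\] \(0x[0-9a-f]+\): Adding member users to group \[([^\]]+)\]")
MEMBER_RE = re.compile(r"\[sdap_fill_memberships\] \(0x[0-9a-f]+\): Member \[([^\]]+)\] was not found in cache")
DENIAL_RE = re.compile(r"user_in_group: user (\S+) NOT in group (\S+)")


def unresolved_members(sssd_log):
    """Map each group sssd filled memberships for to the members it could not find in its cache."""
    groups, current = {}, None
    for line in sssd_log.splitlines():
        if m := GROUP_RE.search(line):
            current = m.group(1)          # fully qualified group, i.e. name@domain
            groups.setdefault(current, [])
        elif (m := MEMBER_RE.search(line)) and current:
            groups[current].append(m.group(1))
    return groups


def sudo_denials(sudo_log):
    """(user, group) pairs for which sudo decided the user is not in a sudoers %group."""
    return [m.groups() for m in map(DENIAL_RE.search, sudo_log.splitlines()) if m]


def explain(sssd_log, sudo_log):
    """For each sudo denial, say whether sssd itself failed to resolve that member."""
    unresolved = unresolved_members(sssd_log)
    findings = []
    for user, group in sudo_denials(sudo_log):
        # sssd keys groups as name@domain; sudoers uses the short name
        hit = next((g for g, mem in unresolved.items()
                    if g.split("@", 1)[0] == group and user in mem), None)
        if hit:
            findings.append(f"{user} not in %{group}: sssd could not resolve member [{user}] of {hit}")
        else:
            findings.append(f"{user} not in %{group}: no unresolved-member entry for that user in the sssd log")
    return findings


if __name__ == "__main__":
    print("\n".join(explain(SSSD_LOG, SUDO_LOG)))
```

Point it at the full domain log produced with a raised debug_level, as the linked troubleshooting page describes, and at sudo's debug output for the denied invocation.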