Ah, since you're using local sudo rules and not rules stored in AD, I think only the sudo log would be interesting. Plus, is the user a member of either wheel or linux_admin? (In other words, does either of these groups show up if you run 'id' as the user?)
> On 22 Dec 2017, at 15:09, Jakub Hrozek <jhro...@redhat.com> wrote:
>
> If you follow
> https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html and
> generate the sssd logs, does that shed some more light?
>
>> On 22 Dec 2017, at 14:48, Viktor Ekl <viktorekl...@gmail.com> wrote:
>>
>> Hello.
>>
>> SSSD 1.15.2-50 on CentOS 7. I'm trying to grant sudo access to members of a
>> known AD group (say, "linux_admin"), but with no success:
>> "<user> is not allowed to run sudo on <host>. This incident will be
>> reported"
>> Can't understand why; according to sssd_domain.log the group and its members are found?
>>
>> My configuration, /etc/sudoers:
>> %wheel ALL=(ALL) ALL
>> %linux_admin ALL=(ALL) ALL
>>
>> Part of /etc/sssd/sssd.conf:
>> sudo_provider = ldap
>>
>> Part of sudo_debug log:
>> sudo[1069] sudo_getgrnam: group linux_admin [] -> gid 10001 [] (cached)
>> ...
>> sudo[1069] sudo_get_gidlist: looking up group IDs for testadmin
>> ...
>> sudo[1069] user_in_group: user testadmin NOT in group linux_admin
>>
>> Part of sssd_testdomain.com.log:
>> [sssd[be[testdomain.com]]] [dp_get_account_info_handler] (0x0200): Got request for [0x2][BE_REQ_GROUP][name=linux_ad...@testdomain.com]
>> [sssd[be[testdomain.com]]] [dp_attach_req] (0x0400): DP Request [Account #11]: New request. Flags [0x0001].
>> [sssd[be[testdomain.com]]] [dp_attach_req] (0x0400): Number of active DP request: 1
>> [sssd[be[testdomain.com]]] [sss_domain_get_state] (0x1000): Domain testdomain.com is Active
>> [sssd[be[testdomain.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=users,dc=testdomain,dc=com]
>> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=linux_admin)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=users,dc=testdomain,dc=com].
>> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
>> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
>> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
>> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
>> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUid]
>> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
>> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
>> [sssd[be[testdomain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=linux_admin,CN=Users,DC=testdomain,DC=com].
>> [sssd[be[testdomain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
>> [sssd[be[testdomain.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
>> [sssd[be[testdomain.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ
>> [sssd[be[testdomain.com]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
>> [sssd[be[testdomain.com]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
>> [sssd[be[testdomain.com]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success]
>> [sssd[be[testdomain.com]]] [sdap_get_primary_name] (0x0400): Processing object linux_admin
>> [sssd[be[testdomain.com]]] [sdap_save_group] (0x0400): Processing group linux_ad...@testdomain.com
>> [sssd[be[testdomain.com]]] [sdap_process_ghost_members] (0x0400): The group has 1 members
>> [sssd[be[testdomain.com]]] [sdap_process_ghost_members] (0x0400): Group has 1 members
>> [sssd[be[testdomain.com]]] [sdap_save_group] (0x0400): Storing info for group linux_ad...@testdomain.com
>> [sssd[be[testdomain.com]]] [sysdb_store_group] (0x1000): The group record of linux_ad...@testdomain.com did not change, only updated the timestamp cache
>> [sssd[be[testdomain.com]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success]
>> [sssd[be[testdomain.com]]] [sdap_save_grpmem] (0x0400): Failed to get group sid
>> [sssd[be[testdomain.com]]] [sdap_get_primary_name] (0x0400): Processing object linux_admin
>> [sssd[be[testdomain.com]]] [sdap_save_grpmem] (0x0400): Processing group linux_ad...@testdomain.com
>> [sssd[be[testdomain.com]]] [sdap_save_grpmem] (0x0400): Adding member users to group [linux_ad...@testdomain.com]
>> [sssd[be[testdomain.com]]] [sdap_fill_memberships] (0x0080): Member [testadmin] is it out of domain scope?
>> [sssd[be[testdomain.com]]] [sdap_fill_memberships] (0x0080): Member [testadmin] was not found in cache. Is it out of scope?
>> [sssd[be[testdomain.com]]] [sysdb_set_entry_attr] (0x0200): Entry [name=linux_ad...@testdomain.com,cn=groups,cn=testdomain.com,cn=sysdb] has set [ts_cache] attrs.
>> [sssd[be[testdomain.com]]] [dp_req_done] (0x0400): DP Request [Account #11]: Request handler finished [0]: Success
>> [sssd[be[testdomain.com]]] [_dp_req_recv] (0x0400): DP Request [Account #11]: Receiving request data.
>> [sssd[be[testdomain.com]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #11]: Finished. Success.
>> [sssd[be[testdomain.com]]] [dp_req_reply_std] (0x1000): DP Request [Account #11]: Returning [Success]: 0,0,Success
>> _______________________________________________
>> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
>> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
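The membership check the two replies ask for, as an added shell example that is not part of this thread and not code from the sudo or SSSD projects. It reproduces the order of checks visible in the sudo_debug excerpt quoted above (sudo_getgrnam resolves the %group to a gid, sudo_get_gidlist fetches the user's gid list, user_in_group tests one against the other) as pure string functions, runs them against a constructed sample that mirrors the symptom (group gid 10001 lists testadmin as a member, but testadmin's gid list lacks 10001; the gids 10000 and 10002 are made up), and provides a diagnose function that runs the live getent and id commands on a real host. Group and user names, and the sudo_debug line format, are taken from the thread; everything else is an assumption of this example.

```shell
#!/bin/sh
# Added example: not from the thread, sudo or SSSD.  Mirrors the check
# sequence shown in the sudo_debug excerpt: resolve the %group in sudoers
# to a gid, take the user's gid list, and test membership on that list.
# The helpers take strings so they can be exercised on constructed input;
# diagnose() runs the live NSS lookups, which is the path sudo itself
# uses for rules kept in the local /etc/sudoers.

# gid_of_group LINE: gid field of a "name:passwd:gid:members" line as
# printed by `getent group NAME`.  Fails on an empty line (unresolvable).
gid_of_group() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | cut -d: -f3
}

# gid_in_list LIST GID: LIST is the space-separated output of `id -G USER`.
gid_in_list() {
    for _g in $1; do
        [ "$_g" = "$2" ] && return 0
    done
    return 1
}

# sudo_group_rule_matches GETENT_LINE GIDLIST: returns 0 if a "%group"
# sudoers rule for the group in GETENT_LINE would match a user whose gid
# list is GIDLIST.  The group's own member field (4th column) is deliberately
# not consulted: as in the quoted log (sudo_getgrnam -> sudo_get_gidlist ->
# user_in_group), a member named on the group but missing from the user's
# gid list still yields "NOT in group".
sudo_group_rule_matches() {
    _gid=$(gid_of_group "$1") || return 1
    gid_in_list "$2" "$_gid"
}

# sudo_debug_missing_groups LOGTEXT: print the group names that sudo's
# debug log reports the user is NOT a member of, one per line.
sudo_debug_missing_groups() {
    printf '%s\n' "$1" |
        sed -n 's/.*user_in_group: user [^ ]* NOT in group \([^ ]*\).*/\1/p'
}

# diagnose USER GROUP: live check on a host using sssd for NSS.
diagnose() {
    _line=$(getent group "$2") || { echo "group $2 is not resolvable via NSS"; return 1; }
    _gids=$(id -G "$1") || { echo "user $1 is not resolvable via NSS"; return 1; }
    if sudo_group_rule_matches "$_line" "$_gids"; then
        echo "OK: $1 carries gid $(gid_of_group "$_line") ($2); a %$2 sudoers rule matches"
    else
        echo "MISMATCH: getent group $2 -> $_line"
        echo "          id -G $1 -> $_gids"
        echo "The user's gid list lacks the group's gid, so %$2 cannot match;"
        echo "look at what 'id $1' and sssd's domain log say about the user's groups"
        echo "before changing sudoers."
    fi
}

# Constructed sample reproducing the thread's symptom (gids are made up).
SAMPLE_GROUP_LINE='linux_admin:*:10001:testadmin'
SAMPLE_GIDLIST='10000 10002'
SAMPLE_SUDO_DEBUG='sudo[1069] sudo_getgrnam: group linux_admin [] -> gid 10001 [] (cached)
sudo[1069] sudo_get_gidlist: looking up group IDs for testadmin
sudo[1069] user_in_group: user testadmin NOT in group linux_admin'

# Usage on a real host: sh thisscript.sh testadmin linux_admin
if [ "$#" -eq 2 ]; then
    diagnose "$1" "$2"
fi
```

The point of comparing gids rather than names is that AD group names may contain spaces, which would break word splitting of `id -nG` output, while `id -G` and the gid column of `getent group` are unambiguous.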