On 9/6/19 11:04 AM, Albert Szostkiewicz via FreeIPA-users wrote:
Hi!
I've reinstalled ipa-client on a workstation and for some reason now ipa users are not part of sudoers File `/etc/nsswitch.conf` contains `sudoers: files sss` File '/etc/sssd/sssd.conf' contains `[sssd] services = nss, pam, ssh, sudo, autofs` There is no 'sudo_provider' within sssd.conf
I've tried to go through provided troubleshooting guide but even seeing discrepancies, I am not sure what should i do about it.
Here are snippets of what troubleshooting was suggesting to look for:
[sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0 default options for [myipauser@home.mydomain.com@home.mydomain.com] [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0 rules for [myipauser@home.mydomain.com@home.mydomain.com]
[sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(sudoUser=+*)(!(|(sudoUser=ALL)(sudoUser=myipauser@home.mydomain.com)(sudoUser=#1907400001)(sudoUser=%editors@home.mydomain.com)(sudoUser=%trust\20admins@home.mydomain.com)(sudoUser=%admins@home.mydomain.com)(sudoUser=%ipausers@home.mydomain.com)(sudoUser=%mymaingroup@home.mydomain.com)(sudoUser=%gogs_users@home.mydomain.com)(sudoUser=%admins@home.mydomain.com))))]
# record 28 dn: name=su,cn=hbac_services,cn=custom,cn=home.mydomain.com,cn=sysdb # record 29 dn: name=myipauser@home.mydomain.com,cn=users,cn=home.mydomain.com,cn=sysdb
[sdap_search_bases_ex_done] (0x0400): Receiving data from base [cn=sudo,dc=home,dc=mydomain,dc=com] [sssd[be[home.mydomain.com]]] [ipa_sudo_fetch_rules_done] (0x0040): Received 1 sudo rules [sysdb_sudo_store_rule] (0x0400): Adding sudo rule All [sssd[be[home.mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipasudocmdgrp)(entryUSN>=24976))][cn=sudo,dc=home,dc=mydomain,dc=com].
I do not have '[sdap_sudo_refresh_load_done]' within sssd_$domain.log
ldapsearch -x -H ldap://ipaserver.home.mydomain.com -b dc=ipaserver,dc=home,dc=mydomain,dc=com '$filter'
# extended LDIF # # LDAPv3 # base <dc=ipaserver,dc=home,dc=mydomain,dc=com> with scope subtree # filter: (objectclass=*) # requesting: $filter # # search result search: 2 result: 0 Success # numResponses: 1
ldapsearch -x -D "cn=Directory Manager" -w "$password" -H ldap://ipaserver.home.mydomain.com -b dc=ipaserver,dc=home,dc=mydomain,dc=com '$filter'
ldap_bind: Server is unwilling to perform (53) additional info: Unauthenticated binds are not allowed
ldapsearch -Y GSSAPI -H ldap://ipaserver.home.mydomain.com -b dc=ipaserver,dc=home,dc=mydomain,dc=com '$filter'
SASL/GSSAPI authentication started SASL username: host/myworkstation.home.mydomain.com@HOME.MYDOMAIN.COM SASL SSF: 256 SASL data security layer installed. # extended LDIF # # LDAPv3 # base <dc=ipaserver,dc=home,dc=mydomain,dc=com> with scope subtree # filter: (objectclass=*) # requesting: $filter # # search result search: 4 result: 0 Success # numResponses: 1
sudo[411] -> sudo_parseln_v2 @ ./parseln.c:59 sudo[411] <- sudo_parseln_v2 @ ./parseln.c:129 := 0 sudo[411] <- sudo_sss_open @ ./sssd.c:628 := 0 sudo[411] Looking for cn=default sudo[411] Received 0 rule(s)
Any help would be appreciated! Cheers! _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Hi, can you share sanitized sssd_$domain.log please?