Hi!
I've reinstalled ipa-client on a workstation and for some reason now ipa users are not part of sudoers File `/etc/nsswitch.conf` contains `sudoers: files sss` File '/etc/sssd/sssd.conf' contains `[sssd] services = nss, pam, ssh, sudo, autofs` There is no 'sudo_provider' within sssd.conf
I've tried to go through provided troubleshooting guide but even seeing discrepancies, I am not sure what should i do about it.
Here are snippets of what troubleshooting was suggesting to look for:
[sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0 default options for [myipauser@home.mydomain.com@home.mydomain.com] [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0 rules for [myipauser@home.mydomain.com@home.mydomain.com]
[sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(sudoUser=+*)(!(|(sudoUser=ALL)(sudoUser=myipauser@home.mydomain.com)(sudoUser=#1907400001)(sudoUser=%editors@home.mydomain.com)(sudoUser=%trust\20admins@home.mydomain.com)(sudoUser=%admins@home.mydomain.com)(sudoUser=%ipausers@home.mydomain.com)(sudoUser=%mymaingroup@home.mydomain.com)(sudoUser=%gogs_users@home.mydomain.com)(sudoUser=%admins@home.mydomain.com))))]
# record 28 dn: name=su,cn=hbac_services,cn=custom,cn=home.mydomain.com,cn=sysdb # record 29 dn: name=myipauser@home.mydomain.com,cn=users,cn=home.mydomain.com,cn=sysdb
[sdap_search_bases_ex_done] (0x0400): Receiving data from base [cn=sudo,dc=home,dc=mydomain,dc=com] [sssd[be[home.mydomain.com]]] [ipa_sudo_fetch_rules_done] (0x0040): Received 1 sudo rules [sysdb_sudo_store_rule] (0x0400): Adding sudo rule All [sssd[be[home.mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipasudocmdgrp)(entryUSN>=24976))][cn=sudo,dc=home,dc=mydomain,dc=com].
I do not have '[sdap_sudo_refresh_load_done]' within sssd_$domain.log
ldapsearch -x -H ldap://ipaserver.home.mydomain.com -b dc=ipaserver,dc=home,dc=mydomain,dc=com '$filter'
# extended LDIF # # LDAPv3 # base <dc=ipaserver,dc=home,dc=mydomain,dc=com> with scope subtree # filter: (objectclass=*) # requesting: $filter # # search result search: 2 result: 0 Success # numResponses: 1
ldapsearch -x -D "cn=Directory Manager" -w "$password" -H ldap://ipaserver.home.mydomain.com -b dc=ipaserver,dc=home,dc=mydomain,dc=com '$filter'
ldap_bind: Server is unwilling to perform (53) additional info: Unauthenticated binds are not allowed
ldapsearch -Y GSSAPI -H ldap://ipaserver.home.mydomain.com -b dc=ipaserver,dc=home,dc=mydomain,dc=com '$filter'
SASL/GSSAPI authentication started SASL username: host/myworkstation.home.mydomain.com@HOME.MYDOMAIN.COM SASL SSF: 256 SASL data security layer installed. # extended LDIF # # LDAPv3 # base <dc=ipaserver,dc=home,dc=mydomain,dc=com> with scope subtree # filter: (objectclass=*) # requesting: $filter # # search result search: 4 result: 0 Success # numResponses: 1
sudo[411] -> sudo_parseln_v2 @ ./parseln.c:59 sudo[411] <- sudo_parseln_v2 @ ./parseln.c:129 := 0 sudo[411] <- sudo_sss_open @ ./sssd.c:628 := 0 sudo[411] Looking for cn=default sudo[411] Received 0 rule(s)
Any help would be appreciated! Cheers!
On 9/6/19 11:04 AM, Albert Szostkiewicz via FreeIPA-users wrote:
Hi!
I've reinstalled ipa-client on a workstation and for some reason now ipa users are not part of sudoers File `/etc/nsswitch.conf` contains `sudoers: files sss` File '/etc/sssd/sssd.conf' contains `[sssd] services = nss, pam, ssh, sudo, autofs` There is no 'sudo_provider' within sssd.conf
I've tried to go through provided troubleshooting guide but even seeing discrepancies, I am not sure what should i do about it.
Here are snippets of what troubleshooting was suggesting to look for:
[sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0 default options for [myipauser@home.mydomain.com@home.mydomain.com] [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0 rules for [myipauser@home.mydomain.com@home.mydomain.com]
[sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(sudoUser=+*)(!(|(sudoUser=ALL)(sudoUser=myipauser@home.mydomain.com)(sudoUser=#1907400001)(sudoUser=%editors@home.mydomain.com)(sudoUser=%trust\20admins@home.mydomain.com)(sudoUser=%admins@home.mydomain.com)(sudoUser=%ipausers@home.mydomain.com)(sudoUser=%mymaingroup@home.mydomain.com)(sudoUser=%gogs_users@home.mydomain.com)(sudoUser=%admins@home.mydomain.com))))]
# record 28 dn: name=su,cn=hbac_services,cn=custom,cn=home.mydomain.com,cn=sysdb # record 29 dn: name=myipauser@home.mydomain.com,cn=users,cn=home.mydomain.com,cn=sysdb
[sdap_search_bases_ex_done] (0x0400): Receiving data from base [cn=sudo,dc=home,dc=mydomain,dc=com] [sssd[be[home.mydomain.com]]] [ipa_sudo_fetch_rules_done] (0x0040): Received 1 sudo rules [sysdb_sudo_store_rule] (0x0400): Adding sudo rule All [sssd[be[home.mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipasudocmdgrp)(entryUSN>=24976))][cn=sudo,dc=home,dc=mydomain,dc=com].
I do not have '[sdap_sudo_refresh_load_done]' within sssd_$domain.log
ldapsearch -x -H ldap://ipaserver.home.mydomain.com -b dc=ipaserver,dc=home,dc=mydomain,dc=com '$filter'
# extended LDIF # # LDAPv3 # base <dc=ipaserver,dc=home,dc=mydomain,dc=com> with scope subtree # filter: (objectclass=*) # requesting: $filter # # search result search: 2 result: 0 Success # numResponses: 1
ldapsearch -x -D "cn=Directory Manager" -w "$password" -H ldap://ipaserver.home.mydomain.com -b dc=ipaserver,dc=home,dc=mydomain,dc=com '$filter'
ldap_bind: Server is unwilling to perform (53) additional info: Unauthenticated binds are not allowed
ldapsearch -Y GSSAPI -H ldap://ipaserver.home.mydomain.com -b dc=ipaserver,dc=home,dc=mydomain,dc=com '$filter'
SASL/GSSAPI authentication started SASL username: host/myworkstation.home.mydomain.com@HOME.MYDOMAIN.COM SASL SSF: 256 SASL data security layer installed. # extended LDIF # # LDAPv3 # base <dc=ipaserver,dc=home,dc=mydomain,dc=com> with scope subtree # filter: (objectclass=*) # requesting: $filter # # search result search: 4 result: 0 Success # numResponses: 1
sudo[411] -> sudo_parseln_v2 @ ./parseln.c:59 sudo[411] <- sudo_parseln_v2 @ ./parseln.c:129 := 0 sudo[411] <- sudo_sss_open @ ./sssd.c:628 := 0 sudo[411] Looking for cn=default sudo[411] Received 0 rule(s)
Any help would be appreciated! Cheers! _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Hi, can you share sanitized sssd_$domain.log please?
while I was checking logs and runnign services, Sudo suddenly started working. So I guess it was a caching issue. How can I enforce re-caching ?
It's already working now, but just in case if you see something odd, here is my sssd_$domain.log , those line are just repeating
[sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): talloc: access after free error - first free may be at src/providers/ipa/ipa_session.c:846 [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic value - access after free [sssd[be[home.mydomain.com]]] [orderly_shutdown] (0x0010): SIGTERM: killing children [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic value - unknown value
Thanks!
Hi Albert
I use sss_cache to drop a client's cache when testing some change I've applied.
sss_cache -E to drop all cache.
Take a look at the man page for other options.
Regards Angus
________________________________ From: Albert Szostkiewicz via FreeIPA-users freeipa-users@lists.fedorahosted.org Sent: Monday, September 9, 2019 5:42:37 PM To: freeipa-users@lists.fedorahosted.org freeipa-users@lists.fedorahosted.org Cc: Albert Szostkiewicz tmdag@tmdag.com Subject: [Freeipa-users] Re: ipausers unable to sudo
while I was checking logs and runnign services, Sudo suddenly started working. So I guess it was a caching issue. How can I enforce re-caching ?
It's already working now, but just in case if you see something odd, here is my sssd_$domain.log , those line are just repeating
[sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): talloc: access after free error - first free may be at src/providers/ipa/ipa_session.c:846 [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic value - access after free [sssd[be[home.mydomain.com]]] [orderly_shutdown] (0x0010): SIGTERM: killing children [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic value - unknown value
Thanks! _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On 9/9/19 5:42 PM, Albert Szostkiewicz via FreeIPA-users wrote:
while I was checking logs and runnign services, Sudo suddenly started working. So I guess it was a caching issue. How can I enforce re-caching ?
Sudo rules will be reloaded completely upon SSSD restart (or when full refresh is triggered, see man sssd-sudo). You can also use sss_cache to invalidate specific rules.
It's already working now, but just in case if you see something odd, here is my sssd_$domain.log , those line are just repeating
[sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): talloc: access after free error - first free may be at src/providers/ipa/ipa_session.c:846 [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic value - access after free [sssd[be[home.mydomain.com]]] [orderly_shutdown] (0x0010): SIGTERM: killing children [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic value - unknown value
This looks strange. Did you forgot to attach the log? I need to see at least few line above this message.
Thank you.
Thanks! _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On 9/9/19 5:42 PM, Albert Szostkiewicz via FreeIPA-users wrote:
Sudo rules will be reloaded completely upon SSSD restart (or when full refresh is triggered, see man sssd-sudo). You can also use sss_cache to invalidate specific rules.
I've tried restarting sssd on a server and server itself back then but that wasn't helpful. I haven't tried sss_cache. But it suddenly started working by itself.
This looks strange. Did you forgot to attach the log? I need to see at least few line above this message.
Unfortunately, there is not much more than that - it's repeating over and over, here is full 3 days of sssd_{$domain).log:
(7 00:43:37) [sssd[be[home.mydomain.com]]] [orderly_shutdown] (0x0010): SIGTERM: killing children (7 00:45:32) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): talloc: access after free error - first free may be at src/providers/ipa/ipa_session.c:846 (7 00:45:32) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic value - access after free (7 12:53:23) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): talloc: access after free error - first free may be at src/providers/ipa/ipa_session.c:846 (7 12:53:23) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic value - access after free (7 22:57:51) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic value - unknown value (7 23:18:31) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): talloc: access after free error - first free may be at src/providers/ipa/ipa_session.c:846 (7 23:18:31) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic value - access after free (7 23:18:46) [sssd[be[home.mydomain.com]]] [orderly_shutdown] (0x0010): SIGTERM: killing children (7 23:21:04) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): talloc: access after free error - first free may be at src/providers/ipa/ipa_session.c:846 (7 23:21:04) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic value - access after free (7 23:41:40) [sssd[be[home.mydomain.com]]] [orderly_shutdown] (0x0010): SIGTERM: killing children (7 23:44:50) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): talloc: access after free error - first free may be at src/providers/ipa/ipa_session.c:846 (7 23:44:50) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic value - access after free (7 23:51:49) [sssd[be[home.mydomain.com]]] [orderly_shutdown] (0x0010): SIGTERM: killing children (7 23:58:34) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic value - unknown value (8 02:33:49) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic value - unknown value (8 02:57:48) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic value - unknown value (8 19:35:49) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic value - unknown value (9 21:29:28) [sssd[be[home.mydomain.com]]] [orderly_shutdown] (0x0010): SIGTERM: killing children (9 21:32:21) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic value - unknown value
I should mention that currently I do have some new/different issue in ipa server that may overlap those logs and might (or might not be related). In case if that's related - https://pagure.io/freeipa/issue/8065
Many thanks for your help!
freeipa-users@lists.fedorahosted.org
-
Albert Szostkiewicz -
Angus Clarke -
Pavel Březina