4:04 a.m.
Hi!
I've reinstalled ipa-client on a workstation and for some reason now ipa users are not
part of sudoers
File `/etc/nsswitch.conf` contains `sudoers: files sss`
File '/etc/sssd/sssd.conf' contains `[sssd] services = nss, pam, ssh, sudo,
autofs`
There is no 'sudo_provider' within sssd.conf
I've tried to go through provided troubleshooting guide but even seeing discrepancies,
I am not sure what should i do about it.
Here are snippets of what troubleshooting was suggesting to look for:
[sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0 default options for
[myipauser@home.mydomain.com(a)home.mydomain.com]
[sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0 rules for
[myipauser@home.mydomain.com(a)home.mydomain.com]
[sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(sudoUser=+*)(!(|(sudoUser=ALL)(sudoUser=myipauser@home.mydomain.com)(sudoUser=#1907400001)(sudoUser=%editors@home.mydomain.com)(sudoUser=%trust\20admins@home.mydomain.com)(sudoUser=%admins@home.mydomain.com)(sudoUser=%ipausers@home.mydomain.com)(sudoUser=%mymaingroup@home.mydomain.com)(sudoUser=%gogs_users@home.mydomain.com)(sudoUser=%admins(a)home.mydomain.com))))]
# record 28
dn: name=su,cn=hbac_services,cn=custom,cn=home.mydomain.com,cn=sysdb
# record 29
dn: name=myipauser(a)home.mydomain.com,cn=users,cn=home.mydomain.com,cn=sysdb
[sdap_search_bases_ex_done] (0x0400): Receiving data from base
[cn=sudo,dc=home,dc=mydomain,dc=com]
[sssd[be[home.mydomain.com]]] [ipa_sudo_fetch_rules_done] (0x0040): Received 1 sudo rules
[sysdb_sudo_store_rule] (0x0400): Adding sudo rule All
[sssd[be[home.mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling
ldap_search_ext with
[(&(objectClass=ipasudocmdgrp)(entryUSN>=24976))][cn=sudo,dc=home,dc=mydomain,dc=com].
I do not have '[sdap_sudo_refresh_load_done]' within sssd_$domain.log
ldapsearch -x -H ldap://ipaserver.home.mydomain.com -b
dc=ipaserver,dc=home,dc=mydomain,dc=com '$filter'
# extended LDIF
#
# LDAPv3
# base <dc=ipaserver,dc=home,dc=mydomain,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: $filter
#
# search result
search: 2
result: 0 Success
# numResponses: 1
ldapsearch -x -D "cn=Directory Manager" -w
"$password" -H ldap://ipaserver.home.mydomain.com -b
dc=ipaserver,dc=home,dc=mydomain,dc=com '$filter'
ldap_bind: Server is
unwilling to perform (53)
additional info: Unauthenticated binds are not allowed
ldapsearch -Y GSSAPI -H ldap://ipaserver.home.mydomain.com -b
dc=ipaserver,dc=home,dc=mydomain,dc=com '$filter'
SASL/GSSAPI authentication
started
SASL username: host/myworkstation.home.mydomain.com(a)HOME.MYDOMAIN.COM
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=ipaserver,dc=home,dc=mydomain,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: $filter
#
# search result
search: 4
result: 0 Success
# numResponses: 1
sudo[411] -> sudo_parseln_v2 @ ./parseln.c:59
sudo[411] <- sudo_parseln_v2 @ ./parseln.c:129 := 0
sudo[411] <- sudo_sss_open @ ./sssd.c:628 := 0
sudo[411] Looking for cn=default
sudo[411] Received 0 rule(s)
Any help would be appreciated!
Cheers!
5:43 a.m.
On 9/6/19 11:04 AM, Albert Szostkiewicz via FreeIPA-users wrote:
Hi!
I've reinstalled ipa-client on a workstation and for some reason now ipa users are
not part of sudoers
File `/etc/nsswitch.conf` contains `sudoers: files sss`
File '/etc/sssd/sssd.conf' contains `[sssd] services = nss, pam, ssh, sudo,
autofs`
There is no 'sudo_provider' within sssd.conf
I've tried to go through provided troubleshooting guide but even seeing
discrepancies, I am not sure what should i do about it.
Here are snippets of what troubleshooting was suggesting to look for:
[sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0 default options for
[myipauser@home.mydomain.com(a)home.mydomain.com]
[sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0 rules for
[myipauser@home.mydomain.com(a)home.mydomain.com]
[sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(sudoUser=+*)(!(|(sudoUser=ALL)(sudoUser=myipauser@home.mydomain.com)(sudoUser=#1907400001)(sudoUser=%editors@home.mydomain.com)(sudoUser=%trust\20admins@home.mydomain.com)(sudoUser=%admins@home.mydomain.com)(sudoUser=%ipausers@home.mydomain.com)(sudoUser=%mymaingroup@home.mydomain.com)(sudoUser=%gogs_users@home.mydomain.com)(sudoUser=%admins(a)home.mydomain.com))))]
# record 28
dn: name=su,cn=hbac_services,cn=custom,cn=home.mydomain.com,cn=sysdb
# record 29
dn: name=myipauser(a)home.mydomain.com,cn=users,cn=home.mydomain.com,cn=sysdb
[sdap_search_bases_ex_done] (0x0400): Receiving data from base
[cn=sudo,dc=home,dc=mydomain,dc=com]
[sssd[be[home.mydomain.com]]] [ipa_sudo_fetch_rules_done] (0x0040): Received 1 sudo
rules
[sysdb_sudo_store_rule] (0x0400): Adding sudo rule All
[sssd[be[home.mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling
ldap_search_ext with
[(&(objectClass=ipasudocmdgrp)(entryUSN>=24976))][cn=sudo,dc=home,dc=mydomain,dc=com].
I do not have '[sdap_sudo_refresh_load_done]' within sssd_$domain.log
> ldapsearch -x -H ldap://ipaserver.home.mydomain.com -b
dc=ipaserver,dc=home,dc=mydomain,dc=com '$filter'
# extended LDIF
#
# LDAPv3
# base <dc=ipaserver,dc=home,dc=mydomain,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: $filter
#
# search result
search: 2
result: 0 Success
# numResponses: 1
> ldapsearch -x -D "cn=Directory Manager" -w "$password" -H
ldap://ipaserver.home.mydomain.com -b dc=ipaserver,dc=home,dc=mydomain,dc=com
'$filter'
ldap_bind: Server is unwilling to perform (53)
additional info: Unauthenticated binds are not allowed
> ldapsearch -Y GSSAPI -H ldap://ipaserver.home.mydomain.com -b
dc=ipaserver,dc=home,dc=mydomain,dc=com '$filter'
SASL/GSSAPI authentication started
SASL username: host/myworkstation.home.mydomain.com(a)HOME.MYDOMAIN.COM
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=ipaserver,dc=home,dc=mydomain,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: $filter
#
# search result
search: 4
result: 0 Success
# numResponses: 1
sudo[411] -> sudo_parseln_v2 @ ./parseln.c:59
sudo[411] <- sudo_parseln_v2 @ ./parseln.c:129 := 0
sudo[411] <- sudo_sss_open @ ./sssd.c:628 := 0
sudo[411] Looking for cn=default
sudo[411] Received 0 rule(s)
Any help would be appreciated!
Cheers!
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Hi, can you share sanitized sssd_$domain.log please?
10:42 a.m.
while I was checking logs and runnign services, Sudo suddenly started working. So I guess
it was a caching issue.
How can I enforce re-caching ?
It's already working now, but just in case if you see something odd, here is my
sssd_$domain.log , those line are just repeating
[sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): talloc: access after free error -
first free may be at src/providers/ipa/ipa_session.c:846
[sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic value - access
after free
[sssd[be[home.mydomain.com]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
[sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic value - unknown
value
Thanks!
11:46 a.m.
Hi Albert
I use sss_cache to drop a client's cache when testing some change I've applied.
sss_cache -E to drop all cache.
Take a look at the man page for other options.
Regards
Angus
________________________________
From: Albert Szostkiewicz via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Sent: Monday, September 9, 2019 5:42:37 PM
To: freeipa-users(a)lists.fedorahosted.org <freeipa-users(a)lists.fedorahosted.org>
Cc: Albert Szostkiewicz <tmdag(a)tmdag.com>
Subject: [Freeipa-users] Re: ipausers unable to sudo
while I was checking logs and runnign services, Sudo suddenly started working. So I guess
it was a caching issue.
How can I enforce re-caching ?
It's already working now, but just in case if you see something odd, here is my
sssd_$domain.log , those line are just repeating
[sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): talloc: access after free error -
first free may be at src/providers/ipa/ipa_session.c:846
[sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic value - access
after free
[sssd[be[home.mydomain.com]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
[sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic value - unknown
value
Thanks!
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
2:28 a.m.
On 9/9/19 5:42 PM, Albert Szostkiewicz via FreeIPA-users wrote:
while I was checking logs and runnign services, Sudo suddenly started
working. So I guess it was a caching issue.
How can I enforce re-caching ?
Sudo rules will be reloaded completely upon SSSD restart (or when full
refresh is triggered, see man sssd-sudo). You can also use sss_cache to
invalidate specific rules.
It's already working now, but just in case if you see something
odd, here is my sssd_$domain.log , those line are just repeating
[sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): talloc: access after free error -
first free may be at src/providers/ipa/ipa_session.c:846
[sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic value - access
after free
[sssd[be[home.mydomain.com]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
[sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic value - unknown
value
This looks strange. Did you forgot to attach the log? I need to see at
least few line above this message.
Thank you.
Thanks!
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
10:25 a.m.
On 9/9/19 5:42 PM, Albert Szostkiewicz via FreeIPA-users wrote:
Sudo rules will be reloaded completely upon SSSD restart (or when full
refresh is triggered, see man sssd-sudo). You can also use sss_cache to
invalidate specific rules.
I've tried restarting sssd on a server and server itself back then but that wasn't
helpful. I haven't tried sss_cache.
But it suddenly started working by itself.
This looks strange. Did you forgot to attach the log? I need to see
at
least few line above this message.
Unfortunately, there is not much more than that - it's repeating over and over, here
is full 3 days of sssd_{$domain).log:
(7 00:43:37) [sssd[be[home.mydomain.com]]] [orderly_shutdown] (0x0010): SIGTERM: killing
children
(7 00:45:32) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): talloc: access after
free error - first free may be at src/providers/ipa/ipa_session.c:846
(7 00:45:32) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic
value - access after free
(7 12:53:23) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): talloc: access after
free error - first free may be at src/providers/ipa/ipa_session.c:846
(7 12:53:23) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic
value - access after free
(7 22:57:51) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic
value - unknown value
(7 23:18:31) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): talloc: access after
free error - first free may be at src/providers/ipa/ipa_session.c:846
(7 23:18:31) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic
value - access after free
(7 23:18:46) [sssd[be[home.mydomain.com]]] [orderly_shutdown] (0x0010): SIGTERM: killing
children
(7 23:21:04) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): talloc: access after
free error - first free may be at src/providers/ipa/ipa_session.c:846
(7 23:21:04) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic
value - access after free
(7 23:41:40) [sssd[be[home.mydomain.com]]] [orderly_shutdown] (0x0010): SIGTERM: killing
children
(7 23:44:50) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): talloc: access after
free error - first free may be at src/providers/ipa/ipa_session.c:846
(7 23:44:50) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic
value - access after free
(7 23:51:49) [sssd[be[home.mydomain.com]]] [orderly_shutdown] (0x0010): SIGTERM: killing
children
(7 23:58:34) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic
value - unknown value
(8 02:33:49) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic
value - unknown value
(8 02:57:48) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic
value - unknown value
(8 19:35:49) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic
value - unknown value
(9 21:29:28) [sssd[be[home.mydomain.com]]] [orderly_shutdown] (0x0010): SIGTERM: killing
children
(9 21:32:21) [sssd[be[home.mydomain.com]]] [talloc_log_fn] (0x0010): Bad talloc magic
value - unknown value
I should mention that currently I do have some new/different issue in ipa server that may
overlap those logs and might (or might not be related).
In case if that's related - https://pagure.io/freeipa/issue/8065
Many thanks for your help!
1690
days inactive
1694
days old
freeipa-users@lists.fedorahosted.org
5 comments
3 participants
participants (3)
-
Albert Szostkiewicz -
Angus Clarke -
Pavel Březina