Hi sssd-users list,

I am facing a strange issue on several CentOS servers. It seems that after a while (days), sudo stops working for some of my users. We keep the sudo rules in OpenLDAP. If a user runs 'sudo su -', he gets an error message ("User abc is not allowed to run sudo on ...."); however, if the user runs 'id' followed by 'sudo su -', then in some cases it works fine and the user gets root access. I even upgraded to the unofficial repo, hoping that the issue we see is similar or identical to https://fedorahosted.org/sssd/ticket/2970, but I think it is a different issue.

Any ideas? Next I will look at dumping the local sssd cache files. I can provide debug_level = 9 log files offline if needed.

Thank you

root@server yum.repos.d # rpm -qa | egrep sssd
sssd-common-pac-1.13.4-4.el6.x86_64
sssd-ldap-1.13.4-4.el6.x86_64
sssd-tools-1.13.4-4.el6.x86_64
sssd-client-1.13.4-4.el6.x86_64
sssd-ad-1.13.4-4.el6.x86_64
python-sssdconfig-1.13.4-4.el6.noarch
sssd-common-1.13.4-4.el6.x86_64
sssd-ipa-1.13.4-4.el6.x86_64
sssd-proxy-1.13.4-4.el6.x86_64
sssd-krb5-common-1.13.4-4.el6.x86_64
sssd-krb5-1.13.4-4.el6.x86_64
sssd-1.13.4-4.el6.x86_64

root@server sssd # vim /etc/sssd/sssd.conf  # set debug = 9

root@server sssd # sudo -U abc -l
User abc is not allowed to run sudo on server.

root@server sssd # egrep sudo /etc/nsswitch.conf
sudoers:    sss

root@server sssd # ip a s dev eth0 | egrep global
    inet 216.X.Y.Z/26 brd 216.X.Y.Z scope global eth0


root@server sssd # id abc
uid=100001044(abc) gid=1009(...) groups=1202(...),1168(...),1191(...),1102(...),1009(...),1101(...),1127(...),1167(...),1111(...),1178(...),1109(...),1199(...),1208(stage),1117(...),1198(...),1192(...),1206(...),1176(...),1404(...),1183(...),1103(...),1110(...),1205

root@abc sssd # sudo -U abc -l
Matching Defaults entries for abc on this host:
[...]

User abc may run the following commands on this host:
    (ALL) PASSWD: ALL


# LDAP Sudo def
dn: cn=stage,ou=sudoers,o=Domain,dc=domain,dc=com
sudoOrder: 42
[...]
sudoUser: %stage
sudoRunAs: ALL
cn: stage
description: Allow Trusted Senior stuff become root
sudoCommand: ALL
sudoHost: 216.X.Y.Z
[...]
objectClass: top
objectClass: sudoRole
sudoOption: authenticate



# Group def
dn: cn=stage,ou=groups,o=Domain,dc=domain,dc=com
gidNumber: 1208
cn: stage
description: stage Group
objectClass: posixGroup
objectClass: top
memberUid: abc
hMemberDN: uid=abc,ou=users,o=Domain,dc=domain,dc=com



Sanitized sssd.conf:

[sssd]
config_file_version = 2
sbus_timeout = 30
services = nss, pam, sudo, ssh
domains = LOCAL, DOMAIN1, DOMAIN2

[nss]
filter_users = adm,apache,avahi,bin,daemon,dbus,ecryptfs,ftp,git,games,gopher,haldaemon,halt,hfallback,ldap,lp,mail,mailnull,named,news,nfsnobody,nobody,nscd,nslcd,ntp,operator,oprofile,ossec,postfix,puppet,puppet-dashboard,pulse,pulse-access,radiusd,root,rpc,rpcuser,rtkit,saslauth,sfallback,shutdown,slocate,smmsp,sshd,sync,tcpdump,tss,uucp,vcsa
filter_groups = adm,apache,audio,bin,cdrom,cgred,daemon,dbus,dialout,dip,disk,ecryptfs,floppy,fuse,git,hfallback,kmem,ldap,lock,lp,mail,mailnull,man,mem,nfsnobody,nobody,nscd,ntp,ossec,oprofile,postdrop,postfix,puppet,puppet-dashboard,pulse,pulse-access,root,rpc,rpcuser,rtkit,saslauth,sfallback,slocate,smmsp,sshd,sys,tape,tcpdump,tss,tty,users,utempter,utmp,vcsa,video
override_shell = /bin/bash

[pam]
debug_level = 3
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
pam_verbosity = 1
pam_pwd_expiration_warning = 21
pam_account_expired_message = Account expired, please use selfservice portal to change your password and extend account.

[sudo]
debug_level=9

[ssh]
# debug_level=9

[domain/LOCAL]
description = LOCAL Users domain
id_provider = local
enumerate = true
min_id = 500
max_id = 999
default_shell = /bin/bash
base_directory = /home
create_homedir = false
remove_homedir = true
homedir_umask = 077
skel_dir = /etc/skel
mail_dir = /var/spool/mail


######### SECTION: DOMAIN1
[domain/DOMAIN1]
min_id = 499
debug_level = 9
cache_credentials = True
entry_cache_timeout = 864000

auth_provider = ldap
id_provider = ldap
access_provider = ldap
#chpass_provider = ldap
sudo_provider = ldap
selinux_provider = none
autofs_provider = none


# LDAP Search
ldap_search_base = dc=domain,dc=com
ldap_group_search_base = ou=groups,o=Domain,dc=domain,dc=com
ldap_user_search_base = ou=users,o=Domain,dc=domain,dc=com?subtree?(|(description=cn=stage,ou=groups,o=Domain,dc=domain,dc=com)(.....)(.....))


# LDAP Custom Schema
ldap_group_member = hMemberDN
ldap_user_member_of = description
# this should really be rfc2307
ldap_schema = rfc2307bis

ldap_network_timeout = 3
ldap_id_use_start_tls = False
ldap_tls_reqcert = never
ldap_tls_cacertdir = /etc/openldap/cacerts

ldap_uri = ldaps://s1.sec.domain.com, ldaps://s2.sec.domain.com, ldaps://s3.sec.domain.com
ldap_backup_uri = ldaps://66.X.Y.Z

ldap_default_authtok_type = obfuscated_password
ldap_default_bind_dn = uid=MYDN
ldap_default_authtok = MYPASS


ldap_user_ssh_public_key = sshPublicKey

ldap_pwd_policy = none
ldap_account_expire_policy = shadow
ldap_user_shadow_expire   = shadowExpire
# shadowExpire: days since Jan 1, 1970 that account is disabled: $ echo $(($(date --utc --date "$1" +%s)/86400))

ldap_chpass_update_last_change = false

ldap_access_order = filter, expire
ldap_access_filter = (&(objectClass=posixAccount)(uidNumber=*)(hAccountInitialSetup=1)(|(description=cn=stage,ou=groups,o=Domain,dc=domain,dc=com)))

# SUDO
ldap_sudo_search_base = ou=sudoers,o=Domain,dc=domain,dc=com
ldap_sudo_full_refresh_interval = 86400
ldap_sudo_smart_refresh_interval = 3600
#entry_cache_sudo_timeout = 5400

DOMAIN2 uses the same options, except for the filters and the user/group search bases.

hMemberDN is defined in nis.schema; it is a relic of OpenLDAP 2.2, a workaround applied before the transition to 2.4.40.

# Modification to posixGroup
attributetype ( 1.3.6.1.1.1.1.28 NAME 'hMemberDN'
        DESC 'RFC2256: member of a group'
        SUP distinguishedName )

objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup'
        DESC 'Abstraction of a group of accounts'
        SUP top STRUCTURAL
        MUST ( cn $ gidNumber )
        MAY ( userPassword $ memberUid $ hMemberDN $ description ) )

hMemberDN: uid=abc,ou=users,o=Domain,dc=domain,dc=com