What sets the dataExpireTimestamp to 1 in the cache files?
Should I file a bug? Affected users cannot use sudo on certain hosts.


# record 14
dn: name=stage,cn=groups,cn=DOMAIN2,cn=sysdb
createTimestamp: 1476812816
gidNumber: 16208

[....]

lastUpdate: 1476816339

[....]

dataExpireTimestamp: 1



root@stage ~ # sudo -U hfa-joswel-tehnicom -l
User hfa-joswel-tehnicom is not allowed to run sudo on stage.

root@stage ~ # sss_cache -E

root@stage ~ # sudo -U hfa-joswel-tehnicom -l
User hfa-joswel-tehnicom is not allowed to run sudo on stage.

root@stage ~ # id hfa-joswel-tehnicom
uid=116000059(hfa-joswel-tehnicom) gid=1003(....) groups=16102(....),16009(....),16205(....),16208(stage),1003(....)

root@stage ~ # sudo -U hfa-joswel-tehnicom -l
Matching Defaults entries for hfa-joswel-tehnicom on this host:
    env_keep+=SSH_AUTH_SOCK, logfile=/var/log/ldap-sudo.log, loglinelen=0, log_year, log_host, syslog=auth, ignore_dot, !mail_no_user, ignore_local_sudoers,
    umask=0077, umask_override, always_set_home, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG
    LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin:/bin:/usr/sbin:/usr/bin, badpass_message=Wrong password. I have noted your
    incompetence in the log. Don't think you're fooling anyone., !requiretty, passprompt=LDAP OnePassword for %u:

User hfa-joswel-tehnicom may run the following commands on this host:
    (ALL) PASSWD: ALL


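The transcript above shows sudo denying the user until `id` has refreshed the group membership, which comes down to whether the sudoRole's sudoUser (%stage) and sudoHost match what the sudo responder can see. The following added Python example (not part of this thread, of sudo or of SSSD) models that matching for the 'stage' rule quoted later in the thread and for an invented second rule; the host address 198.51.100.10 and the CIDR are constructed because the thread masks the real address as 216.X.Y.Z, and netgroups, command arguments and sudoOption are deliberately not modelled.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed rules. The first mirrors the sudoRole cn=stage from the thread
# (sudoUser %stage, sudoCommand ALL, sudoOrder 42) with a placeholder address;
# the second is invented to show a CIDR sudoHost and ordering by sudoOrder.
RULES: List[Dict] = [
    {"cn": "stage", "sudoOrder": 42, "sudoUser": ["%stage"],
     "sudoHost": ["198.51.100.10"], "sudoCommand": ["ALL"]},
    {"cn": "ops-status", "sudoOrder": 10, "sudoUser": ["%ops"],
     "sudoHost": ["198.51.100.0/26"], "sudoCommand": ["/usr/bin/systemctl status"]},
]


def host_matches(spec: str, hostname: str, addrs: Iterable[str]) -> bool:
    """sudoHost as modelled here: ALL, an exact hostname, or an address/CIDR
    containing one of the host's interface addresses. Netgroups are not handled."""
    if spec == "ALL" or spec.lower() == hostname.lower():
        return True
    try:
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False
    return any(ipaddress.ip_address(a) in net for a in addrs)


def user_matches(spec: str, user: str, groups: Iterable[str]) -> bool:
    """sudoUser as modelled here: ALL, a user name, or %group meaning
    membership in that POSIX group."""
    if spec == "ALL":
        return True
    if spec.startswith("%"):
        return spec[1:] in set(groups)
    return spec == user


def allowed_commands(rules: List[Dict], user: str, groups: Iterable[str],
                     hostname: str, addrs: Iterable[str]) -> List[str]:
    """Commands the user may run on this host, ordered by sudoOrder, taken from
    every rule whose sudoUser and sudoHost both match."""
    groups = list(groups)
    addrs = list(addrs)
    hits = [r for r in rules
            if any(user_matches(s, user, groups) for s in r["sudoUser"])
            and any(host_matches(s, hostname, addrs) for s in r["sudoHost"])]
    hits.sort(key=lambda r: r.get("sudoOrder", 0))
    return [cmd for r in hits for cmd in r["sudoCommand"]]


# Constructed group lists: what the responder sees while the 'stage' membership
# is missing from the cache, and after `id` has pulled it in.
STALE_GROUPS = ["dev"]
FRESH_GROUPS = ["dev", "stage"]

if __name__ == "__main__":
    for label, groups in (("stale cache", STALE_GROUPS), ("after id", FRESH_GROUPS)):
        cmds = allowed_commands(RULES, "hfa-joswel-tehnicom", groups, "stage", ["198.51.100.10"])
        print(f"{label}: {cmds or 'not allowed to run sudo'}")
```

The point of the model is that the rule itself never changes between the two runs; only the group list the responder is able to resolve does, which is why a denial that disappears after `id` is a cache question rather than an LDAP rule question.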
On 10/20/2016 07:29 AM, Mario Rossi wrote:
Hi Jakub,

That is correct, I have 2 users, one is a member of DOMAIN1, the other is a member of DOMAIN2. The options for both domains are similar as we use an automatic deployment system. One of the users is hfa-joswel-tehnicom (test account), the other one is azapravdin.

I thought local domain is required, I use it to inject a local emergency user on all servers. But I can remove local domain if it is recommended.

Thank you
Mario

On 10/20/2016 03:36 AM, Jakub Hrozek wrote:
On Wed, Oct 19, 2016 at 11:54:39AM -0400, Mario Rossi wrote:
Hi sssd-users list,

I am facing a strange issue on several CentOS servers. It seems that after a
while (days) sudo does not work any more for some of my users. We keep
sudo rules in OpenLDAP. If a user uses 'sudo su -', he gets an error
message ("User abc is not allowed to run sudo on ....") however if the user
runs 'id' followed by 'sudo su -' then in some of the cases, it works
fine, user can get root access. I even upgraded to the unofficial repo
hoping that the issue we see is similar/same to
https://fedorahosted.org/sssd/ticket/2970. But I think it's a different
issue.

Any ideas? Next I will be looking at dumping the local sssd cache files. I
can provide debug = 9 log files offline if needed.

I think this is the best course of action..

btw does the user come from DOMAIN1 or DOMAIN2?

and do you need the local domain? It's really code that mostly has
meaning for testing or experiments, I've never seen anyone using it in
production..

Thank you

root@server yum.repos.d # rpm -qa | egrep sssd
sssd-common-pac-1.13.4-4.el6.x86_64
sssd-ldap-1.13.4-4.el6.x86_64
sssd-tools-1.13.4-4.el6.x86_64
sssd-client-1.13.4-4.el6.x86_64
sssd-ad-1.13.4-4.el6.x86_64
python-sssdconfig-1.13.4-4.el6.noarch
sssd-common-1.13.4-4.el6.x86_64
sssd-ipa-1.13.4-4.el6.x86_64
sssd-proxy-1.13.4-4.el6.x86_64
sssd-krb5-common-1.13.4-4.el6.x86_64
sssd-krb5-1.13.4-4.el6.x86_64
sssd-1.13.4-4.el6.x86_64

root@server sssd # vim /etc/sssd/sssd.conf  # set debug = 9

root@server sssd # sudo -U abc -l
User abc is not allowed to run sudo on server.

root@server sssd # egrep sudo /etc/nsswitch.conf
sudoers:    sss

root@server sssd # ip a s dev eth0 | egrep global
    inet 216.X.Y.Z/26 brd 216.X.Y.Z scope global eth0


root@server sssd # id abc
uid=100001044(abc) gid=1009(...) groups=1202(...),1168(...),1191(...),1102(...),1009(...),1101(...),1127(...),1167(...),1111(...),1178(...),1109(...),1199(...),1208(stage),1117(...),1198(...),1192(...),1206(...),1176(...),1404(...),1183(...),1103(...),1110(...),1205

root@abc sssd # sudo -U abc -l
Matching Defaults entries for abc on this host:
[...]

User abc may run the following commands on this host:
    (ALL) PASSWD: ALL


# LDAP Sudo def
dn: cn=stage,ou=sudoers,o=Domain,dc=domain,dc=com
sudoOrder: 42
[...]
sudoUser: %stage
sudoRunAs: ALL
cn: stage
description: Allow Trusted Senior stuff become root
sudoCommand: ALL
sudoHost: 216.X.Y.Z
[...]
objectClass: top
objectClass: sudoRole
sudoOption: authenticate



# Group def
dn: cn=stage,ou=groups,o=Domain,dc=domain,dc=com
gidNumber: 1208
cn: stage
description: stage Group
objectClass: posixGroup
objectClass: top
memberUid: abc
hMemberDN: uid=abc,ou=users,o=Domain,dc=domain,dc=com


Sanitized sssd.conf:

[sssd]
config_file_version = 2
sbus_timeout = 30
services = nss, pam, sudo, ssh
domains = LOCAL, DOMAIN1, DOMAIN2

[nss]
filter_users = adm,apache,avahi,bin,daemon,dbus,ecryptfs,ftp,git,games,gopher,haldaemon,halt,hfallback,ldap,lp,mail,mailnull,named,news,nfsnobody,nobody,nscd,nslcd,ntp,operator,oprofile,ossec,postfix,puppet,puppet-dashboard,pulse,pulse-access,radiusd,root,rpc,rpcuser,rtkit,saslauth,sfallback,shutdown,slocate,smmsp,sshd,sync,tcpdump,tss,uucp,vcsa
filter_groups = adm,apache,audio,bin,cdrom,cgred,daemon,dbus,dialout,dip,disk,ecryptfs,floppy,fuse,git,hfallback,kmem,ldap,lock,lp,mail,mailnull,man,mem,nfsnobody,nobody,nscd,ntp,ossec,oprofile,postdrop,postfix,puppet,puppet-dashboard,pulse,pulse-access,root,rpc,rpcuser,rtkit,saslauth,sfallback,slocate,smmsp,sshd,sys,tape,tcpdump,tss,tty,users,utempter,utmp,vcsa,video
override_shell = /bin/bash

[pam]
debug_level = 3
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
pam_verbosity = 1
pam_pwd_expiration_warning = 21
pam_account_expired_message = Account expired, please use selfservice portal to change your password and extend account.

[sudo]
debug_level=9

[ssh]
# debug_level=9

[domain/LOCAL]
description = LOCAL Users domain
id_provider = local
enumerate = true
min_id = 500
max_id = 999
default_shell = /bin/bash
base_directory = /home
create_homedir = false
remove_homedir = true
homedir_umask = 077
skel_dir = /etc/skel
mail_dir = /var/spool/mail


######### SECTION: DOMAIN1
[domain/DOMAIN1]
min_id = 499
debug_level = 9
cache_credentials = True
entry_cache_timeout = 864000

auth_provider = ldap
id_provider = ldap
access_provider = ldap
#chpass_provider = ldap
sudo_provider = ldap
selinux_provider = none
autofs_provider = none


# LDAP Search
ldap_search_base = dc=domain,dc=com
ldap_group_search_base = ou=groups,o=Domain,dc=domain,dc=com
ldap_user_search_base = ou=users,o=Domain,dc=domain,dc=com?subtree?(|(description=cn=stage,ou=groups,o=Domain,dc=domain,dc=com)(.....)(.....))


# LDAP Custom Schema
ldap_group_member = hMemberDN
ldap_user_member_of = description
# this should really be rfc2307
ldap_schema = rfc2307bis

ldap_network_timeout = 3
ldap_id_use_start_tls = False
ldap_tls_reqcert = never
ldap_tls_cacertdir = /etc/openldap/cacerts

ldap_uri = ldaps://s1.sec.domain.com, ldaps://s2.sec.domain.com, ldaps://s3.sec.domain.com
ldap_backup_uri = ldaps://66.X.Y.Z

ldap_default_authtok_type = obfuscated_password
ldap_default_bind_dn = uid=MYDN
ldap_default_authtok = MYPASS


ldap_user_ssh_public_key = sshPublicKey

ldap_pwd_policy = none
ldap_account_expire_policy = shadow
ldap_user_shadow_expire   = shadowExpire
# shadowExpire: days since Jan 1, 1970 that account is disabled: $ echo $(($(date --utc --date "$1" +%s)/86400))

ldap_chpass_update_last_change = false

ldap_access_order = filter, expire
ldap_access_filter = (&(objectClass=posixAccount)(uidNumber=*)(hAccountInitialSetup=1)(|(description=cn=stage,ou=groups,o=Domain,dc=domain,dc=com)))

# SUDO
ldap_sudo_search_base = ou=sudoers,o=Domain,dc=domain,dc=com
ldap_sudo_full_refresh_interval = 86400
ldap_sudo_smart_refresh_interval = 3600
#entry_cache_sudo_timeout = 5400

The same options for DOMAIN2 except filters and user/group base.

hMemberDN is defined in nis.schema, a relic of OpenLDAP 2.2, a workaround
applied before transitioning to 2.4.40.

# Modification to posixGroup
attributetype ( 1.3.6.1.1.1.1.28 NAME 'hMemberDN'
        DESC 'RFC2256: member of a group'
        SUP distinguishedName )

objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup'
        DESC 'Abstraction of a group of accounts'
        SUP top STRUCTURAL
        MUST ( cn $ gidNumber )
        MAY ( userPassword $ memberUid $ hMemberDN $ description ) )

hMemberDN: uid=abc,ou=users,o=Domain,dc=domain,dc=com




_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org