Sorry for the confusion. Sudo groups are in AD. We just add the AD group under sudoers.
E.g. users from AD group ABC, XYZ can log in but only members of XYZ can "sudo su".
%XYZ is added under /etc/sudoers
Thanks,
~abhi
On May 17, 2017, at 3:21 PM, Striker Leggette
<striker(a)terranforge.com> wrote:
Where are your sudo rules stored? You give sudo debug log from SSSD, but also say that
the user's group is in /etc/sudoers. Are sudo rules in AD or local to the system?
> On 05/17/2017 02:17 PM, Abhijit Tikekar wrote:
> Hi,
>
> On multiple machines where SSSD is being used, “sudo” has stopped working. Users can authenticate successfully based on their group memberships, but are unable to elevate privileges.
>
> [first.last@hostname ~]$ sudo su
> [sudo] password for first.last:
> Sorry, try again.
> [sudo] password for first.last:
>
>
> Here is the SSSD Configuration:
>
> [sssd]
> domains = X.Y.LOCAL
> services = nss, pam, sudo
> config_file_version = 2
> debug_level = 0
> [nss]
> [pam]
> [sudo]
> debug_level=10
> [domain/x.y.local]
> debug_level=0
> ad_server = AD.x.y.local
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> sudo_provider = ad
> ldap_id_mapping = true
> ldap_use_tokengroups = False
> ldap_sasl_mech = GSSAPI
> krb5_realm = X.Y.LOCAL
> ldap_uri = ldap://AD.x.y.local
> ldap_sudo_search_base = ou=
> ldap_user_search_base = dc=
> ldap_user_object_class = user
> ldap_group_search_base = ou
> ldap_group_object_class = group
> ldap_user_home_directory = unixHomeDirectory
> ldap_user_principal = userPrincipalName
> ldap_access_order = filter, expire
> ldap_account_expire_policy = ad
> ldap_access_filter =
> cache_credentials = true
> override_homedir = /home/%d/%u
> default_shell = /bin/bash
> ldap_schema = ad
>
>
>
> Here is sssd_sudo.log with level set to 10
>
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=first.last)(sudoUser=first.last)(sudoUser=#xxxxxxxxx)(sudoUser=%yyyyyyyy)(sudoUser=%zzzzzz)]
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x24216e0
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x241d2f0
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x24216e0 "ltdb_callback"
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x241d2f0 "ltdb_timeout"
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x24216e0 "ltdb_callback"
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x2421880
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x241bd70
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x2421880 "ltdb_callback"
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x241bd70 "ltdb_timeout"
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x2421880 "ltdb_callback"
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>(a)x.y.local]
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x241dbe0][17]
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x241dbe0][17]
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'first.last' matched without domain, user is first.last
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'first.last' matched without domain, user is first.last
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [first.last] from [<ALL>]
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/x.y.local/first.last]
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [first.last(a)x.y.local]
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x2411ce0
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x241bcf0
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x2411ce0 "ltdb_callback"
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x241bcf0 "ltdb_timeout"
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x2411ce0 "ltdb_callback"
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [first.last(a)x.y.local]
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [first.last] from [x.y.local]
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x2416450
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x241a150
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x2416450 "ltdb_callback"
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x241a150 "ltdb_timeout"
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x2416450 "ltdb_callback"
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x2412df0
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x2421340
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x2412df0 "ltdb_callback"
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x2421340 "ltdb_timeout"
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x2412df0 "ltdb_callback"
> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
>
>
> Verified that correct %groupname entry exists under /etc/sudoers file.
>
> What else can be checked?
>
> Thanks,
>
> ~ abhi
>
>
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
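An added diagnostic for the situation in this thread (local %group sudoers rules, group membership coming from AD via SSSD); it is not code from the thread or from SSSD. It pulls the group names SSSD put into its sysdb sudo-rule filter (the sudoUser=%group terms in sssd_sudo.log) and compares them with the %group entries of a sudoers file, so one can see whether the group granted in sudoers was resolved for the user at all; the log line and sudoers text are constructed samples modelled on the thread, not real data.

```shell
#!/bin/sh
# Added helper, not from the thread. Checks whether the group granted in
# sudoers ever appeared in SSSD's sudo-rule search, which is what the
# sudoUser=%group terms in the sssd_sudo.log filter record.
set -e

# Group names SSSD searched for: the sudoUser=%name terms of the sysdb filter.
log_sudo_groups() {
    grep -o 'sudoUser=%[^)]*' "$1" | sed 's/^sudoUser=%//' | LC_ALL=C sort -u
}

# Group names granted rules in a sudoers file (%name at line start; comments ignored).
sudoers_groups() {
    grep -v '^[[:space:]]*#' "$1" | grep -o '^[[:space:]]*%[^[:space:]]*' \
        | sed 's/^[[:space:]]*%//' | LC_ALL=C sort -u
}

# Groups in both sets; empty output means no sudoers %group rule can match this user.
matching_groups() {
    l=$(mktemp); s=$(mktemp)
    log_sudo_groups "$1" >"$l"
    sudoers_groups "$2" >"$s"
    LC_ALL=C comm -12 "$l" "$s"
    rm -f "$l" "$s"
}

# Number of GID lookups that found nothing in the cache (last line of the thread's log).
gid_lookup_failures() {
    grep -c 'sysdb_search_group_by_gid.*No such entry' "$1" || true
}

# Constructed samples: the filter names ABC and XYZ, sudoers grants only XYZ.
LOG_SAMPLE=$(mktemp)
cat >"$LOG_SAMPLE" <<'EOF'
(Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=first.last)(sudoUser=#1234567)(sudoUser=%ABC)(sudoUser=%XYZ)))]
(Wed May 17 13:33:51 2017) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
EOF
SUDOERS_SAMPLE=$(mktemp)
cat >"$SUDOERS_SAMPLE" <<'EOF'
# %OLDGROUP ALL=(ALL) ALL
%XYZ ALL=(ALL) ALL
EOF

echo "groups SSSD searched: $(log_sudo_groups "$LOG_SAMPLE" | tr '\n' ' ')"
echo "groups in sudoers:    $(sudoers_groups "$SUDOERS_SAMPLE" | tr '\n' ' ')"
echo "matching groups:      $(matching_groups "$LOG_SAMPLE" "$SUDOERS_SAMPLE" | tr '\n' ' ')"
echo "failed GID lookups:   $(gid_lookup_failures "$LOG_SAMPLE")"
```

On a real host, point the two functions at the actual sssd_sudo.log and /etc/sudoers instead of the constructed samples; an empty "matching groups" line together with a non-zero GID failure count points at group resolution on the client rather than at the sudoers rule.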