On (13/11/17 11:20), Andrea Passuello wrote:
Thanks all for the answers.
This is the debug with level=10.
(Mon Nov 13 10:35:40 2017) [sssd[be[MYDOMAIN.COM]]] [sbus_dispatch]
(0x4000): dbus conn: 0xe76180
(Mon Nov 13 10:35:40 2017) [sssd[be[MYDOMAIN.COM]]] [sbus_dispatch]
(0x4000): Dispatching.
(Mon Nov 13 10:35:40 2017) [sssd[be[MYDOMAIN.COM]]] [sbus_message_handler]
(0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path
/org/freedesktop/sssd/service
(Mon Nov 13 10:35:40 2017) [sssd[be[MYDOMAIN.COM]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
==> sssd_sudo.log <==
(Mon Nov 13 10:35:47 2017) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x1f4b430][19]
(Mon Nov 13 10:35:47 2017) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!
(Mon Nov 13 10:35:47 2017) [sssd[sudo]] [client_destructor] (0x2000):
Terminated client [0x1f4b430][19]
==> sssd_MYDOMAIN.COM.log <==
(Mon Nov 13 10:35:50 2017) [sssd[be[MYDOMAIN.COM]]] [sbus_dispatch]
(0x4000): dbus conn: 0xe76180
(Mon Nov 13 10:35:50 2017) [sssd[be[MYDOMAIN.COM]]] [sbus_dispatch]
(0x4000): Dispatching.
(Mon Nov 13 10:35:50 2017) [sssd[be[MYDOMAIN.COM]]] [sbus_message_handler]
(0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path
/org/freedesktop/sssd/service
(Mon Nov 13 10:35:50 2017) [sssd[be[MYDOMAIN.COM]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
==> sssd_sudo.log <==
(Mon Nov 13 10:35:50 2017) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus
conn: 0x1f3d6d0
(Mon Nov 13 10:35:50 2017) [sssd[sudo]] [sbus_dispatch] (0x4000):
Dispatching.
(Mon Nov 13 10:35:50 2017) [sssd[sudo]] [sbus_message_handler] (0x2000):
Received SBUS method org.freedesktop.sssd.service.ping on path
/org/freedesktop/sssd/service
(Mon Nov 13 10:35:50 2017) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000):
Not a sysbus message, quit
You didn't provide sudo logs, only sssd logs.
This is the output of "sudo -l"
$ sudo -l
Matching Defaults entries for MYUSER on andrea-X550LA:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User MYUSER may run the following commands on andrea-X550LA:
(root) NOPASSWD: /usr/lib/linuxmint/mintUpdate/checkAPT.py
(ALL : ALL)
OK,
sudo says that you are allowed to run some commands.
I cannot see any problem.
My sudo version is 1.8.16, I think it should be quite up-to-date. Isn't it?
If I check MYUSER's groups I can see the SystemAdmin group, which is the
group I set in LDAP and is referred to by LDAP's sudoers.
$ groups
MYUSER adm cdrom dip plugdev lpadmin sambashare wireshark SystemAdmin
This is the ldapsearch's output
$ ldapsearch -H ldap://LDAPSERVER -b ou=sudoers,dc=MYDOMAIN,dc=COM -ZZ
'(&(objectClass=sudoRole))' -x
# extended LDIF
#
# LDAPv3
# base <ou=sudoers,dc=MYDOMAIN,dc=COM> with scope subtree
# filter: (&(objectClass=sudoRole))
# requesting: ALL
#
# SystemAdmin, sudoers, MYDOMAIN.COM
dn: cn=SystemAdmin,ou=sudoers,dc=MYDOMAIN,dc=COM
cn: SystemAdmin
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoHost: ALL
sudoUser: %SystemAdmin
sudoOrder: 0
objectClass: sudoRole
Ahh, you want to check this rule.
Is that sudo rule stored in sssd cache?
You can check with ldbsearch
ldbsearch -H /var/lib/sss/db/cache_${domain}.ldb
The output looks like LDIF but it is not the same as what is stored in the directory server,
because it is sssd's internal cache and not a mirror of the directory server.
BTW is your user member of group SystemAdmin?
Call "id" without any parameters in the same shell as sudo.
I would also recommend to check sudo logs
https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html
-> "a) How do I get sudo logs?"
LS
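The two checks suggested above (is the user really in SystemAdmin, and does a stored sudoRole match that user on this host) can be repeated offline over saved output. The script below is an added example, not code from the thread or from SSSD: it parses LDIF-style text as printed by ldapsearch (or by ldbsearch against the sssd cache, whose exact attribute names are an assumption here), reads the user and groups from the output of `id`, and lists the rule DNs whose sudoUser/sudoHost apply. The sample LDIF embeds the SystemAdmin rule from the thread plus a constructed second rule; the second rule, the `id` line and the hostnames are constructed, not from the page.

```python
#!/usr/bin/env python3
"""Offline check of which sudoRole entries apply to a user (added example).

Input: LDIF-style text saved from ldapsearch or ldbsearch, plus `id` output.
Only sudoUser, sudoHost and objectClass are consulted.
"""
import base64
import re
import sys


def unfold(text):
    """Join LDIF folded lines: a line beginning with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF-style text into a list of entries ({attr_lowercase: [values]})."""
    entries, current = [], {}
    for line in unfold(text):
        if not line.strip():            # a blank line ends a record
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue                    # comments and version lines carry no attributes
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):       # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


ID_GROUP_RE = re.compile(r"\d+\((?P<name>[^)]+)\)")


def parse_id_output(id_output):
    """Return (username, set of group names) from `id` output such as
    'uid=1000(MYUSER) gid=1000(MYUSER) groups=1000(MYUSER),4(adm)'."""
    user = re.match(r"uid=\d+\((?P<u>[^)]+)\)", id_output).group("u")
    _, _, groups_part = id_output.partition("groups=")
    return user, {m.group("name") for m in ID_GROUP_RE.finditer(groups_part)}


def rule_applies(rule, user, groups, host):
    """True if the rule's sudoUser and sudoHost cover user@host.

    sudoUser values handled: ALL, a plain username, %group. Netgroups (+name),
    negations (!x) and wildcards are not resolved, so they never match here.
    """
    user_candidates = {"ALL", user} | {"%" + g for g in groups}
    host_candidates = {"ALL", host}
    return (any(v in user_candidates for v in rule.get("sudouser", []))
            and any(v in host_candidates for v in rule.get("sudohost", [])))


def matching_rules(ldif_text, id_output, host):
    """DNs of sudo rules in ldif_text that apply to the user described by id_output."""
    user, groups = parse_id_output(id_output)
    # Directory entries use objectClass sudoRole; also accepting "sudorule" is an
    # assumption about how the sssd cache names the class.
    rule_classes = {"sudorole", "sudorule"}
    return [
        entry["dn"][0]
        for entry in parse_ldif(ldif_text)
        if rule_classes & {v.lower() for v in entry.get("objectclass", [])}
        and rule_applies(entry, user, groups, host)
    ]


# Constructed sample: the SystemAdmin rule from the thread plus a second rule for contrast.
SAMPLE_LDIF = """\
# extended LDIF
#
# SystemAdmin, sudoers,
 MYDOMAIN.COM
dn: cn=SystemAdmin,ou=sudoers,dc=MYDOMAIN,dc=COM
cn: SystemAdmin
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoHost: ALL
sudoUser: %SystemAdmin
sudoOrder: 0
objectClass: sudoRole

dn: cn=backup,ou=sudoers,dc=MYDOMAIN,dc=COM
cn: backup
sudoHost: backup01
sudoUser: backupuser
sudoCommand: /usr/bin/rsync
objectClass: sudoRole
"""

# Constructed `id` output for a user who is in SystemAdmin.
SAMPLE_ID = "uid=1000(MYUSER) gid=1000(MYUSER) groups=1000(MYUSER),4(adm),1001(SystemAdmin)"

if __name__ == "__main__":
    # Usage: check_sudo_rule.py rules.ldif "$(id)" "$(hostname)"; with no arguments the sample runs.
    ldif = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    id_out = sys.argv[2] if len(sys.argv) > 2 else SAMPLE_ID
    host = sys.argv[3] if len(sys.argv) > 3 else "andrea-X550LA"
    for dn in matching_rules(ldif, id_out, host) or ["(no rule matched)"]:
        print(dn)
```

Running it first against `ldapsearch ... > rules.ldif` and then against `ldbsearch -H /var/lib/sss/db/cache_${domain}.ldb > cache.ldif` separates the two failure modes the thread circles around: a rule that matches in the directory but is absent or different in the cache points at sssd's sudo refresh, while a rule that matches nowhere points at the rule itself or at the group membership shown by `id`.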