What format are your groups listed in /etc/sudoers? Use this example:
[striker-ad@el7client01 ~]$ id
uid=1672401105(striker-ad) gid=1672400513(domain users)
groups=1672400513(domain users)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[striker-ad@el7client01 ~]$ sudo tail -n 1 /etc/sudoers
%win\\domain\ users ALL = NOPASSWD: ALL
[striker-ad@el7client01 ~]$
Groups should be listed as '%<netbios>\\<group>' or, if they have
spaces, '%<netbios>\\<group\ name>'.
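As an added illustration of the group-name format described above (this is not code from the thread), a small Python checker that extracts the leading %group token of a sudoers line, undoes the '\\' and '\ ' escaping, and compares the result against the groups reported by `id`. The NetBIOS handling is an assumption: it treats 'NETBIOS\group' as the same group that `id` shows unqualified, and compares names case-insensitively as SSSD's AD provider does by default.

```python
import re

# Constructed sample input modelled on the thread: the `id` output of the AD
# user and the sudoers line meant to grant that user's primary group access.
ID_OUTPUT = ("uid=1672401105(striker-ad) gid=1672400513(domain users) "
             "groups=1672400513(domain users) "
             "context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")
SUDOERS_LINE = r"%win\\domain\ users ALL = NOPASSWD: ALL"


def group_spec_from_line(line: str) -> str:
    """Return the leading User_List token of a sudoers line. The token ends at
    the first unescaped whitespace, so a '\\ ' inside a group name is kept."""
    spec, i = [], 0
    while i < len(line) and not line[i].isspace():
        if line[i] == "\\" and i + 1 < len(line):
            spec.append(line[i:i + 2])   # keep the escape pair together
            i += 2
        else:
            spec.append(line[i])
            i += 1
    return "".join(spec)


def unescape_sudoers_group(spec: str) -> str:
    """Strip the leading '%' and undo sudoers escaping ('\\\\' -> '\\',
    '\\ ' -> ' ') to get the group name sudo will look up through NSS."""
    if not spec.startswith("%"):
        raise ValueError("not a group spec: %r" % spec)
    return re.sub(r"\\(.)", r"\1", spec[1:])


def id_group_names(id_output: str) -> list:
    """Parse group names out of `id` output: 'groups=GID(name),GID(name)...'."""
    _, _, rest = id_output.partition("groups=")
    return re.findall(r"\d+\(([^)]*)\)", rest)


def rule_applies(sudoers_line: str, id_output: str, netbios: str = None) -> bool:
    """True when the %group on this sudoers line names a group the user is in.
    Assumption: a 'NETBIOS\\' prefix matching `netbios` resolves to the same
    group `id` shows unqualified, and names compare case-insensitively."""
    name = unescape_sudoers_group(group_spec_from_line(sudoers_line))
    if netbios and name.lower().startswith(netbios.lower() + "\\"):
        name = name[len(netbios) + 1:]
    return name.lower() in {g.lower() for g in id_group_names(id_output)}
```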
On 05/17/2017 04:22 PM, Abhijit Tikekar wrote:
Sorry for the confusion. Sudo groups are in AD. We just add the AD
group under sudoers.
E.g. users from AD groups ABC and XYZ can log in, but only members of XYZ
can "sudo su".
%XYZ is added under /etc/sudoers
Thanks,
~abhi
On May 17, 2017, at 3:21 PM, Striker Leggette <striker(a)terranforge.com> wrote:
> Where are your sudo rules stored? You give sudo debug log from SSSD,
> but also say that the user's group is in /etc/sudoers. Are sudo
> rules in AD or local to the system?
>
>
> On 05/17/2017 02:17 PM, Abhijit Tikekar wrote:
>>
>> Hi,
>>
>> On multiple machines where SSSD is being used, “sudo” has stopped
>> working. Users can authenticate successfully based on their group
>> memberships, but are unable to elevate privileges.
>>
>> [first.last@hostname ~]$ sudo su
>>
>> [sudo] password for first.last:
>>
>> Sorry, try again.
>>
>> [sudo] password for first.last:
>>
>> Here is the SSSD Configuration:
>>
>> [sssd]
>> domains = X.Y.LOCAL
>> services = nss, pam, sudo
>> config_file_version = 2
>> debug_level = 0
>>
>> [nss]
>>
>> [pam]
>>
>> [sudo]
>> debug_level=10
>>
>> [domain/x.y.local]
>> debug_level=0
>> ad_server = AD.x.y.local
>> id_provider = ad
>> auth_provider = ad
>> access_provider = ad
>> sudo_provider = ad
>> ldap_id_mapping = true
>> ldap_use_tokengroups = False
>> ldap_sasl_mech = GSSAPI
>> krb5_realm = X.Y.LOCAL
>> ldap_uri = ldap://AD.x.y.local
>> ldap_sudo_search_base = ou=
>> ldap_user_search_base = dc=
>> ldap_user_object_class = user
>> ldap_group_search_base = ou
>> ldap_group_object_class = group
>> ldap_user_home_directory = unixHomeDirectory
>> ldap_user_principal = userPrincipalName
>> ldap_access_order = filter, expire
>> ldap_account_expire_policy = ad
>> ldap_access_filter =
>> cache_credentials = true
>> override_homedir = /home/%d/%u
>> default_shell = /bin/bash
>> ldap_schema = ad
>>
>> Here is sssd_sudo.log with level set to 10
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]]
>> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=first.last)(sudoUser=first.last)(sudoUser=#xxxxxxxxx)(sudoUser=%yyyyyyyy)(sudoUser=%zzzzzz)]
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed
>> event "ltdb_callback": 0x24216e0
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed
>> event "ltdb_timeout": 0x241d2f0
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Running
>> timer event 0x24216e0 "ltdb_callback"
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Destroying
>> timer event 0x241d2f0 "ltdb_timeout"
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer
>> event 0x24216e0 "ltdb_callback"
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_rules]
>> (0x2000): About to get sudo rules from cache
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]]
>> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> [(&(objectClass=sudoRule)(|(name=defaults)))]
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed
>> event "ltdb_callback": 0x2421880
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed
>> event "ltdb_timeout": 0x241bd70
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Running
>> timer event 0x2421880 "ltdb_callback"
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Destroying
>> timer event 0x241bd70 "ltdb_timeout"
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer
>> event 0x2421880 "ltdb_callback"
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]]
>> [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for
>> [<default options>(a)x.y.local]
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [reset_idle_timer] (0x4000):
>> Idle timer re-set for client [0x241dbe0][17]
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [reset_idle_timer] (0x4000):
>> Idle timer re-set for client [0x241dbe0][17]
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_cmd] (0x2000):
>> Using protocol version [1]
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sss_parse_name_for_domains]
>> (0x0200): name 'first.last' matched without domain, user is first.last
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sss_parse_name_for_domains]
>> (0x0200): name 'first.last' matched without domain, user is first.last
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]]
>> [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for
>> [first.last] from [<ALL>]
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sss_ncache_check_str]
>> (0x2000): Checking negative cache for [NCE/USER/x.y.local/first.last]
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_user] (0x0200):
>> Requesting info about [first.last(a)x.y.local]
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed
>> event "ltdb_callback": 0x2411ce0
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed
>> event "ltdb_timeout": 0x241bcf0
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Running
>> timer event 0x2411ce0 "ltdb_callback"
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Destroying
>> timer event 0x241bcf0 "ltdb_timeout"
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer
>> event 0x2411ce0 "ltdb_callback"
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_user] (0x0400):
>> Returning info for user [first.last(a)x.y.local]
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_rules]
>> (0x0400): Retrieving rules for [first.last] from [x.y.local]
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed
>> event "ltdb_callback": 0x2416450
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed
>> event "ltdb_timeout": 0x241a150
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Running
>> timer event 0x2416450 "ltdb_callback"
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Destroying
>> timer event 0x241a150 "ltdb_timeout"
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer
>> event 0x2416450 "ltdb_callback"
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed
>> event "ltdb_callback": 0x2412df0
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed
>> event "ltdb_timeout": 0x2421340
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Running
>> timer event 0x2412df0 "ltdb_callback"
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Destroying
>> timer event 0x2421340 "ltdb_timeout"
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer
>> event 0x2412df0 "ltdb_callback"
>>
>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sysdb_search_group_by_gid]
>> (0x0400): No such entry
>>
>> Verified that the correct %groupname entry exists in the /etc/sudoers file.
>>
>> What else can be checked?
>>
>> Thanks,
>>
>> ~ abhi
>>