What format are your groups listed in /etc/sudoers?  Use this example:


[striker-ad@el7client01 ~]$ id
uid=1672401105(striker-ad) gid=1672400513(domain users) groups=1672400513(domain users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[striker-ad@el7client01 ~]$ sudo tail -n 1 /etc/sudoers
%win\\domain\ users ALL = NOPASSWD: ALL
[striker-ad@el7client01 ~]$


Groups should be listed as '%<netbios>\\<group>' or, if they have spaces, '%<netbios>\\<group\ name>'.
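The format rule above, as an added example (not code from the thread or the SSSD project): a small Python helper that builds the escaped '%<netbios>\\<group\ name>' token, parses a sudoers line back the way sudo tokenises a User_List (a backslash makes the next character literal, the token ends at the first unescaped blank), and checks the line against `id` output. It assumes `id` prints the short group name, as in the session above.

```python
import re
# Added example, not from the thread: build/parse the sudoers User_List token
# for an AD group ('%<netbios>\\<group\ name>') and check it against `id` output.

def sudoers_group_spec(netbios, group):
    r"""'%' + netbios + '\' + group with backslashes and whitespace
    escaped, e.g. ('win', 'domain users') -> %win\\domain\ users"""
    name = f"{netbios}\\{group}"
    return "%" + re.sub(r"([\\\s])", r"\\\1", name)

def parse_user_spec(line):
    """Split a sudoers line into (kind, name, rest). The token ends at
    the first unescaped blank; a backslash makes the next char literal."""
    chars, i = [], 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):   # escaped char: keep literally
            chars.append(line[i + 1])
            i += 2
            continue
        if c.isspace():                        # unescaped blank ends token
            break
        chars.append(c)
        i += 1
    token, rest = "".join(chars), line[i:].strip()
    if token.startswith("%"):
        return "group", token[1:], rest
    return "user", token, rest

def groups_from_id(id_output):
    """Lower-cased group names from `id` output such as 'groups=513(domain users)'."""
    after = id_output.split("groups=", 1)[1]
    return {g.lower() for g in re.findall(r"\d+\(([^)]*)\)", after)}

def spec_matches(line, id_output):
    r"""True if the line's %group names one of the user's groups. Assumes
    `id` prints the short name (as in the reply), so the '<netbios>\'
    prefix is dropped before the case-insensitive comparison."""
    kind, name, _ = parse_user_spec(line)
    if kind != "group":
        return False
    short = name.split("\\", 1)[1] if "\\" in name else name
    return short.lower() in groups_from_id(id_output)

if __name__ == "__main__":   # ID is constructed from the reply's `id` output
    ID = "uid=1672401105(striker-ad) gid=1672400513(domain users) groups=1672400513(domain users)"
    good = sudoers_group_spec("win", "domain users") + " ALL = NOPASSWD: ALL"
    print(good, spec_matches(good, ID))        # %win\\domain\ users ...  True
    print(parse_user_spec("%domain users ALL = NOPASSWD: ALL"))  # group is only 'domain'
```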


On 05/17/2017 04:22 PM, Abhijit Tikekar wrote:
Sorry for the confusion. Sudo groups are in AD. We just add the AD group under sudoers.

E.g. users from AD group ABC, XYZ can log in but only members of XYZ can "sudo su".
%XYZ is added under /etc/sudoers

Thanks,

~abhi

On May 17, 2017, at 3:21 PM, Striker Leggette <striker@terranforge.com> wrote:

Where are your sudo rules stored?  You give sudo debug log from SSSD, but also say that the user's group is in /etc/sudoers.  Are sudo rules in AD or local to the system?


On 05/17/2017 02:17 PM, Abhijit Tikekar wrote:

Hi,

On multiple machines where SSSD is being used, “sudo” has stopped working. Users can authenticate successfully based on their group memberships, but are unable to elevate privileges.

[first.last@hostname ~]$ sudo su
[sudo] password for first.last:
Sorry, try again.
[sudo] password for first.last:

Here is the SSSD Configuration:

[sssd]
domains = X.Y.LOCAL
services = nss, pam, sudo
config_file_version = 2
debug_level = 0

[nss]

[pam]

[sudo]
debug_level=10

[domain/x.y.local]
debug_level=0
ad_server = AD.x.y.local
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
ldap_id_mapping = true
ldap_use_tokengroups = False
ldap_sasl_mech = GSSAPI
krb5_realm = X.Y.LOCAL
ldap_uri = ldap://AD.x.y.local
ldap_sudo_search_base = ou=
ldap_user_search_base = dc=
ldap_user_object_class = user
ldap_group_search_base = ou
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ldap_access_filter = 
cache_credentials = true
override_homedir = /home/%d/%u
default_shell = /bin/bash
ldap_schema = ad

Here is sssd_sudo.log with level set to 10

(Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=first.last)(sudoUser=first.last)(sudoUser=#xxxxxxxxx)(sudoUser=%yyyyyyyy)(sudoUser=%zzzzzz)]
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x24216e0
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x241d2f0
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x24216e0 "ltdb_callback"
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x241d2f0 "ltdb_timeout"
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x24216e0 "ltdb_callback"
(Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x2421880
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x241bd70
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x2421880 "ltdb_callback"
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x241bd70 "ltdb_timeout"
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x2421880 "ltdb_callback"
(Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@x.y.local]
(Wed May 17 13:33:51 2017) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x241dbe0][17]
(Wed May 17 13:33:51 2017) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x241dbe0][17]
(Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Wed May 17 13:33:51 2017) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'first.last' matched without domain, user is first.last
(Wed May 17 13:33:51 2017) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'first.last' matched without domain, user is first.last
(Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [first.last] from [<ALL>]
(Wed May 17 13:33:51 2017) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/x.y.local/first.last]
(Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [first.last@x.y.local]
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x2411ce0
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x241bcf0
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x2411ce0 "ltdb_callback"
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x241bcf0 "ltdb_timeout"
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x2411ce0 "ltdb_callback"
(Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [first.last@x.y.local]
(Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [first.last] from [x.y.local]
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x2416450
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x241a150
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x2416450 "ltdb_callback"
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x241a150 "ltdb_timeout"
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x2416450 "ltdb_callback"
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x2412df0
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x2421340
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x2412df0 "ltdb_callback"
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x2421340 "ltdb_timeout"
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x2412df0 "ltdb_callback"
(Wed May 17 13:33:51 2017) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry



Verified that correct %groupname entry exists under /etc/sudoers file.


What else can be checked?


Thanks,


~ abhi 



sssd-users mailing list -- sssd-users@lists.fedorahosted.org