I've got a few dozen servers using SSSD to authenticate and retrieve SUDO rules stored in AD and GPO.  Everything works perfectly except for a new RHEL 6.8 server I brought up.  sssd version 1.13.3 on both the working 6.8 and non-working 6.8 server.  I literally copied the nsswitch, sssd.conf and pam.d configs between the two just to make sure I didn't typo anything.

It authenticates fine and I can ssh into it, id account, do getent on the users and groups without a problem.  But sudo fails.  Looking at debug logs, I see it retrieving the 3 sudo rules we have stored in AD, however it's complaining that there are no sub-attributes in the rules when there clearly are.  I'm guessing this is the source of my issues, but I have no idea why it's not working only on this one server.

Any thoughts?  Thanks!

(Thu Apr  5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Thu Apr  5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=fullaccess,OU=sudoers,DC=internal,DC=ieeeglobalspec,DC=com].
(Thu Apr  5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Thu Apr  5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Thu Apr  5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged]
(Thu Apr  5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoCommand]
(Thu Apr  5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoUser]
(Thu Apr  5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoHost]
(Thu Apr  5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]] [sdap_process_result] (0x2000): Trace: sh[0xd42dc0], connected[1], ops[0xd677a0], ldap[0xd42800]
(Thu Apr  5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Thu Apr  5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=DevTest,OU=sudoers,DC=internal,DC=ieeeglobalspec,DC=com].
(Thu Apr  5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Thu Apr  5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Thu Apr  5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged]
(Thu Apr  5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoRunAsUser]
(Thu Apr  5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoCommand]
(Thu Apr  5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoUser]
(Thu Apr  5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoHost]
....
(Thu Apr  5 09:45:34 2018) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=a-mdiorio)(sudoUser=a-mdiorio)(sudoUser=#1002201106)(sudoUser=%Allowed\20RODC\20Password$
Thu Apr  5 09:45:34 2018) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Thu Apr  5 09:45:34 2018) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Thu Apr  5 09:45:34 2018) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@internal.ieeeglobalspec.com]
(Thu Apr  5 09:45:34 2018) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'a-mdiorio' matched without domain, user is a-mdiorio
(Thu Apr  5 09:45:34 2018) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'a-mdiorio' matched without domain, user is a-mdiorio
(Thu Apr  5 09:45:34 2018) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [a-mdiorio] from [<ALL>]
(Thu Apr  5 09:45:34 2018) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/internal.ieeeglobalspec.com/a-mdiorio]
(Thu Apr  5 09:45:34 2018) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [a-mdiorio@internal.ieeeglobalspec.com]
(Thu Apr  5 09:45:34 2018) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [a-mdiorio@internal.ieeeglobalspec.com]
(Thu Apr  5 09:45:34 2018) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [a-mdiorio] from [internal.ieeeglobalspec.com]
(Thu Apr  5 09:45:34 2018) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=a-mdiorio)(sudoUser=a-mdiorio)(sudoUser=#1002201106)(sudoUser=%Allowed\20RODC\20Password$
(Thu Apr  5 09:45:34 2018) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Thu Apr  5 09:45:34 2018) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=a-mdiorio)(sudoUser=a-mdiorio)(sudoUser=#1002201106)(sudoUser=%Allowed\20RODC\20Password\20Replication\$
(Thu Apr  5 09:45:34 2018) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [a-mdiorio@internal.ieeeglobalspec.com]
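
Added example, not part of the original post: a short Python script that separates the two stages visible in the excerpt above, the sudo rules the backend parsed from LDAP (sdap_parse_entry / sdap_parse_range) and the rule count the sudo responder returned from its cache (sudosrv_get_sudorules_from_cache). The sample lines are constructed from the excerpt with the domain shortened to example.com; `summarize` and `mismatches` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the excerpt in the post (domain shortened).
SAMPLE = """\
(Thu Apr  5 09:45:27 2018) [sssd[be[example.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=fullaccess,OU=sudoers,DC=example,DC=com].
(Thu Apr  5 09:45:27 2018) [sssd[be[example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoCommand]
(Thu Apr  5 09:45:27 2018) [sssd[be[example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoUser]
(Thu Apr  5 09:45:27 2018) [sssd[be[example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoHost]
(Thu Apr  5 09:45:27 2018) [sssd[be[example.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=DevTest,OU=sudoers,DC=example,DC=com].
(Thu Apr  5 09:45:27 2018) [sssd[be[example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoUser]
Thu Apr  5 09:45:34 2018) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Thu Apr  5 09:45:34 2018) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [a-mdiorio@example.com]
"""

# "(timestamp) [sssd[component[domain]]] [function] (level): message"; the leading "(" is optional.
LINE = re.compile(r"^\(?(?P<ts>[^)]+)\) \[sssd\[(?P<comp>\w+)(?:\[(?P<dom>[^\]]+)\])?\]\] "
                  r"\[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")

def summarize(text):
    fetched = defaultdict(list)   # rule DN -> attribute names the backend parsed
    returned = {}                 # requester -> rule count reported by the responder
    current = None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        func, msg = m["func"], m["msg"]
        if func == "sdap_parse_entry" and msg.startswith("OriginalDN: ["):
            current = msg[len("OriginalDN: ["):].rstrip(".").rstrip("]")
            fetched[current] = []
        elif func == "sdap_parse_range" and current:
            # Used here only as evidence that the attribute was received for this entry.
            attr = re.search(r"for \[([^\]]+)\]", msg)
            if attr:
                fetched[current].append(attr.group(1))
        elif func == "sudosrv_get_sudorules_from_cache":
            r = re.match(r"Returning (\d+) rules for \[(.+)\]$", msg)
            if r:
                returned[r.group(2)] = int(r.group(1))
    return dict(fetched), returned

def mismatches(text):
    """Requesters that got 0 rules although the backend parsed entries carrying sudoUser."""
    fetched, returned = summarize(text)
    rules = [dn for dn, attrs in fetched.items() if "sudoUser" in attrs]
    return [who for who, n in returned.items() if rules and n == 0]
```

Running `mismatches` over the full backend and sudo responder logs from the working and the non-working server gives a quick side-by-side of where the two hosts diverge.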