Thanks Galen for your help.
This is the output of sssd_sudo.log and sssd_domain.log when I try a
sudo command.
The debug level is set to 7.
I'm not posting sudo_debug.log now because it's very long. If it could be
useful I can try to post it later as well.
==> sssd_sudo.log <==
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [accept_fd_handler] (0x0400):
Client connected!
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Received client version [1].
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Offered version [1].
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'MYUSER' matched without domain, user is MYUSER
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'MYUSER' matched without domain, user is MYUSER
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting default options for [MYUSER] from [<ALL>]
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [MYUSER(a)MYDOMAIN.COM]
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [MYUSER(a)MYDOMAIN.COM]
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving default options for [MYUSER] from [
MYDOMAIN.COM]
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=MYUSER)(sudoUser=#1126)(sudoUser=%SystemAdmin)(sudoUser=%MYUSER)(sudoUser=+*))(&(dataExpireTimestamp<=1510329679)))]
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 0 rules for [<default options>(a)MYDOMAIN.COM]
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'MYUSER' matched without domain, user is MYUSER
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'MYUSER' matched without domain, user is MYUSER
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting rules for [MYUSER] from [<ALL>]
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [MYUSER(a)MYDOMAIN.COM]
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [MYUSER(a)MYDOMAIN.COM]
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving rules for [MYUSER] from [
MYDOMAIN.COM]
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=MYUSER)(sudoUser=#1126)(sudoUser=%SystemAdmin)(sudoUser=%MYUSER)(sudoUser=+*))(&(dataExpireTimestamp<=1510329679)))]
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=MYUSER)(sudoUser=#1126)(sudoUser=%SystemAdmin)(sudoUser=%MYUSER)(sudoUser=+*)))]
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting
rules with higher-wins logic
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 1 rules for [MYUSER(a)MYDOMAIN.COM]
==> sssd_MYDOMAIN.COM.log <==
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [be_get_account_info]
(0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=MYUSER]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [be_req_set_domain]
(0x0400): Changing request domain from [
MYDOMAIN.COM] to [
MYDOMAIN.COM]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_initgr_next_base] (0x0400): Searching for users with base
[dc=MYDOMAIN,dc=COM]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(uid=MYUSER)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=MYDOMAIN,dc=COM].
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[krbPasswordExpiration]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[loginExpirationTime]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[loginAllowedTimeMap]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sshPublicKey]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_parse_entry]
(0x1000): OriginalDN: [uid=MYUSER,ou=people,dc=MYDOMAIN,dc=COM].
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_save_user]
(0x0400): Save user
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_primary_name]
(0x0400): Processing object MYUSER
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_save_user]
(0x0400): Processing user MYUSER
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_save_user]
(0x0400): Original memberOf is not available for [MYUSER].
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_save_user]
(0x0400): User principal is not available for [MYUSER].
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_save_user]
(0x0400): Storing info for user MYUSER
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_initgr_rfc2307_next_base] (0x0400): Searching for groups with base
[dc=MYDOMAIN,dc=COM]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(memberuid=MYUSER)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=MYDOMAIN,dc=COM].
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_parse_entry]
(0x1000): OriginalDN: [cn=SystemAdmin,ou=groups,dc=MYDOMAIN,dc=COM].
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_initgr_done]
(0x0400): Primary group already cached, nothing to do.
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [acctinfo_callback]
(0x0100): Request processed. Returned 0,0,Success
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [be_req_set_domain]
(0x0400): Changing request domain from [
MYDOMAIN.COM] to [
MYDOMAIN.COM]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [be_pam_handler]
(0x0100): Got request with the following data
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data]
(0x0100): command: SSS_PAM_AUTHENTICATE
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data]
(0x0100): domain:
MYDOMAIN.COM
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data]
(0x0100): user: MYUSER
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data]
(0x0100): service: sudo
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data]
(0x0100): tty: /dev/pts/4
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data]
(0x0100): ruser: MYUSER
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data]
(0x0100): rhost:
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data]
(0x0100): authtok type: 1
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data]
(0x0100): priv: 0
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data]
(0x0100): cli_pid: 30273
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data]
(0x0100): logon name: not set
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [get_server_status]
(0x1000): Status of server 'LDAPSERVER' is 'working'
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [get_port_status]
(0x1000): Port status of port 389 for server 'LDAPSERVER' is 'working'
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [get_server_status]
(0x1000): Status of server 'LDAPSERVER' is 'working'
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[be_resolve_server_process] (0x0200): Found address for server LDAPSERVER:
[XXX.XXX.XXX.XXX] TTL 2994
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_uri_callback]
(0x0400): Constructed uri 'ldap://LDAPSERVER'
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sss_ldap_init_send]
(0x0400): Setting 6 seconds timeout for connecting
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to
[ldap://LDAPSERVER:389/??base] with fd [24].
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_sys_connect_done]
(0x0100): Executing START TLS
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_connect_done]
(0x0080): START TLS result: Success(0), (null)
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [fo_set_port_status]
(0x0100): Marking port 389 of server 'LDAPSERVER' as 'working'
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[set_server_common_status] (0x0100): Marking server 'LDAPSERVER' as
'working'
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [fo_set_port_status]
(0x0400): Marking port 389 of duplicate server 'LDAPSERVER' as 'working'
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [simple_bind_send]
(0x0100): Executing simple bind as: uid=MYUSER,ou=people,dc=MYDOMAIN,dc=COM
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [simple_bind_done]
(0x1000): Password Policy Response: expire [-1] grace [-1] error [No error].
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [simple_bind_done]
(0x0400): Bind result: Success(0), no errmsg set
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_pam_auth_done]
(0x0100): Password successfully cached for MYUSER
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>)
[Success]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[be_pam_handler_callback] (0x0100): Sending result [
0][MYDOMAIN.COM]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[be_pam_handler_callback] (0x0100): Sent result [
0][MYDOMAIN.COM]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [be_req_set_domain]
(0x0400): Changing request domain from [
MYDOMAIN.COM] to [
MYDOMAIN.COM]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [be_pam_handler]
(0x0100): Got request with the following data
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data]
(0x0100): command: SSS_PAM_ACCT_MGMT
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data]
(0x0100): domain:
MYDOMAIN.COM
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data]
(0x0100): user: MYUSER
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data]
(0x0100): service: sudo
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data]
(0x0100): tty: /dev/pts/4
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data]
(0x0100): ruser: MYUSER
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data]
(0x0100): rhost:
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data]
(0x0100): authtok type: 0
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data]
(0x0100): priv: 0
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data]
(0x0100): cli_pid: 30273
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data]
(0x0100): logon name: not set
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_access_send]
(0x0400): Performing access check for user [MYUSER]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_access_filter_send] (0x0400): Performing access filter check for user
[MYUSER]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_access_filter_send] (0x0400): Checking filter against LDAP
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(uid=MYUSER)(objectclass=posixAccount)(uidNumber=*))][uid=MYUSER,ou=people,dc=MYDOMAIN,dc=COM].
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_parse_entry]
(0x1000): OriginalDN: [uid=MYUSER,ou=people,dc=MYDOMAIN,dc=COM].
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[sdap_access_filter_done] (0x0400): Access granted by online lookup
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>)
[Success]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[be_pam_handler_callback] (0x0400): SELinux provider doesn't exist, not
sending the request to it.
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[be_pam_handler_callback] (0x0100): Sending result [
0][MYDOMAIN.COM]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]]
[be_pam_handler_callback] (0x0100): Sent result [
0][MYDOMAIN.COM]
==> sssd_sudo.log <==
(Fri Nov 10 17:01:22 2017) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!
According to Lukas's link:
a) SSSD sudo responder – sssd_sudo.log:
There is this line: [sudosrv_get_sudorules_from_cache] (0x0400): Returning
1 rules for [MYUSER(a)MYDOMAIN.COM]
There is also this line: [sudosrv_get_sudorules_query_cache] (0x0200):
Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=MYUSER)(sudoUser=#1126)(sudoUser=%SystemAdmin)(sudoUser=%MYUSER)(sudoUser=+*)))]
b) SSSD domain – sssd_$domain.log
This line is not there: sdap_sudo_refresh_load_done
This line is not there: sysdb_save_sudorule
This line is not there: sdap_sudo_refresh_load_done
There is this line: [sdap_get_generic_ext_step] (0x0400): calling
ldap_search_ext with
[(&(uid=MYUSER)(objectclass=posixAccount)(uidNumber=*))][uid=MYUSER,ou=people,dc=MYDOMAIN,dc=COM]
BUT it doesn't search for sudo information, only for the uid...
Could this be the problem?
Thanks all for the hints.
Andrea
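As an added example (not part of this thread and not SSSD project code), the following Python script applies the checklist above, together with Galen's earlier observation quoted below that no sudo search ever reaches LDAP, to the two log files. It parses the debug record format shown in the excerpts, counts the rules the sudo responder returned per target, lists the ldap_search_ext filters the domain backend actually sent, and flags the absence of a sudoRole search and of the sdap_sudo_refresh_load_done / sysdb_save_sudorule steps. The sample log lines are constructed from the excerpts above with each record unwrapped onto one line; in the "healthy" sample the message texts after the function name are placeholders, not real SSSD output, and sudoRole is the objectClass of rule entries in the sudoers LDAP schema.

```python
import re
import sys

# One SSSD debug record, as in the sssd_sudo.log / sssd_<domain>.log excerpts above
# (in the files themselves each record is a single line; the mail client wrapped them):
#   (Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules ...
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<comp>.+?)\]\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9A-Fa-f]+)\): (?P<msg>.*)$"
)
RULES_RE = re.compile(r"Returning (?P<n>\d+) rules for \[(?P<target>.+)\]")
SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>.*)\]\[(?P<base>.*)\]\.?$")

# Functions the checklist in the thread expects in the domain log once the
# sudo provider has fetched rules from LDAP and stored them in the cache.
SUDO_REFRESH_FUNCS = {"sdap_sudo_refresh_load_done", "sysdb_save_sudorule"}


def parse_line(line):
    """Split one SSSD debug record into its fields; None if the line is not a record."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text):
    return [rec for rec in (parse_line(ln) for ln in text.splitlines()) if rec]


def triage(sudo_log, domain_log):
    """Apply the thread's checklist to both logs and return the evidence plus findings."""
    sudo_recs = parse_log(sudo_log)
    dom_recs = parse_log(domain_log)

    # a) what the sudo responder handed back, per target (<default options> vs the user)
    rules = {}
    for rec in sudo_recs:
        m = RULES_RE.search(rec["msg"])
        if m:
            rules[m["target"]] = int(m["n"])

    # b) which searches the domain backend actually sent to LDAP
    searches = []
    for rec in dom_recs:
        m = SEARCH_RE.search(rec["msg"])
        if m:
            searches.append((m["filter"], m["base"]))

    refresh_funcs = sorted({r["func"] for r in dom_recs if r["func"] in SUDO_REFRESH_FUNCS})
    # sudoRole is the objectClass of rule entries in the sudoers LDAP schema
    sudo_searches = [f for f, _ in searches if "sudorole" in f.lower()]

    findings = []
    if not refresh_funcs:
        findings.append("no sudo rule refresh in domain log "
                        "(expected sdap_sudo_refresh_load_done / sysdb_save_sudorule)")
    if not sudo_searches:
        findings.append("no ldap_search_ext with a sudoRole filter: "
                        "only user/group/access lookups reached LDAP")
    user_rules = [n for t, n in rules.items() if not t.startswith("<default options>")]
    if not any(n > 0 for n in user_rules):
        findings.append("sudo responder returned 0 rules for the user")

    return {"rules": rules, "ldap_searches": searches, "refresh_funcs": refresh_funcs,
            "sudo_searches": sudo_searches, "findings": findings}


# Constructed samples modelled on the excerpts above (one record per line).
SAMPLE_SUDO_LOG = """\
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>(a)MYDOMAIN.COM]
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [MYUSER(a)MYDOMAIN.COM]
"""
SAMPLE_DOMAIN_LOG = """\
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [be_get_account_info] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=MYUSER]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=MYUSER)(objectclass=posixAccount)(uidNumber=*))][uid=MYUSER,ou=people,dc=MYDOMAIN,dc=COM].
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_access_filter_done] (0x0400): Access granted by online lookup
"""
# Constructed "healthy" domain log: a sudoRole search followed by the functions from the
# checklist (the message texts after the colon are placeholders, not real SSSD output).
SAMPLE_DOMAIN_LOG_OK = SAMPLE_DOMAIN_LOG + """\
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=sudoRole)(|(sudoUser=ALL)(sudoUser=MYUSER)))][ou=sudoers,dc=MYDOMAIN,dc=COM].
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sysdb_save_sudorule] (0x0400): placeholder: rule stored
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_sudo_refresh_load_done] (0x0400): placeholder: refresh finished
"""

if __name__ == "__main__":
    # Usage: python3 sssd_sudo_triage.py /var/log/sssd/sssd_sudo.log /var/log/sssd/sssd_MYDOMAIN.COM.log
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            result = triage(f1.read(), f2.read())
    else:
        result = triage(SAMPLE_SUDO_LOG, SAMPLE_DOMAIN_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the constructed samples, the script reproduces the thread's diagnosis: the responder returns one cached rule for the user, but the domain backend only ever searched for the posixAccount entry and its groups, so nothing with a sudoRole filter and none of the refresh/save steps appear. Against the "healthy" sample all findings clear. Note that the single cached rule can come from an earlier successful refresh; the absence of any sudoRole search in the current run is the stronger signal.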
2017-11-10 14:47 GMT+01:00 Galen Johnson <solitaryr(a)gmail.com>:
I've not set this up but it looks as though you have the system
configured
correctly to leverage sssd. At this point, it looks like you may want to
ask on the sudoers list what needs to be done on the ldap side as well.
Also, the link Lukas pointed to may help. Looking at the original log
snippets provided, I see no reference to the ldap_sudo_search_base string.
I would have expected to see a search request for sudo like you see for
other queries. This is stretching my expertise at this point. If it were
me, I would focus on the ldap pieces now and figure out a) is the ldap
config correct (ldapsearch is your friend here) and b) what I may have
misconfigured in the sssd ldap configs. In general, I tend to bump the
debug up to 10 (sss_debug is helpful), run a quick test, then drop the
debug back down so I can minimize the noise.
=G=
On Fri, Nov 10, 2017 at 8:17 AM, Andrea Passuello <andrea.passuello(a)widegroup.eu> wrote:
> Thanks for the hint.
>
> Ok the output is this
>
> $ sudo sudo --version | grep sssd
> Configure options: --prefix=/usr -v --with-all-insults --with-pam
> --with-fqdn --with-logging=syslog --with-logfac=authpriv --with-env-editor
> --with-editor=/usr/bin/editor --with-exampledir=/usr/share/doc/sudo/examples
> --with-timeout=15 --with-password-timeout=0 --with-passprompt=[sudo]
> password for %p: --without-lecture --with-tty-tickets
> --disable-root-mailer --enable-admin-flag --with-sendmail=/usr/sbin/sendmail
> --with-rundir=/var/run/sudo --mandir=/usr/share/man
> --libexecdir=/usr/lib/sudo --with-sssd --with-sssd-lib=/usr/lib/x86_64-linux-gnu
> --with-selinux --with-linux-audit
>
>
> Is it ok?
>
> What can I check now?
>
> 2017-11-10 13:58 GMT+01:00 Galen Johnson <solitaryr(a)gmail.com>:
>
>> Try 'sudo sudo --version'. I got the same output as you until I ran
>> sudo --version with root privs.
>>
>> =G=
>>
>> On Fri, Nov 10, 2017 at 3:45 AM, Andrea Passuello <andrea.passuello(a)widegroup.eu> wrote:
>>
>>> Thanks for the answers.
>>>
>>> # dpkg -l | grep sudo
>>> ii libsss-sudo
>>> 1.13.4-1ubuntu1.8
>>> amd64 Communicator library for sudo
>>> ii sudo
>>> 1.8.16-0ubuntu1.5
>>> amd64 Provide limited super user privileges to specific users
>>>
>>> I don't have sudo-ldap installed.
>>>
>>> # sudo --version | grep sssd
>>> doesn't return anything
>>>
>>> # sudo --version
>>> Sudo version 1.8.16
>>> Sudoers policy plugin version 1.8.16
>>> Sudoers file grammar version 45
>>> Sudoers I/O plugin version 1.8.16
>>>
>>> What am I missing?
>>>
>>> Thanks a lot.
>>>
>>> 2017-11-09 21:45 GMT+01:00 Michael Ströder <michael(a)stroeder.com>:
>>>
>>>> Lukas Slebodnik wrote:
>>>> > On (08/11/17 16:01), Andrea Passuello wrote:
>>>> >> Hi all,
>>>> >> I use SSSD with OpenLDAP and I am able to authenticate users.
>>>> >> I am trying to configure SSSD for managing and caching sudo but I
>>>> >> can't use sudo and the system replies with this:
>>>> >>
>>>> >> Sorry, user xxx is not allowed to execute '/usr/bin/apt-get update'
>>>> >> as root on MACHINE.
>>>> >>
>>>> > A) ensure that you have the right version of sudo installed on
>>>> > debian/ubuntu
>>>> > It needs to be compiled with sssd support
>>>> > sudo --version | grep sssd
>>>> For whatever reason Debian has two different sudo packages:
>>>> sudo - Provide limited super user privileges to specific users
>>>> sudo-ldap - Provide limited super user privileges to specific users
>>>>
>>>> For "sudoers: sss" in nsswitch.conf you need package "sudo" and *not*
>>>> "sudo-ldap" even if you have your sudoers entries in the LDAP directory.
>>>>
>>>> Ciao, Michael.
>>>>
>>>>
>>>> _______________________________________________
>>>> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
>>>> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
>>>>
>>>>
>>>
>>> Notice pursuant to Legislative Decree (D.Lgs.) 196 of 30/06/2003
>>> The information contained in this e-mail message and/or attached files
>>> is to be considered strictly confidential. Its use is permitted
>>> exclusively to the addressee of the message, for the purposes indicated
>>> therein. Retaining the message beyond the time necessary, disclosing it
>>> even in part, distributing it to other parties, copying it or using it
>>> for other purposes constitutes a violation of the principles set out in
>>> D.Lgs. 196/2003. At any time you may ask us to suspend the use of your
>>> data, with the exception of communications made in fulfilment of legal
>>> obligations. If you have received this message without being its
>>> addressee, please kindly notify us by e-mail and delete the message
>>> from your system. If you wish to file a complaint, you can find
>>> information and support on our website www.widegroup.eu/reclami or
>>> write to reclami(a)widegroup.eu. Thank you.
>>> This message is confidential. It may also be privileged or otherwise
>>> protected by work, product, immunity or other legal rules. If you have
>>> received it by mistake, please let us know by e-mail reply and delete it
>>> from your system; you may not copy this message or disclose its contents to
>>> anyone. The integrity and security of this message cannot be guaranteed on
>>> the Internet. If you want to submit a formal complaint, you can find
>>> information and support on our website www.widegroup.eu/reclami or
>>> writing to reclami(a)widegroup.eu. Thank you.
>>>