I have SSSD (1.8.4) working fine on Debian Wheezy system, with an LDAP backend for users and groups. However, I'm having a problem with sudo.
My sudoers configuration file has the following line in it:
%sudo ALL=(ALL:ALL) ALL
And my LDAP (via SSSD) user is in that "sudo" group (its UID is in the /etc/group file for group sudo, and getent shows this fine).
sudo:x:27:9009
However, when I run a sudo command, I receive the following error:
chris is not in the sudoers file. This incident will be reported.
Can someone help me to understand why this might be happening?
Chris
On Tue, Apr 22, 2014 at 10:52:23PM +0100, Chris Hayes wrote:
If you run 'id user', do you see him as a member of the sudo group?
IIRC the functionality for an LDAP user to be a member of a UNIX group was added sometime in 1.9.
On Wed, Apr 23, 2014 at 10:01 AM, Jakub Hrozek jhrozek@redhat.com wrote:
If you run 'id user' do you see him as a member of the sudo group?
uid=9009(chris) gid=9001(chris) groups=9001(chris)
OK, I see that it's not picking up that sudo group.
IIRC the functionality for an LDAP user to be a member of a UNIX group was added sometime in 1.9.
I have an LDAP group though, and this also doesn't show in the id output. Is this also an issue with the pre-1.9 releases?
admins:*:9000:9009
Kind regards, Chris
On Wed, Apr 23, 2014 at 10:50:06AM +0100, Chris Hayes wrote:
Ah, sorry, I guess I was confused when you said earlier you had a group in /etc/groups... so is the group sudo relies on in LDAP or in files?
In general, I would recommend upgrading to 1.9.x if possible, but such basic functionality as listing the groups a user is a member of worked in 1.8 as well. Are you sure you're using the correct schema? Does the 'id' output for other users look OK?
Check out some tips at: https://fedorahosted.org/sssd/wiki/FAQ
On Wed, Apr 23, 2014 at 1:26 PM, Jakub Hrozek jhrozek@redhat.com wrote:
Just to be clear, my confusion is exacerbated by seeing exactly what I'd expect using getent. Here are the getent lookups.
# My LDAP user (via SSSD).
chris:*:9009:9001:Chris:/home/chris:/bin/bash
# The local group (/etc/group).
sudo:x:27:9009
# The LDAP group (via SSSD).
admins:*:9000:9009
That getent works fine suggests to me that my schema is fine. Upgrading isn't really an option as I maintain dozens of machines running Debian Wheezy.
Meanwhile, sudo maintains that "chris" isn't present in either of these groups.
So is this because my sudo doesn't support SSSD?
Kind regards, Chris
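Added example, not part of the thread: a POSIX sh audit for exactly the mismatch above, where getent lists the user under a group but id and sudo do not. It reads group(5)-style lines and a sudoers fragment (both constructed here to mirror the thread's values) and reports, for each %group rule, whether the member field names the user; group(5) defines that field as a list of user names, which is what initgroups matches, so entries carrying the UID 9009 instead of the name chris are flagged.

```shell
#!/bin/sh
# Added example, not from the thread: check whether the user named in a
# sudoers %group rule is really a member of that group as NSS/initgroups
# sees it. Sample data is constructed to mirror the thread's getent output.

# Constructed sample: member fields hold the UID 9009, as in the thread.
GETENT_GROUP_SAMPLE='sudo:x:27:9009
admins:*:9000:9009
chris:*:9001:'
SUDOERS_SAMPLE='%sudo ALL=(ALL:ALL) ALL
%admins ALL=(ALL) ALL'

# groups_listing_user NAME UID GROUPDB
# For each group(5) line whose fourth field mentions the user, print
# "<group> OK" when it carries the user name, or "<group> UID-NOT-NAME"
# when it carries the numeric UID. group(5) defines that field as a list of
# user names and initgroups(3) compares names, so a bare UID never counts.
groups_listing_user() {
    printf '%s\n' "$3" | while IFS=: read -r gname gpw ggid members; do
        [ -n "$gname" ] || continue
        for m in $(printf '%s' "$members" | tr ',' ' '); do
            if [ "$m" = "$1" ]; then
                printf '%s OK\n' "$gname"
            elif [ "$m" = "$2" ]; then
                printf '%s UID-NOT-NAME\n' "$gname"
            fi
        done
    done
}

# sudoers_group_rules SUDOERS: group names referenced by %group rules.
sudoers_group_rules() {
    printf '%s\n' "$1" | sed -n 's/^%\([^[:space:]]*\).*/\1/p'
}

# diagnose NAME UID GROUPDB SUDOERS: report, per %group rule, whether the
# user matches it. Returns 1 if any rule can never match because the member
# field names the UID instead of the user.
diagnose() {
    listing=$(groups_listing_user "$1" "$2" "$3")
    rc=0
    for g in $(sudoers_group_rules "$4"); do
        if printf '%s\n' "$listing" | grep -qxF "$g OK"; then
            echo "$g: $1 is listed by name; rule applies"
        elif printf '%s\n' "$listing" | grep -qxF "$g UID-NOT-NAME"; then
            echo "$g: member field holds UID $2, not '$1'; rule never matches"
            rc=1
        else
            echo "$g: $1 not listed; rule does not apply"
        fi
    done
    return $rc
}

# Run against the constructed sample; on a real host feed it the output of
# `getent group` and the user's real name and UID instead.
diagnose chris 9009 "$GETENT_GROUP_SAMPLE" "$SUDOERS_SAMPLE" ||
    echo "at least one %group rule in sudoers cannot match chris"
```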
Can someone please disambiguate the situation as I'm really unsure what the problem is after hearing back from some of you guys.
On 24/04/14 23:11, Chris Hayes wrote:
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Hi, I did a bit of research. It took me all of 30 seconds to prove what I said was true: your version of sudo does not support sssd. See here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=724763
Rowland
Ah. That's not good...
Thanks for the help, Rowland.
On Fri, Apr 25, 2014 at 8:08 AM, Rowland Penny repenny241155@gmail.com wrote:
On 23/04/14 10:50, Chris Hayes wrote:
Hi, I think this may be down to the same problem as the Autofs problem recently: does the version of sudo that the OP is using know about sssd? It wasn't until version 1.8.6 on Ubuntu that this worked (they patched it to build with sssd if ldap was disabled).
Rowland
On Wed, Apr 23, 2014 at 1:37 PM, Rowland Penny repenny241155@gmail.com wrote: