So I've extended my AD and created a sudoRole in an OU, and can get it to work for a single user. I can't however get it to work with an AD group.
I've tried %<adgroupname>, <adgroupname>, and +<adgroupname> all in the sudoUser attribute on the object, but cannot get it to use the group. getent group <adgroupname> returns members. Reading the Sudoers LDAP Manual has this to say for sudoUser:
"A user name, user ID (prefixed with '#'), Unix group name or ID (prefixed with '%' or '%#' respectively), user netgroup (prefixed with '+'), or non-Unix group name or ID (prefixed with '%:' or '%:#' respectively). User netgroups are matched using the user and domain members only; the host member is not used when matching. Non-Unix group support is only available when an appropriate group_plugin is defined in the global defaults sudoRole object."
So is it reasonable to assume the last sentence is tripping this up? Does a group_plugin need to be defined in defaults? What group_plugin needs to be defined in defaults? It all works fine with just a single user in the sudoUser attribute. Once I replace it with %<adgroupname>, the same way I put it in the sudoers file manually, it fails to match the rule.
From sssd_sudo.log
When just my user is listed specifically in the sudoUser attribute in the sudoRole object in AD:
[sudosrv_get_sudorules_query_cache] (0x0200):Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=myaduser)(sudoUser=#1165)(sudoUser=%Domain\20Users)(sudoUser=%<adgroupname1>)(sudoUser=%<adgroupname2>)(sudoUser=%<adgroupnameiwanttouse>) ... [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [myaduser@mydomain.com]
When a group my user is in, is in the sudoUser attribute in the sudoRole object in AD:
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=myaduser)(sudoUser=#1165)(sudoUser=%Domain\20Users)(sudoUser=%<adgroupname1>)(sudoUser=%<adgroupname2>)(sudoUser=%<adgroupnameiwanttouse>) ... [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [myaduser@mydomain.com]
I've tried matching case with the filter that's in sssd_sudo.log, I've tried matching case from id $user, nothing seems to work but listing my user account specifically. Is there some magic to getting AD groups to work with SUDO LDAP objects?
Todd
On Tue, May 24, 2016 at 07:19:31PM +0000, Mote, Todd wrote:
So I've extended my AD and created a sudoRole in an OU, and can get it to work for a single user. I can't however get it to work with an AD group.
I've tried %<adgroupname>, <adgroupname>, and +<adgroupname> all in the sudoUser attribute on the object, but cannot get it to use the group. getent group <adgroupname> returns members. Reading the Sudoers LDAP Manual has this to say for sudoUser:
Does id $user report the user as member of that group?
"A user name, user ID (prefixed with '#'), Unix group name or ID (prefixed with '%' or '%#' respectively), user netgroup (prefixed with '+'), or non-Unix group name or ID (prefixed with '%:' or '%:#' respectively). User netgroups are matched using the user and domain members only; the host member is not used when matching. Non-Unix group support is only available when an appropriate group_plugin is defined in the global defaults sudoRole object."
So is it reasonable to assume the last sentence is tripping this up? Does a group_plugin need to be defined in defaults? What group_plugin needs to be defined in defaults? It all works fine with just a single user in the sudoUser attribute. Once I replace it with %<adgroupname>, the same way I put it in the sudoers file manually, it fails to match the rule.
That shouldn't be necessary.
From sssd_sudo.log
When just my user is listed specifically in the sudoUser attribute in the sudoRole object in AD:
[sudosrv_get_sudorules_query_cache] (0x0200):Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=myaduser)(sudoUser=#1165)(sudoUser=%Domain\20Users)(sudoUser=%<adgroupname1>)(sudoUser=%<adgroupname2>)(sudoUser=%<adgroupnameiwanttouse>) ... [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [myaduser@mydomain.com]
When a group my user is in, is in the sudoUser attribute in the sudoRole object in AD:
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=myaduser)(sudoUser=#1165)(sudoUser=%Domain\20Users)(sudoUser=%<adgroupname1>)(sudoUser=%<adgroupname2>)(sudoUser=%<adgroupnameiwanttouse>) ... [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [myaduser@mydomain.com]
Please note that this is an internal cache filter, not an LDAP filter. You can test it with: ldbsearch -H /var/lib/sss/db/cache_$yourdomain.ldb $filter
In general, this upstream wiki page can pinpoint what went wrong, usually the sudo logs are quite interesting: https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
I've tried matching case with the filter that's in sssd_sudo.log, I've tried matching case from id $user, nothing seems to work but listing my user account specifically. Is there some magic to getting AD groups to work with SUDO LDAP objects?
Todd
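The cache check the reply describes, scripted as an added example (not code from the thread or from the SSSD project): rebuild the user part of the sysdb filter that sssd prints in sssd_sudo.log from the local NSS view of the account, then run it against the cache with ldbsearch. Assumed: the escaping of spaces as \20 mirrors the logged filter, the cache path is the one the reply gives, and the trailing host/other terms elided by "..." in the log are omitted here.

```shell
# Escape a value the way the logged filter shows it (backslash first, then
# parentheses, '*' and space as a backslash plus two hex digits).
ldb_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/(/\\28/g' -e 's/)/\\29/g' \
                           -e 's/\*/\\2a/g' -e 's/ /\\20/g'
}

# build_sudo_filter USER UID GROUP...
# Prints (&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=USER)(sudoUser=#UID)
#        (sudoUser=%GROUP)...)), i.e. the user/group part of the sysdb filter.
build_sudo_filter() {
    user=$1; uid=$2; shift 2
    f="(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=$(ldb_escape "$user"))(sudoUser=#$uid)"
    for g in "$@"; do
        f="$f(sudoUser=%$(ldb_escape "$g"))"
    done
    printf '%s' "$f))"
}

# query_cache_rules DOMAIN USER
# Resolves the user's groups through NSS (what "id" reports, as the reply
# asks), builds the filter, and lists matching sudoRole entries from the
# cache. Needs root, since the cache file is not world-readable.
query_cache_rules() {
    domain=$1; user=$2
    uid=$(id -u "$user") || return 1
    # "id -Gn" splits names on spaces ("Domain Users" would break), so map
    # numeric GIDs back to names with getent instead.
    set --
    for gid in $(id -G "$user"); do
        set -- "$@" "$(getent group "$gid" | cut -d: -f1)"
    done
    filter=$(build_sudo_filter "$user" "$uid" "$@")
    echo "filter: $filter" >&2
    ldbsearch -H "/var/lib/sss/db/cache_${domain}.ldb" "$filter" cn sudoUser
}
```

Compare the printed filter term by term with the sudoUser values on the sudoRole object (including case); if a group term is absent from the filter, the problem is group resolution, not the rule.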
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org