Hi sssd-users list,
I am facing a strange issue on several CentOS servers. It seems that after a while ( days ) sudo does not work any more for some of my users. We keep sudo rules in OpenLDAP. If a user uses 'sudo su - ' , he gets an error message ( "User abc is not allowed to run sudo on ....") however if the user runs 'id' followed by 'sudo su -' then in some of the cases, it works fine, user can get root access. I even upgraded to the unofficial repo hoping that the issue we see is similar/same to https://fedorahosted.org/sssd/ticket/2970. But I think it's a different issue.
Any ideas? Next I will be looking at dumping the local sssd cache files. I can provide debug =9 log files offline if needed.
Thank you
root@server yum.repos.d # rpm -qa | egrep sssd sssd-common-pac-1.13.4-4.el6.x86_64 sssd-ldap-1.13.4-4.el6.x86_64 sssd-tools-1.13.4-4.el6.x86_64 sssd-client-1.13.4-4.el6.x86_64 sssd-ad-1.13.4-4.el6.x86_64 python-sssdconfig-1.13.4-4.el6.noarch sssd-common-1.13.4-4.el6.x86_64 sssd-ipa-1.13.4-4.el6.x86_64 sssd-proxy-1.13.4-4.el6.x86_64 sssd-krb5-common-1.13.4-4.el6.x86_64 sssd-krb5-1.13.4-4.el6.x86_64 sssd-1.13.4-4.el6.x86_64
root@server sssd # vim /etc/sssd/sssd.conf # set debug = 9
root@server sssd # sudo -U abc -l
User abc is not allowed to run sudo on server.
root@server sssd # egrep sudo /etc/nsswitch.conf sudoers: sss
root@server sssd # ip a s dev eth0 | egrep global inet 216.X.Y.Z/26 brd 216.X.Y.Z scope global eth0
root@server sssd # id abc uid=100001044(abc) gid=1009(...) groups=1202(...),1168(...),1191(...),1102(...),1009(...),1101(...),1127(...),1167(...),1111(...),1178(...),1109(...),1199(...),1208(stage),1117(...),1198(...),1192(...),1206(...),1176(...),1404(...),1183(...),1103(...),1110(...),1205
root@abc sssd # sudo -U abc -l Matching Defaults entries for abc on this host: [...]
User abc may run the following commands on this host: (ALL) PASSWD: ALL
# LDAP Sudo def dn: cn=stage,ou=sudoers,o=Domain,dc=domain,dc=com sudoOrder: 42 [...] sudoUser: %stage sudoRunAs: ALL cn: stage description: Allow Trusted Senior stuff become root sudoCommand: ALL sudoHost: 216.X.Y.Z [...] objectClass: top objectClass: sudoRole sudoOption: authenticate
# Group def dn: cn=stage,ou=groups,o=Domain,dc=domain,dc=com gidNumber: 1208 cn: stage description: stage Group objectClass: posixGroup objectClass: top memberUid: abc hMemberDN: uid=abc,ou=users,o=Domain,dc=domain,dc=com
Sanitized sssd.conf:
[sssd] config_file_version = 2 sbus_timeout = 30 services = nss, pam, sudo, ssh domains = LOCAL, DOMAIN1, DOMAIN2
[nss] filter_users = adm,apache,avahi,bin,daemon,dbus,ecryptfs,ftp,git,games,gopher,haldaemon,halt,hfallback,ldap,lp,mail,mailnull,named,news,nfsnobody,nobody,nscd,nslcd,ntp,operator,oprofile,ossec,postfix,puppet,puppet-dashboard,pulse,pulse-access,radiusd,root,rpc,rpcuser,rtkit,saslauth,sfallback,shutdown,slocate,smmsp,sshd,sync,tcpdump,tss,uucp,vcsa filter_groups = adm,apache,audio,bin,cdrom,cgred,daemon,dbus,dialout,dip,disk,ecryptfs,floppy,fuse,git,hfallback,kmem,ldap,lock,lp,mail,mailnull,man,mem,nfsnobody,nobody,nscd,ntp,ossec,oprofile,postdrop,postfix,puppet,puppet-dashboard,pulse,pulse-access,root,rpc,rpcuser,rtkit,saslauth,sfallback,slocate,smmsp,sshd,sys,tape,tcpdump,tss,tty,users,utempter,utmp,vcsa,video override_shell = /bin/bash
[pam] debug_level = 3 reconnection_retries = 3 offline_credentials_expiration = 2 offline_failed_login_attempts = 3 offline_failed_login_delay = 5 pam_verbosity = 1 pam_pwd_expiration_warning = 21 pam_account_expired_message = Account expired, please use selfservice portal to change your password and extend account.
[sudo] debug_level=9
[ssh] # debug_level=9
[domain/LOCAL] description = LOCAL Users domain id_provider = local enumerate = true min_id = 500 max_id = 999 default_shell = /bin/bash base_directory = /home create_homedir = false remove_homedir = true homedir_umask = 077 skel_dir = /etc/skel mail_dir = /var/spool/mail
######### SECTION: DOMAIN1 [domain/DOMAIN1] min_id = 499 debug_level = 9 cache_credentials = True entry_cache_timeout = 864000
auth_provider = ldap id_provider = ldap access_provider = ldap #chpass_provider = ldap sudo_provider = ldap selinux_provider = none autofs_provider = none
# LDAP Search ldap_search_base = dc=domain,dc=com ldap_group_search_base = ou=groups,o=Domain,dc=domain,dc=com ldap_user_search_base = ou=users,o=Domain,dc=domain,dc=com?subtree?(|(description=cn=stage,ou=groups,o=Domain,dc=domain,dc=com)(.....)(.....))
# LDAP Custom Schema ldap_group_member = hMemberDN ldap_user_member_of = description # this should really be rfc2307 ldap_schema = rfc2307bis
ldap_network_timeout = 3 ldap_id_use_start_tls = False ldap_tls_reqcert = never ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_uri = ldaps://s1.sec.domain.com, ldaps://s2.sec.domain.com, ldaps://s3.sec.domain.com ldap_backup_uri = ldaps://66.X.Y.Z
ldap_default_authtok_type = obfuscated_password ldap_default_bind_dn = uid=MYDN ldap_default_authtok = MYPASS
ldap_user_ssh_public_key = sshPublicKey
ldap_pwd_policy = none ldap_account_expire_policy = shadow ldap_user_shadow_expire = shadowExpire # shadowExpire: days since Jan 1, 1970 that account is disabled: $ echo $(($(date --utc --date "$1" +%s)/86400))
ldap_chpass_update_last_change = false
ldap_access_order = filter, expire ldap_access_filter = (&(objectClass=posixAccount)(uidNumber=*)(hAccountInitialSetup=1)(|(description=cn=stage,ou=groups,o=Domain,dc=domain,dc=com)))
# SUDO ldap_sudo_search_base = ou=sudoers,o=Domain,dc=domain,dc=com ldap_sudo_full_refresh_interval = 86400 ldap_sudo_smart_refresh_interval = 3600 #entry_cache_sudo_timeout = 5400
The same options for DOMAIN2 except filters and user/group base.
hMemberDN is defined in nis.schema, a relic of OpenLDAP 2.2, a workaround applied before transitioning to 2.4.40.
# Modification to posixGroup attributetype ( 1.3.6.1.1.1.1.28 NAME 'hMemberDN' DESC 'RFC2256: member of a group' SUP distinguishedName )
objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' DESC 'Abstraction of a group of accounts' SUP top STRUCTURAL MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ hMemberDN $ description ) )
hMemberDN: uid=abc,ou=users,o=Domain,dc=domain,dc=com
On Wed, Oct 19, 2016 at 11:54:39AM -0400, Mario Rossi wrote:
Hi sssd-users list,
I am facing a strange issue on several CentOS servers. It seems that after a while ( days ) sudo does not work any more for some of my users. We keep sudo rules in OpenLDAP. If a user uses 'sudo su - ' , he gets an error message ( "User abc is not allowed to run sudo on ....") however if the user runs 'id' followed by 'sudo su -' then in some of the cases, it works fine, user can get root access. I even upgraded to the unofficial repo hoping that the issue we see is similar/same to https://fedorahosted.org/sssd/ticket/2970. But I think it's a different issue.
Any ideas? Next I will be looking at dumping the local sssd cache files. I can provide debug =9 log files offline if needed.
I think this is the best course of action..
btw does the user come from DOMAIN1 or DOMAIN2?
and do you need the local domain? It's really code that mostly has meaning for testing or experiments, I've never seen anyone using it in production..
Thank you
root@server yum.repos.d # rpm -qa | egrep sssd sssd-common-pac-1.13.4-4.el6.x86_64 sssd-ldap-1.13.4-4.el6.x86_64 sssd-tools-1.13.4-4.el6.x86_64 sssd-client-1.13.4-4.el6.x86_64 sssd-ad-1.13.4-4.el6.x86_64 python-sssdconfig-1.13.4-4.el6.noarch sssd-common-1.13.4-4.el6.x86_64 sssd-ipa-1.13.4-4.el6.x86_64 sssd-proxy-1.13.4-4.el6.x86_64 sssd-krb5-common-1.13.4-4.el6.x86_64 sssd-krb5-1.13.4-4.el6.x86_64 sssd-1.13.4-4.el6.x86_64
root@server sssd # vim /etc/sssd/sssd.conf # set debug = 9
root@server sssd # sudo -U abc -l
User abc is not allowed to run sudo on server.
root@server sssd # egrep sudo /etc/nsswitch.conf sudoers: sss
root@server sssd # ip a s dev eth0 | egrep global inet 216.X.Y.Z/26 brd 216.X.Y.Z scope global eth0
root@server sssd # id abc uid=100001044(abc) gid=1009(...) groups=1202(...),1168(...),1191(...),1102(...),1009(...),1101(...),1127(...),1167(...),1111(...),1178(...),1109(...),1199(...),1208(stage),1117(...),1198(...),1192(...),1206(...),1176(...),1404(...),1183(...),1103(...),1110(...),1205
root@abc sssd # sudo -U abc -l Matching Defaults entries for abc on this host: [...]
User abc may run the following commands on this host: (ALL) PASSWD: ALL
# LDAP Sudo def dn: cn=stage,ou=sudoers,o=Domain,dc=domain,dc=com sudoOrder: 42 [...] sudoUser: %stage sudoRunAs: ALL cn: stage description: Allow Trusted Senior stuff become root sudoCommand: ALL sudoHost: 216.X.Y.Z [...] objectClass: top objectClass: sudoRole sudoOption: authenticate
# Group def dn: cn=stage,ou=groups,o=Domain,dc=domain,dc=com gidNumber: 1208 cn: stage description: stage Group objectClass: posixGroup objectClass: top memberUid: abc hMemberDN: uid=abc,ou=users,o=Domain,dc=domain,dc=com
Sanitized sssd.conf:
[sssd] config_file_version = 2 sbus_timeout = 30 services = nss, pam, sudo, ssh domains = LOCAL, DOMAIN1, DOMAIN2
[nss] filter_users = adm,apache,avahi,bin,daemon,dbus,ecryptfs,ftp,git,games,gopher,haldaemon,halt,hfallback,ldap,lp,mail,mailnull,named,news,nfsnobody,nobody,nscd,nslcd,ntp,operator,oprofile,ossec,postfix,puppet,puppet-dashboard,pulse,pulse-access,radiusd,root,rpc,rpcuser,rtkit,saslauth,sfallback,shutdown,slocate,smmsp,sshd,sync,tcpdump,tss,uucp,vcsa filter_groups = adm,apache,audio,bin,cdrom,cgred,daemon,dbus,dialout,dip,disk,ecryptfs,floppy,fuse,git,hfallback,kmem,ldap,lock,lp,mail,mailnull,man,mem,nfsnobody,nobody,nscd,ntp,ossec,oprofile,postdrop,postfix,puppet,puppet-dashboard,pulse,pulse-access,root,rpc,rpcuser,rtkit,saslauth,sfallback,slocate,smmsp,sshd,sys,tape,tcpdump,tss,tty,users,utempter,utmp,vcsa,video override_shell = /bin/bash
[pam] debug_level = 3 reconnection_retries = 3 offline_credentials_expiration = 2 offline_failed_login_attempts = 3 offline_failed_login_delay = 5 pam_verbosity = 1 pam_pwd_expiration_warning = 21 pam_account_expired_message = Account expired, please use selfservice portal to change your password and extend account.
[sudo] debug_level=9
[ssh] # debug_level=9
[domain/LOCAL] description = LOCAL Users domain id_provider = local enumerate = true min_id = 500 max_id = 999 default_shell = /bin/bash base_directory = /home create_homedir = false remove_homedir = true homedir_umask = 077 skel_dir = /etc/skel mail_dir = /var/spool/mail
######### SECTION: DOMAIN1 [domain/DOMAIN1] min_id = 499 debug_level = 9 cache_credentials = True entry_cache_timeout = 864000
auth_provider = ldap id_provider = ldap access_provider = ldap #chpass_provider = ldap sudo_provider = ldap selinux_provider = none autofs_provider = none
# LDAP Search ldap_search_base = dc=domain,dc=com ldap_group_search_base = ou=groups,o=Domain,dc=domain,dc=com ldap_user_search_base = ou=users,o=Domain,dc=domain,dc=com?subtree?(|(description=cn=stage,ou=groups,o=Domain,dc=domain,dc=com)(.....)(.....))
# LDAP Custom Schema ldap_group_member = hMemberDN ldap_user_member_of = description # this should really be rfc2307 ldap_schema = rfc2307bis
ldap_network_timeout = 3 ldap_id_use_start_tls = False ldap_tls_reqcert = never ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_uri = ldaps://s1.sec.domain.com, ldaps://s2.sec.domain.com, ldaps://s3.sec.domain.com ldap_backup_uri = ldaps://66.X.Y.Z
ldap_default_authtok_type = obfuscated_password ldap_default_bind_dn = uid=MYDN ldap_default_authtok = MYPASS
ldap_user_ssh_public_key = sshPublicKey
ldap_pwd_policy = none ldap_account_expire_policy = shadow ldap_user_shadow_expire = shadowExpire # shadowExpire: days since Jan 1, 1970 that account is disabled: $ echo $(($(date --utc --date "$1" +%s)/86400))
ldap_chpass_update_last_change = false
ldap_access_order = filter, expire ldap_access_filter = (&(objectClass=posixAccount)(uidNumber=*)(hAccountInitialSetup=1)(|(description=cn=stage,ou=groups,o=Domain,dc=domain,dc=com)))
# SUDO ldap_sudo_search_base = ou=sudoers,o=Domain,dc=domain,dc=com ldap_sudo_full_refresh_interval = 86400 ldap_sudo_smart_refresh_interval = 3600 #entry_cache_sudo_timeout = 5400
The same options for DOMAIN2 except filters and user/group base.
hMemberDN is defined in nis.schema, a relic of OpenLDAP 2.2, a workaround applied before transitioning to 2.4.40.
# Modification to posixGroup attributetype ( 1.3.6.1.1.1.1.28 NAME 'hMemberDN' DESC 'RFC2256: member of a group' SUP distinguishedName )
objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' DESC 'Abstraction of a group of accounts' SUP top STRUCTURAL MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ hMemberDN $ description ) )
hMemberDN: uid=abc,ou=users,o=Domain,dc=domain,dc=com
Hi Jakub,
That is correct, I have 2 users, one is a member of DOMAIN1, the other is a member of DOMAIN2. The options for both domains are similar as we use an automatic deployment system. One of the users is hfa-joswel-tehnicom ( test account ), the other one is azapravdin.
I thought local domain is required, I use it to inject a local emergency user on all servers. But I can remove local domain if it is recommended.
Thank you Mario
On 10/20/2016 03:36 AM, Jakub Hrozek wrote:
On Wed, Oct 19, 2016 at 11:54:39AM -0400, Mario Rossi wrote:
Hi sssd-users list,
I am facing a strange issue on several CentOS servers. It seems that after a while ( days ) sudo does not work any more for some of my users. We keep sudo rules in OpenLDAP. If a user uses 'sudo su - ' , he gets an error message ( "User abc is not allowed to run sudo on ....") however if the user runs 'id' followed by 'sudo su -' then in some of the cases, it works fine, user can get root access. I even upgraded to the unofficial repo hoping that the issue we see is similar/same to https://fedorahosted.org/sssd/ticket/2970. But I think it's a different issue.
Any ideas? Next I will be looking at dumping the local sssd cache files. I can provide debug =9 log files offline if needed.
I think this is the best course of action..
btw does the user come from DOMAIN1 or DOMAIN2?
and do you need the local domain? It's really code that mostly has meaning for testing or experiments, I've never seen anyone using it in production..
Thank you
root@server yum.repos.d # rpm -qa | egrep sssd sssd-common-pac-1.13.4-4.el6.x86_64 sssd-ldap-1.13.4-4.el6.x86_64 sssd-tools-1.13.4-4.el6.x86_64 sssd-client-1.13.4-4.el6.x86_64 sssd-ad-1.13.4-4.el6.x86_64 python-sssdconfig-1.13.4-4.el6.noarch sssd-common-1.13.4-4.el6.x86_64 sssd-ipa-1.13.4-4.el6.x86_64 sssd-proxy-1.13.4-4.el6.x86_64 sssd-krb5-common-1.13.4-4.el6.x86_64 sssd-krb5-1.13.4-4.el6.x86_64 sssd-1.13.4-4.el6.x86_64
root@server sssd # vim /etc/sssd/sssd.conf # set debug = 9
root@server sssd # sudo -U abc -l
User abc is not allowed to run sudo on server.
root@server sssd # egrep sudo /etc/nsswitch.conf sudoers: sss
root@server sssd # ip a s dev eth0 | egrep global inet 216.X.Y.Z/26 brd 216.X.Y.Z scope global eth0
root@server sssd # id abc uid=100001044(abc) gid=1009(...) groups=1202(...),1168(...),1191(...),1102(...),1009(...),1101(...),1127(...),1167(...),1111(...),1178(...),1109(...),1199(...),1208(stage),1117(...),1198(...),1192(...),1206(...),1176(...),1404(...),1183(...),1103(...),1110(...),1205
root@abc sssd # sudo -U abc -l Matching Defaults entries for abc on this host: [...]
User abc may run the following commands on this host: (ALL) PASSWD: ALL
# LDAP Sudo def dn: cn=stage,ou=sudoers,o=Domain,dc=domain,dc=com sudoOrder: 42 [...] sudoUser: %stage sudoRunAs: ALL cn: stage description: Allow Trusted Senior stuff become root sudoCommand: ALL sudoHost: 216.X.Y.Z [...] objectClass: top objectClass: sudoRole sudoOption: authenticate
# Group def dn: cn=stage,ou=groups,o=Domain,dc=domain,dc=com gidNumber: 1208 cn: stage description: stage Group objectClass: posixGroup objectClass: top memberUid: abc hMemberDN: uid=abc,ou=users,o=Domain,dc=domain,dc=com
Sanitized sssd.conf:
[sssd] config_file_version = 2 sbus_timeout = 30 services = nss, pam, sudo, ssh domains = LOCAL, DOMAIN1, DOMAIN2
[nss] filter_users = adm,apache,avahi,bin,daemon,dbus,ecryptfs,ftp,git,games,gopher,haldaemon,halt,hfallback,ldap,lp,mail,mailnull,named,news,nfsnobody,nobody,nscd,nslcd,ntp,operator,oprofile,ossec,postfix,puppet,puppet-dashboard,pulse,pulse-access,radiusd,root,rpc,rpcuser,rtkit,saslauth,sfallback,shutdown,slocate,smmsp,sshd,sync,tcpdump,tss,uucp,vcsa filter_groups = adm,apache,audio,bin,cdrom,cgred,daemon,dbus,dialout,dip,disk,ecryptfs,floppy,fuse,git,hfallback,kmem,ldap,lock,lp,mail,mailnull,man,mem,nfsnobody,nobody,nscd,ntp,ossec,oprofile,postdrop,postfix,puppet,puppet-dashboard,pulse,pulse-access,root,rpc,rpcuser,rtkit,saslauth,sfallback,slocate,smmsp,sshd,sys,tape,tcpdump,tss,tty,users,utempter,utmp,vcsa,video override_shell = /bin/bash
[pam] debug_level = 3 reconnection_retries = 3 offline_credentials_expiration = 2 offline_failed_login_attempts = 3 offline_failed_login_delay = 5 pam_verbosity = 1 pam_pwd_expiration_warning = 21 pam_account_expired_message = Account expired, please use selfservice portal to change your password and extend account.
[sudo] debug_level=9
[ssh] # debug_level=9
[domain/LOCAL] description = LOCAL Users domain id_provider = local enumerate = true min_id = 500 max_id = 999 default_shell = /bin/bash base_directory = /home create_homedir = false remove_homedir = true homedir_umask = 077 skel_dir = /etc/skel mail_dir = /var/spool/mail
######### SECTION: DOMAIN1 [domain/DOMAIN1] min_id = 499 debug_level = 9 cache_credentials = True entry_cache_timeout = 864000
auth_provider = ldap id_provider = ldap access_provider = ldap #chpass_provider = ldap sudo_provider = ldap selinux_provider = none autofs_provider = none
# LDAP Search ldap_search_base = dc=domain,dc=com ldap_group_search_base = ou=groups,o=Domain,dc=domain,dc=com ldap_user_search_base = ou=users,o=Domain,dc=domain,dc=com?subtree?(|(description=cn=stage,ou=groups,o=Domain,dc=domain,dc=com)(.....)(.....))
# LDAP Custom Schema ldap_group_member = hMemberDN ldap_user_member_of = description # this should really be rfc2307 ldap_schema = rfc2307bis
ldap_network_timeout = 3 ldap_id_use_start_tls = False ldap_tls_reqcert = never ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_uri = ldaps://s1.sec.domain.com, ldaps://s2.sec.domain.com, ldaps://s3.sec.domain.com ldap_backup_uri = ldaps://66.X.Y.Z
ldap_default_authtok_type = obfuscated_password ldap_default_bind_dn = uid=MYDN ldap_default_authtok = MYPASS
ldap_user_ssh_public_key = sshPublicKey
ldap_pwd_policy = none ldap_account_expire_policy = shadow ldap_user_shadow_expire = shadowExpire # shadowExpire: days since Jan 1, 1970 that account is disabled: $ echo $(($(date --utc --date "$1" +%s)/86400))
ldap_chpass_update_last_change = false
ldap_access_order = filter, expire ldap_access_filter = (&(objectClass=posixAccount)(uidNumber=*)(hAccountInitialSetup=1)(|(description=cn=stage,ou=groups,o=Domain,dc=domain,dc=com)))
# SUDO ldap_sudo_search_base = ou=sudoers,o=Domain,dc=domain,dc=com ldap_sudo_full_refresh_interval = 86400 ldap_sudo_smart_refresh_interval = 3600 #entry_cache_sudo_timeout = 5400
The same options for DOMAIN2 except filters and user/group base.
hMemberDN is defined in nis.schema, a relic of OpenLDAP 2.2, a workaround applied before transitioning to 2.4.40.
# Modification to posixGroup attributetype ( 1.3.6.1.1.1.1.28 NAME 'hMemberDN' DESC 'RFC2256: member of a group' SUP distinguishedName )
objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' DESC 'Abstraction of a group of accounts' SUP top STRUCTURAL MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ hMemberDN $ description ) )
hMemberDN: uid=abc,ou=users,o=Domain,dc=domain,dc=com
What sets the dataExpireTimestamp to 1 in the cache files? Should I file a bug? Affected users cannot use sudo on certain hosts.
# record 14 dn: name=stage,cn=groups,cn=DOMAIN2,cn=sysdb createTimestamp: 1476812816 gidNumber: 16208
[....]
lastUpdate: 1476816339
[....]
dataExpireTimestamp: 1
root@stage ~ # sudo -U hfa-joswel-tehnicom -l User hfa-joswel-tehnicom is not allowed to run sudo on stage.
root@stage ~ # sss_cache -E
root@stage ~ # sudo -U hfa-joswel-tehnicom -l User hfa-joswel-tehnicom is not allowed to run sudo on stage.
root@stage ~ # id hfa-joswel-tehnicom uid=116000059(hfa-joswel-tehnicom) gid=1003(....) groups=16102(....),16009(....),16205(....),16208(stage),1003(....)
root@stage ~ # sudo -U hfa-joswel-tehnicom -l Matching Defaults entries for hfa-joswel-tehnicom on this host: env_keep+=SSH_AUTH_SOCK, logfile=/var/log/ldap-sudo.log, loglinelen=0, log_year, log_host, syslog=auth, ignore_dot, !mail_no_user, ignore_local_sudoers, umask=0077, umask_override, always_set_home, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin:/bin:/usr/sbin:/usr/bin, badpass_message=Wrong password. I have noted your incompetence in the log. Don't think you're fooling anyone., !requiretty, passprompt=LDAP OnePassword for %u:
User hfa-joswel-tehnicom may run the following commands on this host: (ALL) PASSWD: ALL
On 10/20/2016 07:29 AM, Mario Rossi wrote:
Hi Jakub,
That is correct, I have 2 users, one is a member of DOMAIN1, the other is a member of DOMAIN2. The options for both domains are similar as we use an automatic deployment system. One of the users is hfa-joswel-tehnicom ( test account ), the other one is azapravdin.
I thought local domain is required, I use it to inject a local emergency user on all servers. But I can remove local domain if it is recommended.
Thank you Mario
On 10/20/2016 03:36 AM, Jakub Hrozek wrote:
On Wed, Oct 19, 2016 at 11:54:39AM -0400, Mario Rossi wrote:
Hi sssd-users list,
I am facing a strange issue on several CentOS servers. It seems that after a while ( days ) sudo does not work any more for some of my users. We keep sudo rules in OpenLDAP. If a user uses 'sudo su - ' , he gets an error message ( "User abc is not allowed to run sudo on ....") however if the user runs 'id' followed by 'sudo su -' then in some of the cases, it works fine, user can get root access. I even upgraded to the unofficial repo hoping that the issue we see is similar/same to https://fedorahosted.org/sssd/ticket/2970. But I think it's a different issue.
Any ideas? Next I will be looking at dumping the local sssd cache files. I can provide debug =9 log files offline if needed.
I think this is the best course of action..
btw does the user come from DOMAIN1 or DOMAIN2?
and do you need the local domain? It's really code that mostly has meaning for testing or experiments, I've never seen anyone using it in production..
Thank you
root@server yum.repos.d # rpm -qa | egrep sssd sssd-common-pac-1.13.4-4.el6.x86_64 sssd-ldap-1.13.4-4.el6.x86_64 sssd-tools-1.13.4-4.el6.x86_64 sssd-client-1.13.4-4.el6.x86_64 sssd-ad-1.13.4-4.el6.x86_64 python-sssdconfig-1.13.4-4.el6.noarch sssd-common-1.13.4-4.el6.x86_64 sssd-ipa-1.13.4-4.el6.x86_64 sssd-proxy-1.13.4-4.el6.x86_64 sssd-krb5-common-1.13.4-4.el6.x86_64 sssd-krb5-1.13.4-4.el6.x86_64 sssd-1.13.4-4.el6.x86_64
root@server sssd # vim /etc/sssd/sssd.conf # set debug = 9
root@server sssd # sudo -U abc -l
User abc is not allowed to run sudo on server.
root@server sssd # egrep sudo /etc/nsswitch.conf sudoers: sss
root@server sssd # ip a s dev eth0 | egrep global inet 216.X.Y.Z/26 brd 216.X.Y.Z scope global eth0
root@server sssd # id abc uid=100001044(abc) gid=1009(...) groups=1202(...),1168(...),1191(...),1102(...),1009(...),1101(...),1127(...),1167(...),1111(...),1178(...),1109(...),1199(...),1208(stage),1117(...),1198(...),1192(...),1206(...),1176(...),1404(...),1183(...),1103(...),1110(...),1205
root@abc sssd # sudo -U abc -l Matching Defaults entries for abc on this host: [...]
User abc may run the following commands on this host: (ALL) PASSWD: ALL
# LDAP Sudo def dn: cn=stage,ou=sudoers,o=Domain,dc=domain,dc=com sudoOrder: 42 [...] sudoUser: %stage sudoRunAs: ALL cn: stage description: Allow Trusted Senior stuff become root sudoCommand: ALL sudoHost: 216.X.Y.Z [...] objectClass: top objectClass: sudoRole sudoOption: authenticate
# Group def dn: cn=stage,ou=groups,o=Domain,dc=domain,dc=com gidNumber: 1208 cn: stage description: stage Group objectClass: posixGroup objectClass: top memberUid: abc hMemberDN: uid=abc,ou=users,o=Domain,dc=domain,dc=com
Sanitized sssd.conf:
[sssd] config_file_version = 2 sbus_timeout = 30 services = nss, pam, sudo, ssh domains = LOCAL, DOMAIN1, DOMAIN2
[nss] filter_users = adm,apache,avahi,bin,daemon,dbus,ecryptfs,ftp,git,games,gopher,haldaemon,halt,hfallback,ldap,lp,mail,mailnull,named,news,nfsnobody,nobody,nscd,nslcd,ntp,operator,oprofile,ossec,postfix,puppet,puppet-dashboard,pulse,pulse-access,radiusd,root,rpc,rpcuser,rtkit,saslauth,sfallback,shutdown,slocate,smmsp,sshd,sync,tcpdump,tss,uucp,vcsa filter_groups = adm,apache,audio,bin,cdrom,cgred,daemon,dbus,dialout,dip,disk,ecryptfs,floppy,fuse,git,hfallback,kmem,ldap,lock,lp,mail,mailnull,man,mem,nfsnobody,nobody,nscd,ntp,ossec,oprofile,postdrop,postfix,puppet,puppet-dashboard,pulse,pulse-access,root,rpc,rpcuser,rtkit,saslauth,sfallback,slocate,smmsp,sshd,sys,tape,tcpdump,tss,tty,users,utempter,utmp,vcsa,video override_shell = /bin/bash
[pam] debug_level = 3 reconnection_retries = 3 offline_credentials_expiration = 2 offline_failed_login_attempts = 3 offline_failed_login_delay = 5 pam_verbosity = 1 pam_pwd_expiration_warning = 21 pam_account_expired_message = Account expired, please use selfservice portal to change your password and extend account.
[sudo] debug_level=9
[ssh] # debug_level=9
[domain/LOCAL] description = LOCAL Users domain id_provider = local enumerate = true min_id = 500 max_id = 999 default_shell = /bin/bash base_directory = /home create_homedir = false remove_homedir = true homedir_umask = 077 skel_dir = /etc/skel mail_dir = /var/spool/mail
######### SECTION: DOMAIN1 [domain/DOMAIN1] min_id = 499 debug_level = 9 cache_credentials = True entry_cache_timeout = 864000
auth_provider = ldap id_provider = ldap access_provider = ldap #chpass_provider = ldap sudo_provider = ldap selinux_provider = none autofs_provider = none
# LDAP Search ldap_search_base = dc=domain,dc=com ldap_group_search_base = ou=groups,o=Domain,dc=domain,dc=com ldap_user_search_base = ou=users,o=Domain,dc=domain,dc=com?subtree?(|(description=cn=stage,ou=groups,o=Domain,dc=domain,dc=com)(.....)(.....))
# LDAP Custom Schema ldap_group_member = hMemberDN ldap_user_member_of = description # this should really be rfc2307 ldap_schema = rfc2307bis
ldap_network_timeout = 3 ldap_id_use_start_tls = False ldap_tls_reqcert = never ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_uri = ldaps://s1.sec.domain.com, ldaps://s2.sec.domain.com, ldaps://s3.sec.domain.com ldap_backup_uri = ldaps://66.X.Y.Z
ldap_default_authtok_type = obfuscated_password ldap_default_bind_dn = uid=MYDN ldap_default_authtok = MYPASS
ldap_user_ssh_public_key = sshPublicKey
ldap_pwd_policy = none ldap_account_expire_policy = shadow ldap_user_shadow_expire = shadowExpire # shadowExpire: days since Jan 1, 1970 that account is disabled: $ echo $(($(date --utc --date "$1" +%s)/86400))
ldap_chpass_update_last_change = false
ldap_access_order = filter, expire ldap_access_filter = (&(objectClass=posixAccount)(uidNumber=*)(hAccountInitialSetup=1)(|(description=cn=stage,ou=groups,o=Domain,dc=domain,dc=com)))
# SUDO ldap_sudo_search_base = ou=sudoers,o=Domain,dc=domain,dc=com ldap_sudo_full_refresh_interval = 86400 ldap_sudo_smart_refresh_interval = 3600 #entry_cache_sudo_timeout = 5400
The same options for DOMAIN2 except filters and user/group base.
hMemberDN is defined in nis.schema, a relic of OpenLDAP 2.2, a workaround applied before transitioning to 2.4.40.
# Modification to posixGroup attributetype ( 1.3.6.1.1.1.1.28 NAME 'hMemberDN' DESC 'RFC2256: member of a group' SUP distinguishedName )
objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' DESC 'Abstraction of a group of accounts' SUP top STRUCTURAL MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ hMemberDN $ description ) )
hMemberDN: uid=abc,ou=users,o=Domain,dc=domain,dc=com