Hi,
On multiple machines where SSSD is being used, “sudo” has stopped working. Users can authenticate successfully based on their group memberships, but are unable to elevate privileges.
[first.last@hostname ~]$ sudo su
[sudo] password for first.last:
Sorry, try again.
[sudo] password for first.last:
Here is the SSSD Configuration:
[sssd]
domains = X.Y.LOCAL
services = nss, pam, sudo
config_file_version = 2
debug_level = 0
[nss]
[pam]
[sudo]
debug_level=10
[domain/x.y.local]
debug_level=0
ad_server = AD.x.y.local
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
ldap_id_mapping = true
ldap_use_tokengroups = False
ldap_sasl_mech = GSSAPI
krb5_realm = X.Y.LOCAL
ldap_uri = ldap://AD.x.y.local
ldap_sudo_search_base = ou=
ldap_user_search_base = dc=
ldap_user_object_class = user
ldap_group_search_base = ou
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ldap_access_filter =
cache_credentials = true
override_homedir = /home/%d/%u
default_shell = /bin/bash
ldap_schema = ad
Here is sssd_sudo.log with level set to 10
(Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=first.last)(sudoUser=first.last)(sudoUser=#xxxxxxxxx)(sudoUser=%yyyyyyyy)(sudoUser=%zzzzzz)]
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x24216e0
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x241d2f0
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x24216e0 "ltdb_callback"
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x241d2f0 "ltdb_timeout"
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x24216e0 "ltdb_callback"
(Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x2421880
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x241bd70
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x2421880 "ltdb_callback"
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x241bd70 "ltdb_timeout"
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x2421880 "ltdb_callback"
(Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@x.y.local]
(Wed May 17 13:33:51 2017) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x241dbe0][17]
(Wed May 17 13:33:51 2017) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x241dbe0][17]
(Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Wed May 17 13:33:51 2017) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'first.last' matched without domain, user is first.last
(Wed May 17 13:33:51 2017) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'first.last' matched without domain, user is first.last
(Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [first.last] from [<ALL>]
(Wed May 17 13:33:51 2017) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/x.y.local/first.last]
(Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [first.last@x.y.local]
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x2411ce0
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x241bcf0
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x2411ce0 "ltdb_callback"
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x241bcf0 "ltdb_timeout"
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x2411ce0 "ltdb_callback"
(Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [first.last@x.y.local]
(Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [first.last] from [x.y.local]
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x2416450
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x241a150
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x2416450 "ltdb_callback"
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x241a150 "ltdb_timeout"
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x2416450 "ltdb_callback"
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x2412df0
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x2421340
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x2412df0 "ltdb_callback"
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x2421340 "ltdb_timeout"
(Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x2412df0 "ltdb_callback"
(Wed May 17 13:33:51 2017) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
Verified that correct %groupname entry exists under /etc/sudoers file.
What else can be checked?
Thanks,
~ abhi
Where are your sudo rules stored? You give sudo debug log from SSSD, but also say that the user's group is in /etc/sudoers. Are sudo rules in AD or local to the system?
On 05/17/2017 02:17 PM, Abhijit Tikekar wrote:
[...]
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Sorry for the confusion. Sudo groups are in AD. We just add the AD group under sudoers.
E.g. users from AD groups ABC and XYZ can log in, but only members of XYZ can "sudo su". %XYZ is added under /etc/sudoers.
Thanks,
~abhi
On May 17, 2017, at 3:21 PM, Striker Leggette <striker@terranforge.com> wrote:
[...]
What format are your groups listed in /etc/sudoers? Use this example:
[striker-ad@el7client01 ~]$ id
uid=1672401105(striker-ad) gid=1672400513(domain users) groups=1672400513(domain users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[striker-ad@el7client01 ~]$ sudo tail -n 1 /etc/sudoers
%win\domain\ users ALL = NOPASSWD: ALL
[striker-ad@el7client01 ~]$
Groups should be listed as '%<netbios>\<group>' or, if they have spaces, '%<netbios>\<group\ name>'.
On 05/17/2017 04:22 PM, Abhijit Tikekar wrote:
[...]
Turns out, it was one of our own system hardening steps which has caused SSSD Sudo to break.
Under /etc/pam.d/system-auth, once I commented out the lines below, sudo started working again. These lines were added to enable account lockout after multiple failed attempts. Can we still have these along with pam_sss? Are they just in the wrong order and interfering with SSSD operations?
auth required pam_env.so
#auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
#auth [success=1 default=bad] pam_unix.so
#auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
#auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
Thanks,
~ Abhi
Sent from my iPhone
On May 17, 2017, at 5:05 PM, Striker Leggette <striker@terranforge.com> wrote:
[...]
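The ordering question in the message above can be answered by tracing the stack mechanically. This is an added example, not code from the thread or from Linux-PAM: a small interpreter for pam.conf(5) control flags run over the hardening stack with its '#' removed, with each module's return code modelled (pam_unix has no hash for an AD-only user and fails, pam_sss decides), plus a reordered stack that is my own assumption rather than anything proposed in the thread.

```python
# Added example (not from the thread or from Linux-PAM): a minimal interpreter for
# pam.conf(5) control flags, used to trace the hardening stack from the message above.

PAM_SUCCESS, PAM_AUTH_ERR, PAM_PERM_DENIED = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_PERM_DENIED"

# Keyword controls in their bracket form, as pam.conf(5) defines them.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
}

# The thread's hardening lines with the '#' removed: the stack as it was when sudo broke.
HARDENED = """
auth required pam_env.so
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
"""

# Assumed reordering (not proposed in the thread): count a failure only after both
# pam_unix and pam_sss have been asked.  Resetting the tally on success is left to
# pam_faillock's account phase, which lies outside the auth stack modelled here.
REORDERED = """
auth required pam_env.so
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth required pam_deny.so
"""

def parse_control(token):
    """'[success=1 default=bad]' -> {'success': '1', 'default': 'bad'}."""
    if token in KEYWORDS:
        return dict(KEYWORDS[token])
    return dict(kv.split("=", 1) for kv in token.strip("[]").split())

def parse_stack(text):
    """Parse pam.d lines into (control, module, args); '#' lines are skipped."""
    stack = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        _type, rest = line.split(None, 1)
        if rest.startswith("["):                  # bracketed control contains spaces
            control, rest = rest.split("]", 1)
            control += "]"
        else:
            control, rest = rest.split(None, 1)
        module, *args = rest.split()
        stack.append((parse_control(control), module, tuple(args)))
    return stack

def run_auth(stack, outcome):
    """Walk the stack; outcome(module, args) supplies each module's return code.
    Returns (stack result, labels of the modules that were actually consulted)."""
    status, failed, consulted, i = None, False, [], 0
    while i < len(stack):
        control, module, args = stack[i]
        code = outcome(module, args)
        consulted.append(f"{module}:{args[0]}" if module == "pam_faillock.so" else module)
        # unlisted return codes fall back to 'default', which itself defaults to bad
        action = control.get(code[4:].lower(), control.get("default", "bad"))
        if action in ("bad", "die"):              # the first failure fixes the result
            if not failed:
                status, failed = code, True
            if action == "die":
                break
        elif action != "ignore":                  # ok, done, or a jump count N
            if not failed:
                status, failed = code, code != PAM_SUCCESS
            if action == "done" and not failed:   # sufficient succeeded: stop here
                break
            if action.isdigit():                  # skip the next N modules
                i += int(action)
        i += 1
    return (status if status is not None else PAM_PERM_DENIED), consulted

def outcomes(local_user, password_ok):
    """Modelled return codes: a local user is verified by pam_unix; an AD-only user
    has no local hash, so pam_unix always fails and pam_sss decides."""
    def outcome(module, args):
        if module == "pam_unix.so":
            return PAM_SUCCESS if local_user and password_ok else PAM_AUTH_ERR
        if module == "pam_sss.so":
            return PAM_SUCCESS if not local_user and password_ok else PAM_AUTH_ERR
        if module == "pam_faillock.so":           # preauth/authsucc: not locked out;
            return PAM_AUTH_ERR if args[0] == "authfail" else PAM_SUCCESS  # authfail: records a failure
        return PAM_AUTH_ERR if module == "pam_deny.so" else PAM_SUCCESS  # pam_env, pam_succeed_if
    return outcome

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("reordered", REORDERED)):
        for local, ok in ((False, True), (False, False), (True, True)):
            result, path = run_auth(parse_stack(text), outcomes(local, ok))
            who = ("local" if local else "AD") + (", good pw" if ok else ", bad pw")
            print(f"{name:9} {who:14} -> {result:13} via {' > '.join(path)}")
```

In the hardened ordering an AD user's correct password never reaches pam_sss, and every sudo attempt still passes through the authfail line, so with deny=5 the account locks after five tries; in the reordered stack a failure is recorded only after pam_sss has also rejected the password.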