Turns out it was one of our own system hardening steps that caused SSSD sudo to break.
Under /etc/pam.d/system-auth, once I commented out the lines below, sudo started working again. These lines were added to enable account lockout after multiple attempts. Can we still have these along with pam_sss? Are they just in the wrong order and interfering with SSSD operations?
auth required pam_env.so
#auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
#auth [success=1 default=bad] pam_unix.so
#auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
#auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
Thanks,
~ Abhi
Sent from my iPhone
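An added example (mine, not code from the thread) for reasoning about the ordering question above: a small simulator of Linux-PAM auth-stack evaluation. It applies the pam.conf(5) control semantics (required, requisite, sufficient, and the bracketed [success=N default=X] form) to stub modules and reports which modules actually run for a local user and for an AD user. It takes the posted system-auth fragment with the commented lines re-enabled, plus a reordered stack that is my proposal rather than anything from the thread; the account names, passwords and stub module behaviour are constructed for the example. Under the posted order an AD user fails pam_unix (which has no usable password hash for an SSSD-provided account), and the very next line, `[default=die] pam_faillock.so authfail`, both counts a failed attempt and terminates the stack, so pam_sss is never consulted even when the password is correct. Moving the authfail line after pam_sss lets either backend accept the password and counts a failure only when both reject it.

```python
"""Linux-PAM auth-stack simulator (added example, not code from the thread). It applies
the pam.conf(5) control semantics to stub modules and reports which modules run."""
from collections import defaultdict
SHORTHAND = {  # pam.conf(5) expansions of the shorthand control keywords
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
}

# The auth lines as posted above, with the commented-out faillock lines re-enabled.
POSTED_STACK = """
auth required pam_env.so
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
"""

# Reordered stack (my proposal, not from the thread): count a failure only after both backends reject.
REORDERED_STACK = """
auth required pam_env.so
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth required pam_deny.so
"""

USERS = {  # constructed accounts: one in /etc/shadow, one known only through SSSD
    "localadmin": {"uid": 1000, "backend": "pam_unix.so", "password": "hunter2"},
    "first.last": {"uid": 1672401105, "backend": "pam_sss.so", "password": "Pa55w0rd!"},
}

def parse_stack(text):
    """Return [(control, module, args)]; control maps a module result to an action."""
    stack = []
    for line in text.strip().splitlines():
        _, rest = line.split(None, 1)           # drop the 'auth' type column
        if rest.startswith("["):                # explicit [result=action ...] form
            ctl, rest = rest[1:].split("]", 1)
            control = dict(kv.split("=") for kv in ctl.split())
        else:
            keyword, rest = rest.split(None, 1)
            control = SHORTHAND[keyword]
        module, *args = rest.split()
        stack.append((control, module, args))
    return stack

def run_module(tally, module, args, user, password):
    """Stub module behaviour; `tally` is the faillock counter shared across the stack."""
    acct = USERS.get(user)
    if module == "pam_faillock.so":
        deny = next((int(a[5:]) for a in args if a.startswith("deny=")), 3)
        if args[0] == "authfail":               # counts the attempt, always fails
            tally[user] += 1
        elif args[0] == "authsucc":             # clears the counter
            tally[user] = 0
        return "auth_err" if args[0] == "authfail" or tally[user] >= deny else "success"
    if module in ("pam_unix.so", "pam_sss.so"):  # each backend verifies only its own users
        return "success" if acct and acct["backend"] == module and acct["password"] == password else "auth_err"
    if module == "pam_succeed_if.so":            # only 'uid >= N' is modelled
        return "success" if acct and acct["uid"] >= int(args[2]) else "auth_err"
    return "auth_err" if module == "pam_deny.so" else "ignore"   # pam_env adds nothing

def authenticate(tally, stack, user, password):
    """Walk the stack as pam_dispatch() does; return (final result, modules that ran)."""
    impression, status, ran, skip = None, "perm_denied", [], 0
    for control, module, args in stack:
        if skip:                                 # inside a [success=N] jump
            skip -= 1
            continue
        ran.append(module if module != "pam_faillock.so" else f"{module} {args[0]}")
        ret = run_module(tally, module, args, user, password)
        action = control.get(ret, control.get("default", "bad"))
        if action in ("bad", "die"):
            if impression != "negative":         # the first failure is the one reported
                impression, status = "negative", ret
            if action == "die":
                break
        elif action != "ignore":                 # ok, done, or a jump count (ok + skip N)
            if impression != "negative":
                impression, status = "positive", ret
            if action == "done" and impression == "positive":
                break
            skip = int(action) if action.isdigit() else 0
    return status, ran

def attempt(stack_text, user, passwords):
    # One login attempt per password against a fresh host; returns (last result, modules run, tally).
    tally, stack = defaultdict(int), parse_stack(stack_text)
    for password in passwords:
        result, ran = authenticate(tally, stack, user, password)
    return result, ran, tally[user]

if __name__ == "__main__":
    for user, acct in USERS.items():
        print(user, attempt(POSTED_STACK, user, [acct["password"]]), attempt(REORDERED_STACK, user, [acct["password"]]))
```

Running it prints the module path and final faillock tally for each user under each stack. Two things worth noticing in the output: under the posted order the AD user's tally is incremented on every sudo attempt, correct password or not, so five attempts also trip the deny=5 lock; and the reordered stack has no auth-phase authsucc line, because in a full system-auth the documented `account required pam_faillock.so` line clears the tally after a successful login, which this auth-only model does not cover.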
On May 17, 2017, at 5:05 PM, Striker Leggette <striker@terranforge.com> wrote:
What format are your groups listed in /etc/sudoers? Use this example:
[striker-ad@el7client01 ~]$ id
uid=1672401105(striker-ad) gid=1672400513(domain users) groups=1672400513(domain users)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[striker-ad@el7client01 ~]$ sudo tail -n 1 /etc/sudoers
%win\\domain\ users ALL = NOPASSWD: ALL
[striker-ad@el7client01 ~]$
Groups should be listed as '%<netbios>\\<group>' or, if they have spaces, '%<netbios>\\<group\ name>'.
> On 05/17/2017 04:22 PM, Abhijit Tikekar wrote:
> Sorry for the confusion. Sudo groups are in AD. We just add the AD group under sudoers.
>
> E.g. users from AD group ABC, XYZ can log in but only members of XYZ can "sudo su".
> %XYZ is added under /etc/sudoers
>
> Thanks,
>
> ~abhi
>
> On May 17, 2017, at 3:21 PM, Striker Leggette <striker@terranforge.com> wrote:
>
>> Where are your sudo rules stored? You give a sudo debug log from SSSD, but also say that the user's group is in /etc/sudoers. Are sudo rules in AD or local to the system?
>>
>>> On 05/17/2017 02:17 PM, Abhijit Tikekar wrote:
>>> Hi,
>>>
>>> On multiple machines where SSSD is being used, “sudo” has stopped working. Users can authenticate successfully based on their group memberships, but are unable to elevate privileges.
>>>
>>> [first.last@hostname ~]$ sudo su
>>> [sudo] password for first.last:
>>> Sorry, try again.
>>> [sudo] password for first.last:
>>>
>>>
>>> Here is the SSSD Configuration:
>>>
>>> [sssd]
>>> domains = X.Y.LOCAL
>>> services = nss, pam, sudo
>>> config_file_version = 2
>>> debug_level = 0
>>> [nss]
>>> [pam]
>>> [sudo]
>>> debug_level=10
>>> [domain/x.y.local]
>>> debug_level=0
>>> ad_server = AD.x.y.local
>>> id_provider = ad
>>> auth_provider = ad
>>> access_provider = ad
>>> sudo_provider = ad
>>> ldap_id_mapping = true
>>> ldap_use_tokengroups = False
>>> ldap_sasl_mech = GSSAPI
>>> krb5_realm = X.Y.LOCAL
>>> ldap_uri = ldap://AD.x.y.local
>>> ldap_sudo_search_base = ou=
>>> ldap_user_search_base = dc=
>>> ldap_user_object_class = user
>>> ldap_group_search_base = ou
>>> ldap_group_object_class = group
>>> ldap_user_home_directory = unixHomeDirectory
>>> ldap_user_principal = userPrincipalName
>>> ldap_access_order = filter, expire
>>> ldap_account_expire_policy = ad
>>> ldap_access_filter =
>>> cache_credentials = true
>>> override_homedir = /home/%d/%u
>>> default_shell = /bin/bash
>>> ldap_schema = ad
>>>
>>>
>>>
>>> Here is sssd_sudo.log with level set to 10
>>>
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=first.last)(sudoUser=first.last)(sudoUser=#xxxxxxxxx)(sudoUser=%yyyyyyyy)(sudoUser=%zzzzzz)]
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x24216e0
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x241d2f0
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x24216e0 "ltdb_callback"
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x241d2f0 "ltdb_timeout"
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x24216e0 "ltdb_callback"
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x2421880
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x241bd70
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x2421880 "ltdb_callback"
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x241bd70 "ltdb_timeout"
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x2421880 "ltdb_callback"
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@x.y.local]
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x241dbe0][17]
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x241dbe0][17]
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'first.last' matched without domain, user is first.last
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'first.last' matched without domain, user is first.last
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [first.last] from [<ALL>]
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/x.y.local/first.last]
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [first.last@x.y.local]
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x2411ce0
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x241bcf0
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x2411ce0 "ltdb_callback"
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x241bcf0 "ltdb_timeout"
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x2411ce0 "ltdb_callback"
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [first.last@x.y.local]
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [first.last] from [x.y.local]
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x2416450
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x241a150
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x2416450 "ltdb_callback"
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x241a150 "ltdb_timeout"
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x2416450 "ltdb_callback"
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x2412df0
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x2421340
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x2412df0 "ltdb_callback"
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x2421340 "ltdb_timeout"
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x2412df0 "ltdb_callback"
>>> (Wed May 17 13:33:51 2017) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
>>>
>>>
>>> Verified that the correct %groupname entry exists in the /etc/sudoers file.
>>>
>>> What else can be checked?
>>>
>>> Thanks,
>>>
>>> ~ abhi
>>>
>>>
>>> _______________________________________________
>>> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
>>> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org