On 09/07/14 19:00, Rich Megginson wrote:
re:
https://lists.fedorahosted.org/pipermail/sssd-users/2014-July/001891.html
<snip>
> OK, I take back all that I said over on the samba list, sssd does not
> pull the sudo rules from AD
>
> I have just spent two hours trying to get sssd to get the sudo rules
> from AD on my netbook that I have just installed Linux Mint mate 17 on,
> to no effect.
>
> after upping sssd debug to 9, I found this search in
> sssd_example.com.log:
>
> (&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=netbook)(sudoHost=netbook.example.com)(sudoHost=192.168.0.229)(sudoHost=192.168.0.0/24)(sudoHost=fe80::1e4b:d6ff:fec0:e307)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))
>
>
> If I try to search with this via ldbsearch, it does not work, all I get
> is this:
>
> allocating request failed: Unable to parse search expression
>
> If I remove one small part, it does work and displays the sudo roles
>
> So, what does this do?
>
> (sudoHost=*\**)
I'm not sure what this search is supposed to do. What is the intention of this? If it is to search for any sudoHost value with a literal asterisk "*" character in it, then the search filter syntax is wrong. According to http://tools.ietf.org/html/rfc4515, if you want to use a "*" in a search filter, it must be escaped like this: \2A, so the search filter would be (sudoHost=*\2A*)
>
> because I can only get the search to work without it
>
> Rowland
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
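The escaping point above, as an added example that is not part of the thread and not sssd code: a small RFC 4515 helper that escapes assertion values (`*`, `(`, `)`, `\` and NUL become `\` plus two hex digits), rebuilds the sudoHost filter from the log line with the literal asterisk written as `\2A`, and runs a strict RFC 4515 syntax check over both forms. The function names and the address list format (`ip/prefix`) are this example's own; the host name, FQDN and addresses are taken from the filter quoted above.

```python
# Added example, not from sssd or the thread: RFC 4515 escaping, an sssd-style
# sudoHost filter built from the page's host data, and a strict syntax check.
import ipaddress
import re

_ATTR = re.compile(r"[A-Za-z0-9.;-]+")        # AttributeDescription (ASCII subset)
_HEX = set("0123456789abcdefABCDEF")


def escape_value(value: str) -> str:
    """RFC 4515 section 3: '*', '(', ')', '\\' and NUL are written as '\\XX'."""
    return "".join("\\%02X" % ord(c) if c in "*()\\\x00" else c for c in value)


def sudo_host_filter(hostname: str, fqdn: str, addresses) -> str:
    """Rebuild the sudoHost match from the quoted sssd log line, but with the
    'contains a literal *' term escaped as \\2A. addresses: 'ip/prefix' strings."""
    values = ["ALL", hostname, fqdn]
    for a in addresses:
        iface = ipaddress.ip_interface(a)
        values.append(str(iface.ip))          # host address
        values.append(str(iface.network))     # its network in CIDR form
    terms = ["(!(sudoHost=*))"] + ["(sudoHost=%s)" % escape_value(v) for v in values]
    terms.append("(sudoHost=+*)")             # netgroup rules: '+' prefix, wildcard tail
    terms.append("(|(sudoHost=*?*)(sudoHost=*%s*)(sudoHost=*[*]*))" % escape_value("*"))
    return "(&(objectClass=sudoRole)(|%s))" % "".join(terms)


def filter_error(text: str):
    """Strict RFC 4515 check. Returns None if the filter parses, else a message."""
    try:
        end = _parse_filter(text, 0)
        return None if end == len(text) else "trailing data at offset %d" % end
    except ValueError as e:
        return str(e)


def _parse_filter(s: str, i: int) -> int:
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("unexpected end of filter")
    if s[i] in "&|":                          # and / or: one or more nested filters
        i += 1
        count = 0
        while i < len(s) and s[i] == "(":
            i = _parse_filter(s, i)
            count += 1
        if count == 0:
            raise ValueError("empty filter list at offset %d" % i)
    elif s[i] == "!":                         # not: exactly one nested filter
        i = _parse_filter(s, i + 1)
    else:
        i = _parse_item(s, i)
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return i + 1


def _parse_item(s: str, i: int) -> int:
    m = _ATTR.match(s, i)
    if not m:
        raise ValueError("expected attribute at offset %d" % i)
    i = m.end()
    for op in ("~=", ">=", "<=", "="):
        if s.startswith(op, i):
            i += len(op)
            break
    else:
        raise ValueError("expected filtertype at offset %d" % i)
    allow_star = op == "="                    # '*' only valid in present/substring
    while i < len(s) and s[i] != ")":
        c = s[i]
        if c == "\\":                         # escaped = "\" HEX HEX, nothing else
            if not (i + 2 < len(s) and s[i + 1] in _HEX and s[i + 2] in _HEX):
                raise ValueError("'\\' must be followed by two hex digits at offset %d" % i)
            i += 3
        elif c == "*":
            if not allow_star:
                raise ValueError("'*' not allowed after %r at offset %d" % (op, i))
            i += 1
        elif c in "(\x00":
            raise ValueError("raw %r must be escaped at offset %d" % (c, i))
        else:
            i += 1
    return i


if __name__ == "__main__":
    # Filter as it appears in the quoted log line (note the "*\**" term).
    logged = ("(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=netbook)"
              "(sudoHost=netbook.example.com)(sudoHost=192.168.0.229)(sudoHost=192.168.0.0/24)"
              "(sudoHost=fe80::1e4b:d6ff:fec0:e307)(sudoHost=fe80::/64)(sudoHost=+*)"
              "(|(sudoHost=*?*)(sudoHost=*\\**)(sudoHost=*[*]*))))")
    print("logged filter:", filter_error(logged))
    fixed = sudo_host_filter("netbook", "netbook.example.com",
                             ["192.168.0.229/24", "fe80::1e4b:d6ff:fec0:e307/64"])
    print("escaped filter:", filter_error(fixed))
    print(fixed)
```

The checker only accepts `\` followed by two hex digits, so `(sudoHost=*\**)` is reported as a bad escape while the rebuilt filter with `(sudoHost=*\2A*)` parses cleanly; that is the difference Rich is pointing at, independent of any particular server's parser.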
OK, I have done a bit more investigation and I am now of the opinion
that it is a permissions problem.
If I do this ldapsearch on the client:
ldapsearch -h dc1 -Y GSSAPI -b ou=Sudoers,dc=example,dc=com
'(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=netbook)(sudoHost=netbook.example.com)(sudoHost=192.168.0.229)(sudoHost=192.168.0.0/24)(sudoHost=fe80::1e4b:d6ff:fec0:e307)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))'
I get this response:
SASL/GSSAPI authentication started
SASL username: NETBOOK$(a)EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <ou=Sudoers,dc=example,dc=com> with scope subtree
# filter: (&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=netbook)(sudoHost=netbook.example.com)(sudoHost=192.168.0.229)(sudoHost=192.168.0.0/24)(sudoHost=fe80::1e4b:d6ff:fec0:e307)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))
# requesting: ALL
#
# search result
search: 4
result: 0 Success
# numResponses: 1
But, if I do the ldapsearch this way:
ldapsearch -x -h dc1 -b ou=Sudoers,dc=example,dc=com -D cn=Administrator,cn=Users,dc=example,dc=com -w xxxxxxxx
'(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=netbook)(sudoHost=netbook.example.com)(sudoHost=192.168.0.229)(sudoHost=192.168.0.0/24)(sudoHost=fe80::1e4b:d6ff:fec0:e307)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))'
I get this response:
# extended LDIF
#
# LDAPv3
# base <ou=Sudoers,dc=example,dc=com> with scope subtree
# filter: (&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=netbook)(sudoHost=netbook.example.com)(sudoHost=192.168.0.229)(sudoHost=192.168.0.0/24)(sudoHost=fe80::1e4b:d6ff:fec0:e307)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))
# requesting: ALL
#
# defaults, SUDOers, example.com
dn: CN=defaults,OU=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOptions go here
instanceType: 4
whenCreated: 20140703100647.0Z
uSNCreated: 7410
name: defaults
objectGUID:: CFeHJYb9kUSpz1xbrqnrOA==
objectCategory: CN=sudoRole,CN=Schema,CN=Configuration,dc=example,dc=com
sudoOption: env_reset
sudoOption: mail_badpass
sudoOption: secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
sudoHost: ALL
whenChanged: 20140710085142.0Z
uSNChanged: 8889
distinguishedName: CN=defaults,OU=SUDOers,dc=example,dc=com
# rowland, SUDOers, example.com
dn: CN=rowland,OU=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: rowland
instanceType: 4
whenCreated: 20140703100648.0Z
uSNCreated: 7412
name: rowland
objectGUID:: KSCH09FZ4kmM9WIV1qxAPg==
objectCategory: CN=sudoRole,CN=Schema,CN=Configuration,dc=example,dc=com
sudoUser: rowland
sudoCommand: ALL
sudoHost: ALL
whenChanged: 20140710085009.0Z
uSNChanged: 8887
distinguishedName: CN=rowland,OU=SUDOers,dc=example,dc=com
# %sudo, SUDOers, example.com
dn: CN=%sudo,OU=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: %sudo
instanceType: 4
whenCreated: 20140703100647.0Z
uSNCreated: 7411
name: %sudo
objectGUID:: 0k5Y1dUTjEG0M2UcUJww8g==
objectCategory: CN=sudoRole,CN=Schema,CN=Configuration,dc=example,dc=com
sudoUser: %sudo
sudoCommand: ALL
sudoHost: ALL
whenChanged: 20140710085009.0Z
uSNChanged: 8888
distinguishedName: CN=%sudo,OU=SUDOers,dc=example,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
Any suggestions as to what I should check next?
Rowland