I think you first need to figure out why SSSD can't find your KDC: Cannot find KDC for realm "GSIL.ORG". It looks like SSSD is considering the domain to be offline, so it is probably not looking up the rules at all.
rob
Jeremy Tourville via FreeIPA-users wrote:
I am unable to sudo but I can login to this system. This host is a member of host group "admin"; other hosts in the admin group are able to sudo. From troubleshooting, the issue appears to be isolated to this host only.
IPA Server is 4.9.11 but client is 4.9.12
[root@gsil-v-lc10 log]# rpm -qa | grep ipa-client
ipa-client-4.9.12-9.module+el8.9.0+1535+eb844c6f.x86_64
ipa-client-common-4.9.12-9.module+el8.9.0+1535+eb844c6f.noarch
[root@gsil-v-lc10 log]# cat /etc/redhat-release
Rocky Linux release 8.9 (Green Obsidian)
The ipa-client installed without any issues. kinit jtourville.sa@gsil.org works as expected. A klist shows the ticket; id jtourville.sa works as expected and the appropriate groups are displayed.
Logs show the following while attempting to sudo:
tail -f /var/log/audit/audit.log -f /var/log/sssd/*.log -f /var/log/messages
==> /var/log/audit/audit.log <==
node=gsil-v-lc10.idm.gsil.org type=SYSCALL msg=audit(1708441835.339:2331): arch=c000003e syscall=59 success=yes exit=0 a0=561a46512ff0 a1=561a465111a0 a2=561a46512590 a3=8 items=2 ppid=6267 pid=6543 auid=10044 uid=10044 gid=4001 euid=0 suid=0 fsuid=0 egid=4001 sgid=4001 fsgid=4001 tty=pts1 ses=7 comm="sudo" exe="/usr/bin/sudo" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="privileged"
ARCH=x86_64 SYSCALL=execve AUID="jtourville.sa" UID="jtourville.sa" GID="gsil_sa" EUID="root" SUID="root" FSUID="root" EGID="gsil_sa" SGID="gsil_sa" FSGID="gsil_sa"
node=gsil-v-lc10.idm.gsil.org type=EXECVE msg=audit(1708441835.339:2331): argc=2 a0="sudo" a1="su"
node=gsil-v-lc10.idm.gsil.org type=CWD msg=audit(1708441835.339:2331): cwd="/home/gsil.org/jtourville.sa"
node=gsil-v-lc10.idm.gsil.org type=PATH msg=audit(1708441835.339:2331): item=0 name="/usr/bin/sudo" inode=100664031 dev=fd:01 mode=0104111 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sudo_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
OUID="root" OGID="root"
node=gsil-v-lc10.idm.gsil.org type=PATH msg=audit(1708441835.339:2331): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=72105 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
OUID="root" OGID="root"
node=gsil-v-lc10.idm.gsil.org type=PROCTITLE msg=audit(1708441835.339:2331): proctitle=7375646F007375
==> /var/log/sssd/sssd_kcm.log <==
(2024-02-20 15:10:39): [kcm] [orderly_shutdown] (0x3f7c0): SIGTERM: killing children
(2024-02-20 15:10:39): [kcm] [orderly_shutdown] (0x3f7c0): Shutting down (status = 0)
==> /var/log/audit/audit.log <==
node=gsil-v-lc10.idm.gsil.org type=SERVICE_STOP msg=audit(1708441839.721:2332): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd-kcm comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
UID="root" AUID="unset"
==> /var/log/messages <==
Feb 20 15:10:39 gsil-v-lc10 sssd_kcm[6533]: Shutting down (status = 0)
Feb 20 15:10:39 gsil-v-lc10 systemd[1]: sssd-kcm.service: Succeeded.
==> /var/log/audit/audit.log <==
node=gsil-v-lc10.idm.gsil.org type=SERVICE_START msg=audit(1708441848.576:2333): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd-kcm comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
UID="root" AUID="unset"
==> /var/log/sssd/sssd_kcm.log <==
(2024-02-20 15:10:48): [kcm] [server_setup] (0x3f7c0): Starting with debug level = 0x0070
==> /var/log/sssd/krb5_child.log <==
(2024-02-20 15:10:48): [krb5_child[6547]] [get_and_save_tgt] (0x0020): [RID#20] 2250: [-1765328230][Cannot find KDC for realm "gsil.org"] ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
- (2024-02-20 15:10:48): [krb5_child[6547]] [main] (0x0400): [RID#20] krb5_child started.
- (2024-02-20 15:10:48): [krb5_child[6547]] [unpack_buffer] (0x1000): [RID#20] total buffer size: [120]
- (2024-02-20 15:10:48): [krb5_child[6547]] [unpack_buffer] (0x0100): [RID#20] cmd [241 (auth)] uid [10044] gid [4001] validate [true] enterprise principal [false] offline [false] UPN [jtourville.sa@GSIL.ORG]
- (2024-02-20 15:10:48): [krb5_child[6547]] [unpack_buffer] (0x0100): [RID#20] ccname: [KCM:] old_ccname: [KCM:] keytab: [/etc/krb5.keytab]
- (2024-02-20 15:10:48): [krb5_child[6547]] [switch_creds] (0x0200): [RID#20] Switch user to [10044][4001].
- (2024-02-20 15:10:48): [krb5_child[6547]] [sss_krb5_cc_verify_ccache] (0x2000): [RID#20] TGT not found or expired.
- (2024-02-20 15:10:48): [krb5_child[6547]] [switch_creds] (0x0200): [RID#20] Switch user to [0][0].
- (2024-02-20 15:10:48): [krb5_child[6547]] [k5c_check_old_ccache] (0x4000): [RID#20] Ccache_file is [KCM:] and is active and TGT is valid.
- (2024-02-20 15:10:48): [krb5_child[6547]] [k5c_setup_fast] (0x0100): [RID#20] Fast principal is set to [host/gsil-v-lc10.idm.gsil.org@IDM.GSIL.ORG]
- (2024-02-20 15:10:48): [krb5_child[6547]] [find_principal_in_keytab] (0x4000): [RID#20] Trying to find principal host/gsil-v-lc10.idm.gsil.org@IDM.GSIL.ORG in keytab.
- (2024-02-20 15:10:48): [krb5_child[6547]] [match_principal] (0x1000): [RID#20] Principal matched to the sample (host/gsil-v-lc10.idm.gsil.org@IDM.GSIL.ORG).
- (2024-02-20 15:10:48): [krb5_child[6547]] [check_fast_ccache] (0x0200): [RID#20] FAST TGT is still valid.
- (2024-02-20 15:10:48): [krb5_child[6547]] [become_user] (0x0200): [RID#20] Trying to become user [10044][4001].
- (2024-02-20 15:10:48): [krb5_child[6547]] [main] (0x2000): [RID#20] Running as [10044][4001].
- (2024-02-20 15:10:48): [krb5_child[6547]] [set_lifetime_options] (0x0100): [RID#20] No specific renewable lifetime requested.
- (2024-02-20 15:10:48): [krb5_child[6547]] [set_lifetime_options] (0x0100): [RID#20] No specific lifetime requested.
- (2024-02-20 15:10:48): [krb5_child[6547]] [set_canonicalize_option] (0x0100): [RID#20] Canonicalization is set to [true]
- (2024-02-20 15:10:48): [krb5_child[6547]] [main] (0x0400): [RID#20] Will perform auth
- (2024-02-20 15:10:48): [krb5_child[6547]] [main] (0x0400): [RID#20] Will perform online auth
- (2024-02-20 15:10:48): [krb5_child[6547]] [tgt_req_child] (0x1000): [RID#20] Attempting to get a TGT
- (2024-02-20 15:10:48): [krb5_child[6547]] [get_and_save_tgt] (0x0400): [RID#20] Attempting kinit for realm [GSIL.ORG]
- (2024-02-20 15:10:48): [krb5_child[6547]] [get_and_save_tgt] (0x0020): [RID#20] 2250: [-1765328230][Cannot find KDC for realm "GSIL.ORG"]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2024-02-20 15:10:48): [krb5_child[6547]] [map_krb5_error] (0x0020): [RID#20] 2379: [-1765328230][Cannot find KDC for realm "GSIL.ORG"]
(2024-02-20 15:10:48): [krb5_child[6551]] [get_and_save_tgt] (0x0020): [RID#20] 2250: [-1765328230][Cannot find KDC for realm "GSIL.ORG"] ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
- (2024-02-20 15:10:48): [krb5_child[6551]] [main] (0x0400): [RID#20] krb5_child started.
- (2024-02-20 15:10:48): [krb5_child[6551]] [unpack_buffer] (0x1000): [RID#20] total buffer size: [120]
- (2024-02-20 15:10:48): [krb5_child[6551]] [unpack_buffer] (0x0100): [RID#20] cmd [241 (auth)] uid [10044] gid [4001] validate [true] enterprise principal [false] offline [false] UPN [jtourville.sa@GSIL.ORG]
- (2024-02-20 15:10:48): [krb5_child[6551]] [unpack_buffer] (0x0100): [RID#20] ccname: [KCM:] old_ccname: [KCM:] keytab: [/etc/krb5.keytab]
- (2024-02-20 15:10:48): [krb5_child[6551]] [switch_creds] (0x0200): [RID#20] Switch user to [10044][4001].
- (2024-02-20 15:10:48): [krb5_child[6551]] [sss_krb5_cc_verify_ccache] (0x2000): [RID#20] TGT not found or expired.
- (2024-02-20 15:10:48): [krb5_child[6551]] [switch_creds] (0x0200): [RID#20] Switch user to [0][0].
- (2024-02-20 15:10:48): [krb5_child[6551]] [k5c_check_old_ccache] (0x4000): [RID#20] Ccache_file is [KCM:] and is active and TGT is valid.
- (2024-02-20 15:10:48): [krb5_child[6551]] [k5c_setup_fast] (0x0100): [RID#20] Fast principal is set to [host/gsil-v-lc10.idm.gsil.org@IDM.GSIL.ORG]
- (2024-02-20 15:10:48): [krb5_child[6551]] [find_principal_in_keytab] (0x4000): [RID#20] Trying to find principal host/gsil-v-lc10.idm.gsil.org@IDM.GSIL.ORG in keytab.
- (2024-02-20 15:10:48): [krb5_child[6551]] [match_principal] (0x1000): [RID#20] Principal matched to the sample (host/gsil-v-lc10.idm.gsil.org@IDM.GSIL.ORG).
- (2024-02-20 15:10:48): [krb5_child[6551]] [check_fast_ccache] (0x0200): [RID#20] FAST TGT is still valid.
- (2024-02-20 15:10:48): [krb5_child[6551]] [become_user] (0x0200): [RID#20] Trying to become user [10044][4001].
- (2024-02-20 15:10:48): [krb5_child[6551]] [main] (0x2000): [RID#20] Running as [10044][4001].
- (2024-02-20 15:10:48): [krb5_child[6551]] [set_lifetime_options] (0x0100): [RID#20] No specific renewable lifetime requested.
- (2024-02-20 15:10:48): [krb5_child[6551]] [set_lifetime_options] (0x0100): [RID#20] No specific lifetime requested.
- (2024-02-20 15:10:48): [krb5_child[6551]] [set_canonicalize_option] (0x0100): [RID#20] Canonicalization is set to [true]
- (2024-02-20 15:10:48): [krb5_child[6551]] [main] (0x0400): [RID#20] Will perform auth
- (2024-02-20 15:10:48): [krb5_child[6551]] [main] (0x0400): [RID#20] Will perform online auth
- (2024-02-20 15:10:48): [krb5_child[6551]] [tgt_req_child] (0x1000): [RID#20] Attempting to get a TGT
- (2024-02-20 15:10:48): [krb5_child[6551]] [get_and_save_tgt] (0x0400): [RID#20] Attempting kinit for realm [GSIL.ORG]
- (2024-02-20 15:10:48): [krb5_child[6551]] [get_and_save_tgt] (0x0020): [RID#20] 2250: [-1765328230][Cannot find KDC for realm "GSIL.ORG"]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2024-02-20 15:10:48): [krb5_child[6551]] [map_krb5_error] (0x0020): [RID#20] 2379: [-1765328230][Cannot find KDC for realm "GSIL.ORG"]
==> /var/log/messages <==
Feb 20 15:10:48 gsil-v-lc10 systemd[1]: Starting SSSD Kerberos Cache Manager...
Feb 20 15:10:48 gsil-v-lc10 systemd[1]: Started SSSD Kerberos Cache Manager.
Feb 20 15:10:48 gsil-v-lc10 sssd_kcm[6550]: Starting up
Feb 20 15:10:48 gsil-v-lc10 krb5_child[6547]: Cannot find KDC for realm "GSIL.ORG"
Feb 20 15:10:48 gsil-v-lc10 krb5_child[6547]: Cannot find KDC for realm "GSIL.ORG"
Feb 20 15:10:48 gsil-v-lc10 krb5_child[6551]: Cannot find KDC for realm "GSIL.ORG"
==> /var/log/sssd/sssd_idm.gsil.org.log <==
(2024-02-20 15:10:48): [be[idm.gsil.org]] [fo_resolve_service_send] (0x0020): [RID#20] No available servers for service 'IPA'
- ... skipping repetitive backtrace ...
(2024-02-20 15:10:48): [be[idm.gsil.org]] [child_sig_handler] (0x0020): [RID#20] waitpid did not found a child with changed status.
- ... skipping repetitive backtrace ...
(2024-02-20 15:10:48): [be[idm.gsil.org]] [krb5_auth_cache_creds] (0x0020): [RID#20] Offline authentication failed
==> /var/log/audit/audit.log <==
node=gsil-v-lc10.idm.gsil.org type=USER_AUTH msg=audit(1708441848.898:2334): pid=6543 uid=10044 auid=10044 ses=7 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="jtourville.sa" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
UID="jtourville.sa" AUID="jtourville.sa"
==> /var/log/messages <==
Feb 20 15:10:48 gsil-v-lc10 krb5_child[6551]: Cannot find KDC for realm "GSIL.ORG"
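Added example, not from the thread or from SSSD itself: a small Python triage helper that parses krb5_child and sssd_<domain> debug lines like the ones quoted above and reports which realm's KDC lookup failed, which SSSD service had no reachable server, the realm of the host's FAST principal, and whether SSSD fell back to offline authentication. The sample log lines are a constructed excerpt in the shape of the thread's logs; the realm and host names are the ones from the thread.

```python
import re
# Constructed sample in the shape of the thread's krb5_child and sssd_<domain> log lines
# (a short excerpt, not the poster's full logs; realm and host names are those in the thread).
SAMPLE_LOG = """\
- (2024-02-20 15:10:48): [krb5_child[6547]] [k5c_setup_fast] (0x0100): [RID#20] Fast principal is set to [host/gsil-v-lc10.idm.gsil.org@IDM.GSIL.ORG]
- (2024-02-20 15:10:48): [krb5_child[6547]] [get_and_save_tgt] (0x0400): [RID#20] Attempting kinit for realm [GSIL.ORG]
(2024-02-20 15:10:48): [krb5_child[6547]] [get_and_save_tgt] (0x0020): [RID#20] 2250: [-1765328230][Cannot find KDC for realm "GSIL.ORG"]
(2024-02-20 15:10:48): [be[idm.gsil.org]] [fo_resolve_service_send] (0x0020): [RID#20] No available servers for service 'IPA'
(2024-02-20 15:10:48): [be[idm.gsil.org]] [krb5_auth_cache_creds] (0x0020): [RID#20] Offline authentication failed
"""
# One SSSD debug line: optional "- " backtrace prefix, timestamp, component (optionally
# with a bracketed pid or domain), function, debug level, optional request id, message.
LINE_RE = re.compile(
    r'^(?:- )?\((?P<ts>[^)]+)\): \[(?P<comp>[^\[\]]+(?:\[[^\]]*\])?)\] '
    r'\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-f]+)\): (?:\[RID#(?P<rid>\d+)\] )?(?P<msg>.*)$')
KDC_RE = re.compile(r'Cannot find KDC for realm "(?P<realm>[^"]+)"')
NOSRV_RE = re.compile(r"No available servers for service '(?P<svc>[^']+)'")
FAST_RE = re.compile(r'Fast principal is set to \[[^\]@]+@(?P<realm>[^\]]+)\]')
KINIT_RE = re.compile(r'Attempting kinit for realm \[(?P<realm>[^\]]+)\]')

def parse_sssd_log(text):
    # Yield one dict (ts, comp, func, level, rid, msg) per line in the SSSD debug layout.
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def triage(text):
    """Which realm's KDC lookup failed, which SSSD services had no server, offline fallback?"""
    kdc_fail, no_servers, kinit_realms = set(), set(), set()
    host_realm, offline_fallback = None, False
    for e in parse_sssd_log(text):
        msg = e["msg"]
        if m := KDC_RE.search(msg):
            kdc_fail.add(m["realm"])
        elif m := NOSRV_RE.search(msg):
            no_servers.add(m["svc"])
        elif m := FAST_RE.search(msg):
            host_realm = m["realm"]          # realm the host keytab belongs to
        elif m := KINIT_RE.search(msg):
            kinit_realms.add(m["realm"])     # realm the user's TGT was requested from
        elif "Offline authentication failed" in msg:
            offline_fallback = True          # SSSD treated the domain as offline
    return {
        "kdc_unreachable_realms": sorted(kdc_fail),
        "no_servers_for": sorted(no_servers),
        "host_realm": host_realm,
        # realms requested that are not the host's own: each needs its own KDC discovery
        "other_realms_requested": sorted(kinit_realms - {host_realm}),
        "offline_fallback": offline_fallback,
    }
```

With the failing realm isolated, the next checks are the [realms] stanza for it in /etc/krb5.conf, the _kerberos._tcp.<realm> SRV records, and sssctl domain-status <domain> to confirm whether SSSD marks the domain offline.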