Hi all,
I have a strange (at least to me) issue with a replica instance of FreeIPA server.
Almost every time I power cycle this instance, after a short period of time I cannot
'sudo -s'/'sudo su -' to switch to the local root account.
Because the root account is present in AD (I have a working trust relationship
established with AD), I am switched to root@win.domain.com, where win.domain.com is a
placeholder for my real AD domain name. Obviously, this account has no HBAC rules
configured that would allow it to switch to the local root account...
This behaviour is something I do not understand, because in the sssd configuration I attach
below I added an entry for the root user to the filter_users list.
In an attempt to resolve this I added enable_files_domain = false to my config, but this
didn't improve anything.
I would really appreciate any help/pointing to a possible misconfiguration that might be
causing this.
My sssd.conf looks like this:
[domain/linux.domain.com/win.domain.com]
debug_level = 6
krb_auth_timeout = 90
use_fully_qualified_names = False
subdomain_homedir = /home/%u
selinux_provider = none
entry_cache_timeout = 5400
cached_auth_timeout = 5400
cache_credentials = True

[domain/linux.domain.com]
debug_level = 6
entry_cache_timeout = 5400
cached_auth_timeout = 5400
cache_credentials = True
subdomain_homedir = /home/%u
# Optimization
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = True
#cache_first = True
ldap_purge_cache_timeout = 0
ldap_sudo_full_refresh_interval = 21600
krb5_store_password_if_offline = True
ipa_domain = linux.domain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = freeipa-1b.linux.domain.com
chpass_provider = ipa
ipa_server = freeipa-1b.linux.domain.com
dns_discovery_domain = linux.domain.com
ipa_server_mode = True

[sssd]
entry_cache_timeout = 5400
enable_files_domain = false
debug_level = 6
domain_resolution_order = win.domain.com, linux.domain.com
services = nss, sudo, pam, ssh
domains = linux.domain.com

[nss]
entry_cache_timeout = 5400
debug_level = 6
filter_users = fedora,root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,dirsrv,pkiuser,kdcproxy,ipaapi,apache,tomcat
filter_groups = fedora,wheel,adm,root
override_shell = /bin/bash
override_homedir = /home/%u
homedir_substring = /home

[pam]
entry_cache_timeout = 5400
debug_level = 6
pam_id_timeout = 90

[sudo]
entry_cache_timeout = 5400
debug_level = 6

[autofs]
entry_cache_timeout = 5400
debug_level = 6

[ssh]
entry_cache_timeout = 5400
debug_level = 6

[pac]
entry_cache_timeout = 5400
debug_level = 6
Relevant entries from the sssd.log:
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [nss_getby_id] (0x0400): Input ID: 0
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [cache_req_send] (0x0400): CR #14945: New request 'User by ID'
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #14945: Performing a multi-domain search
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #14945: Search will check the cache and check the data provider
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #14945: Using domain [win.domain.com]
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [cache_req_search_send] (0x0400): CR #14945: Looking up UID:0@win.domain.com
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #14945: Checking negative cache for [UID:0@win.domain.com]
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #14945: [UID:0@win.domain.com] does not exist (negative cache)
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #14945: Using domain [linux.domain.com]
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [cache_req_search_send] (0x0400): CR #14945: Looking up UID:0@linux.domain.com
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #14945: Checking negative cache for [UID:0@linux.domain.com]
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #14945: [UID:0@linux.domain.com] does not exist (negative cache)
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [cache_req_process_result] (0x0400): CR #14945: Finished: Not found
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [nss_getby_name] (0x0400): Input name: root
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_send] (0x0400): CR #14946: New request 'User by name'
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_process_input] (0x0400): CR #14946: Parsing input name [root]
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_set_name] (0x0400): CR #14946: Setting name [root]
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #14946: Performing a multi-domain search
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #14946: Search will check the cache and check the data provider
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #14946: Using domain [win.domain.com]
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_prepare_domain_data] (0x0400): CR #14946: Preparing input data for domain [win.domain.com] rules
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_search_send] (0x0400): CR #14946: Looking up root@win.domain.com
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #14946: Checking negative cache for [root@win.domain.com]
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #14946: [root@win.domain.com] is not present in negative cache
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #14946: Looking up [root@win.domain.com] in cache
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_search_send] (0x0400): CR #14946: Returning [root@win.domain.com] from cache
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_search_ncache_filter] (0x0400): CR #14946: This request type does not support filtering result by negative cache
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_create_and_add_result] (0x0400): CR #14946: Found 1 entries in domain win.domain.com
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_done] (0x0400): CR #14946: Finished: Success
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [nss_getby_name] (0x0400): Input name: root
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_send] (0x0400): CR #14947: New request 'Group by name'
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_process_input] (0x0400): CR #14947: Parsing input name [root]
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_set_name] (0x0400): CR #14947: Setting name [root]
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #14947: Performing a multi-domain search
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #14947: Search will check the cache and check the data provider
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #14947: Using domain [win.domain.com]
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_prepare_domain_data] (0x0400): CR #14947: Preparing input data for domain [win.domain.com] rules
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_search_send] (0x0400): CR #14947: Looking up root@win.domain.com
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #14947: Checking negative cache for [root@win.domain.com]
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #14947: [root@win.domain.com] is not present in negative cache
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #14947: Looking up [root@win.domain.com] in cache
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_search_send] (0x0400): CR #14947: Returning [root@win.domain.com] from cache
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_search_ncache_filter] (0x0400): CR #14947: This request type does not support filtering result by negative cache
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_create_and_add_result] (0x0400): CR #14947: Found 1 entries in domain win.domain.com
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_done] (0x0400): CR #14947: Finished: Success
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Mon Oct 8 12:12:02 2018) [sssd[nss]] [get_client_cred] (0x0080): The following failure is expected to happen in case SELinux is disabled:
SELINUX_getpeercon failed [92][Protocol not available].
Additional info:
I use Fedora 27 with freeipa:
Name : freeipa-server
Version : 4.6.3
Release : 2.fc27
Arch : x86_64
and sssd:
Name : sssd
Version : 1.16.3
Release : 2.fc27
Arch : x86_64
nsswitch.conf content:
passwd: sss files systemd
shadow: files sss
group: sss files systemd
#hosts: db files nisplus nis dns
hosts: files dns myhostname
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: nisplus sss
publickey: nisplus
automount: files nisplus
aliases: files nisplus
sudoers: files sss
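The log above shows the core of the problem: the unqualified name root is tried first against win.domain.com (the first entry in domain_resolution_order), root@win.domain.com is not in the negative cache, and SSSD answers the lookup from the AD domain even though root is listed in filter_users. The script below is an added example, not part of the original post or of SSSD. It does two offline checks: it reads an sssd.conf and reports every unqualified filter_users name for which a domain ahead of the local IPA domain in domain_resolution_order has no matching name@domain entry (the assumption that a fully qualified filter_users entry covers one domain only is taken from sssd.conf(5), not from the post, so verify it against your own man page), and it correlates the NSS responder's "Input name" / "New request" / "Found N entries in domain" lines to list every filtered account that SSSD nevertheless served. The sssd.conf and log excerpts are constructed from the post; the function names are the example's own.

```python
"""Offline checks for the symptom above: an [nss] filter_users account (root)
being served by the SSSD NSS responder from a trusted AD domain.
Added example; constructed inputs, not SSSD project code."""
import configparser
import re

# Constructed: trimmed copy of the poster's sssd.conf
SSSD_CONF = """
[domain/linux.domain.com]
id_provider = ipa
ipa_domain = linux.domain.com
subdomain_homedir = /home/%u

[sssd]
domain_resolution_order = win.domain.com, linux.domain.com
services = nss, sudo, pam, ssh
domains = linux.domain.com

[nss]
filter_users = fedora,root,ldap,named,avahi,dbus,dirsrv,pkiuser,kdcproxy,ipaapi,apache
filter_groups = fedora,wheel,adm,root
"""

# Constructed: the decisive sssd_nss.log lines from the post, mail wrapping removed
NSS_LOG = """\
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [nss_getby_id] (0x0400): Input ID: 0
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [cache_req_send] (0x0400): CR #14945: New request 'User by ID'
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [cache_req_process_result] (0x0400): CR #14945: Finished: Not found
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [nss_getby_name] (0x0400): Input name: root
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_send] (0x0400): CR #14946: New request 'User by name'
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #14946: [root@win.domain.com] is not present in negative cache
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_create_and_add_result] (0x0400): CR #14946: Found 1 entries in domain win.domain.com
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_done] (0x0400): CR #14946: Finished: Success
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [nss_getby_name] (0x0400): Input name: root
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_send] (0x0400): CR #14947: New request 'Group by name'
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_create_and_add_result] (0x0400): CR #14947: Found 1 entries in domain win.domain.com
""".splitlines()

# "(timestamp) [sssd[nss]] [function] (0xlevel): message"
LINE_RE = re.compile(r"^\((?P<ts>[^)]*)\) \[sssd\[nss\]\] \[(?P<func>[^\]]+)\] "
                     r"\((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
INPUT_RE = re.compile(r"^Input (?:name|ID): (?P<name>\S+)$")
NEWREQ_RE = re.compile(r"^CR #(?P<cr>\d+): New request '(?P<kind>[^']+)'$")
FOUND_RE = re.compile(r"^CR #(?P<cr>\d+): Found (?P<n>\d+) entries in domain (?P<dom>\S+)$")


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def load_conf(text):
    # interpolation=None: values such as /home/%u are SSSD templates, not configparser ones
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(text)
    return conf


def unprotected_filter_entries(conf):
    """Unqualified filter_users names -> domains tried before the local IPA
    domains (per domain_resolution_order) that have no 'name@domain' entry.
    Assumption: a qualified entry filters the name in that one domain only."""
    sssd, nss = conf["sssd"], conf["nss"]
    local = set(_csv(sssd["domains"]))
    order = _csv(sssd.get("domain_resolution_order", "")) or sorted(local)
    entries = set(_csv(nss.get("filter_users", "")))
    findings = {}
    for name in sorted(e for e in entries if "@" not in e):
        ahead = []
        for dom in order:
            if dom in local:
                break
            if f"{name}@{dom}" not in entries:
                ahead.append(dom)
        if ahead:
            findings[name] = ahead
    return findings


def resolved_lookups(lines):
    """(name, request kind, domain) for every NSS request that ended with a hit."""
    pending, requests, hits = None, {}, []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        mi = INPUT_RE.match(msg)
        if mi:                       # the responder logs the input before the CR number
            pending = mi.group("name")
            continue
        mn = NEWREQ_RE.match(msg)
        if mn and pending is not None:
            requests[mn.group("cr")] = (pending, mn.group("kind"))
            pending = None
            continue
        mf = FOUND_RE.match(msg)
        if mf and mf.group("cr") in requests:
            name, kind = requests[mf.group("cr")]
            hits.append((name, kind, mf.group("dom")))
    return hits


def filtered_accounts_served(conf, lines):
    """Filtered users/groups that SSSD nevertheless answered from some domain."""
    users = set(_csv(conf["nss"].get("filter_users", "")))
    groups = set(_csv(conf["nss"].get("filter_groups", "")))
    return [(n, k, d) for n, k, d in resolved_lookups(lines)
            if n in (groups if k.startswith("Group") else users)]


if __name__ == "__main__":
    conf = load_conf(SSSD_CONF)
    for name, doms in unprotected_filter_entries(conf).items():
        print(f"filter_users '{name}' is tried first against {doms} with no qualified entry")
    for name, kind, dom in filtered_accounts_served(conf, NSS_LOG):
        print(f"{kind} lookup of filtered '{name}' was answered from domain {dom}")
```

Run against a real /etc/sssd/sssd.conf and /var/log/sssd/sssd_nss.log (debug_level 6 or higher, as in the post), the second check is the one to keep as a periodic detection: any line it emits for root, or for any other account that is supposed to exist only in /etc/passwd, means a remote directory is currently able to shadow a local system account on that host.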