On 18/07/14 16:18, Jakub Hrozek wrote:
On Thu, Jul 10, 2014 at 11:20:10AM +0100, Rowland Penny wrote:
Any suggestions as to what I check next?
Sorry for the delayed reply.
Looks like an ACI problem to me, the first search binds as NETBOOK$@EXAMPLE.COM, the second as cn=Administrator,cn=Users,dc=example,dc=com
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Er, could you please expand 'ACI' for me? I haven't a clue what you are talking about ;-)
As for the part that I did understand, from what I have read, the first search is what sssd does and does not get any results, but by searching as the Administrator (and I suppose as any user) all the rules are found.
I have since tried again on a Linux Mint 17 (aka Ubuntu 14.04) laptop with the standard sssd packages and I still cannot get sudo to work; sssd seems to check for sudo rules but does not find any.
If I examine sssd_example.com.log, I find this:
[sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful
[sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with base [ou=sudoers,dc=example,dc=com]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=ThinkPad)(sudoHost=ThinkPad.example.com)(sudoHost=192.168.0.215)(sudoHost=192.168.0.0/24)(sudoHost=fe80::86a6:c8ff:fe3b:da7b)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\*)(sudoHost=*?*)(sudoHost=***)(sudoHost=*[*]*))))][ou=sudoers,dc=example,dc=com].
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoCommand]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoHost]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoUser]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOption]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsUser]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsGroup]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotBefore]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotAfter]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOrder]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 6
[sdap_id_op_connect_done] (0x4000): caching successful connection after 2 notifies
[be_run_unconditional_online_cb] (0x4000): List of unconditional online callbacks is empty, nothing to do.
Would you like the entire sssd logs for the domain?
I would like to add that sssd works for users and groups, so it is connecting to AD; it just doesn't seem to want to find any sudo rules.
I also take it that sssd & sudo work like this:
Sudo rules are put into AD; sssd searches AD and pulls any rules that are relevant to the client, then stores these rules in a cache. When the sudo command is run, it first reads the sudo files on the client and then (provided it is set in nsswitch.conf) it reads the cache.
Rowland
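The point Jakub is making is that the search in the log is issued by sssd while bound as the computer account (NETBOOK$@EXAMPLE.COM), whereas the manual search that found the rules was bound as Administrator, so a difference in what the two identities are allowed to read would explain the empty result. The script below is an added diagnostic, not code from the thread or from sssd: it rebuilds the sudoHost filter sssd logged above, then runs the same ldapsearch twice, once with a Kerberos ticket from the host keytab (as sssd does) and once with a simple bind as an admin user, and compares the number of sudoRole entries each bind can see. The search base, LDAP URI, admin DN and machine principal are assumptions to adjust for your site; `hostname -I` is Linux-specific, and the admin bind uses `-W`, so it prompts for a password.

```shell
#!/bin/sh
# Added diagnostic for the ACI question raised in the thread (not sssd code).
# Runs the sudo-rule search once as the computer account and once as an admin
# user; fewer results for the computer account means it lacks read access to
# (some of) the sudoRole entries, which is what sssd would hit.

# --- assumptions: adjust for your environment ---------------------------
LDAP_URI="${LDAP_URI:-ldap://dc1.example.com}"            # hypothetical DC
SUDO_BASE="${SUDO_BASE:-ou=sudoers,dc=example,dc=com}"    # base from the log
ADMIN_DN="${ADMIN_DN:-cn=Administrator,cn=Users,dc=example,dc=com}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# build_sudo_filter HOSTNAME FQDN [IP-or-network ...]
# Reproduces the filter sssd logs: match rules with no sudoHost, sudoHost=ALL,
# this host's short name, FQDN, each address/network given, netgroups (+*),
# and any wildcard patterns (which sssd has to evaluate client-side).
build_sudo_filter() {
    host=$1; fqdn=$2; shift 2
    f="(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=$host)(sudoHost=$fqdn)"
    for ip in "$@"; do
        f="$f(sudoHost=$ip)"
    done
    f="$f(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=***)(sudoHost=*[*]*))))"
    printf '%s' "$f"
}

# count_rules FILTER [ldapsearch bind options ...]
# Number of entries the given bind is allowed to see under SUDO_BASE.
count_rules() {
    filter=$1; shift
    ldapsearch -LLL -H "$LDAP_URI" "$@" -b "$SUDO_BASE" "$filter" dn 2>/dev/null \
        | grep -c '^dn:' || true
}

main() {
    host=$(hostname -s); fqdn=$(hostname -f)
    # shellcheck disable=SC2046  # split hostname -I output into one arg per address
    set -- $(hostname -I 2>/dev/null)
    filter=$(build_sudo_filter "$host" "$fqdn" "$@")
    echo "filter: $filter"

    # 1) as the machine account, like sssd: ticket from the host keytab.
    #    Principal NETBOOK$-style is an assumption; override with MACHINE_PRINC.
    princ="${MACHINE_PRINC:-$(echo "$host" | tr '[:lower:]' '[:upper:]')\$}"
    kinit -k -t "$KEYTAB" "$princ"
    as_host=$(count_rules "$filter" -Y GSSAPI)
    kdestroy

    # 2) as an administrative user with a simple bind (prompts for password).
    as_admin=$(count_rules "$filter" -x -D "$ADMIN_DN" -W)

    echo "sudoRole entries visible to $princ: $as_host"
    echo "sudoRole entries visible to $ADMIN_DN: $as_admin"
    if [ "$as_host" -lt "$as_admin" ]; then
        echo "access problem: the computer account cannot read all sudoRole entries" >&2
        return 1
    fi
    echo "both binds see the same rules; the problem is not LDAP permissions"
}

# Only run the live checks when invoked as: sh check_sudo_aci.sh run
case "${1:-}" in run) main ;; esac
```

If the computer account sees fewer entries than Administrator, granting it (or a group containing all domain computers) read access to `ou=sudoers` fixes the search that sssd performs; if both binds see the same rules, look elsewhere (for example, whether `sudoers: files sss` is present in nsswitch.conf on the client, as the cache is only consulted when that line is set).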