Hi Jakub,
That is correct, I have 2 users, one is a member of DOMAIN1, the other
is a member of DOMAIN2. The options for both domains are similar as we
use an automatic deployment system. One of the users is hfa-joswel-tehnicom
( test account ), the other one is azapravdin.
I thought local domain is required, I use it to inject a local emergency
user on all servers. But I can remove local domain if it is recommended.
Thank you
Mario
On 10/20/2016 03:36 AM, Jakub Hrozek wrote:
On Wed, Oct 19, 2016 at 11:54:39AM -0400, Mario Rossi wrote:
> Hi sssd-users list,
>
> I am facing a strange issue on several CentOS servers. It seems that after a
> while ( days ) sudo does not work any more for some of my users. We keep
> sudo rules in OpenLDAP. If a user uses 'sudo su - ' , he gets an error
> message ( "User abc is not allowed to run sudo on ...." ) however if the user
> runs 'id' followed by 'sudo su -' then in some of the cases, it works
> fine, user can get root access. I even upgraded to the unofficial repo
> hoping that the issue we see is similar/same to
> https://fedorahosted.org/sssd/ticket/2970. But I think it's a different
> issue.
>
> Any ideas? Next I will be looking at dumping the local sssd cache files. I
> can provide debug =9 log files offline if needed.
I think this is the best course of action.
btw does the user come from DOMAIN1 or DOMAIN2?
and do you need the local domain? It's really code that mostly has
meaning for testing or experiments; I've never seen anyone using it in
production.
> Thank you
>
> root@server yum.repos.d # rpm -qa | egrep sssd
> sssd-common-pac-1.13.4-4.el6.x86_64
> sssd-ldap-1.13.4-4.el6.x86_64
> sssd-tools-1.13.4-4.el6.x86_64
> sssd-client-1.13.4-4.el6.x86_64
> sssd-ad-1.13.4-4.el6.x86_64
> python-sssdconfig-1.13.4-4.el6.noarch
> sssd-common-1.13.4-4.el6.x86_64
> sssd-ipa-1.13.4-4.el6.x86_64
> sssd-proxy-1.13.4-4.el6.x86_64
> sssd-krb5-common-1.13.4-4.el6.x86_64
> sssd-krb5-1.13.4-4.el6.x86_64
> sssd-1.13.4-4.el6.x86_64
>
> root@server sssd # vim /etc/sssd/sssd.conf # set debug = 9
>
> root@server sssd # sudo -U abc -l
> User abc is not allowed to run sudo on server.
>
> root@server sssd # egrep sudo /etc/nsswitch.conf
> sudoers: sss
>
> root@server sssd # ip a s dev eth0 | egrep global
> inet 216.X.Y.Z/26 brd 216.X.Y.Z scope global eth0
>
>
> root@server sssd # id abc
> uid=100001044(abc) gid=1009(...)
> groups=1202(...),1168(...),1191(...),1102(...),1009(...),1101(...),1127(...),1167(...),1111(...),1178(...),1109(...),1199(...),1208(stage),1117(...),1198(...),1192(...),1206(...),1176(...),1404(...),1183(...),1103(...),1110(...),1205
>
> root@abc sssd # sudo -U abc -l
> Matching Defaults entries for abc on this host:
> [...]
>
> User abc may run the following commands on this host:
>     (ALL) PASSWD: ALL
>
>
> # LDAP Sudo def
> dn: cn=stage,ou=sudoers,o=Domain,dc=domain,dc=com
> sudoOrder: 42
> [...]
> sudoUser: %stage
> sudoRunAs: ALL
> cn: stage
> description: Allow Trusted Senior stuff become root
> sudoCommand: ALL
> sudoHost: 216.X.Y.Z
> [...]
> objectClass: top
> objectClass: sudoRole
> sudoOption: authenticate
>
>
>
> # Group def
> dn: cn=stage,ou=groups,o=Domain,dc=domain,dc=com
> gidNumber: 1208
> cn: stage
> description: stage Group
> objectClass: posixGroup
> objectClass: top
> memberUid: abc
> hMemberDN: uid=abc,ou=users,o=Domain,dc=domain,dc=com
>
>
> Sanitized sssd.conf:
>
> [sssd]
> config_file_version = 2
> sbus_timeout = 30
> services = nss, pam, sudo, ssh
> domains = LOCAL, DOMAIN1, DOMAIN2
>
> [nss]
> filter_users = adm,apache,avahi,bin,daemon,dbus,ecryptfs,ftp,git,games,gopher,haldaemon,halt,hfallback,ldap,lp,mail,mailnull,named,news,nfsnobody,nobody,nscd,nslcd,ntp,operator,oprofile,ossec,postfix,puppet,puppet-dashboard,pulse,pulse-access,radiusd,root,rpc,rpcuser,rtkit,saslauth,sfallback,shutdown,slocate,smmsp,sshd,sync,tcpdump,tss,uucp,vcsa
> filter_groups = adm,apache,audio,bin,cdrom,cgred,daemon,dbus,dialout,dip,disk,ecryptfs,floppy,fuse,git,hfallback,kmem,ldap,lock,lp,mail,mailnull,man,mem,nfsnobody,nobody,nscd,ntp,ossec,oprofile,postdrop,postfix,puppet,puppet-dashboard,pulse,pulse-access,root,rpc,rpcuser,rtkit,saslauth,sfallback,slocate,smmsp,sshd,sys,tape,tcpdump,tss,tty,users,utempter,utmp,vcsa,video
> override_shell = /bin/bash
>
> [pam]
> debug_level = 3
> reconnection_retries = 3
> offline_credentials_expiration = 2
> offline_failed_login_attempts = 3
> offline_failed_login_delay = 5
> pam_verbosity = 1
> pam_pwd_expiration_warning = 21
> pam_account_expired_message = Account expired, please use selfservice portal to change your password and extend account.
>
> [sudo]
> debug_level=9
>
> [ssh]
> # debug_level=9
>
> [domain/LOCAL]
> description = LOCAL Users domain
> id_provider = local
> enumerate = true
> min_id = 500
> max_id = 999
> default_shell = /bin/bash
> base_directory = /home
> create_homedir = false
> remove_homedir = true
> homedir_umask = 077
> skel_dir = /etc/skel
> mail_dir = /var/spool/mail
>
>
> ######### SECTION: DOMAIN1
> [domain/DOMAIN1]
> min_id = 499
> debug_level = 9
> cache_credentials = True
> entry_cache_timeout = 864000
>
> auth_provider = ldap
> id_provider = ldap
> access_provider = ldap
> #chpass_provider = ldap
> sudo_provider = ldap
> selinux_provider = none
> autofs_provider = none
>
>
> # LDAP Search
> ldap_search_base = dc=domain,dc=com
> ldap_group_search_base = ou=groups,o=Domain,dc=domain,dc=com
> ldap_user_search_base = ou=users,o=Domain,dc=domain,dc=com?subtree?(|(description=cn=stage,ou=groups,o=Domain,dc=domain,dc=com)(.....)(.....))
>
>
> # LDAP Custom Schema
> ldap_group_member = hMemberDN
> ldap_user_member_of = description
> # this should really be rfc2307
> ldap_schema = rfc2307bis
>
> ldap_network_timeout = 3
> ldap_id_use_start_tls = False
> ldap_tls_reqcert = never
> ldap_tls_cacertdir = /etc/openldap/cacerts
>
> ldap_uri = ldaps://s1.sec.domain.com, ldaps://s2.sec.domain.com, ldaps://s3.sec.domain.com
> ldap_backup_uri = ldaps://66.X.Y.Z
>
> ldap_default_authtok_type = obfuscated_password
> ldap_default_bind_dn = uid=MYDN
> ldap_default_authtok = MYPASS
>
>
> ldap_user_ssh_public_key = sshPublicKey
>
> ldap_pwd_policy = none
> ldap_account_expire_policy = shadow
> ldap_user_shadow_expire = shadowExpire
> # shadowExpire: days since Jan 1, 1970 that account is disabled: $ echo $(($(date --utc --date "$1" +%s)/86400))
>
> ldap_chpass_update_last_change = false
>
> ldap_access_order = filter, expire
> ldap_access_filter = (&(objectClass=posixAccount)(uidNumber=*)(hAccountInitialSetup=1)(|(description=cn=stage,ou=groups,o=Domain,dc=domain,dc=com)))
>
> # SUDO
> ldap_sudo_search_base = ou=sudoers,o=Domain,dc=domain,dc=com
> ldap_sudo_full_refresh_interval = 86400
> ldap_sudo_smart_refresh_interval = 3600
> #entry_cache_sudo_timeout = 5400
>
> The same options for DOMAIN2 except filters and user/group base.
>
> hMemberDN is defined in nis.schema, a relic of OpenLDAP 2.2, a workaround
> applied before transitioning to 2.4.40.
>
> # Modification to posixGroup
> attributetype ( 1.3.6.1.1.1.1.28 NAME 'hMemberDN'
> DESC 'RFC2256: member of a group'
> SUP distinguishedName )
>
> objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup'
> DESC 'Abstraction of a group of accounts'
> SUP top STRUCTURAL
> MUST ( cn $ gidNumber )
> MAY ( userPassword $ memberUid $ hMemberDN $ description ) )
>
> hMemberDN: uid=abc,ou=users,o=Domain,dc=domain,dc=com
>
>
>
>
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
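The sudo rule in the thread is keyed on a group (sudoUser: %stage) and on the host address (sudoHost), so it can only apply to abc when the resolver's view of abc's groups includes stage and one of the host's addresses matches. As an added example that is not part of this thread or of SSSD's code, here is a small Python matcher run over a constructed LDIF copy of that rule (the sudoHost address 192.0.2.5 is a constructed stand-in for the sanitized 216.X.Y.Z); it shows the rule not applying while the group list is stale and applying once stage is present, which is the difference the thread observes between a plain 'sudo' and 'id' followed by 'sudo'.

```python
"""Tiny matcher for LDAP sudoRole entries (sudoUser / sudoHost), showing that a
rule written as 'sudoUser: %stage' depends entirely on the resolver's current
view of the user's group list.  Added example, not SSSD or sudo code."""
import ipaddress

# Constructed LDIF modelled on the sudoRole entry from the thread; the host
# address is a constructed RFC 5737 documentation address, not a real server.
SUDO_LDIF = """\
dn: cn=stage,ou=sudoers,o=Domain,dc=domain,dc=com
sudoOrder: 42
sudoUser: %stage
sudoRunAs: ALL
cn: stage
sudoCommand: ALL
sudoHost: 192.0.2.5
objectClass: top
objectClass: sudoRole
sudoOption: authenticate
"""

def parse_ldif(text):
    """Parse a single LDIF entry into {attribute: [values]} (no line folding)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def user_matches(rule, user, groups):
    """sudoUser values: a user name, %group, or ALL."""
    for spec in rule.get("sudoUser", []):
        if spec == "ALL" or spec == user:
            return True
        if spec.startswith("%") and spec[1:] in groups:
            return True
    return False

def host_matches(rule, hostname, host_ips):
    """sudoHost values: ALL, a host name, or an IP address / CIDR network."""
    for spec in rule.get("sudoHost", []):
        if spec == "ALL" or spec == hostname:
            return True
        try:
            net = ipaddress.ip_network(spec, strict=False)
        except ValueError:
            continue  # not an address; a host name that did not match above
        if any(ipaddress.ip_address(ip) in net for ip in host_ips):
            return True
    return False

def rule_applies(rule, user, groups, hostname, host_ips):
    """True when both the user/group and the host conditions of the rule hold."""
    return user_matches(rule, user, groups) and host_matches(rule, hostname, host_ips)
```

With the parsed rule, `rule_applies(rule, "abc", {"users"}, "server", ["192.0.2.5"])` is False (group list without stage, as a stale cache would present it) while `rule_applies(rule, "abc", {"users", "stage"}, "server", ["192.0.2.5"])` is True.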