Hello,

I’m configuring a CentOS 6.5 server to authenticate users and sudo rights against a local Samba 4.1.8 (compiled from source). Sssd is 1.9.2 from the package repository. User authentication works OK: I can log in with a user that exists only in Samba, but running sudo as the same user fails. After hours of trying I still can’t get it right: sssd_sudo receives 0 rules from Samba. Running ldapsearch with the filter taken from the logs does return the sudoer entries, as shown below. Am I missing something obvious?
Below are (in order) the ldapsearch output, sssd.conf and sssd_default.log (the part I think is relevant).

[root@dc1 sssd]# ldapsearch -h dc1 -Y GSSAPI -b OU=SUDOers,DC=teemu,DC=local '(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=Host01)(sudoHost=Host01.example.com)(sudoHost=192.168.0.21)(sudoHost=192.168.0.0/24)(sudoHost=fe80::786b:f4ff:fe87:3314)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))'
SASL/GSSAPI authentication started
SASL username: administrator@TEEMU.LOCAL
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <OU=SUDOers,DC=teemu,DC=local> with scope subtree
# filter: (&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=Host01)(sudoHost=Host01.example.com)(sudoHost=192.168.0.21)(sudoHost=192.168.0.0/24)(sudoHost=fe80::786b:f4ff:fe87:3314)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))
# requesting: ALL
#

# defaults, SUDOers, teemu.local
dn: CN=defaults,OU=SUDOers,DC=teemu,DC=local
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
instanceType: 4
whenCreated: 20140625194645.0Z
whenChanged: 20140625194645.0Z
uSNCreated: 3798
uSNChanged: 3798
name: defaults
objectGUID:: vrCxbL/QkUGFyZWvELWj/w==
objectCategory: CN=sudoRole,CN=Schema,CN=Configuration,DC=teemu,DC=local
sudoOption: env_keep+=SSH_AUTH_SOCK
distinguishedName: CN=defaults,OU=SUDOers,DC=teemu,DC=local

# %wheel, SUDOers, teemu.local
dn: CN=%wheel,OU=SUDOers,DC=teemu,DC=local
objectClass: top
objectClass: sudoRole
cn: %wheel
instanceType: 4
whenCreated: 20140626094147.0Z
whenChanged: 20140626094147.0Z
uSNCreated: 3800
uSNChanged: 3800
name: %wheel
objectGUID:: jpGX5AmGUkimPw1yl+oZkA==
objectCategory: CN=sudoRole,CN=Schema,CN=Configuration,DC=teemu,DC=local
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL
distinguishedName: CN=%wheel,OU=SUDOers,DC=teemu,DC=local

# reima, SUDOers, teemu.local
dn: CN=reima,OU=SUDOers,DC=teemu,DC=local
objectClass: top
objectClass: sudoRole
cn: reima
instanceType: 4
whenCreated: 20140625194650.0Z
whenChanged: 20140625194650.0Z
uSNCreated: 3799
uSNChanged: 3799
name: reima
objectGUID:: U1paZdVOSke2zmInSenFTg==
objectCategory: CN=sudoRole,CN=Schema,CN=Configuration,DC=teemu,DC=local
sudoUser: reima
sudoHost: ALL
sudoCommand: ALL
distinguishedName: CN=reima,OU=SUDOers,DC=teemu,DC=local

# search result
search: 4
result: 0 Success

# numResponses: 4
# numEntries: 3



Sssd.conf:
[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = default
# Maximum verbosity while this is being investigated; lower it once resolved.
debug_level = 10

[nss]

[pam]

[sudo]
debug_level = 10

[domain/default]
debug_level = 10
id_provider = ldap
sudo_provider = ldap
ldap_schema = rfc2307bis
ldap_referrals = false
# Plain ldap:// URI (no ldaps/STARTTLS). Any transport protection comes from the
# SASL/GSSAPI security layer selected by ldap_sasl_mech below, not from TLS.
ldap_uri = ldap://dc1.teemu.local
ldap_search_base = cn=Users,dc=teemu,dc=local
# Base for sudoRole lookups. The sssd_default.log excerpt searches this base and
# receives 0 rules, while the ldapsearch run above (bound as administrator@TEEMU.LOCAL)
# returns 3 entries under the same base and filter.
# NOTE(review): the two searches presumably bind as different identities (administrator
# vs. the ldap_sasl_authid below) — confirm that the sssd identity can read this OU.
ldap_sudo_search_base = ou=sudoers,dc=teemu,dc=local
ldap_force_upper_case_realm = true

# See man sssd-simple
# No simple_allow_users / simple_allow_groups are set here, so per the sssd-simple
# default every authenticated user is allowed access — confirm that is intended.
access_provider = simple
# Uncomment to check for account expiration in DC
# access_provider = ldap
# ldap_access_order = expire
# ldap_account_expire_policy = ad

# Enumeration is discouraged for performance reasons.
# enumerate = true

# Cleartext bind credentials live in this file; keep it readable by root only.
# NOTE(review): with ldap_sasl_mech = gssapi and a keytab configured below, this
# simple bind DN/password is presumably not used for the LDAP connection — confirm,
# and drop it if so rather than keeping an unused secret on disk.
ldap_default_bind_dn = cn=Administrator,cn=Users,dc=teemu,dc=local
ldap_default_authtok = XXXXXX

auth_provider = krb5
chpass_provider = krb5
ldap_sasl_mech = gssapi
# Machine-account principal used for the GSSAPI bind to the DC.
ldap_sasl_authid = dc1$@TEEMU.LOCAL
krb5_realm = TEEMU.LOCAL
krb5_server = dc1.teemu.local
krb5_kpasswd = dc1.teemu.local
# Keytab holding the key for ldap_sasl_authid; treat it as a credential (root-only).
ldap_krb5_keytab = /etc/krb5.sssd.keytab

# AD-style attribute mappings on top of the rfc2307bis schema.
ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_shell = loginShell

ldap_group_object_class = group

sssd_default.log:
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with base [ou=sudoers,dc=teemu,dc=local]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)\
(sudoHost=dc1)(sudoHost=dc1)(sudoHost=10.0.2.15)(sudoHost=10.0.2.0/24)(sudoHost=192.168.1.1)(sudoHost=192.168.1.0/24)(sudoHost=fe80::a00:27ff:fede:ba44)(sudoHost=fe80::/6\
4)(sudoHost=fe80::a00:27ff:fef3:dc1)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))][ou=sudoers,dc=teemu,dc=local].
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoCommand]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoHost]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoUser]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOption]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsUser]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsGroup]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotBefore]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotAfter]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOrder]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 12
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0xfed4e0], connected[1], ops[0xff7c20], ldap[0xfedba0]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_done] (0x1000): Total count [0]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_sudo_load_sudoers_process] (0x0400): Receiving sudo rules with base [ou=sudoers,dc=teemu,dc=local]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_sudo_load_sudoers_done] (0x0400): Received 0 rules