On Sun, Jun 30, 2019 at 09:31:17AM -0000, Bruno Monteiro wrote:
> Hello,
> Below my configuration and errors :)
> (I've adapted some strings for the sake of example - domain is not real)
>
> cat /etc/sssd/sssd.conf
> [sssd]
> services = nss, pam, ssh, sudo
> debug_level = 0x7FFF
> domains = LDAP_MY.COM
>
> [sudo]
> debug_level = 0x3ff0
>
> [domain/LDAP_MY.COM]
> debug_level = 0x3ff0
> access_provider = ldap
> id_provider = ldap
> sudo_provider = ldap
> ldap_uri = ldap://<IP>
> ldap_default_bind_dn = <user>@my.com
> ldap_default_authtok = <password>
> ldap_sudo_search_base = OU=SUDOers,DC=my,DC=com
>
> /etc/nsswitch.conf
> ...
> sudoers: sss files
> ....
>
> ldbsearch -H /var/lib/sss/db/cache_LDAP_MY.COM/ldb contains Microsoft AD records:
> # record 2
> dn: name=r2,cn=sudorules,cn=custom,cn=LDAP_MY.COM,cn=sysdb
The config snippet says the sudo search base is ou=sudoers, but the rule
example is at cn=sudoers,cn=custom.
> cn: r2
> dataExpireTimestamp: 1561891358
> entryUSN: 245385
> name: r2
> objectClass: sudoRule
> originalDN: CN=r2,OU=SUDOers,DC=my,DC=com
> sudoCommand: ALL
> sudoHost: ALL
> sudoOption: !authenticate
> sudoUser: Admin@my.com
> distinguishedName: name=r2,cn=sudorules,cn=custom,cn=LDAP_MY.COM,cn=sysdb
>
> AD sudoRole is sudoRule in local SSSD DB cache.
> But getting this below when trying to test 'sudo -l' or 'sudo su'
> [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0 rules for [Admin@my.com@my.com]
> from /var/log/sssd/sssd_sudo.log
> Duplicate domain?
That's just a minor bug in the debug message (at one point we switched
to using qualified names everywhere internally, but some debug messages
were qualifying the names on their own).
> I can see the rules been updated in the SSSD cache file from Microsoft AD.
> But I cannot use them because maybe some misconfiguration?
You're using the plain ldap sudo provider, but you're not using
case_sensitive=false so you need to make sure the case matches exactly;
AD is case-insensitive, but Linux is case-sensitive.
Also, I'm not sure if the plain LDAP provider is able to match the name
qualified with the domain name (Admin@my.com) in sudoUser or only the username
(Admin).
Posting more context from the logs might be helpful as well.
>
> setup for sudo logs:
> /etc/sudo.conf and put down the following lines:
> Debug sudo /var/log/sudo_debug all@debug
> Debug sudoers.so /var/log/sudo_debug all@debug
>
> from /var/log/sudo_debug I have this:
> ...
> user_in_group: user admin@my.com NOT in group sudo
> ...
>
> Thx a lot!
>
> Cheers!
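The case-matching point raised in the reply, as an added example that is not part of this thread or of SSSD's code: a small Python script parses an ldbsearch dump constructed from the record quoted above and reports which sudoRule entries would match the requesting user under exact, case-insensitive and short-name comparison. The matching logic is a deliberate simplification assumed for illustration, not the sudo provider's real algorithm; the constructed sample writes the archive's "(a)" as "@", and the user name is taken from the sudo debug line (`admin@my.com`, lower case) while the cached rule carries `Admin@my.com`.

```python
# Constructed sample of the ldbsearch output quoted in the thread, trimmed
# to the attributes the matching logic needs. Not real SSSD cache data.
SAMPLE_LDB = """\
# record 2
dn: name=r2,cn=sudorules,cn=custom,cn=LDAP_MY.COM,cn=sysdb
cn: r2
objectClass: sudoRule
originalDN: CN=r2,OU=SUDOers,DC=my,DC=com
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoUser: Admin@my.com
"""


def parse_ldb(text):
    """Split an ldbsearch dump into a list of {attribute: [values]} records."""
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue
        if line.startswith("dn:") and current:   # a new dn starts a new record
            records.append(current)
            current = {}
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def matching_rules(records, user, case_sensitive=True, qualified=True):
    """Return the cn of every sudoRule whose sudoUser matches `user`.

    case_sensitive=False mimics the effect of case_sensitive=false in sssd.conf;
    qualified=False compares only the part before '@', i.e. a provider that
    matches the short user name rather than user@domain (hypothetical mode).
    """
    def norm(name):
        if not qualified:
            name = name.split("@", 1)[0]
        return name if case_sensitive else name.lower()

    hits = []
    for rec in records:
        if "sudoRule" not in rec.get("objectClass", []):
            continue
        if any(su == "ALL" or norm(su) == norm(user) for su in rec.get("sudoUser", [])):
            hits.append(rec["cn"][0])
    return hits


if __name__ == "__main__":
    rules = parse_ldb(SAMPLE_LDB)
    for cs in (True, False):
        print(f"case_sensitive={cs}:", matching_rules(rules, "admin@my.com", case_sensitive=cs))
```

With exact matching the lower-case user from the sudo debug log matches nothing, which is the "Returning 0 rules" symptom; with case-insensitive matching rule r2 applies.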