Ah, since you’re using local sudo rules and not stored in AD, I think only the sudo log
would be most interesting. Plus, is the user either a member of wheel or linux_admin?
(iow, do either of these groups show up if you run ‘id’ as the user?)
On 22 Dec 2017, at 15:09, Jakub Hrozek <jhrozek@redhat.com> wrote:
If you follow
https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html and
generate the sssd logs, does that shed some more light?
> On 22 Dec 2017, at 14:48, Viktor Ekl <viktorekl867@gmail.com> wrote:
>
> Hello.
>
> Sssd 1.15.2-50 on Centos 7. I'm trying to grant sudo access to members of a known AD group (say, "linux_admin"), but with no success:
> "<user> is not allowed to run sudo on <host>. This incident will be reported"
> Can't understand why; according to sssd_domain.log the group and its members are found?
>
> My configuration, /etc/sudoers:
> %wheel ALL=(ALL) ALL
> %linux_admin ALL=(ALL) ALL
>
> part of /etc/sssd/sssd.conf:
> sudo_provider = ldap
>
> Part of sudo_debug log:
> sudo[1069] sudo_getgrnam: group linux_admin [] -> gid 10001 [] (cached)
> ...
> sudo[1069] sudo_get_gidlist: looking up group IDs for testadmin
> ...
> sudo[1069] user_in_group: user testadmin NOT in group linux_admin
>
> Part of sssd_testdomain.com.log:
> [sssd[be[testdomain.com]]] [dp_get_account_info_handler] (0x0200): Got request for [0x2][BE_REQ_GROUP][name=linux_admin@testdomain.com]
> [sssd[be[testdomain.com]]] [dp_attach_req] (0x0400): DP Request [Account #11]: New request. Flags [0x0001].
> [sssd[be[testdomain.com]]] [dp_attach_req] (0x0400): Number of active DP request: 1
> [sssd[be[testdomain.com]]] [sss_domain_get_state] (0x1000): Domain testdomain.com is Active
> [sssd[be[testdomain.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=users,dc=testdomain,dc=com]
> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=linux_admin)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=users,dc=testdomain,dc=com].
> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUid]
> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
> [sssd[be[testdomain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=linux_admin,CN=Users,DC=testdomain,DC=com].
> [sssd[be[testdomain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> [sssd[be[testdomain.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
> [sssd[be[testdomain.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ
> [sssd[be[testdomain.com]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
> [sssd[be[testdomain.com]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
> [sssd[be[testdomain.com]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success]
> [sssd[be[testdomain.com]]] [sdap_get_primary_name] (0x0400): Processing object linux_admin
> [sssd[be[testdomain.com]]] [sdap_save_group] (0x0400): Processing group linux_admin@testdomain.com
> [sssd[be[testdomain.com]]] [sdap_process_ghost_members] (0x0400): The group has 1 members
> [sssd[be[testdomain.com]]] [sdap_process_ghost_members] (0x0400): Group has 1 members
> [sssd[be[testdomain.com]]] [sdap_save_group] (0x0400): Storing info for group linux_admin@testdomain.com
> [sssd[be[testdomain.com]]] [sysdb_store_group] (0x1000): The group record of linux_admin@testdomain.com did not change, only updated the timestamp cache
> [sssd[be[testdomain.com]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success]
> [sssd[be[testdomain.com]]] [sdap_save_grpmem] (0x0400): Failed to get group sid
> [sssd[be[testdomain.com]]] [sdap_get_primary_name] (0x0400): Processing object linux_admin
> [sssd[be[testdomain.com]]] [sdap_save_grpmem] (0x0400): Processing group linux_admin@testdomain.com
> [sssd[be[testdomain.com]]] [sdap_save_grpmem] (0x0400): Adding member users to group [linux_admin@testdomain.com]
> [sssd[be[testdomain.com]]] [sdap_fill_memberships] (0x0080): Member [testadmin] is it out of domain scope?
> [sssd[be[testdomain.com]]] [sdap_fill_memberships] (0x0080): Member [testadmin] was not found in cache. Is it out of scope?
> [sssd[be[testdomain.com]]] [sysdb_set_entry_attr] (0x0200): Entry [name=linux_admin@testdomain.com,cn=groups,cn=testdomain.com,cn=sysdb] has set [ts_cache] attrs.
> [sssd[be[testdomain.com]]] [dp_req_done] (0x0400): DP Request [Account #11]: Request handler finished [0]: Success
> [sssd[be[testdomain.com]]] [_dp_req_recv] (0x0400): DP Request [Account #11]: Receiving request data.
> [sssd[be[testdomain.com]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #11]: Finished. Success.
> [sssd[be[testdomain.com]]] [dp_req_reply_std] (0x1000): DP Request [Account #11]: Returning [Success]: 0,0,Success
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
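As an added example (not code from this thread or from the sssd project), a POSIX shell check that mirrors the %group evaluation visible in the sudo_debug log above: each %group in sudoers is resolved to a gid the way sudo_getgrnam does (through NSS via getent) and compared against the user's gid list the way user_in_group does, so a group that sssd has not attached the user to shows up before sudo denies the request. The function names and the optional "name gid" map file (used in place of getent for offline runs) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce what sudo does for a "%group"
# rule (sudo_getgrnam resolves the name to a gid, sudo_get_gidlist fetches the
# user's gids, user_in_group compares them) so a sudoers/NSS mismatch is visible.

# Print the group names used by %group rules in a sudoers file, one per line.
sudoers_groups() {
    # take the word after a leading '%', stopping at whitespace, ',' or '='
    # ("%linux_admin ALL=(ALL) ALL" -> "linux_admin"); '#' comments never match
    sed -n 's/^[[:space:]]*%\([^[:space:],=]*\).*/\1/p' "$1" | sort -u
}

# Resolve a group name to its gid through NSS, the same path sudo takes.
group_gid() {
    getent group "$1" | cut -d: -f3
}

# List %group rules that cannot match the user.
#   $1 sudoers file
#   $2 file with the user's gids, one per line (as from `id -G user`)
#   $3 optional "name gid" map used instead of getent (offline use / tests)
missing_sudo_groups() {
    sudoers_groups "$1" | while read -r g; do
        if [ -n "$3" ]; then
            gid=$(awk -v n="$g" '$1 == n { print $2 }' "$3")
        else
            gid=$(group_gid "$g")
        fi
        if [ -z "$gid" ]; then
            echo "$g: not resolvable via NSS (sudo_getgrnam would fail)"
        elif ! grep -qx "$gid" "$2"; then
            echo "$g: gid $gid not in user's gid list (user_in_group -> NOT)"
        fi
    done
}

# Live check of a real account against /etc/sudoers (needs read access to it).
check_user() {
    tmp=$(mktemp)
    id -G "$1" | tr ' ' '\n' > "$tmp"
    missing_sudo_groups /etc/sudoers "$tmp" ""
    rm -f "$tmp"
}
```

Run `check_user testadmin` on the affected host; an empty result means every %group rule resolves and the user carries its gid, while a "not in user's gid list" line for linux_admin matches the "NOT in group" verdict in the sudo_debug log and points at sssd membership resolution rather than at sudoers.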