On Tue, Apr 22, 2014 at 10:52:23PM +0100, Chris Hayes wrote: > I have SSSD (1.8.4) working fine on Debian Wheezy system, with an LDAP > backend for users and groups. However, I'm having a problem with sudo. > > My sudoers configuration file has the line following line in it: > > %sudo ALL=(ALL:ALL) ALL > > And my LDAP (via SSSD) user is in that "sudo" group (its UID is in the > /etc/group file for group sudo, and getent shows this fine). > > sudo:x:27:9009 > > However, when I run a sudo command, I receive the following error: > > chris is not in the sudoers file. This incident will be reported. > > Can someone help me to understand why this might be happening? > > Chris If you run 'id user' do you see him as a member of the sudo group?

was added sometimes in 1.9..

On Wed, Apr 23, 2014 at 10:50:06AM +0100, Chris Hayes wrote: > On Wed, Apr 23, 2014 at 10:01 AM, Jakub Hrozek <jhrozek(a)redhat.com&gt; wrote: > > > On Tue, Apr 22, 2014 at 10:52:23PM +0100, Chris Hayes wrote: > > > I have SSSD (1.8.4) working fine on Debian Wheezy system, with an LDAP > > > backend for users and groups. However, I'm having a problem with sudo. > > > > > > My sudoers configuration file has the line following line in it: > > > > > > %sudo ALL=(ALL:ALL) ALL > > > > > > And my LDAP (via SSSD) user is in that "sudo" group (its UID is in the > > > /etc/group file for group sudo, and getent shows this fine). > > > > > > sudo:x:27:9009 > > > > > > However, when I run a sudo command, I receive the following error: > > > > > > chris is not in the sudoers file. This incident will be reported. > > > > > > Can someone help me to understand why this might be happening? > > > > > > Chris > > > > If you run 'id user' do you see him as a member of the sudo group? > > > > uid=9009(chris) gid=9001(chris) groups=9001(chris) > > OK, I see that it's not picking up that sudo group. > > IIRC the functionality for an LDAP user to be a member of a UNIX group > > was added sometimes in 1.9.. > > > > I have an LDAP group though, and this also doesn't show in the id output. > Is this also an issue with the pre-1.9 releases? > > admins:*:9000:9009 Ah, sorry I guess I was confused when you said earlier you had a group in /etc/groups..so the group sudo relies on is in LDAP or files? In general, I would recommend to upgrade to 1.9.x if possible, but such basic functionality like list of groups the user is a member of worked in 1.8 as well. Are you sure you're using the correct schema? Does the 'id' output for other users look OK? Check out some tips at: https://fedorahosted.org/sssd/wiki/FAQ _______________________________________________ sssd-users mailing list sssd-users(a)lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users

Can someone please disambiguate the situation as I'm really unsure what the problem is after hearing back from some of you guys. On Wed, Apr 23, 2014 at 1:57 PM, Chris Hayes <berzerkatives(a)gmail.com <mailto:berzerkatives@gmail.com>> wrote: On Wed, Apr 23, 2014 at 1:26 PM, Jakub Hrozek <jhrozek(a)redhat.com <mailto:jhrozek@redhat.com>> wrote: On Wed, Apr 23, 2014 at 10:50:06AM +0100, Chris Hayes wrote: > On Wed, Apr 23, 2014 at 10:01 AM, Jakub Hrozek <jhrozek(a)redhat.com <mailto:jhrozek@redhat.com>> wrote: > > > On Tue, Apr 22, 2014 at 10:52:23PM +0100, Chris Hayes wrote: > > > I have SSSD (1.8.4) working fine on Debian Wheezy system, with an LDAP > > > backend for users and groups. However, I'm having a problem with sudo. > > > > > > My sudoers configuration file has the line following line in it: > > > > > > %sudo ALL=(ALL:ALL) ALL > > > > > > And my LDAP (via SSSD) user is in that "sudo" group (its UID is in the > > > /etc/group file for group sudo, and getent shows this fine). > > > > > > sudo:x:27:9009 > > > > > > However, when I run a sudo command, I receive the following error: > > > > > > chris is not in the sudoers file. This incident will be reported. > > > > > > Can someone help me to understand why this might be happening? > > > > > > Chris > > > > If you run 'id user' do you see him as a member of the sudo group? > > > > uid=9009(chris) gid=9001(chris) groups=9001(chris) > > OK, I see that it's not picking up that sudo group. > > IIRC the functionality for an LDAP user to be a member of a UNIX group > > was added sometimes in 1.9.. > > > > I have an LDAP group though, and this also doesn't show in the id output. > Is this also an issue with the pre-1.9 releases? > > admins:*:9000:9009 Ah, sorry I guess I was confused when you said earlier you had a group in /etc/groups..so the group sudo relies on is in LDAP or files? In general, I would recommend to upgrade to 1.9.x if possible, but such basic functionality like list of groups the user is a member of worked in 1.8 as well. Are you sure you're using the correct schema? Does the 'id' output for other users look OK? Check out some tips at: https://fedorahosted.org/sssd/wiki/FAQ _______________________________________________ sssd-users mailing list sssd-users(a)lists.fedorahosted.org <mailto:sssd-users@lists.fedorahosted.org> https://lists.fedorahosted.org/mailman/listinfo/sssd-users Just to be clear, my confusion is exasperated by seeing exactly what I'd expect using getent. Here are the getent lookups. # My LDAP user (via SSSD). chris:*:9009:9001:Chris:/home/chris:/bin/bash # The local group (/etc/group). sudo:x:27:9009 # The LDAP group (via SSSD). admins:*:9000:9009 The getent works fine suggests to me that my schema is fine. Upgrading isn't really an option as I maintain dozens of machines running Debian Wheezy. While sudo maintains that "chris" isn't present in either of these groups. So is this because my sudo doesn't support SSSD? Kind regards, Chris _______________________________________________ sssd-users mailing list sssd-users(a)lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users

On Wed, Apr 23, 2014 at 10:01 AM, Jakub Hrozek <jhrozek(a)redhat.com <mailto:jhrozek@redhat.com>> wrote: On Tue, Apr 22, 2014 at 10:52:23PM +0100, Chris Hayes wrote: > I have SSSD (1.8.4) working fine on Debian Wheezy system, with an LDAP > backend for users and groups. However, I'm having a problem with sudo. > > My sudoers configuration file has the line following line in it: > > %sudo ALL=(ALL:ALL) ALL > > And my LDAP (via SSSD) user is in that "sudo" group (its UID is in the > /etc/group file for group sudo, and getent shows this fine). > > sudo:x:27:9009 > > However, when I run a sudo command, I receive the following error: > > chris is not in the sudoers file. This incident will be reported. > > Can someone help me to understand why this might be happening? > > Chris If you run 'id user' do you see him as a member of the sudo group? uid=9009(chris) gid=9001(chris) groups=9001(chris) OK, I see that it's not picking up that sudo group. IIRC the functionality for an LDAP user to be a member of a UNIX group was added sometimes in 1.9.. I have an LDAP group though, and this also doesn't show in the id output. Is this also an issue with the pre-1.9 releases? admins:*:9000:9009 Kind regards, Chris _______________________________________________ sssd-users mailing list sssd-users(a)lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users