On Tue, May 24, 2016 at 07:19:31PM +0000, Mote, Todd wrote:
> So I've extended my AD and created a sudoRole in an OU, and can
> get it to work for a single user. I can't however get it to work with an AD group.
> I've tried %<adgroupname>, <adgroupname>, and +<adgroupname> all in
> the sudoUser attribute on the object, but cannot get it to use the group. getent group
> <adgroupname> returns members. Reading the Sudoers LDAP Manual has this to say for
> sudoUser:
Does id $user report the user as member of that group?
> "A user name, user ID (prefixed with '#'), Unix group name or ID (prefixed
> with '%' or '%#' respectively), user netgroup (prefixed with '+'),
> or non-Unix group name or ID (prefixed with '%:' or '%:#' respectively).
> User netgroups are matched using the user and domain members only; the host member is not
> used when matching. Non-Unix group support is only available when an appropriate
> group_plugin is defined in the global defaults sudoRole object."
> So is it reasonable to assume the last sentence is tripping this up? Does a group_plugin
> need to be defined in defaults? What group_plugin needs to be defined in defaults? It all
> works fine with just a single user in the sudoUser attribute. Once I replace it with
> %<adgroupname>, the same way I put it in the sudoers file manually, it fails to
> match the rule.
That shouldn't be necessary.
> From sssd_sudo.log
> When just my user is listed specifically in the sudoUser attribute in the sudoRole object
> in AD:
> [sudosrv_get_sudorules_query_cache] (0x0200):Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=myaduser)(sudoUser=#1165)(sudoUser=%Domain\20Users)(sudoUser=%<adgroupname1>)(sudoUser=%<adgroupname2>)(sudoUser=%<adgroupnameiwanttouse>)
> ...
> [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
> [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for
> [myaduser(a)mydomain.com]
> When a group my user is in, is in the sudoUser attribute in the sudoRole object in AD:
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=myaduser)(sudoUser=#1165)(sudoUser=%Domain\20Users)(sudoUser=%<adgroupname1>)(sudoUser=%<adgroupname2>)(sudoUser=%<adgroupnameiwanttouse>)
> ...
> [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for
> [myaduser(a)mydomain.com]
Please note that this is an internal cache filter, not an LDAP filter. You
can check it with:
ldbsearch -H /var/lib/sss/db/cache_$yourdomain.ldb $filter
In general, this upstream wiki page can pinpoint what went wrong,
usually the sudo logs are quite interesting:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
> I've tried matching case with the filter that's in sssd_sudo.log, I've tried
> matching case from id $user, nothing seems to work but listing my user account
> specifically. Is there some magic to getting AD groups to work with SUDO LDAP objects?
> Todd
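Worked example, added here and not from the thread or from SSSD itself: a small Python checker that pulls the `sudoUser=%group` entries out of the `Searching sysdb with [...]` line in sssd_sudo.log, decodes LDAP filter escapes such as `\20`, and reports whether the AD group named in the sudoRole appears in that filter and in the user's NSS group list exactly, only with different case, or not at all. The log line is a constructed sample modelled on the one quoted above; `groups_in_filter`, `groups_from_system`, `classify` and `check_group_match` are hypothetical names.

```python
import grp
import os
import pwd
import re
import sys

# Constructed sample line, modelled on the sssd_sudo.log output quoted above.
SAMPLE_LOG_LINE = (
    "[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with "
    "[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=myaduser)(sudoUser=#1165)"
    "(sudoUser=%Domain\\20Users)(sudoUser=%linuxadmins)))]"
)

def unescape_ldap(value):
    """Decode LDAP filter escapes such as \\20 (space) back to characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def groups_in_filter(log_line):
    """Unix group names SSSD put into the cache filter as sudoUser=%name (%#gid and %:nonunix skipped)."""
    names = re.findall(r"\(sudoUser=%([^)]+)\)", log_line)
    return [unescape_ldap(n) for n in names if not n.startswith(("#", ":"))]

def groups_from_system(user):
    """Groups NSS (and therefore id / getent) reports for the user on the live system."""
    pw = pwd.getpwnam(user)
    return [grp.getgrgid(g).gr_name for g in os.getgrouplist(user, pw.pw_gid)]

def classify(wanted, names):
    """'exact', 'case-only' (present but differing only in case) or 'missing'."""
    if wanted in names:
        return "exact"
    if wanted.lower() in (n.lower() for n in names):
        return "case-only"
    return "missing"

def check_group_match(log_line, user_groups, wanted):
    """Compare the sudoRole's group against the cache filter and the NSS group list."""
    return {"filter": classify(wanted, groups_in_filter(log_line)),
            "id": classify(wanted, user_groups)}

if __name__ == "__main__":
    # usage (hypothetical helper): check_sudo_group.py <user> <adgroup> < sssd_sudo.log
    user, wanted = sys.argv[1], sys.argv[2]
    for line in sys.stdin:
        if "Searching sysdb with" in line:
            print(check_group_match(line, groups_from_system(user), wanted))
```

A `case-only` result on either side points at a case mismatch between the group name in the sudoRole and the name SSSD resolves, which is worth ruling out before suspecting group_plugin.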
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org