On 22 Dec 2017, at 14:48, Viktor Ekl <viktorekl867(a)gmail.com&gt; wrote: Hello. Sssd 1.15.2-50 on Centos 7. I'm trying to grant sudo access to members of known AD group (say, "linux_admin"), but with no success: "<user> is not allowed to run sudo on <host>. This incident will be reported" Can't understand why, according to sssd_domain.log group and members found ? My configuration, /etc/sudoers: %wheel ALL=(ALL) ALL %linux_admin ALL=(ALL) ALL part of /etc/sssd/sssd.conf: sudo_provider = ldap Part of sudo_debug log: sudo[1069] sudo_getgrnam: group linux_admin [] -> gid 10001 [] (cached) ... sudo[1069] sudo_get_gidlist: looking up group IDs for testadmin ... sudo[1069] user_in_group: user testadmin NOT in group linux_admin Part of sssd_testdomain.com.log: [sssd[be[testdomain.com]]] [dp_get_account_info_handler] (0x0200): Got request for [0x2][BE_REQ_GROUP][name=linux_admin(a)testdomain.com] [sssd[be[testdomain.com]]] [dp_attach_req] (0x0400): DP Request [Account #11]: New request. Flags [0x0001]. [sssd[be[testdomain.com]]] [dp_attach_req] (0x0400): Number of active DP request: 1 [sssd[be[testdomain.com]]] [sss_domain_get_state] (0x1000): Domain testdomain.com is Active [sssd[be[testdomain.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=users,dc=testdomain,dc=com] [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=linux_admin)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=users,dc=testdomain,dc=com]. [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUid] [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged] [sssd[be[testdomain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=linux_admin,CN=Users,DC=testdomain,DC=com]. [sssd[be[testdomain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set [sssd[be[testdomain.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results. [sssd[be[testdomain.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ [sssd[be[testdomain.com]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table [sssd[be[testdomain.com]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table [sssd[be[testdomain.com]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success] [sssd[be[testdomain.com]]] [sdap_get_primary_name] (0x0400): Processing object linux_admin [sssd[be[testdomain.com]]] [sdap_save_group] (0x0400): Processing group linux_admin(a)testdomain.com [sssd[be[testdomain.com]]] [sdap_process_ghost_members] (0x0400): The group has 1 members [sssd[be[testdomain.com]]] [sdap_process_ghost_members] (0x0400): Group has 1 members [sssd[be[testdomain.com]]] [sdap_save_group] (0x0400): Storing info for group linux_admin(a)testdomain.com [sssd[be[testdomain.com]]] [sysdb_store_group] (0x1000): The group record of linux_admin(a)testdomain.com did not change, only updated the timestamp cache [sssd[be[testdomain.com]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success] [sssd[be[testdomain.com]]] [sdap_save_grpmem] (0x0400): Failed to get group sid [sssd[be[testdomain.com]]] [sdap_get_primary_name] (0x0400): Processing object linux_admin [sssd[be[testdomain.com]]] [sdap_save_grpmem] (0x0400): Processing group linux_admin(a)testdomain.com [sssd[be[testdomain.com]]] [sdap_save_grpmem] (0x0400): Adding member users to group [linux_admin(a)testdomain.com] [sssd[be[testdomain.com]]] [sdap_fill_memberships] (0x0080): Member [testadmin] is it out of domain scope? [sssd[be[testdomain.com]]] [sdap_fill_memberships] (0x0080): Member [testadmin] was not found in cache. Is it out of scope? [sssd[be[testdomain.com]]] [sysdb_set_entry_attr] (0x0200): Entry [name=linux_admin(a)testdomain.com,cn=groups,cn=testdomain.com,cn=sysdb] has set [ts_cache] attrs. [sssd[be[testdomain.com]]] [dp_req_done] (0x0400): DP Request [Account #11]: Request handler finished [0]: Success [sssd[be[testdomain.com]]] [_dp_req_recv] (0x0400): DP Request [Account #11]: Receiving request data. [sssd[be[testdomain.com]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #11]: Finished. Success. [sssd[be[testdomain.com]]] [dp_req_reply_std] (0x1000): DP Request [Account #11]: Returning [Success]: 0,0,Success _______________________________________________ sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org

On Dec 22, 2017, at 6:12 AM, Jakub Hrozek <jhrozek(a)redhat.com&gt; wrote: EXTERNAL MAIL: sssd-users-bounces(a)lists.fedorahosted.org Ah, since you’re using local sudo rules and not stored in AD, I think only the sudo log would be most interesting. Plus, is the user either a member of wheel or linux_admin? (iow, do either of these group show up if you run ‘id’ as the user?) > On 22 Dec 2017, at 15:09, Jakub Hrozek <jhrozek(a)redhat.com&gt; wrote: > > If you follow https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html and generate the sssd logs, does that shed some more light? > >> On 22 Dec 2017, at 14:48, Viktor Ekl <viktorekl867(a)gmail.com&gt; wrote: >> >> Hello. >> >> Sssd 1.15.2-50 on Centos 7. I'm trying to grant sudo access to members of known AD group (say, "linux_admin"), but with no success: >> "<user> is not allowed to run sudo on <host>. This incident will be reported" >> Can't understand why, according to sssd_domain.log group and members found ? >> >> My configuration, /etc/sudoers: >> %wheel ALL=(ALL) ALL >> %linux_admin ALL=(ALL) ALL >> >> part of /etc/sssd/sssd.conf: >> sudo_provider = ldap >> >> Part of sudo_debug log: >> sudo[1069] sudo_getgrnam: group linux_admin [] -> gid 10001 [] (cached) >> ... >> sudo[1069] sudo_get_gidlist: looking up group IDs for testadmin >> ... >> sudo[1069] user_in_group: user testadmin NOT in group linux_admin >> >> Part of sssd_testdomain.com.log: >> [sssd[be[testdomain.com]]] [dp_get_account_info_handler] (0x0200): Got request for [0x2][BE_REQ_GROUP][name=linux_admin(a)testdomain.com] >> [sssd[be[testdomain.com]]] [dp_attach_req] (0x0400): DP Request [Account #11]: New request. Flags [0x0001]. >> [sssd[be[testdomain.com]]] [dp_attach_req] (0x0400): Number of active DP request: 1 >> [sssd[be[testdomain.com]]] [sss_domain_get_state] (0x1000): Domain testdomain.com is Active >> [sssd[be[testdomain.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=users,dc=testdomain,dc=com] >> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=linux_admin)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=users,dc=testdomain,dc=com]. >> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] >> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] >> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] >> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] >> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUid] >> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] >> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged] >> [sssd[be[testdomain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=linux_admin,CN=Users,DC=testdomain,DC=com]. >> [sssd[be[testdomain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set >> [sssd[be[testdomain.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results. >> [sssd[be[testdomain.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ >> [sssd[be[testdomain.com]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table >> [sssd[be[testdomain.com]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table >> [sssd[be[testdomain.com]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success] >> [sssd[be[testdomain.com]]] [sdap_get_primary_name] (0x0400): Processing object linux_admin >> [sssd[be[testdomain.com]]] [sdap_save_group] (0x0400): Processing group linux_admin(a)testdomain.com >> [sssd[be[testdomain.com]]] [sdap_process_ghost_members] (0x0400): The group has 1 members >> [sssd[be[testdomain.com]]] [sdap_process_ghost_members] (0x0400): Group has 1 members >> [sssd[be[testdomain.com]]] [sdap_save_group] (0x0400): Storing info for group linux_admin(a)testdomain.com >> [sssd[be[testdomain.com]]] [sysdb_store_group] (0x1000): The group record of linux_admin(a)testdomain.com did not change, only updated the timestamp cache >> [sssd[be[testdomain.com]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success] >> [sssd[be[testdomain.com]]] [sdap_save_grpmem] (0x0400): Failed to get group sid >> [sssd[be[testdomain.com]]] [sdap_get_primary_name] (0x0400): Processing object linux_admin >> [sssd[be[testdomain.com]]] [sdap_save_grpmem] (0x0400): Processing group linux_admin(a)testdomain.com >> [sssd[be[testdomain.com]]] [sdap_save_grpmem] (0x0400): Adding member users to group [linux_admin(a)testdomain.com] >> [sssd[be[testdomain.com]]] [sdap_fill_memberships] (0x0080): Member [testadmin] is it out of domain scope? >> [sssd[be[testdomain.com]]] [sdap_fill_memberships] (0x0080): Member [testadmin] was not found in cache. Is it out of scope? >> [sssd[be[testdomain.com]]] [sysdb_set_entry_attr] (0x0200): Entry [name=linux_admin(a)testdomain.com,cn=groups,cn=testdomain.com,cn=sysdb] has set [ts_cache] attrs. >> [sssd[be[testdomain.com]]] [dp_req_done] (0x0400): DP Request [Account #11]: Request handler finished [0]: Success >> [sssd[be[testdomain.com]]] [_dp_req_recv] (0x0400): DP Request [Account #11]: Receiving request data. >> [sssd[be[testdomain.com]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #11]: Finished. Success. >> [sssd[be[testdomain.com]]] [dp_req_reply_std] (0x1000): DP Request [Account #11]: Returning [Success]: 0,0,Success >> _______________________________________________ >> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org >> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org > _______________________________________________ > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org > To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org _______________________________________________ sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org

We found that there was a Sudo change that requires fqdn for hostnames. Older versions used short names. Does having both fqdn and short names make it work?