We found that there was a Sudo change that requires fqdn for hostnames. Older versions
used short names. Does having both fqdn and short names make it work?
On Dec 22, 2017, at 6:12 AM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
Ah, since you’re using local sudo rules and not stored in AD, I think only the sudo log
would be most interesting. Plus, is the user either a member of wheel or linux_admin?
(iow, do either of these groups show up if you run ‘id’ as the user?)
> On 22 Dec 2017, at 15:09, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
>
> If you follow https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html and generate the sssd logs, does that shed some more light?
>
>> On 22 Dec 2017, at 14:48, Viktor Ekl <viktorekl867(a)gmail.com> wrote:
>>
>> Hello.
>>
>> Sssd 1.15.2-50 on CentOS 7. I'm trying to grant sudo access to members of a known AD group (say, "linux_admin"), but with no success:
>> "<user> is not allowed to run sudo on <host>. This incident will be reported"
>> Can't understand why; according to sssd_domain.log the group and its members are found?
>>
>> My configuration, /etc/sudoers:
>> %wheel ALL=(ALL) ALL
>> %linux_admin ALL=(ALL) ALL
>>
>> part of /etc/sssd/sssd.conf:
>> sudo_provider = ldap
>>
>> Part of sudo_debug log:
>> sudo[1069] sudo_getgrnam: group linux_admin [] -> gid 10001 [] (cached)
>> ...
>> sudo[1069] sudo_get_gidlist: looking up group IDs for testadmin
>> ...
>> sudo[1069] user_in_group: user testadmin NOT in group linux_admin
>>
>> Part of sssd_testdomain.com.log:
>> [sssd[be[testdomain.com]]] [dp_get_account_info_handler] (0x0200): Got request for [0x2][BE_REQ_GROUP][name=linux_admin(a)testdomain.com]
>> [sssd[be[testdomain.com]]] [dp_attach_req] (0x0400): DP Request [Account #11]: New request. Flags [0x0001].
>> [sssd[be[testdomain.com]]] [dp_attach_req] (0x0400): Number of active DP request: 1
>> [sssd[be[testdomain.com]]] [sss_domain_get_state] (0x1000): Domain testdomain.com is Active
>> [sssd[be[testdomain.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=users,dc=testdomain,dc=com]
>> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=linux_admin)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=users,dc=testdomain,dc=com].
>> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
>> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
>> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
>> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
>> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUid]
>> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
>> [sssd[be[testdomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
>> [sssd[be[testdomain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=linux_admin,CN=Users,DC=testdomain,DC=com].
>> [sssd[be[testdomain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
>> [sssd[be[testdomain.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
>> [sssd[be[testdomain.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ
>> [sssd[be[testdomain.com]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
>> [sssd[be[testdomain.com]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
>> [sssd[be[testdomain.com]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success]
>> [sssd[be[testdomain.com]]] [sdap_get_primary_name] (0x0400): Processing object linux_admin
>> [sssd[be[testdomain.com]]] [sdap_save_group] (0x0400): Processing group linux_admin(a)testdomain.com
>> [sssd[be[testdomain.com]]] [sdap_process_ghost_members] (0x0400): The group has 1 members
>> [sssd[be[testdomain.com]]] [sdap_process_ghost_members] (0x0400): Group has 1 members
>> [sssd[be[testdomain.com]]] [sdap_save_group] (0x0400): Storing info for group linux_admin(a)testdomain.com
>> [sssd[be[testdomain.com]]] [sysdb_store_group] (0x1000): The group record of linux_admin(a)testdomain.com did not change, only updated the timestamp cache
>> [sssd[be[testdomain.com]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success]
>> [sssd[be[testdomain.com]]] [sdap_save_grpmem] (0x0400): Failed to get group sid
>> [sssd[be[testdomain.com]]] [sdap_get_primary_name] (0x0400): Processing object linux_admin
>> [sssd[be[testdomain.com]]] [sdap_save_grpmem] (0x0400): Processing group linux_admin(a)testdomain.com
>> [sssd[be[testdomain.com]]] [sdap_save_grpmem] (0x0400): Adding member users to group [linux_admin(a)testdomain.com]
>> [sssd[be[testdomain.com]]] [sdap_fill_memberships] (0x0080): Member [testadmin] is it out of domain scope?
>> [sssd[be[testdomain.com]]] [sdap_fill_memberships] (0x0080): Member [testadmin] was not found in cache. Is it out of scope?
>> [sssd[be[testdomain.com]]] [sysdb_set_entry_attr] (0x0200): Entry [name=linux_admin(a)testdomain.com,cn=groups,cn=testdomain.com,cn=sysdb] has set [ts_cache] attrs.
>> [sssd[be[testdomain.com]]] [dp_req_done] (0x0400): DP Request [Account #11]: Request handler finished [0]: Success
>> [sssd[be[testdomain.com]]] [_dp_req_recv] (0x0400): DP Request [Account #11]: Receiving request data.
>> [sssd[be[testdomain.com]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #11]: Finished. Success.
>> [sssd[be[testdomain.com]]] [dp_req_reply_std] (0x1000): DP Request [Account #11]: Returning [Success]: 0,0,Success
>> _______________________________________________
>> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
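The check Jakub asks for above (does the sudoers group actually show up in the user's group list?) can be scripted so that it mirrors what the sudo_debug lines record: sudo resolves the %group name to a gid (sudo_getgrnam), fetches the user's gid list (sudo_get_gidlist), and tests whether the gid is in that list (user_in_group). The script below is an added example, not code from this thread or from the SSSD project. It assumes getent(1) and id(1) are on the host, that the caller can read the sudoers file, and it only handles plain `%group` lines (not User_Alias definitions or group names with escaped spaces); the sample sudoers content is constructed from the thread.

```shell
#!/bin/sh
# Added example: verify that the groups granted in sudoers via %group lines
# are visible for a user through NSS, the same lookup path sudo takes.

# Sample sudoers content, constructed from the thread (not a real file).
SAMPLE_SUDOERS='%wheel ALL=(ALL) ALL
%linux_admin ALL=(ALL) ALL
# %commented_out ALL=(ALL) ALL
root ALL=(ALL) ALL'

# Read sudoers text on stdin, print the group names referenced by %group
# (or %:group) entries, one per line, sorted and de-duplicated.
sudoers_groups() {
    sed -e 's/#.*//' \
    | awk '$1 ~ /^%/ { sub(/^%:?/, "", $1); print $1 }' \
    | sort -u
}

# Pure check: is gid $1 present in the space-separated gid list $2?
# This is the user_in_group step from the sudo debug log.
gid_in_list() {
    needle=$1
    for g in $2; do
        [ "$g" = "$needle" ] && return 0
    done
    return 1
}

# For one user, report each sudoers group as resolvable/unresolvable and
# whether the user is a member of it according to NSS. Returns 0 when at
# least one sudoers group matches, 1 when none does, 2 if the user is unknown.
# Note: `id -G` asks NSS (here sssd) for the full list; an already logged-in
# session carries the list computed at login, so re-login after changes.
check_sudo_groups() {
    user=$1
    sudoers_file=${2:-/etc/sudoers}
    user_gids=$(id -G "$user") || return 2
    status=1
    for grp in $(sudoers_groups < "$sudoers_file"); do
        # sudo_getgrnam equivalent: name -> gid via NSS
        gid=$(getent group "$grp" | cut -d: -f3)
        if [ -z "$gid" ]; then
            echo "group $grp: not resolvable through NSS"
        elif gid_in_list "$gid" "$user_gids"; then
            echo "group $grp (gid $gid): $user IS a member"
            status=0
        else
            echo "group $grp (gid $gid): $user NOT in group"
        fi
    done
    return $status
}

# Usage: ./check_sudo_groups.sh <user> [sudoers-file]
if [ "$#" -gt 0 ]; then
    check_sudo_groups "$@"
fi
```

If the group resolves to a gid but the user's list lacks it, sudo will print exactly the "NOT in group" line from the thread, and the place to look is the sssd side of the membership: the domain log above records the group being stored but its member [testadmin] "was not found in cache", so sssd never attached that user to the group it handed to NSS.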