I've got a few dozen servers using SSSD to authenticate and retrieve sudo
rules stored in AD and GPO. Everything works perfectly except for a new
RHEL 6.8 server I brought up. sssd version 1.13.3 on both the working 6.8
and non-working 6.8 server. I literally copied the nsswitch, sssd.conf and
pam.d configs between the two just to make sure I didn't typo anything.
It authenticates fine and I can ssh into it, run id on accounts, and do getent on the
users and groups without a problem. But sudo fails. Looking at debug
logs, I see it retrieving the 3 sudo rules we have stored in AD; however,
it's complaining that there are no sub-attributes in the rules when there
clearly are. I'm guessing this is the source of my issues, but I have no
idea why it's not working only on this one server.
Any thoughts? Thanks!
(Thu Apr 5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Thu Apr 5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]]
[sdap_parse_entry] (0x1000): OriginalDN:
[CN=fullaccess,OU=sudoers,DC=internal,DC=ieeeglobalspec,DC=com].
(Thu Apr 5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]]
[sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Thu Apr 5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]]
[sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Thu Apr 5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]]
[sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged]
(Thu Apr 5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]]
[sdap_parse_range] (0x2000): No sub-attributes for [sudoCommand]
(Thu Apr 5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]]
[sdap_parse_range] (0x2000): No sub-attributes for [sudoUser]
(Thu Apr 5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]]
[sdap_parse_range] (0x2000): No sub-attributes for [sudoHost]
(Thu Apr 5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]]
[sdap_process_result] (0x2000): Trace: sh[0xd42dc0], connected[1],
ops[0xd677a0], ldap[0xd42800]
(Thu Apr 5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Thu Apr 5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]]
[sdap_parse_entry] (0x1000): OriginalDN:
[CN=DevTest,OU=sudoers,DC=internal,DC=ieeeglobalspec,DC=com].
(Thu Apr 5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]]
[sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Thu Apr 5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]]
[sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Thu Apr 5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]]
[sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged]
(Thu Apr 5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]]
[sdap_parse_range] (0x2000): No sub-attributes for [sudoRunAsUser]
(Thu Apr 5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]]
[sdap_parse_range] (0x2000): No sub-attributes for [sudoCommand]
(Thu Apr 5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]]
[sdap_parse_range] (0x2000): No sub-attributes for [sudoUser]
(Thu Apr 5 09:45:27 2018) [sssd[be[internal.ieeeglobalspec.com]]]
[sdap_parse_range] (0x2000): No sub-attributes for [sudoHost]
....
(Thu Apr 5 09:45:34 2018) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=a-mdiorio)(sudoUser=a-mdiorio)(sudoUser=#1002201106)(sudoUser=%Allowed\20RODC\20Password$
(Thu Apr 5 09:45:34 2018) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About
to get sudo rules from cache
(Thu Apr 5 09:45:34 2018) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Thu Apr 5 09:45:34 2018) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 0 rules for [<default options>@
internal.ieeeglobalspec.com]
(Thu Apr 5 09:45:34 2018) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'a-mdiorio' matched without domain, user is a-mdiorio
(Thu Apr 5 09:45:34 2018) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'a-mdiorio' matched without domain, user is a-mdiorio
(Thu Apr 5 09:45:34 2018) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting rules for [a-mdiorio] from [<ALL>]
(Thu Apr 5 09:45:34 2018) [sssd[sudo]] [sss_ncache_check_str] (0x2000):
Checking negative cache for [
NCE/USER/internal.ieeeglobalspec.com/a-mdiorio]
(Thu Apr 5 09:45:34 2018) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [a-mdiorio(a)internal.ieeeglobalspec.com]
(Thu Apr 5 09:45:34 2018) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [a-mdiorio(a)internal.ieeeglobalspec.com]
(Thu Apr 5 09:45:34 2018) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving rules for [a-mdiorio] from [
internal.ieeeglobalspec.com]
(Thu Apr 5 09:45:34 2018) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=a-mdiorio)(sudoUser=a-mdiorio)(sudoUser=#1002201106)(sudoUser=%Allowed\20RODC\20Password$
(Thu Apr 5 09:45:34 2018) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About
to get sudo rules from cache
(Thu Apr 5 09:45:34 2018) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=a-mdiorio)(sudoUser=a-mdiorio)(sudoUser=#1002201106)(sudoUser=%Allowed\20RODC\20Password\20Replication\$
(Thu Apr 5 09:45:34 2018) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 0 rules for [a-mdiorio(a)internal.ieeeglobalspec.com]