Hello,
Below are my configuration and errors :)
(I've adapted some strings for the sake of example - domain is not real)

cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam, ssh, sudo
debug_level = 0x7FFF
domains = LDAP_MY.COM

[sudo]
debug_level = 0x3ff0

[domain/LDAP_MY.COM]
debug_level = 0x3ff0
access_provider = ldap
id_provider = ldap
sudo_provider = ldap
ldap_uri = ldap://<IP>
ldap_default_bind_dn = <user>@my.com
ldap_default_authtok = <password>
ldap_sudo_search_base = OU=SUDOers,DC=my,DC=com

/etc/nsswitch.conf
...
sudoers: sss files
...

ldbsearch -H /var/lib/sss/db/cache_LDAP_MY.COM/ldb contains Microsoft AD records:

# record 2
dn: name=r2,cn=sudorules,cn=custom,cn=LDAP_MY.COM,cn=sysdb
cn: r2
dataExpireTimestamp: 1561891358
entryUSN: 245385
name: r2
objectClass: sudoRule
originalDN: CN=r2,OU=SUDOers,DC=my,DC=com
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoUser: Admin@my.com
distinguishedName: name=r2,cn=sudorules,cn=custom,cn=LDAP_MY.COM, cn=sysdb

The AD sudoRole is a sudoRule in the local SSSD DB cache.
But I'm getting this below when trying to test 'sudo -l' or 'sudo su':

[sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0 rules for [Admin@my.com@my.com]

from /var/log/sssd/sssd_sudo.log
Duplicate domain?
I can see the rules being updated in the SSSD cache file from Microsoft AD.
But I cannot use them, maybe because of some misconfiguration?

Setup for sudo logs: in /etc/sudo.conf I put down the following lines:
Debug sudo /var/log/sudo_debug all@debug
Debug sudoers.so /var/log/sudo_debug all@debug

From /var/log/sudo_debug I have this:
... user_in_group: user admin@my.com NOT in group sudo ...
Thx a lot!
Cheers!
On Sun, Jun 30, 2019 at 09:31:17AM -0000, Bruno Monteiro wrote:
> Hello,
> Below are my configuration and errors :)
> (I've adapted some strings for the sake of example - domain is not real)
>
> cat /etc/sssd/sssd.conf
> [sssd]
> services = nss, pam, ssh, sudo
> debug_level = 0x7FFF
> domains = LDAP_MY.COM
>
> [sudo]
> debug_level = 0x3ff0
>
> [domain/LDAP_MY.COM]
> debug_level = 0x3ff0
> access_provider = ldap
> id_provider = ldap
> sudo_provider = ldap
> ldap_uri = ldap://<IP>
> ldap_default_bind_dn = <user>@my.com
> ldap_default_authtok = <password>
> ldap_sudo_search_base = OU=SUDOers,DC=my,DC=com
>
> /etc/nsswitch.conf
> ...
> sudoers: sss files
> ...
>
> ldbsearch -H /var/lib/sss/db/cache_LDAP_MY.COM/ldb contains Microsoft AD records:
>
> # record 2
> dn: name=r2,cn=sudorules,cn=custom,cn=LDAP_MY.COM,cn=sysdb

The config snippet says the sudo search base is ou=sudoers, but the rule example is at cn=sudoers,cn=custom..

> cn: r2
> dataExpireTimestamp: 1561891358
> entryUSN: 245385
> name: r2
> objectClass: sudoRule
> originalDN: CN=r2,OU=SUDOers,DC=my,DC=com
> sudoCommand: ALL
> sudoHost: ALL
> sudoOption: !authenticate
> sudoUser: Admin@my.com
> distinguishedName: name=r2,cn=sudorules,cn=custom,cn=LDAP_MY.COM, cn=sysdb
>
> The AD sudoRole is a sudoRule in the local SSSD DB cache.
> But I'm getting this below when trying to test 'sudo -l' or 'sudo su':
>
> [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0 rules for [Admin@my.com@my.com]
>
> from /var/log/sssd/sssd_sudo.log
> Duplicate domain?

That's just a minor bug in the debug message (at one point we switched to using qualified names everywhere internally, but some debug messages were qualifying the names on their own..)

> I can see the rules being updated in the SSSD cache file from Microsoft AD.
> But I cannot use them, maybe because of some misconfiguration?

You're using the plain ldap sudo provider, but you're not using case_sensitive=false, so you need to make sure the case matches exactly; AD is case-insensitive, but Linux is case-sensitive.

Also, I'm not sure if the plain LDAP provider is able to match the name qualified with the domain name (Admin@my.com) in sudoUser or only the username (Admin).

Posting more context from the logs might be helpful as well.

> Setup for sudo logs: in /etc/sudo.conf I put down the following lines:
> Debug sudo /var/log/sudo_debug all@debug
> Debug sudoers.so /var/log/sudo_debug all@debug
>
> From /var/log/sudo_debug I have this:
> ... user_in_group: user admin@my.com NOT in group sudo ...
>
> Thx a lot!
> Cheers!

sssd-users mailing list -- sssd-users@lists.fedorahosted.org
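As an added diagnostic for the two points Jakub raises (exact-case matching of sudoUser unless case_sensitive = false, and whether the domain-qualified name is what ends up in the filter), here is a script that is not part of this thread or of SSSD: it pulls the sudoUser candidates out of a constructed sudosrv_query_cache log line, parses constructed ldbsearch records, and reports for each cached rule whether it would be returned and, if not, why. It assumes sysdb compares sudoUser values exactly, as Jakub describes; the rule names, user and group values are made up.

```python
import re
from typing import Dict, List, Tuple

# Constructed input (not real data): one sysdb query line in the shape the sudo
# responder writes to sssd_sudo.log, cut down to a few candidates, plus two
# cached rules in the shape ldbsearch prints them.
SUDO_LOG_LINE = (
    "[sudosrv_query_cache] (0x0200): Searching sysdb with "
    "[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=Admin@my.com)"
    "(sudoUser=#1979001109)(sudoUser=%Domain\\20Users@my.com)(sudoUser=+*)))]"
)

LDB_RECORDS = """\
# record 1
dn: name=r2,cn=sudorules,cn=custom,cn=LDAP_MY.COM,cn=sysdb
cn: r2
objectClass: sudoRule
sudoCommand: ALL
sudoHost: ALL
sudoUser: admin@my.com

# record 2
dn: name=r3,cn=sudorules,cn=custom,cn=LDAP_MY.COM,cn=sysdb
cn: r3
objectClass: sudoRule
sudoCommand: ALL
sudoHost: ALL
sudoUser: Admin
"""

_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")


def unescape_filter_value(value: str) -> str:
    """Undo RFC 4515 \\XX escaping (SSSD logs a space in a group name as \\20)."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def parse_filter_candidates(log_line: str) -> List[str]:
    """Every sudoUser value the responder is willing to accept for this user."""
    return [unescape_filter_value(v) for v in re.findall(r"\(sudoUser=([^()]*)\)", log_line)]


def parse_ldb_records(text: str) -> List[Dict[str, List[str]]]:
    """Parse ldbsearch output into one {attribute: [values]} dict per record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs: Dict[str, List[str]] = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue            # '# record N' banner or continuation noise
            key, value = line.split(": ", 1)
            attrs.setdefault(key, []).append(value)
        if attrs:
            records.append(attrs)
    return records


def candidate_matches(rule_user: str, candidate: str, case_sensitive: bool) -> bool:
    """Compare one cached sudoUser value with one candidate from the filter."""
    if candidate == "+*":           # netgroup wildcard: any +netgroup rule qualifies
        return rule_user.startswith("+")
    if case_sensitive:              # the exact match Jakub says the plain provider needs
        return rule_user == candidate
    return rule_user.casefold() == candidate.casefold()


def diagnose_rule(rule: Dict[str, List[str]], candidates: List[str]) -> Tuple[str, str]:
    """Return (rule name, verdict) explaining why sysdb would or would not return it."""
    name = rule.get("cn", ["?"])[0]
    users = rule.get("sudoUser", [])
    if any(candidate_matches(u, c, True) for u in users for c in candidates):
        return name, "matches"
    if any(candidate_matches(u, c, False) for u in users for c in candidates):
        return name, "case mismatch only (would match with case_sensitive = false)"
    # A bare user name never appears in the filter: the responder qualifies it with the domain.
    unqualified = [u for u in users if "@" not in u and u[:1] not in ("%", "#", "+") and u != "ALL"]
    if unqualified:
        return name, "sudoUser %r is not domain-qualified; the filter only lists user@domain" % unqualified[0]
    return name, "no candidate matches sudoUser %r" % users


def diagnose_all(ldb_text: str, log_line: str) -> Dict[str, str]:
    """Map each cached rule name to its verdict for the user behind log_line."""
    candidates = parse_filter_candidates(log_line)
    return dict(diagnose_rule(r, candidates) for r in parse_ldb_records(ldb_text))


if __name__ == "__main__":
    for rule_name, verdict in diagnose_all(LDB_RECORDS, SUDO_LOG_LINE).items():
        print(f"{rule_name}: {verdict}")
```

To run it against a real host, paste the "Searching sysdb with [...]" line from sssd_sudo.log into SUDO_LOG_LINE and the ldbsearch output of the sudorules subtree into LDB_RECORDS.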
Hi Jakub,
Thx for the suggestions!
Here are more logs:
NOTE: xxxx-xxxx or xxxx replaces the original name.
/var/log/sssd/sssd_sudo.log
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_get_rules_send] (0x0400): Running initgroups for [admin@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_set_plugin] (0x2000): CR #8: Setting "Initgroups by name" plugin
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_send] (0x0400): CR #8: New request 'Initgroups by name'
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_process_input] (0x0400): CR #8: Parsing input name [admin@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'admin@awsad.xxxx-xxxx.com' matched expression for domain 'awsad.xxxx-xxxx.com', user is admin
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_set_name] (0x0400): CR #8: Setting name [admin]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_select_domains] (0x0400): CR #8: Performing a single domain search
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_domain_get_state] (0x1000): Domain awsad.xxxx-xxxx.com is Active
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_domains] (0x0400): CR #8: Search will check the cache and check the data provider
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain awsad.xxxx-xxxx.com type POSIX is valid
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_set_domain] (0x0400): CR #8: Using domain [awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_prepare_domain_data] (0x0400): CR #8: Preparing input data for domain [awsad.xxxx-xxxx.com] rules
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_send] (0x0400): CR #8: Looking up admin@awsad.xxxx-xxxx.com
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_ncache] (0x0400): CR #8: Checking negative cache for [admin@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/awsad.xxxx-xxxx.com/admin@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_ncache] (0x0400): CR #8: [admin@awsad.xxxx-xxxx.com] is not present in negative cache
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_cache] (0x0400): CR #8: Looking up [admin@awsad.xxxx-xxxx.com] in cache
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_send] (0x0400): CR #8: Object found, but needs to be refreshed.
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_dp] (0x0400): CR #8: Looking up [admin@awsad.xxxx-xxxx.com] in data provider
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x55c2341d5360:3:admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_get_account_msg] (0x0400): Creating request for [awsad.xxxx-xxxx.com][0x3][BE_REQ_INITGROUPS][name=admin@awsad.xxxx-xxxx.com:-]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sbus_add_timeout] (0x2000): 0x55c2362f3a70
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x55c2341d5360:3:admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x55c2362f3a70
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_common_dp_recv] (0x0040): CR #8: Data Provider Error: 3, 5, Failed to get reply from Data Provider
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_common_dp_recv] (0x0400): CR #8: Due to an error we will return cached data
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_cache] (0x0400): CR #8: Looking up [admin@awsad.xxxx-xxxx.com] in cache
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_ncache_filter] (0x0400): CR #8: This request type does not support filtering result by negative cache
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_done] (0x0400): CR #8: Returning updated object [admin@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_create_and_add_result] (0x0400): CR #8: Found 24 entries in domain awsad.xxxx-xxxx.com
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x55c2341d5360:3:admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_done] (0x0400): CR #8: Finished: Success
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sysdb_get_sudo_user_info] (0x0400): original name: Admin@awsad.xxxx-xxxx.com
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(dataExpireTimestamp<=1561969502)(|(name=defaults)(sudoUser=ALL)(sudoUser=Admin@awsad.xxxx-xxxx.com)(sudoUser=#1979001109)(sudoUser=%Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Account\20Operators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Active\20Directory\20Based\20Activation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Deleted\20Object\20Lifetime\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Distributed\20File\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Dynamic\20Host\20Configuration\20Protocol\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Enterprise\20Certificate\20Authority\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Fine\20Grained\20Password\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Group\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Managed\20Service\20Account\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Remote\20Access\20Service\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Replicate\20Directory\20Changes\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Sites\20and\20Services\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20System\20Management\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Terminal\20Server\20Licensing\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20User\20Principal\20Name\20Suffix\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Add\20Workstations\20To\20Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%DnsAdmins@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Domain\20Name\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Kerberos\20Delegation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Server\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%TESTS@awsad.xxxx-xxxx.com)(sudoUser=%Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=+*)))]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_refresh_rules_send] (0x0400): No expired rules were found for [Admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com].
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Retrieving default options for [Admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(name=defaults))]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0 default options for [Admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_build_response] (0x2000): error: [0]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_build_response] (0x2000): rules_num: [0]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_get_rules_send] (0x0400): Running initgroups for [admin@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_set_plugin] (0x2000): CR #9: Setting "Initgroups by name" plugin
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_send] (0x0400): CR #9: New request 'Initgroups by name'
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_process_input] (0x0400): CR #9: Parsing input name [admin@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'admin@awsad.xxxx-xxxx.com' matched expression for domain 'awsad.xxxx-xxxx.com', user is admin
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_set_name] (0x0400): CR #9: Setting name [admin]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_select_domains] (0x0400): CR #9: Performing a single domain search
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_domain_get_state] (0x1000): Domain awsad.xxxx-xxxx.com is Active
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_domains] (0x0400): CR #9: Search will check the cache and check the data provider
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain awsad.xxxx-xxxx.com type POSIX is valid
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_set_domain] (0x0400): CR #9: Using domain [awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_prepare_domain_data] (0x0400): CR #9: Preparing input data for domain [awsad.xxxx-xxxx.com] rules
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_send] (0x0400): CR #9: Looking up admin@awsad.xxxx-xxxx.com
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_ncache] (0x0400): CR #9: Checking negative cache for [admin@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/awsad.xxxx-xxxx.com/admin@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_ncache] (0x0400): CR #9: [admin@awsad.xxxx-xxxx.com] is not present in negative cache
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_cache] (0x0400): CR #9: Looking up [admin@awsad.xxxx-xxxx.com] in cache
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_send] (0x0400): CR #9: Object found, but needs to be refreshed.
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_dp] (0x0400): CR #9: Looking up [admin@awsad.xxxx-xxxx.com] in data provider
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x55c2341d5360:3:admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_get_account_msg] (0x0400): Creating request for [awsad.xxxx-xxxx.com][0x3][BE_REQ_INITGROUPS][name=admin@awsad.xxxx-xxxx.com:-]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sbus_add_timeout] (0x2000): 0x55c236313f70
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x55c2341d5360:3:admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x55c236313f70
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_common_dp_recv] (0x0040): CR #9: Data Provider Error: 3, 5, Failed to get reply from Data Provider
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_common_dp_recv] (0x0400): CR #9: Due to an error we will return cached data
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_cache] (0x0400): CR #9: Looking up [admin@awsad.xxxx-xxxx.com] in cache
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_ncache_filter] (0x0400): CR #9: This request type does not support filtering result by negative cache
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_done] (0x0400): CR #9: Returning updated object [admin@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_create_and_add_result] (0x0400): CR #9: Found 24 entries in domain awsad.xxxx-xxxx.com
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x55c2341d5360:3:admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_done] (0x0400): CR #9: Finished: Success
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sysdb_get_sudo_user_info] (0x0400): original name: Admin@awsad.xxxx-xxxx.com
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(dataExpireTimestamp<=1561969502)(|(name=defaults)(sudoUser=ALL)(sudoUser=Admin@awsad.xxxx-xxxx.com)(sudoUser=#1979001109)(sudoUser=%Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Account\20Operators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Active\20Directory\20Based\20Activation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Deleted\20Object\20Lifetime\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Distributed\20File\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Dynamic\20Host\20Configuration\20Protocol\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Enterprise\20Certificate\20Authority\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Fine\20Grained\20Password\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Group\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Managed\20Service\20Account\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Remote\20Access\20Service\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Replicate\20Directory\20Changes\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Sites\20and\20Services\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20System\20Management\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Terminal\20Server\20Licensing\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20User\20Principal\20Name\20Suffix\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Add\20Workstations\20To\20Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%DnsAdmins@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Domain\20Name\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Kerberos\20Delegation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Server\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%TESTS@awsad.xxxx-xxxx.com)(sudoUser=%Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=+*)))]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_refresh_rules_send] (0x0400): No expired rules were found for [Admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com].
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Retrieving rules for [Admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=Admin@awsad.xxxx-xxxx.com)(sudoUser=#1979001109)(sudoUser=%Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Account\20Operators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Active\20Directory\20Based\20Activation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Deleted\20Object\20Lifetime\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Distributed\20File\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Dynamic\20Host\20Configuration\20Protocol\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Enterprise\20Certificate\20Authority\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Fine\20Grained\20Password\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Group\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Managed\20Service\20Account\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Remote\20Access\20Service\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Replicate\20Directory\20Changes\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Sites\20and\20Services\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20System\20Management\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Terminal\20Server\20Licensing\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20User\20Principal\20Name\20Suffix\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Add\20Workstations\20To\20Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%DnsAdmins@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Domain\20Name\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Kerberos\20Delegation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Server\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%TESTS@awsad.xxxx-xxxx.com)(sudoUser=%Domain\20Users@awsad.xxxx-xxxx.com)))]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_cached_rules_by_user] (0x0400): Replacing sudoUser attribute with sudoUser: #1979001109
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(sudoUser=+*)(!(|(sudoUser=ALL)(sudoUser=Admin@awsad.xxxx-xxxx.com)(sudoUser=#1979001109)(sudoUser=%Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Account\20Operators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Active\20Directory\20Based\20Activation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Deleted\20Object\20Lifetime\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Distributed\20File\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Dynamic\20Host\20Configuration\20Protocol\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Enterprise\20Certificate\20Authority\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Fine\20Grained\20Password\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Group\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Managed\20Service\20Account\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Remote\20Access\20Service\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Replicate\20Directory\20Changes\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Sites\20and\20Services\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20System\20Management\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Terminal\20Server\20Licensing\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20User\20Principal\20Name\20Suffix\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Add\20Workstations\20To\20Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%DnsAdmins@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Domain\20Name\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Kerberos\20Delegation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Server\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%TESTS@awsad.xxxx-xxxx.com)(sudoUser=%Domain\20Users@awsad.xxxx-xxxx.com))))]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0 rules for [Admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_build_response] (0x2000): error: [0]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_build_response] (0x2000): rules_num: [0]
/var/log/sssd/sssd_LDAP_AWSAD.XXXX-XXXX.COM.log

(Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_sudo_store_rule] (0x0400): Adding sudo rule %TESTS@awsad.xxxx-xxxx.com
(Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_sudo_store_rule] (0x0400): Adding sudo rule r3
(Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_sudo_store_rule] (0x0400): Adding sudo rule defaults
(Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_sudo_refresh_done] (0x0400): Sudoers is successfully stored in cache
(Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_sudo_set_usn] (0x0200): SUDO higher USN value: [245544]
(Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_sudo_full_refresh_done] (0x0400): Successful full refresh of sudo rules
(Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [be_ptask_done] (0x0400): Task [SUDO Full Refresh]: finished successfully
(Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [be_ptask_schedule] (0x0400): Task [SUDO Full Refresh]: scheduling task 21600 seconds from last execution time [1561990778]
(Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[(nil)], ldap[0x55f8831bc530]
(Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=ubuntu@ldap_awsad.xxxx-xxxx.com]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sss_domain_get_state] (0x1000): Domain LDAP_AWSAD.xxxx-xxxx.COM is Active
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_attach_req] (0x0400): DP Request [Initgroups #5]: New request. Flags [0x0001].
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sss_domain_get_state] (0x1000): Domain LDAP_AWSAD.xxxx-xxxx.COM is Active
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [DC=awsad,DC=xxxx-xxxx,DC=com]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_print_server] (0x2000): Searching 10.80.100.196:389
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=ubuntu)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][DC=awsad,DC=xxxx-xxxx,DC=com].
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [rhost]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sshPublicKey]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [mail]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_op_add] (0x2000): New operation 15 timeout 6
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbbe0], ldap[0x55f8831bc530]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://ForestDnsZones.awsad.xxxx-xxxx.com/DC=ForestDnsZones,DC=awsad,DC=xxxx-xxxx,DC=com] with fd [23].
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://DomainDnsZones.awsad.xxxx-xxxx.com/DC=DomainDnsZones,DC=awsad,DC=xxxx-xxxx,DC=com] with fd [24].
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://awsad.xxxx-xxxx.com/CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com] with fd [25].
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_rebind_proc] (0x1000): Successfully bind to [ldap://awsad.xxxx-xxxx.com/CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com].
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_rebind_proc] (0x1000): Successfully bind to [ldap://DomainDnsZones.awsad.xxxx-xxxx.com/DC=DomainDnsZones,DC=awsad,DC=xxxx-xxxx,DC=com].
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_rebind_proc] (0x1000): Successfully bind to [ldap://ForestDnsZones.awsad.xxxx-xxxx.com/DC=ForestDnsZones,DC=awsad,DC=xxxx-xxxx,DC=com].
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://ForestDnsZones.awsad.xxxx-xxxx.com/DC=ForestDnsZones,DC=awsad,DC=xxxx-xxxx,DC=com
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbbe0], ldap[0x55f8831bc530]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://awsad.xxxx-xxxx.com/CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbbe0], ldap[0x55f8831bc530]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://DomainDnsZones.awsad.xxxx-xxxx.com/DC=DomainDnsZones,DC=awsad,DC=xxxx-xxxx,DC=com
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbbe0], ldap[0x55f8831bc530]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbbe0], ldap[0x55f8831bc530]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://awsad.xxxx-xxxx.com/CN=Schema,CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbbe0], ldap[0x55f8831bc530]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbbe0], ldap[0x55f8831bc530]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_op_destructor] (0x2000): Operation 15 finished
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [ubuntu@ldap_awsad.xxxx-xxxx.com] found.
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_search_object_attr] (0x0400): No such entry.
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_get_real_name] (0x0040): Cannot find user [ubuntu@ldap_awsad.xxxx-xxxx.com] in cache
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [ubuntu@ldap_awsad.xxxx-xxxx.com] [2]: No such file or directory.
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_search_by_name] (0x0400): No such entry (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_cache_search_groups] (0x2000): Search groups with filter: (&(objectCategory=group)(ghost=ubuntu@ldap_awsad.xxxx-xxxx.com)) (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_cache_search_groups] (0x2000): No such entry (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_done] (0x0400): DP Request [Initgroups #5]: Request handler finished [0]: Success (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [_dp_req_recv] (0x0400): DP Request [Initgroups #5]: Receiving request data. (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_reply_list_success] (0x0400): DP Request [Initgroups #5]: Finished. Success. (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_reply_std] (0x1000): DP Request [Initgroups #5]: Returning [Success]: 0,0,Success (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::LDAP_AWSAD.xxxx-xxxx.COM:name=ubuntu@ldap_awsad.xxxx-xxxx.com] from reply table (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_destructor] (0x0400): DP Request [Initgroups #5]: Request removed. 
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_destructor] (0x0400): Number of active DP request: 0 (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[(nil)], ldap[0x55f8831bc530] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=ubuntu@ldap_awsad.xxxx-xxxx.com] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sss_domain_get_state] (0x1000): Domain LDAP_AWSAD.xxxx-xxxx.COM is Active (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_attach_req] (0x0400): DP Request [Initgroups #6]: New request. Flags [0x0001]. (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_attach_req] (0x0400): Number of active DP request: 1 (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sss_domain_get_state] (0x1000): Domain LDAP_AWSAD.xxxx-xxxx.COM is Active (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [DC=awsad,DC=xxxx-xxxx,DC=com] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_print_server] (0x2000): Searching 10.80.100.196:389 (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=ubuntu)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][DC=awsad,DC=xxxx-xxxx,DC=com]. 
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Mon Jul 1 08:20:09 
2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [rhost] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: 
[loginExpirationTime] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sshPublicKey] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [mail] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 26 (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_op_add] (0x2000): New operation 26 timeout 6 (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbd60], ldap[0x55f8831bc530] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://ForestDnsZones.awsad.xxxx-xxxx.com/DC=ForestDnsZones,DC=awsad,DC=xxxx-xxxx,DC=com] with fd [23]. (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://DomainDnsZones.awsad.xxxx-xxxx.com/DC=DomainDnsZones,DC=awsad,DC=xxxx-xxxx,DC=com] with fd [24]. (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://awsad.xxxx-xxxx.com/CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com] with fd [25]. (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_rebind_proc] (0x1000): Successfully bind to [ldap://awsad.xxxx-xxxx.com/CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com]. 
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_rebind_proc] (0x1000): Successfully bind to [ldap://DomainDnsZones.awsad.xxxx-xxxx.com/DC=DomainDnsZones,DC=awsad,DC=xxxx-xxxx,DC=com]. (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_rebind_proc] (0x1000): Successfully bind to [ldap://ForestDnsZones.awsad.xxxx-xxxx.com/DC=ForestDnsZones,DC=awsad,DC=xxxx-xxxx,DC=com]. (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://ForestDnsZones.awsad.xxxx-xxxx.com/DC=ForestDnsZones,DC=awsad,DC=xxxx-xxxx,DC=com (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbd60], ldap[0x55f8831bc530] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://awsad.xxxx-xxxx.com/CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbd60], ldap[0x55f8831bc530] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://DomainDnsZones.awsad.xxxx-xxxx.com/DC=DomainDnsZones,DC=awsad,DC=xxxx-xxxx,DC=com (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbd60], ldap[0x55f8831bc530] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbd60], ldap[0x55f8831bc530] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] 
[sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://awsad.xxxx-xxxx.com/CN=Schema,CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbd60], ldap[0x55f8831bc530] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbd60], ldap[0x55f8831bc530] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_op_destructor] (0x2000): Operation 26 finished (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [ubuntu@ldap_awsad.xxxx-xxxx.com] found. (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_search_object_attr] (0x0400): No such entry. (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_get_real_name] (0x0040): Cannot find user [ubuntu@ldap_awsad.xxxx-xxxx.com] in cache (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [ubuntu@ldap_awsad.xxxx-xxxx.com] [2]: No such file or directory. 
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_search_by_name] (0x0400): No such entry (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_cache_search_groups] (0x2000): Search groups with filter: (&(objectCategory=group)(ghost=ubuntu@ldap_awsad.xxxx-xxxx.com)) (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_cache_search_groups] (0x2000): No such entry (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_done] (0x0400): DP Request [Initgroups #6]: Request handler finished [0]: Success (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [_dp_req_recv] (0x0400): DP Request [Initgroups #6]: Receiving request data. (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_reply_list_success] (0x0400): DP Request [Initgroups #6]: Finished. Success. (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_reply_std] (0x1000): DP Request [Initgroups #6]: Returning [Success]: 0,0,Success (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::LDAP_AWSAD.xxxx-xxxx.COM:name=ubuntu@ldap_awsad.xxxx-xxxx.com] from reply table (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_destructor] (0x0400): DP Request [Initgroups #6]: Request removed. (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_destructor] (0x0400): Number of active DP request: 0 (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[(nil)], ldap[0x55f8831bc530] (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
ldbsearch -H /var/lib/sss/db/cache_LDAP_AWSAD.XXXX-XXXX.COM.ldb
asq: Unable to register control with rootdse!
# record 1
dn: cn=users,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: Users
distinguishedName: cn=users,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb

# record 2
dn: name=r2,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: r2
dataExpireTimestamp: 1561974578
entryUSN: 245385
name: r2
objectClass: sudoRule
originalDN: CN=r2,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoUser: Admin@awsad.xxxx-xxxx.com
sudoUser: admin@awsad.xxxx-xxxx.com
distinguishedName: name=r2,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb

# record 3
dn: cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: LDAP_AWSAD.xxxx-xxxx.COM
distinguishedName: cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb

# record 4
dn: name=defaults,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: defaults
dataExpireTimestamp: 1561974578
entryUSN: 245543
name: defaults
objectClass: sudoRule
originalDN: CN=defaults,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoUser: ALL
sudoUser: all
distinguishedName: name=defaults,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb

# record 5
dn: name=%TESTS@awsad.xxxx-xxxx.com,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: %TESTS@awsad.xxxx-xxxx.com
dataExpireTimestamp: 1561974578
entryUSN: 245477
name: %TESTS@awsad.xxxx-xxxx.com
objectClass: sudoRule
originalDN: CN=%TESTS@awsad.xxxx-xxxx.com,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoUser: %TESTS@awsad.xxxx-xxxx.com
sudoUser: %tests@awsad.xxxx-xxxx.com
distinguishedName: name=%TESTS@awsad.xxxx-xxxx.com,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb

# record 6
dn: cn=ranges,cn=sysdb
cn: ranges
distinguishedName: cn=ranges,cn=sysdb

# record 7
dn: name=r3,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: r3
dataExpireTimestamp: 1561974578
entryUSN: 245509
name: r3
objectClass: sudoRule
originalDN: CN=r3,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
sudoCommand: ALL
sudoHost: ALL
sudoOption: ALL
sudoUser: Admin@ldap_awsad.xxxx-xxxx.com
sudoUser: admin@ldap_awsad.xxxx-xxxx.com
distinguishedName: name=r3,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb

# record 8
dn: cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: sudorules
sudoLastFullRefreshTime: 1561969178
distinguishedName: cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb

# record 9
dn: cn=sysdb
cn: sysdb
description: base object
version: 0.20
distinguishedName: cn=sysdb

# record 10
dn: cn=groups,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: Groups
distinguishedName: cn=groups,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb

# record 11
dn: name=r1,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: r1
dataExpireTimestamp: 1561974578
entryUSN: 245304
name: r1
objectClass: sudoRule
originalDN: CN=r1,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoUser: ubuntu@ldap_awsad.xxxx-xxxx.com
distinguishedName: name=r1,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
# returned 11 records
# 11 entries
# 0 referrals
/etc/sssd/sssd.conf
[sssd]
services = nss, pam,ssh, sudo
debug_level = 0x7FFF
domains = awsad.xxxx-xxxx.com, aws.dfdp.com, LDAP_AWSAD.xxxx-xxxx.COM

[sudo]
debug_level = 0x3ff0

[domain/LDAP_AWSAD.xxxx-xxxx.COM]
case_sensitive=false
debug_level = 0x3ff0
access_provider = ldap
id_provider = ldap
sudo_provider = ldap
ldap_uri = ldap://xxx.xxx.xxx.xxx
ldap_default_bind_dn = account@awsad.xxxx-xxxx.com
ldap_default_authtok = xxxxxxxxx
ldap_sudo_search_base = OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com

[domain/awsad.xxxx-xxxx.com]
debug_level = 0x0200
id_provider = ad
access_provider = ad
enumerate = true
subdomain_enumerate = all
ad_domain = AWSAD.xxxx-xxxx.COM
krb5_realm = AWSAD.xxxx-xxxx.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u

[domain/aws.xxxx.com]
debug_level = 0x0200
id_provider = ad
access_provider = ad
enumerate = true
ad_domain = AWS.xxxx.COM
krb5_realm = AWS.xxxx.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u

[domain/ad.xxxx.com]
debug_level = 0x0200
id_provider = ad
access_provider = ad
ad_server = xxx.ad.xxxx.com
ad_server_backup = xxx.ad.xxxx.com
enumerate = true
ad_domain = AD.XXXX.COM
krb5_realm = AD.XXXX.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
/etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat systemd sss
group:          compat systemd sss
shadow:         compat sss
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        sss files
Windows AD using the SUDO schema (imported).
Only 1 entry from MS AD for the sake of example:
PS C:\Windows\system32> Get-ADObject -Identity "CN=r2,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com" -Property *
CanonicalName                   : awsad.xxxx-xxxx.com/awsad/SUDOers/r2
CN                              : r2
Created                         : 6/30/2019 8:59:46 AM
createTimeStamp                 : 6/30/2019 8:59:46 AM
Deleted                         :
Description                     :
DisplayName                     :
DistinguishedName               : CN=r2,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
dSCorePropagationData           : {1/1/1601 12:00:00 AM}
instanceType                    : 4
isDeleted                       :
LastKnownParent                 :
Modified                        : 6/30/2019 8:59:56 AM
modifyTimeStamp                 : 6/30/2019 8:59:56 AM
Name                            : r2
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  : CN=sudoRole,CN=Schema,CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com
ObjectClass                     : sudoRole
ObjectGUID                      : 9b660613-94f8-4f58-86bc-21e813027fbf
ProtectedFromAccidentalDeletion : False
sDRightsEffective               : 7
sudoCommand                     : {ALL}
sudoHost                        : {ALL}
sudoOption                      : {!authenticate}
sudoUser                        : {Admin@awsad.xxxx-xxxx.com}
uSNChanged                      : 245385
uSNCreated                      : 245385
whenChanged                     : 6/30/2019 8:59:56 AM
whenCreated                     : 6/30/2019 8:59:46 AM
PS C:\Windows\system32>
Thx a lot! and Cheers!
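The lookup that sssd_sudo.log records, modelled as an added example (not SSSD's own code): it rebuilds the sysdb filter from the user's name, uid and groups and evaluates it against rules constructed from the ldbsearch dump. It assumes the responder only searches the cn=sudorules container of the domain the user was resolved in ("Using domain [awsad.xxxx-xxxx.com]" in the log); under that assumption the rules cached under LDAP_AWSAD.xxxx-xxxx.COM never come into view, reproducing the "Returning 0 rules" symptom.

```python
"""Model of the sudo responder's rule lookup as seen in sssd_sudo.log.
Added example, not SSSD code. Rules are constructed from the ldbsearch
dump in this thread; restricting the search to the container of the domain
the user was resolved in is an assumption drawn from the "Using domain"
log line and the cn=sudorules,cn=custom,cn=<domain>,cn=sysdb DN layout."""
from __future__ import annotations

from dataclasses import dataclass, field

SUDO_DOMAIN = "LDAP_AWSAD.xxxx-xxxx.COM"  # sudo_provider = ldap; holds the rules
AD_DOMAIN = "awsad.xxxx-xxxx.com"         # id_provider = ad; no sudo_provider


def ldap_escape(value: str) -> str:
    """Escape a filter value the way the logged filter shows it: RFC 4515
    specials plus the space, hence %Domain\\20Users in sssd_sudo.log."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00 " else c for c in value)


@dataclass
class SudoRule:
    name: str
    domain: str               # domain whose cn=sudorules container holds it
    sudo_user: list[str]      # every stored value (case_sensitive=false adds a lowercased copy)
    data_expire: int          # dataExpireTimestamp from the cache
    sudo_option: list[str] = field(default_factory=list)


@dataclass
class ResolvedUser:
    name: str                 # "original name" as the responder logs it
    domain: str               # domain the initgroups lookup resolved it in
    uid: int
    groups: list[str] = field(default_factory=list)


def build_sysdb_filter(user: ResolvedUser, now: int, only_expired: bool) -> str:
    """Reproduce the filter string from the log. The dataExpireTimestamp<=now
    clause picks out cached rules that have expired and need a refresh; the
    query for the rules handed to sudo (assumed here to be a separate pass)
    carries no expiry clause."""
    terms = ["(name=defaults)", "(sudoUser=ALL)",
             f"(sudoUser={ldap_escape(user.name)})", f"(sudoUser=#{user.uid})"]
    terms += [f"(sudoUser=%{ldap_escape(g)})" for g in user.groups]
    expiry = f"(dataExpireTimestamp<={now})" if only_expired else ""
    return f"(&(objectClass=sudoRule){expiry}(|{''.join(terms)}))"


def rules_for_user(cache: list[SudoRule], user: ResolvedUser, now: int,
                   only_expired: bool = False) -> list[str]:
    """Evaluate that filter against the cache, restricted to the container
    of the user's own domain; returns the names of the matching rules."""
    wanted = {"ALL", user.name, f"#{user.uid}"} | {f"%{g}" for g in user.groups}
    hits = []
    for rule in cache:
        if rule.domain != user.domain:
            continue          # another domain's container is never searched
        if only_expired and rule.data_expire > now:
            continue
        if rule.name == "defaults" or wanted & set(rule.sudo_user):
            hits.append(rule.name)
    return hits


def domains_naming_user(cache: list[SudoRule], user: ResolvedUser) -> set[str]:
    """Domains whose containers hold a rule naming this user, regardless of
    where the user was resolved: the check that exposes a split like this."""
    wanted = {user.name, f"#{user.uid}"} | {f"%{g}" for g in user.groups}
    return {r.domain for r in cache if wanted & set(r.sudo_user)}


# Constructed from the ldbsearch records; every rule sits in SUDO_DOMAIN.
CACHE = [
    SudoRule("r2", SUDO_DOMAIN, ["Admin@awsad.xxxx-xxxx.com",
                                 "admin@awsad.xxxx-xxxx.com"], 1561974578, ["!authenticate"]),
    SudoRule("defaults", SUDO_DOMAIN, ["ALL", "all"], 1561974578, ["!authenticate"]),
    SudoRule("%TESTS@awsad.xxxx-xxxx.com", SUDO_DOMAIN, ["%TESTS@awsad.xxxx-xxxx.com",
                                                         "%tests@awsad.xxxx-xxxx.com"], 1561974578, ["!authenticate"]),
    SudoRule("r3", SUDO_DOMAIN, ["Admin@ldap_awsad.xxxx-xxxx.com",
                                 "admin@ldap_awsad.xxxx-xxxx.com"], 1561974578, ["ALL"]),
    SudoRule("r1", SUDO_DOMAIN, ["ubuntu@ldap_awsad.xxxx-xxxx.com"], 1561974578, ["!authenticate"]),
]

# The user as the log resolved it: name, uid and first group taken from the
# logged filter, domain from "Using domain [awsad.xxxx-xxxx.com]".
ADMIN_IN_AD = ResolvedUser("Admin@awsad.xxxx-xxxx.com", AD_DOMAIN, 1979001109,
                           ["Domain Users@awsad.xxxx-xxxx.com"])
# Same identity, had it been resolved in the domain that caches the rules.
ADMIN_IN_SUDO_DOMAIN = ResolvedUser(ADMIN_IN_AD.name, SUDO_DOMAIN,
                                    ADMIN_IN_AD.uid, ADMIN_IN_AD.groups)

if __name__ == "__main__":
    now = 1561969502          # the timestamp inside the logged filter
    print(build_sysdb_filter(ADMIN_IN_AD, now, only_expired=True))
    print("rules in the user's domain:", rules_for_user(CACHE, ADMIN_IN_AD, now))
    print("domains whose rules name the user:", domains_naming_user(CACHE, ADMIN_IN_AD))
    print("if resolved in the sudo domain:", rules_for_user(CACHE, ADMIN_IN_SUDO_DOMAIN, now))
```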
On Mon, Jul 01, 2019 at 09:09:24AM -0000, B M wrote:
Hi Jakub,
Thx for the suggestions!
Here more logs:
NOTE: Replaced xxxx-xxxx or xxxx from the original name.
/var/log/sssd/sssd_sudo.log
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_get_rules_send] (0x0400): Running initgroups for [admin@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_set_plugin] (0x2000): CR #8: Setting "Initgroups by name" plugin
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_send] (0x0400): CR #8: New request 'Initgroups by name'
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_process_input] (0x0400): CR #8: Parsing input name [admin@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'admin@awsad.xxxx-xxxx.com' matched expression for domain 'awsad.xxxx-xxxx.com', user is admin
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_set_name] (0x0400): CR #8: Setting name [admin]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_select_domains] (0x0400): CR #8: Performing a single domain search
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_domain_get_state] (0x1000): Domain awsad.xxxx-xxxx.com is Active
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_domains] (0x0400): CR #8: Search will check the cache and check the data provider
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain awsad.xxxx-xxxx.com type POSIX is valid
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_set_domain] (0x0400): CR #8: Using domain [awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_prepare_domain_data] (0x0400): CR #8: Preparing input data for domain [awsad.xxxx-xxxx.com] rules
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_send] (0x0400): CR #8: Looking up admin@awsad.xxxx-xxxx.com
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_ncache] (0x0400): CR #8: Checking negative cache for [admin@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/awsad.xxxx-xxxx.com/admin@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_ncache] (0x0400): CR #8: [admin@awsad.xxxx-xxxx.com] is not present in negative cache
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_cache] (0x0400): CR #8: Looking up [admin@awsad.xxxx-xxxx.com] in cache
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_send] (0x0400): CR #8: Object found, but needs to be refreshed.
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_dp] (0x0400): CR #8: Looking up [admin@awsad.xxxx-xxxx.com] in data provider
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x55c2341d5360:3:admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_get_account_msg] (0x0400): Creating request for [awsad.xxxx-xxxx.com][0x3][BE_REQ_INITGROUPS][name=admin@awsad.xxxx-xxxx.com:-]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sbus_add_timeout] (0x2000): 0x55c2362f3a70
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x55c2341d5360:3:admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x55c2362f3a70
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
You'll want to fix this first. Unless sssd can stay online at least for the duration of the test, the logs won't be as useful.
The way I usually debug these issues is to find the first occurrence of "Going offline" or "Marking port XYZ as NOT_WORKING" in the log and then look a couple of lines before.
See inline.
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_common_dp_recv] (0x0040): CR #8: Data Provider Error: 3, 5, Failed to get reply from Data Provider (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_common_dp_recv] (0x0400): CR #8: Due to an error we will return cached data (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_cache] (0x0400): CR #8: Looking up [admin@awsad.xxxx-xxxx.com] in cache (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_ncache_filter] (0x0400): CR #8: This request type does not support filtering result by negative cache (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_done] (0x0400): CR #8: Returning updated object [admin@awsad.xxxx-xxxx.com] (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_create_and_add_result] (0x0400): CR #8: Found 24 entries in domain awsad.xxxx-xxxx.com (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x55c2341d5360:3:admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com] (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_done] (0x0400): CR #8: Finished: Success (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sysdb_get_sudo_user_info] (0x0400): original name: Admin@awsad.xxxx-xxxx.com (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb with 
[(&(objectClass=sudoRule)(dataExpireTimestamp<=1561969502)(|(name=defaults)(sudoUser=ALL)(sudoUser=Admin@awsad.xxxx-xxxx.com)(sudoUser=#1979001109)(sudoUser=%Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Account\20Operators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Active\20Directory\20Based\20Activation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Deleted\20Object\20Lifetime\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Distributed\20File\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Dynamic\20Host\20Configuration\20Protocol\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Enterprise\20Certificate\20Authority\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Fine\20Grained\20Password\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Group\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Managed\20Service\20Account\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Remote\20Access\20Service\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Replicate\20Directory\20Changes\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Sites\20and\20Services\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20System\20Management\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Terminal\20Server\20Licensing\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20User\20Principal\20Name\20Suffix\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Add\20Workstations\20To\20Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%DnsAdmins@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Domain\20Name\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Kerberos\20Delegation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegate
d\20Server\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%TESTS@awsad.xxxx-xxxx.com)(sudoUser=%Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=+*)))] (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_refresh_rules_send] (0x0400): No expired rules were found for [Admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com]. (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Retrieving default options for [Admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com] (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(name=defaults))] (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0 default options for [Admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com] (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_build_response] (0x2000): error: [0] (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_build_response] (0x2000): rules_num: [0] (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1] (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_get_rules_send] (0x0400): Running initgroups for [admin@awsad.xxxx-xxxx.com] (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_set_plugin] (0x2000): CR #9: Setting "Initgroups by name" plugin (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_send] (0x0400): CR #9: New request 'Initgroups by name' (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_process_input] (0x0400): CR #9: Parsing input name [admin@awsad.xxxx-xxxx.com] (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'admin@awsad.xxxx-xxxx.com' matched expression for domain 'awsad.xxxx-xxxx.com', user is admin (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_set_name] (0x0400): CR #9: Setting name [admin] (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_select_domains] (0x0400): CR #9: Performing a single domain search (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_domain_get_state] (0x1000): Domain awsad.xxxx-xxxx.com is Active (Mon Jul 1 
08:25:02 2019) [sssd[sudo]] [cache_req_search_domains] (0x0400): CR #9: Search will check the cache and check the data provider (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain awsad.xxxx-xxxx.com type POSIX is valid (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_set_domain] (0x0400): CR #9: Using domain [awsad.xxxx-xxxx.com] (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_prepare_domain_data] (0x0400): CR #9: Preparing input data for domain [awsad.xxxx-xxxx.com] rules (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_send] (0x0400): CR #9: Looking up admin@awsad.xxxx-xxxx.com (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_ncache] (0x0400): CR #9: Checking negative cache for [admin@awsad.xxxx-xxxx.com] (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/awsad.xxxx-xxxx.com/admin@awsad.xxxx-xxxx.com] (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_ncache] (0x0400): CR #9: [admin@awsad.xxxx-xxxx.com] is not present in negative cache (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_cache] (0x0400): CR #9: Looking up [admin@awsad.xxxx-xxxx.com] in cache (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_send] (0x0400): CR #9: Object found, but needs to be refreshed. 
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_dp] (0x0400): CR #9: Looking up [admin@awsad.xxxx-xxxx.com] in data provider (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x55c2341d5360:3:admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com] (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_get_account_msg] (0x0400): Creating request for [awsad.xxxx-xxxx.com][0x3][BE_REQ_INITGROUPS][name=admin@awsad.xxxx-xxxx.com:-] (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sbus_add_timeout] (0x2000): 0x55c236313f70 (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x55c2341d5360:3:admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com] (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x55c236313f70 (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_common_dp_recv] (0x0040): CR #9: Data Provider Error: 3, 5, Failed to get reply from Data Provider (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_common_dp_recv] (0x0400): CR #9: Due to an error we will return cached data (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_cache] (0x0400): CR #9: Looking up [admin@awsad.xxxx-xxxx.com] in cache (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_ncache_filter] (0x0400): CR #9: This request type does not support filtering result by negative cache (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_done] (0x0400): CR #9: Returning updated object [admin@awsad.xxxx-xxxx.com] (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_create_and_add_result] (0x0400): CR #9: Found 24 entries in domain awsad.xxxx-xxxx.com (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x55c2341d5360:3:admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com] (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_done] 
(0x0400): CR #9: Finished: Success (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sysdb_get_sudo_user_info] (0x0400): original name: Admin@awsad.xxxx-xxxx.com (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(dataExpireTimestamp<=1561969502)(|(name=defaults)(sudoUser=ALL)(sudoUser=Admin@awsad.xxxx-xxxx.com)(sudoUser=#1979001109)(sudoUser=%Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Account\20Operators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Active\20Directory\20Based\20Activation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Deleted\20Object\20Lifetime\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Distributed\20File\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Dynamic\20Host\20Configuration\20Protocol\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Enterprise\20Certificate\20Authority\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Fine\20Grained\20Password\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Group\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Managed\20Service\20Account\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Remote\20Access\20Service\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Replicate\20Directory\20Changes\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Sites\20and\20Services\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20System\20Management\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Terminal\20Server\20Licensing\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20User\20Principal\20Name\20Suffix\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Add\20Workstations\20To\20Domain\20Users@awsad.xxxx-xxxx.com
)(sudoUser=%DnsAdmins@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Domain\20Name\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Kerberos\20Delegation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Server\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%TESTS@awsad.xxxx-xxxx.com)(sudoUser=%Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=+*)))] (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_refresh_rules_send] (0x0400): No expired rules were found for [Admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com]. (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Retrieving rules for [Admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com] (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=Admin@awsad.xxxx-xxxx.com)(sudoUser=#1979001109)(sudoUser=%Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Account\20Operators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Active\20Directory\20Based\20Activation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Deleted\20Object\20Lifetime\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Distributed\20File\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Dynamic\20Host\20Configuration\20Protocol\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Enterprise\20Certificate\20Authority\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Fine\20Grained\20Password\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Group\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Managed\20Service\20Account\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Remote\20Access\20Service\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Replicate\20Directory\20Changes\20Adm
inistrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Sites\20and\20Services\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20System\20Management\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Terminal\20Server\20Licensing\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20User\20Principal\20Name\20Suffix\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Add\20Workstations\20To\20Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%DnsAdmins@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Domain\20Name\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Kerberos\20Delegation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Server\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%TESTS@awsad.xxxx-xxxx.com)(sudoUser=%Domain\20Users@awsad.xxxx-xxxx.com)))] (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_cached_rules_by_user] (0x0400): Replacing sudoUser attribute with sudoUser: #1979001109 (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb with 
[(&(objectClass=sudoRule)(sudoUser=+*)(!(|(sudoUser=ALL)(sudoUser=Admin@awsad.xxxx-xxxx.com)(sudoUser=#1979001109)(sudoUser=%Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Account\20Operators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Active\20Directory\20Based\20Activation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Deleted\20Object\20Lifetime\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Distributed\20File\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Dynamic\20Host\20Configuration\20Protocol\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Enterprise\20Certificate\20Authority\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Fine\20Grained\20Password\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Group\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Managed\20Service\20Account\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Remote\20Access\20Service\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Replicate\20Directory\20Changes\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Sites\20and\20Services\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20System\20Management\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Terminal\20Server\20Licensing\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20User\20Principal\20Name\20Suffix\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Add\20Workstations\20To\20Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%DnsAdmins@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Domain\20Name\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Kerberos\20Delegation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Server\20Administrators@awsad
.xxxx-xxxx.com)(sudoUser=%TESTS@awsad.xxxx-xxxx.com)(sudoUser=%Domain\20Users@awsad.xxxx-xxxx.com))))] (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0 rules for [Admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com] (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_build_response] (0x2000): error: [0] (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_build_response] (0x2000): rules_num: [0]
/var/log/sssd/sssd_LDAP_AWSAD.XXXX-XXXX.COM.log (Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_sudo_store_rule] (0x0400): Adding sudo rule %TESTS@awsad.xxxx-xxxx.com (Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_sudo_store_rule] (0x0400): Adding sudo rule r3 (Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_sudo_store_rule] (0x0400): Adding sudo rule defaults (Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_sudo_refresh_done] (0x0400): Sudoers is successfully stored in cache (Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_sudo_set_usn] (0x0200): SUDO higher USN value: [245544] (Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_sudo_full_refresh_done] (0x0400): Successful full refresh of sudo rules (Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [be_ptask_done] (0x0400): Task [SUDO Full Refresh]: finished successfully (Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [be_ptask_schedule] (0x0400): Task [SUDO Full Refresh]: scheduling task 21600 seconds from last execution time [1561990778] (Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[(nil)], ldap[0x55f8831bc530] (Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=ubuntu@ldap_awsad.xxxx-xxxx.com] (Mon Jul 1 08:20:02 2019) 
[sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sss_domain_get_state] (0x1000): Domain LDAP_AWSAD.xxxx-xxxx.COM is Active (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_attach_req] (0x0400): DP Request [Initgroups #5]: New request. Flags [0x0001]. (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_attach_req] (0x0400): Number of active DP request: 1 (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sss_domain_get_state] (0x1000): Domain LDAP_AWSAD.xxxx-xxxx.COM is Active (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [DC=awsad,DC=xxxx-xxxx,DC=com] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_print_server] (0x2000): Searching 10.80.100.196:389 (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=ubuntu)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][DC=awsad,DC=xxxx-xxxx,DC=com]. 
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Mon Jul 1 08:20:02 
2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [rhost] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: 
[loginExpirationTime] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sshPublicKey] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [mail] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15 (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_op_add] (0x2000): New operation 15 timeout 6 (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbbe0], ldap[0x55f8831bc530] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://ForestDnsZones.awsad.xxxx-xxxx.com/DC=ForestDnsZones,DC=awsad,DC=xxxx-xxxx,DC=com] with fd [23]. (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://DomainDnsZones.awsad.xxxx-xxxx.com/DC=DomainDnsZones,DC=awsad,DC=xxxx-xxxx,DC=com] with fd [24]. (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://awsad.xxxx-xxxx.com/CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com] with fd [25]. (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_rebind_proc] (0x1000): Successfully bind to [ldap://awsad.xxxx-xxxx.com/CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com]. 
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_rebind_proc] (0x1000): Successfully bind to [ldap://DomainDnsZones.awsad.xxxx-xxxx.com/DC=DomainDnsZones,DC=awsad,DC=xxxx-xxxx,DC=com]. (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_rebind_proc] (0x1000): Successfully bind to [ldap://ForestDnsZones.awsad.xxxx-xxxx.com/DC=ForestDnsZones,DC=awsad,DC=xxxx-xxxx,DC=com]. (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://ForestDnsZones.awsad.xxxx-xxxx.com/DC=ForestDnsZones,DC=awsad,DC=xxxx-xxxx,DC=com (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbbe0], ldap[0x55f8831bc530] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://awsad.xxxx-xxxx.com/CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbbe0], ldap[0x55f8831bc530] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://DomainDnsZones.awsad.xxxx-xxxx.com/DC=DomainDnsZones,DC=awsad,DC=xxxx-xxxx,DC=com
Here we see many referrals being followed. This is typical with AD, and with the LDAP provider with AD you'll want to switch off the referral support: ldap_referrals = false. This is documented here: https://docs.pagure.org/SSSD.sssd/users/ldap_with_ad.html
Is there a reason to use the LDAP provider and not the AD provider?
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbbe0], ldap[0x55f8831bc530] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbbe0], ldap[0x55f8831bc530] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://awsad.xxxx-xxxx.com/CN=Schema,CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbbe0], ldap[0x55f8831bc530] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbbe0], ldap[0x55f8831bc530] (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_op_destructor] (0x2000): Operation 15 finished (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [ubuntu@ldap_awsad.xxxx-xxxx.com] found. (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_search_object_attr] (0x0400): No such entry. 
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_get_real_name] (0x0040): Cannot find user [ubuntu@ldap_awsad.xxxx-xxxx.com] in cache
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [ubuntu@ldap_awsad.xxxx-xxxx.com] [2]: No such file or directory.
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_cache_search_groups] (0x2000): Search groups with filter: (&(objectCategory=group)(ghost=ubuntu@ldap_awsad.xxxx-xxxx.com))
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_cache_search_groups] (0x2000): No such entry
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_done] (0x0400): DP Request [Initgroups #5]: Request handler finished [0]: Success
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [_dp_req_recv] (0x0400): DP Request [Initgroups #5]: Receiving request data.
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_reply_list_success] (0x0400): DP Request [Initgroups #5]: Finished. Success.
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_reply_std] (0x1000): DP Request [Initgroups #5]: Returning [Success]: 0,0,Success
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::LDAP_AWSAD.xxxx-xxxx.COM:name=ubuntu@ldap_awsad.xxxx-xxxx.com] from reply table
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_destructor] (0x0400): DP Request [Initgroups #5]: Request removed.
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[(nil)], ldap[0x55f8831bc530]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=ubuntu@ldap_awsad.xxxx-xxxx.com]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sss_domain_get_state] (0x1000): Domain LDAP_AWSAD.xxxx-xxxx.COM is Active
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_attach_req] (0x0400): DP Request [Initgroups #6]: New request. Flags [0x0001].
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sss_domain_get_state] (0x1000): Domain LDAP_AWSAD.xxxx-xxxx.COM is Active
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [DC=awsad,DC=xxxx-xxxx,DC=com]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_print_server] (0x2000): Searching 10.80.100.196:389
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=ubuntu)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][DC=awsad,DC=xxxx-xxxx,DC=com].
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [rhost]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sshPublicKey]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [mail]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 26
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_op_add] (0x2000): New operation 26 timeout 6
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbd60], ldap[0x55f8831bc530]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://ForestDnsZones.awsad.xxxx-xxxx.com/DC=ForestDnsZones,DC=awsad,DC=xxxx-xxxx,DC=com] with fd [23].
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://DomainDnsZones.awsad.xxxx-xxxx.com/DC=DomainDnsZones,DC=awsad,DC=xxxx-xxxx,DC=com] with fd [24].
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://awsad.xxxx-xxxx.com/CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com] with fd [25].
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_rebind_proc] (0x1000): Successfully bind to [ldap://awsad.xxxx-xxxx.com/CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com].
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_rebind_proc] (0x1000): Successfully bind to [ldap://DomainDnsZones.awsad.xxxx-xxxx.com/DC=DomainDnsZones,DC=awsad,DC=xxxx-xxxx,DC=com].
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_rebind_proc] (0x1000): Successfully bind to [ldap://ForestDnsZones.awsad.xxxx-xxxx.com/DC=ForestDnsZones,DC=awsad,DC=xxxx-xxxx,DC=com].
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://ForestDnsZones.awsad.xxxx-xxxx.com/DC=ForestDnsZones,DC=awsad,DC=xxxx-xxxx,DC=com
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbd60], ldap[0x55f8831bc530]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://awsad.xxxx-xxxx.com/CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbd60], ldap[0x55f8831bc530]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://DomainDnsZones.awsad.xxxx-xxxx.com/DC=DomainDnsZones,DC=awsad,DC=xxxx-xxxx,DC=com
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbd60], ldap[0x55f8831bc530]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbd60], ldap[0x55f8831bc530]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://awsad.xxxx-xxxx.com/CN=Schema,CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbd60], ldap[0x55f8831bc530]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbd60], ldap[0x55f8831bc530]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_op_destructor] (0x2000): Operation 26 finished
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [ubuntu@ldap_awsad.xxxx-xxxx.com] found.
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_search_object_attr] (0x0400): No such entry.
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_get_real_name] (0x0040): Cannot find user [ubuntu@ldap_awsad.xxxx-xxxx.com] in cache
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [ubuntu@ldap_awsad.xxxx-xxxx.com] [2]: No such file or directory.
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_cache_search_groups] (0x2000): Search groups with filter: (&(objectCategory=group)(ghost=ubuntu@ldap_awsad.xxxx-xxxx.com))
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_cache_search_groups] (0x2000): No such entry
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_done] (0x0400): DP Request [Initgroups #6]: Request handler finished [0]: Success
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [_dp_req_recv] (0x0400): DP Request [Initgroups #6]: Receiving request data.
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_reply_list_success] (0x0400): DP Request [Initgroups #6]: Finished. Success.
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_reply_std] (0x1000): DP Request [Initgroups #6]: Returning [Success]: 0,0,Success
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::LDAP_AWSAD.xxxx-xxxx.COM:name=ubuntu@ldap_awsad.xxxx-xxxx.com] from reply table
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_destructor] (0x0400): DP Request [Initgroups #6]: Request removed.
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[(nil)], ldap[0x55f8831bc530]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
ldbsearch -H /var/lib/sss/db/cache_LDAP_AWSAD.XXXX-XXXX.COM.ldb
asq: Unable to register control with rootdse!
# record 1
dn: cn=users,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: Users
distinguishedName: cn=users,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb

# record 2
dn: name=r2,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: r2
dataExpireTimestamp: 1561974578
entryUSN: 245385
name: r2
objectClass: sudoRule
originalDN: CN=r2,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoUser: Admin@awsad.xxxx-xxxx.com
sudoUser: admin@awsad.xxxx-xxxx.com
distinguishedName: name=r2,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb

# record 3
dn: cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: LDAP_AWSAD.xxxx-xxxx.COM
distinguishedName: cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb

# record 4
dn: name=defaults,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: defaults
dataExpireTimestamp: 1561974578
entryUSN: 245543
name: defaults
objectClass: sudoRule
originalDN: CN=defaults,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoUser: ALL
sudoUser: all
distinguishedName: name=defaults,cn=sudorules,cn=custom,cn=LDAP_AWSAD.YARA-DFDP.COM,cn=sysdb

# record 5
dn: name=%TESTS@awsad.xxxx-xxxx.com,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: %TESTS@awsad.xxxx-xxxx.com
dataExpireTimestamp: 1561974578
entryUSN: 245477
name: %TESTS@awsad.xxxx-xxxx.com
objectClass: sudoRule
originalDN: CN=%TESTS@awsad.xxxx-xxxx.com,OU=SUDOers,OU=awsad,DC=awsad,DC=yara-dfdp,DC=com
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoUser: %TESTS@awsad.xxxx-xxxx.com
sudoUser: %tests@awsad.xxxx-xxxx.com
distinguishedName: name=%TESTS@awsad.xxxx-xxxx.com,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb

# record 6
dn: cn=ranges,cn=sysdb
cn: ranges
distinguishedName: cn=ranges,cn=sysdb

# record 7
dn: name=r3,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: r3
dataExpireTimestamp: 1561974578
entryUSN: 245509
name: r3
objectClass: sudoRule
originalDN: CN=r3,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
sudoCommand: ALL
sudoHost: ALL
sudoOption: ALL
sudoUser: Admin@ldap_awsad.xxxx-xxxx.com
sudoUser: admin@ldap_awsad.xxxx-xxxx.com
distinguishedName: name=r3,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb

# record 8
dn: cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: sudorules
sudoLastFullRefreshTime: 1561969178
distinguishedName: cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb

# record 9
dn: cn=sysdb
cn: sysdb
description: base object
version: 0.20
distinguishedName: cn=sysdb

# record 10
dn: cn=groups,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: Groups
distinguishedName: cn=groups,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb

# record 11
dn: name=r1,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: r1
dataExpireTimestamp: 1561974578
entryUSN: 245304
name: r1
objectClass: sudoRule
originalDN: CN=r1,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoUser: ubuntu@ldap_awsad.xxxx-xxxx.com
distinguishedName: name=r1,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
# returned 11 records
# 11 entries
# 0 referrals
/etc/sssd/sssd.conf

[sssd]
services = nss, pam,ssh, sudo
debug_level = 0x7FFF
domains = awsad.xxxx-xxxx.com, aws.dfdp.com, LDAP_AWSAD.xxxx-xxxx.COM

[sudo]
debug_level = 0x3ff0

[domain/LDAP_AWSAD.xxxx-xxxx.COM]
case_sensitive=false
debug_level = 0x3ff0
access_provider = ldap
id_provider = ldap
sudo_provider = ldap
ldap_uri = ldap://xxx.xxx.xxx.xxx
ldap_default_bind_dn = account@awsad.xxxx-xxxx.com
ldap_default_authtok = xxxxxxxxx
ldap_sudo_search_base = OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com

[domain/awsad.xxxx-xxxx.com]
debug_level = 0x0200
id_provider = ad
access_provider = ad
enumerate = true
subdomain_enumerate = all
ad_domain = AWSAD.xxxx-xxxx.COM
krb5_realm = AWSAD.xxxx-xxxx.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u

[domain/aws.xxxx.com]
debug_level = 0x0200
id_provider = ad
access_provider = ad
enumerate = true
ad_domain = AWS.xxxx.COM
krb5_realm = AWS.xxxx.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u

[domain/ad.xxxx.com]
debug_level = 0x0200
id_provider = ad
access_provider = ad
ad_server = xxx.ad.xxxx.com
ad_server_backup = xxx.ad.xxxx.com
enumerate = true
ad_domain = AD.XXXX.COM
krb5_realm = AD.XXXX.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
/etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat systemd sss
group: compat systemd sss
shadow: compat sss
gshadow: files

hosts: files dns
networks: files

protocols: db files
services: db files sss
ethers: db files
rpc: db files

netgroup: nis sss
sudoers: sss files
Windows AD using the SUDO schema (imported).
Only 1 entry from MS AD for the sake of example:
PS C:\Windows\system32> Get-ADObject -Identity "CN=r2,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com" -Property *

CanonicalName : awsad.xxxx-xxxx.com/awsad/SUDOers/r2
CN : r2
Created : 6/30/2019 8:59:46 AM
createTimeStamp : 6/30/2019 8:59:46 AM
Deleted :
Description :
DisplayName :
DistinguishedName : CN=r2,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
dSCorePropagationData : {1/1/1601 12:00:00 AM}
instanceType : 4
isDeleted :
LastKnownParent :
Modified : 6/30/2019 8:59:56 AM
modifyTimeStamp : 6/30/2019 8:59:56 AM
Name : r2
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory : CN=sudoRole,CN=Schema,CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com
ObjectClass : sudoRole
ObjectGUID : 9b660613-94f8-4f58-86bc-21e813027fbf
ProtectedFromAccidentalDeletion : False
sDRightsEffective : 7
sudoCommand : {ALL}
sudoHost : {ALL}
sudoOption : {!authenticate}
sudoUser : {Admin@awsad.xxxx-xxxx.com}
uSNChanged : 245385
uSNCreated : 245385
whenChanged : 6/30/2019 8:59:56 AM
whenCreated : 6/30/2019 8:59:46 AM
PS C:\Windows\system32>
Thx a lot! and Cheers!
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
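A small diagnostic for the situation in the post, added here as example code; it is not from the thread, from SSSD or from sudo. It parses an ldbsearch dump of the sudo cache and reports which sudoRule entries name a given user, so one can check whether the sudoUser values in the cache are spelled the way SSSD names the user. The cache dump above stores each mixed-case sudoUser alongside a lowercased copy, and the domain is configured with case_sensitive=false, so the comparison is case-insensitive by default; the backend log names the user in the form ubuntu@ldap_awsad.xxxx-xxxx.com, and that is the name form the example expects as input. The sample dump is constructed from the records in the post (anonymized values kept as they appear there), and the matching logic (ALL, %group, or an exact user name) is a simplified model of what the SSSD sudo responder does, not its code.

```python
"""Check which cached SSSD sudo rules cover a user name.

Added example, not code from the sssd-users thread, SSSD or sudo.
Matching model (simplified): a rule applies when one of its sudoUser
values is ALL, is %group for a group the user belongs to, or equals the
user's name; comparison is case-insensitive unless case_sensitive=True.
"""

# Constructed sample, modelled on the ldbsearch records in the thread.
SAMPLE_DUMP = """\
# record 2
dn: name=r2,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: r2
objectClass: sudoRule
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoUser: Admin@awsad.xxxx-xxxx.com
sudoUser: admin@awsad.xxxx-xxxx.com

# record 3
dn: cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: LDAP_AWSAD.xxxx-xxxx.COM

# record 5
dn: name=%TESTS@awsad.xxxx-xxxx.com,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: %TESTS@awsad.xxxx-xxxx.com
objectClass: sudoRule
sudoCommand: ALL
sudoHost: ALL
sudoUser: %TESTS@awsad.xxxx-xxxx.com
sudoUser: %tests@awsad.xxxx-xxxx.com

# record 7
dn: name=r3,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: r3
objectClass: sudoRule
sudoCommand: ALL
sudoHost: ALL
sudoUser: Admin@ldap_awsad.xxxx-xxxx.com
sudoUser: admin@ldap_awsad.xxxx-xxxx.com

# record 11
dn: name=r1,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: r1
objectClass: sudoRule
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoUser: ubuntu@ldap_awsad.xxxx-xxxx.com
"""


def parse_ldb_dump(text):
    """Split ldbsearch (LDIF-style) output into a list of {attr: [values]}.

    '#' lines are comments, a blank line ends an entry, and a line starting
    with a space continues the previous attribute value (LDIF line wrapping,
    which is how long DNs appear in the dump)."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(": ")
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def sudo_rules(entries):
    """Keep only the entries the cache marks as sudo rules."""
    return [e for e in entries if "sudoRule" in e.get("objectClass", [])]


def user_matches(rule, user, groups, case_sensitive=False):
    """True if one of the rule's sudoUser values covers `user` or `groups`."""
    norm = (lambda s: s) if case_sensitive else str.lower
    user_n = norm(user)
    groups_n = {norm(g) for g in groups}
    for value in rule.get("sudoUser", []):
        if value == "ALL":
            return True
        if value.startswith("%"):          # %group form
            if norm(value[1:]) in groups_n:
                return True
        elif norm(value) == user_n:        # plain user name
            return True
    return False


def matching_rules(dump_text, user, groups=(), case_sensitive=False):
    """cn values of the cached rules whose sudoUser covers the user."""
    return [r["cn"][0] for r in sudo_rules(parse_ldb_dump(dump_text))
            if user_matches(r, user, groups, case_sensitive)]


if __name__ == "__main__":
    # Same login name in two domain spellings: only the form SSSD uses
    # for the domain (see the backend log) hits rule r3, not r2.
    for name in ("admin@ldap_awsad.xxxx-xxxx.com", "admin@awsad.xxxx-xxxx.com"):
        print(name, "->", matching_rules(SAMPLE_DUMP, name))
```

Running it against the real cache is `ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb | python3 this_script.py` with the dump read from stdin instead of SAMPLE_DUMP; the useful output is the rule that does not come back for the name SSSD actually uses for the user, since that is the rule to respell in AD (the cn=defaults entry is left out of the sample because sudoers treats it as an options holder rather than a rule).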