4:31 a.m.
Hello,
Below my configuration and errors :)
(I've adapted some strings for the sake of example - domain is not real)
cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam,ssh, sudo
debug_level = 0x7FFF
domains = LDAP_MY.COM
[sudo]
debug_level = 0x3ff0
[domain/LDAP_MY.COM]
debug_level = 0x3ff0
access_provider = ldap
id_provider = ldap
sudo_provider = ldap
ldap_uri = ldap://<IP>
ldap_default_bind_dn = <user>(a)my.com
ldap_default_authtok = <password>
ldap_sudo_search_base = OU=SUDOers,DC=my,DC=com
/etc/nsswitch.conf
...
sudoers: sss files
....
ldbsearch -H /var/lib/sss/db/cache_LDAP_MY.COM/ldb contains Microsoft AD records:
# record 2
dn: name=r2,cn=sudorules,cn=custom,cn=LDAP_MY.COM,cn=sysdb
cn: r2
dataExpireTimestamp: 1561891358
entryUSN: 245385
name: r2
objectClass: sudoRule
originalDN: CN=r2,OU=SUDOers,DC=my,DC=com
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoUser: Admin(a)my.com
distinguishedName: name=r2,cn=sudorules,cn=custom,cn=LDAP_MY.COM,
cn=sysdb
AD sudoRole is sudoRule in local SSSD DB cache.
But getting this below when trying to test 'sudo -l' or 'sudo su'
[sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0 rules for [Admin@my.com(a)my.com]
from /var/log/sssd/sssd_sudo.log
Duplicate domain ?
I can see the rules been updated in the SSSD cache file from Microsoft AD.
But I cannot use them because maybe some misconfiguration ?
setup for sudo logs:
/etc/sudo.conf and put down the following lines:
Debug sudo /var/log/sudo_debug all@debug
Debug sudoers.so /var/log/sudo_debug all@debug
from /var/log/sudo_debug I have this:
...
user_in_group: user admin(a)my.com NOT in group sudo
...
Thx a lot!
Cheers!
2:38 a.m.
On Sun, Jun 30, 2019 at 09:31:17AM -0000, Bruno Monteiro wrote:
Hello,
Below my configuration and errors :)
(I've adapted some strings for the sake of example - domain is not real)
cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam,ssh, sudo
debug_level = 0x7FFF
domains = LDAP_MY.COM
[sudo]
debug_level = 0x3ff0
[domain/LDAP_MY.COM]
debug_level = 0x3ff0
access_provider = ldap
id_provider = ldap
sudo_provider = ldap
ldap_uri = ldap://<IP>
ldap_default_bind_dn = <user>(a)my.com
ldap_default_authtok = <password>
ldap_sudo_search_base = OU=SUDOers,DC=my,DC=com
/etc/nsswitch.conf
...
sudoers: sss files
....
ldbsearch -H /var/lib/sss/db/cache_LDAP_MY.COM/ldb contains Microsoft AD records:
# record 2
dn: name=r2,cn=sudorules,cn=custom,cn=LDAP_MY.COM,cn=sysdb
the config snippet says the sudo search base is ou=sudoers, but the rule
example is at cn=sudoers,cn=custom..
cn: r2
dataExpireTimestamp: 1561891358
entryUSN: 245385
name: r2
objectClass: sudoRule
originalDN: CN=r2,OU=SUDOers,DC=my,DC=com
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoUser: Admin(a)my.com
distinguishedName: name=r2,cn=sudorules,cn=custom,cn=LDAP_MY.COM,
cn=sysdb
AD sudoRole is sudoRule in local SSSD DB cache.
But getting this below when trying to test 'sudo -l' or 'sudo su'
[sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0 rules for [Admin@my.com(a)my.com]
from /var/log/sssd/sssd_sudo.log
Duplicate domain ?
That's just a minor bug in the debug message (at one point we switched
to using qualified names everywhere internally, but some debug messages
were qualifying the names on their own..)
I can see the rules been updated in the SSSD cache file from Microsoft AD.
But I cannot use them because maybe some misconfiguration ?
You're using the plain ldap sudo provider, but you're not using
case_sensitive=false so you need to make sure the case matches exactly;
AD is case-insensitive, but Linux is case-sensitive.
Also, I'm not sure if the plain LDAP provider is able to match the name
qualified with the domain name (Admin(a)my.com) in sudoUser or only username
(Admin).
Posting more context from the logs might be helpful as well.
>
> setup for sudo logs:
> /etc/sudo.conf and put down the following lines:
> Debug sudo /var/log/sudo_debug all@debug
> Debug sudoers.so /var/log/sudo_debug all@debug
>
> from /var/log/sudo_debug I have this:
> ...
> user_in_group: user admin(a)my.com NOT in group sudo
> ...
>
> Thx a lot!
>
> Cheers!
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
4:09 a.m.
Hi Jakub,
Thx for the suggestions!
Here more logs:
NOTE: Replaced xxxx-xxxx or xxxx from the original name.
/var/log/sssd/sssd_sudo.log
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client
version [1].
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version
[1].
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version
[1]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_get_rules_send] (0x0400): Running
initgroups for [admin(a)awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_set_plugin] (0x2000): CR #8: Setting
"Initgroups by name" plugin
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_send] (0x0400): CR #8: New request
'Initgroups by name'
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_process_input] (0x0400): CR #8: Parsing
input name [admin(a)awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name
'admin(a)awsad.xxxx-xxxx.com' matched expression for domain
'awsad.xxxx-xxxx.com', user is admin
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_set_name] (0x0400): CR #8: Setting name
[admin]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_select_domains] (0x0400): CR #8:
Performing a single domain search
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_domain_get_state] (0x1000): Domain
awsad.xxxx-xxxx.com is Active
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_domains] (0x0400): CR #8: Search
will check the cache and check the data provider
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_validate_domain_type] (0x2000): Request
type POSIX-only for domain awsad.xxxx-xxxx.com type POSIX is valid
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_set_domain] (0x0400): CR #8: Using
domain [awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_prepare_domain_data] (0x0400): CR #8:
Preparing input data for domain [awsad.xxxx-xxxx.com] rules
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_send] (0x0400): CR #8: Looking
up admin(a)awsad.xxxx-xxxx.com
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_ncache] (0x0400): CR #8:
Checking negative cache for [admin(a)awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative
cache for [NCE/USER/awsad.xxxx-xxxx.com/admin@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_ncache] (0x0400): CR #8:
[admin(a)awsad.xxxx-xxxx.com] is not present in negative cache
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_cache] (0x0400): CR #8: Looking
up [admin(a)awsad.xxxx-xxxx.com] in cache
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_send] (0x0400): CR #8: Object
found, but needs to be refreshed.
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_dp] (0x0400): CR #8: Looking up
[admin(a)awsad.xxxx-xxxx.com] in data provider
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request
for [0x55c2341d5360:3:admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_get_account_msg] (0x0400): Creating
request for
[awsad.xxxx-xxxx.com][0x3][BE_REQ_INITGROUPS][name=admin@awsad.xxxx-xxxx.com:-]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sbus_add_timeout] (0x2000): 0x55c2362f3a70
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering
request [0x55c2341d5360:3:admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x55c2362f3a70
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_get_reply] (0x0010): The Data Provider
returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_common_dp_recv] (0x0040): CR #8: Data
Provider Error: 3, 5, Failed to get reply from Data Provider
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_common_dp_recv] (0x0400): CR #8: Due to
an error we will return cached data
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_cache] (0x0400): CR #8: Looking
up [admin(a)awsad.xxxx-xxxx.com] in cache
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_ncache_filter] (0x0400): CR #8:
This request type does not support filtering result by negative cache
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_done] (0x0400): CR #8: Returning
updated object [admin(a)awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_create_and_add_result] (0x0400): CR #8:
Found 24 entries in domain awsad.xxxx-xxxx.com
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting
request: [0x55c2341d5360:3:admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_done] (0x0400): CR #8: Finished:
Success
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sysdb_get_sudo_user_info] (0x0400): original
name: Admin(a)awsad.xxxx-xxxx.com
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb
with
[(&(objectClass=sudoRule)(dataExpireTimestamp<=1561969502)(|(name=defaults)(sudoUser=ALL)(sudoUser=Admin@awsad.xxxx-xxxx.com)(sudoUser=#1979001109)(sudoUser=%Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Account\20Operators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Active\20Directory\20Based\20Activation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Deleted\20Object\20Lifetime\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Distributed\20File\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Dynamic\20Host\20Configuration\20Protocol\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Enterprise\20Certificate\20Authority\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Fine\20Grained\20Password\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Group\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Managed\20Service\20Account\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Remote\20Access\20Service\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Replicate\20Directory\20Changes\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Sites\20and\20Services\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20System\20Management\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Terminal\20Server\20Licensing\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20User\20Principal\20Name\20Suffix\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Add\20Workstations\20To\20Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%DnsAdmins@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Domain\20Name\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Kerberos\20Delegation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Server\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%TESTS@awsad.xxxx-xxxx.com)(sudoUser=%Domain\20Users(a)awsad.xxxx-xxxx.com)(sudoUser=+*)))]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_refresh_rules_send] (0x0400): No expired
rules were found for [Admin@awsad.xxxx-xxxx.com(a)awsad.xxxx-xxxx.com].
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Retrieving default
options for [Admin@awsad.xxxx-xxxx.com(a)awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb
with [(&(objectClass=sudoRule)(name=defaults))]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0
default options for [Admin@awsad.xxxx-xxxx.com(a)awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_build_response] (0x2000): error: [0]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_build_response] (0x2000): rules_num: [0]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version
[1]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_get_rules_send] (0x0400): Running
initgroups for [admin(a)awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_set_plugin] (0x2000): CR #9: Setting
"Initgroups by name" plugin
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_send] (0x0400): CR #9: New request
'Initgroups by name'
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_process_input] (0x0400): CR #9: Parsing
input name [admin(a)awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name
'admin(a)awsad.xxxx-xxxx.com' matched expression for domain
'awsad.xxxx-xxxx.com', user is admin
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_set_name] (0x0400): CR #9: Setting name
[admin]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_select_domains] (0x0400): CR #9:
Performing a single domain search
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_domain_get_state] (0x1000): Domain
awsad.xxxx-xxxx.com is Active
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_domains] (0x0400): CR #9: Search
will check the cache and check the data provider
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_validate_domain_type] (0x2000): Request
type POSIX-only for domain awsad.xxxx-xxxx.com type POSIX is valid
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_set_domain] (0x0400): CR #9: Using
domain [awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_prepare_domain_data] (0x0400): CR #9:
Preparing input data for domain [awsad.xxxx-xxxx.com] rules
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_send] (0x0400): CR #9: Looking
up admin(a)awsad.xxxx-xxxx.com
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_ncache] (0x0400): CR #9:
Checking negative cache for [admin(a)awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative
cache for [NCE/USER/awsad.xxxx-xxxx.com/admin@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_ncache] (0x0400): CR #9:
[admin(a)awsad.xxxx-xxxx.com] is not present in negative cache
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_cache] (0x0400): CR #9: Looking
up [admin(a)awsad.xxxx-xxxx.com] in cache
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_send] (0x0400): CR #9: Object
found, but needs to be refreshed.
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_dp] (0x0400): CR #9: Looking up
[admin(a)awsad.xxxx-xxxx.com] in data provider
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request
for [0x55c2341d5360:3:admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_get_account_msg] (0x0400): Creating
request for
[awsad.xxxx-xxxx.com][0x3][BE_REQ_INITGROUPS][name=admin@awsad.xxxx-xxxx.com:-]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sbus_add_timeout] (0x2000): 0x55c236313f70
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering
request [0x55c2341d5360:3:admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x55c236313f70
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_get_reply] (0x0010): The Data Provider
returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_common_dp_recv] (0x0040): CR #9: Data
Provider Error: 3, 5, Failed to get reply from Data Provider
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_common_dp_recv] (0x0400): CR #9: Due to
an error we will return cached data
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_cache] (0x0400): CR #9: Looking
up [admin(a)awsad.xxxx-xxxx.com] in cache
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_ncache_filter] (0x0400): CR #9:
This request type does not support filtering result by negative cache
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_done] (0x0400): CR #9: Returning
updated object [admin(a)awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_create_and_add_result] (0x0400): CR #9:
Found 24 entries in domain awsad.xxxx-xxxx.com
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting
request: [0x55c2341d5360:3:admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_done] (0x0400): CR #9: Finished:
Success
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sysdb_get_sudo_user_info] (0x0400): original
name: Admin(a)awsad.xxxx-xxxx.com
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb
with
[(&(objectClass=sudoRule)(dataExpireTimestamp<=1561969502)(|(name=defaults)(sudoUser=ALL)(sudoUser=Admin@awsad.xxxx-xxxx.com)(sudoUser=#1979001109)(sudoUser=%Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Account\20Operators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Active\20Directory\20Based\20Activation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Deleted\20Object\20Lifetime\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Distributed\20File\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Dynamic\20Host\20Configuration\20Protocol\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Enterprise\20Certificate\20Authority\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Fine\20Grained\20Password\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Group\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Managed\20Service\20Account\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Remote\20Access\20Service\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Replicate\20Directory\20Changes\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Sites\20and\20Services\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20System\20Management\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Terminal\20Server\20Licensing\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20User\20Principal\20Name\20Suffix\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Add\20Workstations\20To\20Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%DnsAdmins@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Domain\20Name\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Kerberos\20Delegation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Server\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%TESTS@awsad.xxxx-xxxx.com)(sudoUser=%Domain\20Users(a)awsad.xxxx-xxxx.com)(sudoUser=+*)))]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_refresh_rules_send] (0x0400): No expired
rules were found for [Admin@awsad.xxxx-xxxx.com(a)awsad.xxxx-xxxx.com].
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Retrieving rules
for [Admin@awsad.xxxx-xxxx.com(a)awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb
with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=Admin@awsad.xxxx-xxxx.com)(sudoUser=#1979001109)(sudoUser=%Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Account\20Operators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Active\20Directory\20Based\20Activation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Deleted\20Object\20Lifetime\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Distributed\20File\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Dynamic\20Host\20Configuration\20Protocol\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Enterprise\20Certificate\20Authority\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Fine\20Grained\20Password\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Group\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Managed\20Service\20Account\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Remote\20Access\20Service\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Replicate\20Directory\20Changes\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Sites\20and\20Services\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20System\20Management\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Terminal\20Server\20Licensing\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20User\20Principal\20Name\20Suffix\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Add\20Workstations\20To\20Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%DnsAdmins@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Domain\20Name\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Kerberos\20Delegation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Server\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%TESTS@awsad.xxxx-xxxx.com)(sudoUser=%Domain\20Users(a)awsad.xxxx-xxxx.com)))]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_cached_rules_by_user] (0x0400): Replacing
sudoUser attribute with sudoUser: #1979001109
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb
with
[(&(objectClass=sudoRule)(sudoUser=+*)(!(|(sudoUser=ALL)(sudoUser=Admin@awsad.xxxx-xxxx.com)(sudoUser=#1979001109)(sudoUser=%Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Account\20Operators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Active\20Directory\20Based\20Activation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Deleted\20Object\20Lifetime\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Distributed\20File\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Dynamic\20Host\20Configuration\20Protocol\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Enterprise\20Certificate\20Authority\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Fine\20Grained\20Password\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Group\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Managed\20Service\20Account\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Remote\20Access\20Service\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Replicate\20Directory\20Changes\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Sites\20and\20Services\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20System\20Management\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Terminal\20Server\20Licensing\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20User\20Principal\20Name\20Suffix\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Add\20Workstations\20To\20Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%DnsAdmins@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Domain\20Name\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Kerberos\20Delegation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Server\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%TESTS@awsad.xxxx-xxxx.com)(sudoUser=%Domain\20Users(a)awsad.xxxx-xxxx.com))))]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0 rules
for [Admin@awsad.xxxx-xxxx.com(a)awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_build_response] (0x2000): error: [0]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_build_response] (0x2000): rules_num: [0]
/var/log/sssd/sssd_LDAP_AWSAD.XXXX-XXXX.COM.log
(Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_sudo_store_rule]
(0x0400): Adding sudo rule %TESTS(a)awsad.xxxx-xxxx.com
(Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_sudo_store_rule]
(0x0400): Adding sudo rule r3
(Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_sudo_store_rule]
(0x0400): Adding sudo rule defaults
(Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_sudo_refresh_done]
(0x0400): Sudoers is successfully stored in cache
(Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_sudo_set_usn]
(0x0200): SUDO higher USN value: [245544]
(Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_sudo_full_refresh_done] (0x0400): Successful full refresh of sudo rules
(Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [be_ptask_done] (0x0400):
Task [SUDO Full Refresh]: finished successfully
(Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [be_ptask_schedule]
(0x0400): Task [SUDO Full Refresh]: scheduling task 21600 seconds from last execution time
[1561990778]
(Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[(nil)], ldap[0x55f8831bc530]
(Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: end of ldap_result list
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sbus_message_handler]
(0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path
/org/freedesktop/sssd/dataprovider
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sbus_get_sender_id_send]
(0x2000): Not a sysbus message, quit
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[dp_get_account_info_handler] (0x0200): Got request for
[0x3][BE_REQ_INITGROUPS][name=ubuntu(a)ldap_awsad.xxxx-xxxx.com]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sss_domain_get_state]
(0x1000): Domain LDAP_AWSAD.xxxx-xxxx.COM is Active
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_attach_req] (0x0400):
DP Request [Initgroups #5]: New request. Flags [0x0001].
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_attach_req] (0x0400):
Number of active DP request: 1
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sss_domain_get_state]
(0x1000): Domain LDAP_AWSAD.xxxx-xxxx.COM is Active
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_initgr_next_base] (0x0400): Searching for users with base
[DC=awsad,DC=xxxx-xxxx,DC=com]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_print_server]
(0x2000): Searching 10.80.100.196:389
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(uid=ubuntu)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][DC=awsad,DC=xxxx-xxxx,DC=com].
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [rhost]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sshPublicKey]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [mail]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_op_add] (0x2000):
New operation 15 timeout 6
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbbe0],
ldap[0x55f8831bc530]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to
[ldap://ForestDnsZones.awsad.xxxx-xxxx.com/DC=ForestDnsZones,DC=awsad,DC=x...]
with fd [23].
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to
[ldap://DomainDnsZones.awsad.xxxx-xxxx.com/DC=DomainDnsZones,DC=awsad,DC=x...]
with fd [24].
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to
[ldap://awsad.xxxx-xxxx.com/CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com] with fd [25].
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_rebind_proc]
(0x1000): Successfully bind to
[ldap://awsad.xxxx-xxxx.com/CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com].
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_rebind_proc]
(0x1000): Successfully bind to
[ldap://DomainDnsZones.awsad.xxxx-xxxx.com/DC=DomainDnsZones,DC=awsad,DC=x...].
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_rebind_proc]
(0x1000): Successfully bind to
[ldap://ForestDnsZones.awsad.xxxx-xxxx.com/DC=ForestDnsZones,DC=awsad,DC=x...].
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_add_references] (0x1000): Additional References:
ldap://ForestDnsZones.awsad.xxxx-xxxx.com/DC=ForestDnsZones,DC=awsad,DC=x...
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbbe0],
ldap[0x55f8831bc530]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_add_references] (0x1000): Additional References:
ldap://awsad.xxxx-xxxx.com/CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbbe0],
ldap[0x55f8831bc530]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_add_references] (0x1000): Additional References:
ldap://DomainDnsZones.awsad.xxxx-xxxx.com/DC=DomainDnsZones,DC=awsad,DC=x...
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbbe0],
ldap[0x55f8831bc530]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: end of ldap_result list
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbbe0],
ldap[0x55f8831bc530]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_add_references] (0x1000): Additional References:
ldap://awsad.xxxx-xxxx.com/CN=Schema,CN=Configuration,DC=awsad,DC=xxxx-xx...
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbbe0],
ldap[0x55f8831bc530]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: end of ldap_result list
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbbe0],
ldap[0x55f8831bc530]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_op_destructor]
(0x2000): Operation 15 finished
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_search_user_by_upn]
(0x0400): No entry with upn [ubuntu(a)ldap_awsad.xxxx-xxxx.com] found.
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sysdb_search_entry_by_sid_str] (0x0400): No such entry
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_search_object_attr]
(0x0400): No such entry.
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_get_real_name]
(0x0040): Cannot find user [ubuntu(a)ldap_awsad.xxxx-xxxx.com] in cache
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [groups_by_user_done]
(0x2000): Failed to canonicalize name, using [ubuntu(a)ldap_awsad.xxxx-xxxx.com] [2]: No
such file or directory.
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_search_by_name]
(0x0400): No such entry
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sysdb_cache_search_groups] (0x2000): Search groups with filter:
(&(objectCategory=group)(ghost=ubuntu(a)ldap_awsad.xxxx-xxxx.com))
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sysdb_cache_search_groups] (0x2000): No such entry
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_delete_user]
(0x0400): Error: 2 (No such file or directory)
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_done] (0x0400): DP
Request [Initgroups #5]: Request handler finished [0]: Success
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [_dp_req_recv] (0x0400):
DP Request [Initgroups #5]: Receiving request data.
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[dp_req_reply_list_success] (0x0400): DP Request [Initgroups #5]: Finished. Success.
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_reply_std]
(0x1000): DP Request [Initgroups #5]: Returning [Success]: 0,0,Success
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[dp_table_value_destructor] (0x0400): Removing
[0:1:0x0001:3::LDAP_AWSAD.xxxx-xxxx.COM:name=ubuntu@ldap_awsad.xxxx-xxxx.com] from reply
table
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_destructor]
(0x0400): DP Request [Initgroups #5]: Request removed.
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_destructor]
(0x0400): Number of active DP request: 0
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[(nil)], ldap[0x55f8831bc530]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: end of ldap_result list
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sbus_message_handler]
(0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path
/org/freedesktop/sssd/dataprovider
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sbus_get_sender_id_send]
(0x2000): Not a sysbus message, quit
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[dp_get_account_info_handler] (0x0200): Got request for
[0x3][BE_REQ_INITGROUPS][name=ubuntu(a)ldap_awsad.xxxx-xxxx.com]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sss_domain_get_state]
(0x1000): Domain LDAP_AWSAD.xxxx-xxxx.COM is Active
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_attach_req] (0x0400):
DP Request [Initgroups #6]: New request. Flags [0x0001].
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_attach_req] (0x0400):
Number of active DP request: 1
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sss_domain_get_state]
(0x1000): Domain LDAP_AWSAD.xxxx-xxxx.COM is Active
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_initgr_next_base] (0x0400): Searching for users with base
[DC=awsad,DC=xxxx-xxxx,DC=com]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_print_server]
(0x2000): Searching 10.80.100.196:389
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(uid=ubuntu)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][DC=awsad,DC=xxxx-xxxx,DC=com].
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [rhost]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sshPublicKey]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [mail]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 26
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_op_add] (0x2000):
New operation 26 timeout 6
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbd60],
ldap[0x55f8831bc530]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to
[ldap://ForestDnsZones.awsad.xxxx-xxxx.com/DC=ForestDnsZones,DC=awsad,DC=x...]
with fd [23].
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to
[ldap://DomainDnsZones.awsad.xxxx-xxxx.com/DC=DomainDnsZones,DC=awsad,DC=x...]
with fd [24].
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to
[ldap://awsad.xxxx-xxxx.com/CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com] with fd [25].
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_rebind_proc]
(0x1000): Successfully bind to
[ldap://awsad.xxxx-xxxx.com/CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com].
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_rebind_proc]
(0x1000): Successfully bind to
[ldap://DomainDnsZones.awsad.xxxx-xxxx.com/DC=DomainDnsZones,DC=awsad,DC=x...].
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_rebind_proc]
(0x1000): Successfully bind to
[ldap://ForestDnsZones.awsad.xxxx-xxxx.com/DC=ForestDnsZones,DC=awsad,DC=x...].
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_add_references] (0x1000): Additional References:
ldap://ForestDnsZones.awsad.xxxx-xxxx.com/DC=ForestDnsZones,DC=awsad,DC=x...
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbd60],
ldap[0x55f8831bc530]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_add_references] (0x1000): Additional References:
ldap://awsad.xxxx-xxxx.com/CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbd60],
ldap[0x55f8831bc530]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_add_references] (0x1000): Additional References:
ldap://DomainDnsZones.awsad.xxxx-xxxx.com/DC=DomainDnsZones,DC=awsad,DC=x...
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbd60],
ldap[0x55f8831bc530]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: end of ldap_result list
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbd60],
ldap[0x55f8831bc530]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_add_references] (0x1000): Additional References:
ldap://awsad.xxxx-xxxx.com/CN=Schema,CN=Configuration,DC=awsad,DC=xxxx-xx...
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbd60],
ldap[0x55f8831bc530]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: end of ldap_result list
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbd60],
ldap[0x55f8831bc530]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_op_destructor]
(0x2000): Operation 26 finished
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_search_user_by_upn]
(0x0400): No entry with upn [ubuntu(a)ldap_awsad.xxxx-xxxx.com] found.
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sysdb_search_entry_by_sid_str] (0x0400): No such entry
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_search_object_attr]
(0x0400): No such entry.
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_get_real_name]
(0x0040): Cannot find user [ubuntu(a)ldap_awsad.xxxx-xxxx.com] in cache
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [groups_by_user_done]
(0x2000): Failed to canonicalize name, using [ubuntu(a)ldap_awsad.xxxx-xxxx.com] [2]: No
such file or directory.
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_search_by_name]
(0x0400): No such entry
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sysdb_cache_search_groups] (0x2000): Search groups with filter:
(&(objectCategory=group)(ghost=ubuntu(a)ldap_awsad.xxxx-xxxx.com))
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sysdb_cache_search_groups] (0x2000): No such entry
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_delete_user]
(0x0400): Error: 2 (No such file or directory)
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_done] (0x0400): DP
Request [Initgroups #6]: Request handler finished [0]: Success
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [_dp_req_recv] (0x0400):
DP Request [Initgroups #6]: Receiving request data.
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[dp_req_reply_list_success] (0x0400): DP Request [Initgroups #6]: Finished. Success.
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_reply_std]
(0x1000): DP Request [Initgroups #6]: Returning [Success]: 0,0,Success
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[dp_table_value_destructor] (0x0400): Removing
[0:1:0x0001:3::LDAP_AWSAD.xxxx-xxxx.COM:name=ubuntu@ldap_awsad.xxxx-xxxx.com] from reply
table
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_destructor]
(0x0400): DP Request [Initgroups #6]: Request removed.
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_destructor]
(0x0400): Number of active DP request: 0
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[(nil)], ldap[0x55f8831bc530]
(Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: end of ldap_result list
ldbsearch -H /var/lib/sss/db/cache_LDAP_AWSAD.XXXX-XXXX.COM.ldb
asq: Unable to register control with rootdse!
# record 1
dn: cn=users,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: Users
distinguishedName: cn=users,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
# record 2
dn: name=r2,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: r2
dataExpireTimestamp: 1561974578
entryUSN: 245385
name: r2
objectClass: sudoRule
originalDN: CN=r2,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoUser: Admin(a)awsad.xxxx-xxxx.com
sudoUser: admin(a)awsad.xxxx-xxxx.com
distinguishedName: name=r2,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,
cn=sysdb
# record 3
dn: cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: LDAP_AWSAD.xxxx-xxxx.COM
distinguishedName: cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
# record 4
dn: name=defaults,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: defaults
dataExpireTimestamp: 1561974578
entryUSN: 245543
name: defaults
objectClass: sudoRule
originalDN: CN=defaults,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoUser: ALL
sudoUser: all
distinguishedName: name=defaults,cn=sudorules,cn=custom,cn=LDAP_AWSAD.YARA-DFD
P.COM,cn=sysdb
# record 5
dn:
name=%TESTS(a)awsad.xxxx-xxxx.com,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: %TESTS(a)awsad.xxxx-xxxx.com
dataExpireTimestamp: 1561974578
entryUSN: 245477
name: %TESTS(a)awsad.xxxx-xxxx.com
objectClass: sudoRule
originalDN: CN=%TESTS(a)awsad.xxxx-xxxx.com,OU=SUDOers,OU=awsad,DC=awsad,DC=yara
-dfdp,DC=com
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoUser: %TESTS(a)awsad.xxxx-xxxx.com
sudoUser: %tests(a)awsad.xxxx-xxxx.com
distinguishedName: name=%TESTS(a)awsad.xxxx-xxxx.com,cn=sudorules,cn=custom,cn=L
DAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
# record 6
dn: cn=ranges,cn=sysdb
cn: ranges
distinguishedName: cn=ranges,cn=sysdb
# record 7
dn: name=r3,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: r3
dataExpireTimestamp: 1561974578
entryUSN: 245509
name: r3
objectClass: sudoRule
originalDN: CN=r3,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
sudoCommand: ALL
sudoHost: ALL
sudoOption: ALL
sudoUser: Admin(a)ldap_awsad.xxxx-xxxx.com
sudoUser: admin(a)ldap_awsad.xxxx-xxxx.com
distinguishedName: name=r3,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,
cn=sysdb
# record 8
dn: cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: sudorules
sudoLastFullRefreshTime: 1561969178
distinguishedName: cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
# record 9
dn: cn=sysdb
cn: sysdb
description: base object
version: 0.20
distinguishedName: cn=sysdb
# record 10
dn: cn=groups,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: Groups
distinguishedName: cn=groups,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
# record 11
dn: name=r1,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: r1
dataExpireTimestamp: 1561974578
entryUSN: 245304
name: r1
objectClass: sudoRule
originalDN: CN=r1,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoUser: ubuntu(a)ldap_awsad.xxxx-xxxx.com
distinguishedName: name=r1,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,
cn=sysdb
# returned 11 records
# 11 entries
# 0 referrals
root@dfdp-080100016:~# ldbsearch -H /var/lib/sss/db/cache_LDAP_AWSAD.xxxx-xxxx.COM.ldb
asq: Unable to register control with rootdse!
# record 1
dn: cn=users,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: Users
distinguishedName: cn=users,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
# record 2
dn: name=r2,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: r2
dataExpireTimestamp: 1561974578
entryUSN: 245385
name: r2
objectClass: sudoRule
originalDN: CN=r2,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoUser: Admin(a)awsad.xxxx-xxxx.com
sudoUser: admin(a)awsad.xxxx-xxxx.com
distinguishedName: name=r2,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,
cn=sysdb
# record 3
dn: cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: LDAP_AWSAD.xxxx-xxxx.COM
distinguishedName: cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
# record 4
dn: name=defaults,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: defaults
dataExpireTimestamp: 1561974578
entryUSN: 245543
name: defaults
objectClass: sudoRule
originalDN: CN=defaults,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoUser: ALL
sudoUser: all
distinguishedName: name=defaults,cn=sudorules,cn=custom,cn=LDAP_AWSAD.YARA-DFD
P.COM,cn=sysdb
# record 5
dn:
name=%TESTS(a)awsad.xxxx-xxxx.com,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: %TESTS(a)awsad.xxxx-xxxx.com
dataExpireTimestamp: 1561974578
entryUSN: 245477
name: %TESTS(a)awsad.xxxx-xxxx.com
objectClass: sudoRule
originalDN: CN=%TESTS(a)awsad.xxxx-xxxx.com,OU=SUDOers,OU=awsad,DC=awsad,DC=yara
-dfdp,DC=com
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoUser: %TESTS(a)awsad.xxxx-xxxx.com
sudoUser: %tests(a)awsad.xxxx-xxxx.com
distinguishedName: name=%TESTS(a)awsad.xxxx-xxxx.com,cn=sudorules,cn=custom,cn=L
DAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
# record 6
dn: cn=ranges,cn=sysdb
cn: ranges
distinguishedName: cn=ranges,cn=sysdb
# record 7
dn: name=r3,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: r3
dataExpireTimestamp: 1561974578
entryUSN: 245509
name: r3
objectClass: sudoRule
originalDN: CN=r3,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
sudoCommand: ALL
sudoHost: ALL
sudoOption: ALL
sudoUser: Admin(a)ldap_awsad.xxxx-xxxx.com
sudoUser: admin(a)ldap_awsad.xxxx-xxxx.com
distinguishedName: name=r3,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,
cn=sysdb
# record 8
dn: cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: sudorules
sudoLastFullRefreshTime: 1561969178
distinguishedName: cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
# record 9
dn: cn=sysdb
cn: sysdb
description: base object
version: 0.20
distinguishedName: cn=sysdb
# record 10
dn: cn=groups,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: Groups
distinguishedName: cn=groups,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
# record 11
dn: name=r1,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
cn: r1
dataExpireTimestamp: 1561974578
entryUSN: 245304
name: r1
objectClass: sudoRule
originalDN: CN=r1,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoUser: ubuntu(a)ldap_awsad.xxxx-xxxx.com
distinguishedName: name=r1,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,
cn=sysdb
# returned 11 records
# 11 entries
# 0 referrals
/etc/sssd/sssd.conf
[sssd]
services = nss, pam,ssh, sudo
debug_level = 0x7FFF
domains = awsad.xxxx-xxxx.com, aws.dfdp.com, LDAP_AWSAD.xxxx-xxxx.COM
[sudo]
debug_level = 0x3ff0
[domain/LDAP_AWSAD.xxxx-xxxx.COM]
case_sensitive=false
debug_level = 0x3ff0
access_provider = ldap
id_provider = ldap
sudo_provider = ldap
ldap_uri = ldap://xxx.xxx.xxx.xxx
ldap_default_bind_dn = account(a)awsad.xxxx-xxxx.com
ldap_default_authtok = xxxxxxxxx
ldap_sudo_search_base = OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
[domain/awsad.xxxx-xxxx.com]
debug_level = 0x0200
id_provider = ad
access_provider = ad
enumerate = true
subdomain_enumerate = all
ad_domain = AWSAD.xxxx-xxxx.COM
krb5_realm = AWSAD.xxxx-xxxx.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
[domain/aws.xxxx.com]
debug_level = 0x0200
id_provider = ad
access_provider = ad
enumerate = true
ad_domain = AWS.xxxx.COM
krb5_realm = AWS.xxxx.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
[domain/ad.xxxx.com]
debug_level = 0x0200
id_provider = ad
access_provider = ad
ad_server = xxx.ad.xxxx.com
ad_server_backup = xxx.ad.xxxx.com
enumerate = true
ad_domain = AD.XXXX.COM
krb5_realm = AD.XXXX.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
/etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat systemd sss
group: compat systemd sss
shadow: compat sss
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: sss files
Windows AD using the SUDO schema (imported).
Only 1 entry from MS AD for the sake of example:
PS C:\Windows\system32> Get-ADObject –Identity
"CN=r2,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com" -Property *
CanonicalName : awsad.xxxx-xxxx.com/awsad/SUDOers/r2
CN : r2
Created : 6/30/2019 8:59:46 AM
createTimeStamp : 6/30/2019 8:59:46 AM
Deleted :
Description :
DisplayName :
DistinguishedName : CN=r2,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
dSCorePropagationData : {1/1/1601 12:00:00 AM}
instanceType : 4
isDeleted :
LastKnownParent :
Modified : 6/30/2019 8:59:56 AM
modifyTimeStamp : 6/30/2019 8:59:56 AM
Name : r2
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory :
CN=sudoRole,CN=Schema,CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com
ObjectClass : sudoRole
ObjectGUID : 9b660613-94f8-4f58-86bc-21e813027fbf
ProtectedFromAccidentalDeletion : False
sDRightsEffective : 7
sudoCommand : {ALL}
sudoHost : {ALL}
sudoOption : {!authenticate}
sudoUser : {Admin(a)awsad.xxxx-xxxx.com}
uSNChanged : 245385
uSNCreated : 245385
whenChanged : 6/30/2019 8:59:56 AM
whenCreated : 6/30/2019 8:59:46 AM
PS C:\Windows\system32>
Thx a lot! and Cheers!
4:59 a.m.
On Mon, Jul 01, 2019 at 09:09:24AM -0000, B M wrote:
Hi Jakub,
Thx for the suggestions!
Here more logs:
NOTE: Replaced xxxx-xxxx or xxxx from the original name.
/var/log/sssd/sssd_sudo.log
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client
version [1].
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version
[1].
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version
[1]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_get_rules_send] (0x0400): Running
initgroups for [admin(a)awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_set_plugin] (0x2000): CR #8: Setting
"Initgroups by name" plugin
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_send] (0x0400): CR #8: New request
'Initgroups by name'
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_process_input] (0x0400): CR #8:
Parsing input name [admin(a)awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name
'admin(a)awsad.xxxx-xxxx.com' matched expression for domain
'awsad.xxxx-xxxx.com', user is admin
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_set_name] (0x0400): CR #8: Setting
name [admin]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_select_domains] (0x0400): CR #8:
Performing a single domain search
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_domain_get_state] (0x1000): Domain
awsad.xxxx-xxxx.com is Active
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_domains] (0x0400): CR #8:
Search will check the cache and check the data provider
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_validate_domain_type] (0x2000):
Request type POSIX-only for domain awsad.xxxx-xxxx.com type POSIX is valid
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_set_domain] (0x0400): CR #8: Using
domain [awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_prepare_domain_data] (0x0400): CR #8:
Preparing input data for domain [awsad.xxxx-xxxx.com] rules
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_send] (0x0400): CR #8: Looking
up admin(a)awsad.xxxx-xxxx.com
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_ncache] (0x0400): CR #8:
Checking negative cache for [admin(a)awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking
negative cache for [NCE/USER/awsad.xxxx-xxxx.com/admin@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_ncache] (0x0400): CR #8:
[admin(a)awsad.xxxx-xxxx.com] is not present in negative cache
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_cache] (0x0400): CR #8: Looking
up [admin(a)awsad.xxxx-xxxx.com] in cache
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_send] (0x0400): CR #8: Object
found, but needs to be refreshed.
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_dp] (0x0400): CR #8: Looking up
[admin(a)awsad.xxxx-xxxx.com] in data provider
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request
for [0x55c2341d5360:3:admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_get_account_msg] (0x0400): Creating
request for
[awsad.xxxx-xxxx.com][0x3][BE_REQ_INITGROUPS][name=admin@awsad.xxxx-xxxx.com:-]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sbus_add_timeout] (0x2000): 0x55c2362f3a70
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering
request [0x55c2341d5360:3:admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x55c2362f3a70
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_get_reply] (0x0010): The Data Provider
returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
You'll want to fix this first..unless sssd can stay online at least for
the duration of the test, the logs won't be as useful..
The way I usually debug these issues is to find the first occurence of
"Going offline" or "Marking port XYZ as NOT_WORKING" in the log and
then
look couple of lines before.
See inline..
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_common_dp_recv]
(0x0040): CR #8: Data Provider Error: 3, 5, Failed to get reply from Data Provider
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_common_dp_recv] (0x0400): CR #8: Due
to an error we will return cached data
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_cache] (0x0400): CR #8: Looking
up [admin(a)awsad.xxxx-xxxx.com] in cache
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_ncache_filter] (0x0400): CR #8:
This request type does not support filtering result by negative cache
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_done] (0x0400): CR #8:
Returning updated object [admin(a)awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_create_and_add_result] (0x0400): CR
#8: Found 24 entries in domain awsad.xxxx-xxxx.com
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting
request: [0x55c2341d5360:3:admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_done] (0x0400): CR #8: Finished:
Success
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sysdb_get_sudo_user_info] (0x0400): original
name: Admin(a)awsad.xxxx-xxxx.com
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb
with
[(&(objectClass=sudoRule)(dataExpireTimestamp<=1561969502)(|(name=defaults)(sudoUser=ALL)(sudoUser=Admin@awsad.xxxx-xxxx.com)(sudoUser=#1979001109)(sudoUser=%Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Account\20Operators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Active\20Directory\20Based\20Activation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Deleted\20Object\20Lifetime\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Distributed\20File\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Dynamic\20Host\20Configuration\20Protocol\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Enterprise\20Certificate\20Authority\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Fine\20Grained\20Password\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Group\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Managed\20Service\20Account\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Remote\20Access\20Service\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Replicate\20Directory\20Changes\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Sites\20and\20Services\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20System\20Management\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Terminal\20Server\20Licensing\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20User\20Principal\20Name\20Suffix\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Add\20Workstations\20To\20Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%DnsAdmins@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Domain\20Name\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Kerberos\20Delegation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Server\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%TESTS@awsad.xxxx-xxxx.com)(sudoUser=%Domain\20Users(a)awsad.xxxx-xxxx.com)(sudoUser=+*)))]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_refresh_rules_send] (0x0400): No expired
rules were found for [Admin@awsad.xxxx-xxxx.com(a)awsad.xxxx-xxxx.com].
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Retrieving
default options for [Admin@awsad.xxxx-xxxx.com(a)awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb
with [(&(objectClass=sudoRule)(name=defaults))]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0
default options for [Admin@awsad.xxxx-xxxx.com(a)awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_build_response] (0x2000): error: [0]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_build_response] (0x2000): rules_num:
[0]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version
[1]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_get_rules_send] (0x0400): Running
initgroups for [admin(a)awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_set_plugin] (0x2000): CR #9: Setting
"Initgroups by name" plugin
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_send] (0x0400): CR #9: New request
'Initgroups by name'
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_process_input] (0x0400): CR #9:
Parsing input name [admin(a)awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name
'admin(a)awsad.xxxx-xxxx.com' matched expression for domain
'awsad.xxxx-xxxx.com', user is admin
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_set_name] (0x0400): CR #9: Setting
name [admin]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_select_domains] (0x0400): CR #9:
Performing a single domain search
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_domain_get_state] (0x1000): Domain
awsad.xxxx-xxxx.com is Active
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_domains] (0x0400): CR #9:
Search will check the cache and check the data provider
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_validate_domain_type] (0x2000):
Request type POSIX-only for domain awsad.xxxx-xxxx.com type POSIX is valid
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_set_domain] (0x0400): CR #9: Using
domain [awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_prepare_domain_data] (0x0400): CR #9:
Preparing input data for domain [awsad.xxxx-xxxx.com] rules
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_send] (0x0400): CR #9: Looking
up admin(a)awsad.xxxx-xxxx.com
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_ncache] (0x0400): CR #9:
Checking negative cache for [admin(a)awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking
negative cache for [NCE/USER/awsad.xxxx-xxxx.com/admin@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_ncache] (0x0400): CR #9:
[admin(a)awsad.xxxx-xxxx.com] is not present in negative cache
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_cache] (0x0400): CR #9: Looking
up [admin(a)awsad.xxxx-xxxx.com] in cache
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_send] (0x0400): CR #9: Object
found, but needs to be refreshed.
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_dp] (0x0400): CR #9: Looking up
[admin(a)awsad.xxxx-xxxx.com] in data provider
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request
for [0x55c2341d5360:3:admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_get_account_msg] (0x0400): Creating
request for
[awsad.xxxx-xxxx.com][0x3][BE_REQ_INITGROUPS][name=admin@awsad.xxxx-xxxx.com:-]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sbus_add_timeout] (0x2000): 0x55c236313f70
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering
request [0x55c2341d5360:3:admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x55c236313f70
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_get_reply] (0x0010): The Data Provider
returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_common_dp_recv] (0x0040): CR #9: Data
Provider Error: 3, 5, Failed to get reply from Data Provider
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_common_dp_recv] (0x0400): CR #9: Due
to an error we will return cached data
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_cache] (0x0400): CR #9: Looking
up [admin(a)awsad.xxxx-xxxx.com] in cache
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_ncache_filter] (0x0400): CR #9:
This request type does not support filtering result by negative cache
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_search_done] (0x0400): CR #9:
Returning updated object [admin(a)awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_create_and_add_result] (0x0400): CR
#9: Found 24 entries in domain awsad.xxxx-xxxx.com
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting
request: [0x55c2341d5360:3:admin@awsad.xxxx-xxxx.com@awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [cache_req_done] (0x0400): CR #9: Finished:
Success
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sysdb_get_sudo_user_info] (0x0400): original
name: Admin(a)awsad.xxxx-xxxx.com
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb
with
[(&(objectClass=sudoRule)(dataExpireTimestamp<=1561969502)(|(name=defaults)(sudoUser=ALL)(sudoUser=Admin@awsad.xxxx-xxxx.com)(sudoUser=#1979001109)(sudoUser=%Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Account\20Operators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Active\20Directory\20Based\20Activation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Deleted\20Object\20Lifetime\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Distributed\20File\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Dynamic\20Host\20Configuration\20Protocol\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Enterprise\20Certificate\20Authority\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Fine\20Grained\20Password\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Group\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Managed\20Service\20Account\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Remote\20Access\20Service\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Replicate\20Directory\20Changes\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Sites\20and\20Services\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20System\20Management\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Terminal\20Server\20Licensing\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20User\20Principal\20Name\20Suffix\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Add\20Workstations\20To\20Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%DnsAdmins@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Domain\20Name\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Kerberos\20Delegation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Server\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%TESTS@awsad.xxxx-xxxx.com)(sudoUser=%Domain\20Users(a)awsad.xxxx-xxxx.com)(sudoUser=+*)))]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_refresh_rules_send] (0x0400): No expired
rules were found for [Admin@awsad.xxxx-xxxx.com(a)awsad.xxxx-xxxx.com].
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Retrieving rules
for [Admin@awsad.xxxx-xxxx.com(a)awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb
with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=Admin@awsad.xxxx-xxxx.com)(sudoUser=#1979001109)(sudoUser=%Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Account\20Operators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Active\20Directory\20Based\20Activation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Deleted\20Object\20Lifetime\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Distributed\20File\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Dynamic\20Host\20Configuration\20Protocol\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Enterprise\20Certificate\20Authority\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Fine\20Grained\20Password\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Group\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Managed\20Service\20Account\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Remote\20Access\20Service\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Replicate\20Directory\20Changes\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Sites\20and\20Services\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20System\20Management\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Terminal\20Server\20Licensing\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20User\20Principal\20Name\20Suffix\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Add\20Workstations\20To\20Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%DnsAdmins@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Domain\20Name\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Kerberos\20Delegation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Server\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%TESTS@awsad.xxxx-xxxx.com)(sudoUser=%Domain\20Users(a)awsad.xxxx-xxxx.com)))]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_cached_rules_by_user] (0x0400):
Replacing sudoUser attribute with sudoUser: #1979001109
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb
with
[(&(objectClass=sudoRule)(sudoUser=+*)(!(|(sudoUser=ALL)(sudoUser=Admin@awsad.xxxx-xxxx.com)(sudoUser=#1979001109)(sudoUser=%Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Account\20Operators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Active\20Directory\20Based\20Activation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Deleted\20Object\20Lifetime\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Distributed\20File\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Dynamic\20Host\20Configuration\20Protocol\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Enterprise\20Certificate\20Authority\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Fine\20Grained\20Password\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Group\20Policy\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Managed\20Service\20Account\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Remote\20Access\20Service\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Replicate\20Directory\20Changes\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Sites\20and\20Services\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20System\20Management\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Terminal\20Server\20Licensing\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20User\20Principal\20Name\20Suffix\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Add\20Workstations\20To\20Domain\20Users@awsad.xxxx-xxxx.com)(sudoUser=%DnsAdmins@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Domain\20Name\20System\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Kerberos\20Delegation\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%AWS\20Delegated\20Server\20Administrators@awsad.xxxx-xxxx.com)(sudoUser=%TESTS@awsad.xxxx-xxxx.com)(sudoUser=%Domain\20Users(a)awsad.xxxx-xxxx.com))))]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0 rules
for [Admin@awsad.xxxx-xxxx.com(a)awsad.xxxx-xxxx.com]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_build_response] (0x2000): error: [0]
(Mon Jul 1 08:25:02 2019) [sssd[sudo]] [sudosrv_build_response] (0x2000): rules_num:
[0]
/var/log/sssd/sssd_LDAP_AWSAD.XXXX-XXXX.COM.log
(Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_sudo_store_rule]
(0x0400): Adding sudo rule %TESTS(a)awsad.xxxx-xxxx.com
(Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_sudo_store_rule]
(0x0400): Adding sudo rule r3
(Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_sudo_store_rule]
(0x0400): Adding sudo rule defaults
(Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_sudo_refresh_done]
(0x0400): Sudoers is successfully stored in cache
(Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_sudo_set_usn]
(0x0200): SUDO higher USN value: [245544]
(Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_sudo_full_refresh_done] (0x0400): Successful full refresh of sudo rules
(Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [be_ptask_done] (0x0400):
Task [SUDO Full Refresh]: finished successfully
(Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [be_ptask_schedule]
(0x0400): Task [SUDO Full Refresh]: scheduling task 21600 seconds from last execution time
[1561990778]
(Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[(nil)], ldap[0x55f8831bc530]
(Mon Jul 1 08:19:38 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: end of ldap_result list
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sbus_message_handler]
(0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path
/org/freedesktop/sssd/dataprovider
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sbus_get_sender_id_send]
(0x2000): Not a sysbus message, quit
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[dp_get_account_info_handler] (0x0200): Got request for
[0x3][BE_REQ_INITGROUPS][name=ubuntu(a)ldap_awsad.xxxx-xxxx.com]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sss_domain_get_state]
(0x1000): Domain LDAP_AWSAD.xxxx-xxxx.COM is Active
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_attach_req] (0x0400):
DP Request [Initgroups #5]: New request. Flags [0x0001].
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_attach_req] (0x0400):
Number of active DP request: 1
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sss_domain_get_state]
(0x1000): Domain LDAP_AWSAD.xxxx-xxxx.COM is Active
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_initgr_next_base] (0x0400): Searching for users with base
[DC=awsad,DC=xxxx-xxxx,DC=com]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_print_server]
(0x2000): Searching 10.80.100.196:389
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(uid=ubuntu)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][DC=awsad,DC=xxxx-xxxx,DC=com].
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [rhost]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sshPublicKey]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [mail]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_op_add] (0x2000):
New operation 15 timeout 6
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbbe0],
ldap[0x55f8831bc530]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to
[ldap://ForestDnsZones.awsad.xxxx-xxxx.com/DC=ForestDnsZones,DC=awsad,DC=x...]
with fd [23].
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to
[ldap://DomainDnsZones.awsad.xxxx-xxxx.com/DC=DomainDnsZones,DC=awsad,DC=x...]
with fd [24].
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to
[ldap://awsad.xxxx-xxxx.com/CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com] with fd [25].
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_rebind_proc]
(0x1000): Successfully bind to
[ldap://awsad.xxxx-xxxx.com/CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com].
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_rebind_proc]
(0x1000): Successfully bind to
[ldap://DomainDnsZones.awsad.xxxx-xxxx.com/DC=DomainDnsZones,DC=awsad,DC=x...].
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_rebind_proc]
(0x1000): Successfully bind to
[ldap://ForestDnsZones.awsad.xxxx-xxxx.com/DC=ForestDnsZones,DC=awsad,DC=x...].
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_add_references] (0x1000): Additional References:
ldap://ForestDnsZones.awsad.xxxx-xxxx.com/DC=ForestDnsZones,DC=awsad,DC=x...
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbbe0],
ldap[0x55f8831bc530]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_add_references] (0x1000): Additional References:
ldap://awsad.xxxx-xxxx.com/CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbbe0],
ldap[0x55f8831bc530]
(Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_add_references] (0x1000): Additional References:
ldap://DomainDnsZones.awsad.xxxx-xxxx.com/DC=DomainDnsZones,DC=awsad,DC=x...
Here we see many referrals being followed. This is typical with AD and
with LDAP provider with AD you'll want to switch off the referral
support:
ldap_referrals = false
this is documented here:
https://docs.pagure.org/SSSD.sssd/users/ldap_with_ad.html
Is there a reason to use the LDAP provider and not the AD provider?
> (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbbe0],
ldap[0x55f8831bc530]
> (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: end of ldap_result list
> (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbbe0],
ldap[0x55f8831bc530]
> (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_add_references] (0x1000): Additional References:
ldap://awsad.xxxx-xxxx.com/CN=Schema,CN=Configuration,DC=awsad,DC=xxxx-xx...
> (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbbe0],
ldap[0x55f8831bc530]
> (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: end of ldap_result list
> (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbbe0],
ldap[0x55f8831bc530]
> (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_op_destructor]
(0x2000): Operation 15 finished
> (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sysdb_search_user_by_upn] (0x0400): No entry with upn [ubuntu(a)ldap_awsad.xxxx-xxxx.com]
found.
> (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sysdb_search_entry_by_sid_str] (0x0400): No such entry
> (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sysdb_search_object_attr] (0x0400): No such entry.
> (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_get_real_name]
(0x0040): Cannot find user [ubuntu(a)ldap_awsad.xxxx-xxxx.com] in cache
> (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [groups_by_user_done]
(0x2000): Failed to canonicalize name, using [ubuntu(a)ldap_awsad.xxxx-xxxx.com] [2]: No
such file or directory.
> (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sysdb_search_by_name] (0x0400): No such entry
> (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sysdb_cache_search_groups] (0x2000): Search groups with filter:
(&(objectCategory=group)(ghost=ubuntu(a)ldap_awsad.xxxx-xxxx.com))
> (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sysdb_cache_search_groups] (0x2000): No such entry
> (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_delete_user]
(0x0400): Error: 2 (No such file or directory)
> (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_done]
(0x0400): DP Request [Initgroups #5]: Request handler finished [0]: Success
> (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [_dp_req_recv]
(0x0400): DP Request [Initgroups #5]: Receiving request data.
> (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[dp_req_reply_list_success] (0x0400): DP Request [Initgroups #5]: Finished. Success.
> (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_reply_std]
(0x1000): DP Request [Initgroups #5]: Returning [Success]: 0,0,Success
> (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[dp_table_value_destructor] (0x0400): Removing
[0:1:0x0001:3::LDAP_AWSAD.xxxx-xxxx.COM:name=ubuntu@ldap_awsad.xxxx-xxxx.com] from reply
table
> (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_destructor]
(0x0400): DP Request [Initgroups #5]: Request removed.
> (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_destructor]
(0x0400): Number of active DP request: 0
> (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[(nil)], ldap[0x55f8831bc530]
> (Mon Jul 1 08:20:02 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: end of ldap_result list
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sbus_message_handler] (0x2000): Received SBUS method
org.freedesktop.sssd.dataprovider.getAccountInfo on path
/org/freedesktop/sssd/dataprovider
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[dp_get_account_info_handler] (0x0200): Got request for
[0x3][BE_REQ_INITGROUPS][name=ubuntu(a)ldap_awsad.xxxx-xxxx.com]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sss_domain_get_state] (0x1000): Domain LDAP_AWSAD.xxxx-xxxx.COM is Active
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_attach_req]
(0x0400): DP Request [Initgroups #6]: New request. Flags [0x0001].
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_attach_req]
(0x0400): Number of active DP request: 1
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sss_domain_get_state] (0x1000): Domain LDAP_AWSAD.xxxx-xxxx.COM is Active
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_initgr_next_base] (0x0400): Searching for users with base
[DC=awsad,DC=xxxx-xxxx,DC=com]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_print_server]
(0x2000): Searching 10.80.100.196:389
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(uid=ubuntu)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][DC=awsad,DC=xxxx-xxxx,DC=com].
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [rhost]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sshPublicKey]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [mail]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 26
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_op_add]
(0x2000): New operation 26 timeout 6
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbd60],
ldap[0x55f8831bc530]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to
[ldap://ForestDnsZones.awsad.xxxx-xxxx.com/DC=ForestDnsZones,DC=awsad,DC=x...]
with fd [23].
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to
[ldap://DomainDnsZones.awsad.xxxx-xxxx.com/DC=DomainDnsZones,DC=awsad,DC=x...]
with fd [24].
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to
[ldap://awsad.xxxx-xxxx.com/CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com] with fd [25].
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_rebind_proc]
(0x1000): Successfully bind to
[ldap://awsad.xxxx-xxxx.com/CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com].
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_rebind_proc]
(0x1000): Successfully bind to
[ldap://DomainDnsZones.awsad.xxxx-xxxx.com/DC=DomainDnsZones,DC=awsad,DC=x...].
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_rebind_proc]
(0x1000): Successfully bind to
[ldap://ForestDnsZones.awsad.xxxx-xxxx.com/DC=ForestDnsZones,DC=awsad,DC=x...].
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_add_references] (0x1000): Additional References:
ldap://ForestDnsZones.awsad.xxxx-xxxx.com/DC=ForestDnsZones,DC=awsad,DC=x...
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbd60],
ldap[0x55f8831bc530]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_add_references] (0x1000): Additional References:
ldap://awsad.xxxx-xxxx.com/CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbd60],
ldap[0x55f8831bc530]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_add_references] (0x1000): Additional References:
ldap://DomainDnsZones.awsad.xxxx-xxxx.com/DC=DomainDnsZones,DC=awsad,DC=x...
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbd60],
ldap[0x55f8831bc530]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: end of ldap_result list
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbd60],
ldap[0x55f8831bc530]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_ext_add_references] (0x1000): Additional References:
ldap://awsad.xxxx-xxxx.com/CN=Schema,CN=Configuration,DC=awsad,DC=xxxx-xx...
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbd60],
ldap[0x55f8831bc530]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: end of ldap_result list
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[0x55f8831dbd60],
ldap[0x55f8831bc530]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_op_destructor]
(0x2000): Operation 26 finished
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sysdb_search_user_by_upn] (0x0400): No entry with upn [ubuntu(a)ldap_awsad.xxxx-xxxx.com]
found.
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sysdb_search_entry_by_sid_str] (0x0400): No such entry
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sysdb_search_object_attr] (0x0400): No such entry.
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_get_real_name]
(0x0040): Cannot find user [ubuntu(a)ldap_awsad.xxxx-xxxx.com] in cache
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [groups_by_user_done]
(0x2000): Failed to canonicalize name, using [ubuntu(a)ldap_awsad.xxxx-xxxx.com] [2]: No
such file or directory.
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sysdb_search_by_name] (0x0400): No such entry
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sysdb_cache_search_groups] (0x2000): Search groups with filter:
(&(objectCategory=group)(ghost=ubuntu(a)ldap_awsad.xxxx-xxxx.com))
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[sysdb_cache_search_groups] (0x2000): No such entry
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sysdb_delete_user]
(0x0400): Error: 2 (No such file or directory)
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_done]
(0x0400): DP Request [Initgroups #6]: Request handler finished [0]: Success
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [_dp_req_recv]
(0x0400): DP Request [Initgroups #6]: Receiving request data.
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[dp_req_reply_list_success] (0x0400): DP Request [Initgroups #6]: Finished. Success.
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_reply_std]
(0x1000): DP Request [Initgroups #6]: Returning [Success]: 0,0,Success
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]]
[dp_table_value_destructor] (0x0400): Removing
[0:1:0x0001:3::LDAP_AWSAD.xxxx-xxxx.COM:name=ubuntu@ldap_awsad.xxxx-xxxx.com] from reply
table
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_destructor]
(0x0400): DP Request [Initgroups #6]: Request removed.
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [dp_req_destructor]
(0x0400): Number of active DP request: 0
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x55f8831b51f0], connected[1], ops[(nil)], ldap[0x55f8831bc530]
> (Mon Jul 1 08:20:09 2019) [sssd[be[LDAP_AWSAD.xxxx-xxxx.COM]]] [sdap_process_result]
(0x2000): Trace: end of ldap_result list
>
>
> ldbsearch -H /var/lib/sss/db/cache_LDAP_AWSAD.XXXX-XXXX.COM.ldb
>
> asq: Unable to register control with rootdse!
> # record 1
> dn: cn=users,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
> cn: Users
> distinguishedName: cn=users,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
>
> # record 2
> dn: name=r2,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
> cn: r2
> dataExpireTimestamp: 1561974578
> entryUSN: 245385
> name: r2
> objectClass: sudoRule
> originalDN: CN=r2,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
> sudoCommand: ALL
> sudoHost: ALL
> sudoOption: !authenticate
> sudoUser: Admin(a)awsad.xxxx-xxxx.com
> sudoUser: admin(a)awsad.xxxx-xxxx.com
> distinguishedName: name=r2,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,
> cn=sysdb
>
> # record 3
> dn: cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
> cn: LDAP_AWSAD.xxxx-xxxx.COM
> distinguishedName: cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
>
> # record 4
> dn: name=defaults,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
> cn: defaults
> dataExpireTimestamp: 1561974578
> entryUSN: 245543
> name: defaults
> objectClass: sudoRule
> originalDN: CN=defaults,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
> sudoCommand: ALL
> sudoHost: ALL
> sudoOption: !authenticate
> sudoUser: ALL
> sudoUser: all
> distinguishedName: name=defaults,cn=sudorules,cn=custom,cn=LDAP_AWSAD.YARA-DFD
> P.COM,cn=sysdb
>
> # record 5
> dn:
name=%TESTS(a)awsad.xxxx-xxxx.com,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
> cn: %TESTS(a)awsad.xxxx-xxxx.com
> dataExpireTimestamp: 1561974578
> entryUSN: 245477
> name: %TESTS(a)awsad.xxxx-xxxx.com
> objectClass: sudoRule
> originalDN: CN=%TESTS(a)awsad.xxxx-xxxx.com,OU=SUDOers,OU=awsad,DC=awsad,DC=yara
> -dfdp,DC=com
> sudoCommand: ALL
> sudoHost: ALL
> sudoOption: !authenticate
> sudoUser: %TESTS(a)awsad.xxxx-xxxx.com
> sudoUser: %tests(a)awsad.xxxx-xxxx.com
> distinguishedName: name=%TESTS(a)awsad.xxxx-xxxx.com,cn=sudorules,cn=custom,cn=L
> DAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
>
> # record 6
> dn: cn=ranges,cn=sysdb
> cn: ranges
> distinguishedName: cn=ranges,cn=sysdb
>
> # record 7
> dn: name=r3,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
> cn: r3
> dataExpireTimestamp: 1561974578
> entryUSN: 245509
> name: r3
> objectClass: sudoRule
> originalDN: CN=r3,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
> sudoCommand: ALL
> sudoHost: ALL
> sudoOption: ALL
> sudoUser: Admin(a)ldap_awsad.xxxx-xxxx.com
> sudoUser: admin(a)ldap_awsad.xxxx-xxxx.com
> distinguishedName: name=r3,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,
> cn=sysdb
>
> # record 8
> dn: cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
> cn: sudorules
> sudoLastFullRefreshTime: 1561969178
> distinguishedName: cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
>
> # record 9
> dn: cn=sysdb
> cn: sysdb
> description: base object
> version: 0.20
> distinguishedName: cn=sysdb
>
> # record 10
> dn: cn=groups,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
> cn: Groups
> distinguishedName: cn=groups,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
>
> # record 11
> dn: name=r1,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
> cn: r1
> dataExpireTimestamp: 1561974578
> entryUSN: 245304
> name: r1
> objectClass: sudoRule
> originalDN: CN=r1,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
> sudoCommand: ALL
> sudoHost: ALL
> sudoOption: !authenticate
> sudoUser: ubuntu(a)ldap_awsad.xxxx-xxxx.com
> distinguishedName: name=r1,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,
> cn=sysdb
>
> # returned 11 records
> # 11 entries
> # 0 referrals
> root@dfdp-080100016:~# ldbsearch -H
/var/lib/sss/db/cache_LDAP_AWSAD.xxxx-xxxx.COM.ldb
> asq: Unable to register control with rootdse!
> # record 1
> dn: cn=users,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
> cn: Users
> distinguishedName: cn=users,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
>
> # record 2
> dn: name=r2,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
> cn: r2
> dataExpireTimestamp: 1561974578
> entryUSN: 245385
> name: r2
> objectClass: sudoRule
> originalDN: CN=r2,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
> sudoCommand: ALL
> sudoHost: ALL
> sudoOption: !authenticate
> sudoUser: Admin(a)awsad.xxxx-xxxx.com
> sudoUser: admin(a)awsad.xxxx-xxxx.com
> distinguishedName: name=r2,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,
> cn=sysdb
>
> # record 3
> dn: cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
> cn: LDAP_AWSAD.xxxx-xxxx.COM
> distinguishedName: cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
>
> # record 4
> dn: name=defaults,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
> cn: defaults
> dataExpireTimestamp: 1561974578
> entryUSN: 245543
> name: defaults
> objectClass: sudoRule
> originalDN: CN=defaults,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
> sudoCommand: ALL
> sudoHost: ALL
> sudoOption: !authenticate
> sudoUser: ALL
> sudoUser: all
> distinguishedName: name=defaults,cn=sudorules,cn=custom,cn=LDAP_AWSAD.YARA-DFD
> P.COM,cn=sysdb
>
> # record 5
> dn:
name=%TESTS(a)awsad.xxxx-xxxx.com,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
> cn: %TESTS(a)awsad.xxxx-xxxx.com
> dataExpireTimestamp: 1561974578
> entryUSN: 245477
> name: %TESTS(a)awsad.xxxx-xxxx.com
> objectClass: sudoRule
> originalDN: CN=%TESTS(a)awsad.xxxx-xxxx.com,OU=SUDOers,OU=awsad,DC=awsad,DC=yara
> -dfdp,DC=com
> sudoCommand: ALL
> sudoHost: ALL
> sudoOption: !authenticate
> sudoUser: %TESTS(a)awsad.xxxx-xxxx.com
> sudoUser: %tests(a)awsad.xxxx-xxxx.com
> distinguishedName: name=%TESTS(a)awsad.xxxx-xxxx.com,cn=sudorules,cn=custom,cn=L
> DAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
>
> # record 6
> dn: cn=ranges,cn=sysdb
> cn: ranges
> distinguishedName: cn=ranges,cn=sysdb
>
> # record 7
> dn: name=r3,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
> cn: r3
> dataExpireTimestamp: 1561974578
> entryUSN: 245509
> name: r3
> objectClass: sudoRule
> originalDN: CN=r3,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
> sudoCommand: ALL
> sudoHost: ALL
> sudoOption: ALL
> sudoUser: Admin(a)ldap_awsad.xxxx-xxxx.com
> sudoUser: admin(a)ldap_awsad.xxxx-xxxx.com
> distinguishedName: name=r3,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,
> cn=sysdb
>
> # record 8
> dn: cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
> cn: sudorules
> sudoLastFullRefreshTime: 1561969178
> distinguishedName: cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
>
> # record 9
> dn: cn=sysdb
> cn: sysdb
> description: base object
> version: 0.20
> distinguishedName: cn=sysdb
>
> # record 10
> dn: cn=groups,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
> cn: Groups
> distinguishedName: cn=groups,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
>
> # record 11
> dn: name=r1,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,cn=sysdb
> cn: r1
> dataExpireTimestamp: 1561974578
> entryUSN: 245304
> name: r1
> objectClass: sudoRule
> originalDN: CN=r1,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
> sudoCommand: ALL
> sudoHost: ALL
> sudoOption: !authenticate
> sudoUser: ubuntu(a)ldap_awsad.xxxx-xxxx.com
> distinguishedName: name=r1,cn=sudorules,cn=custom,cn=LDAP_AWSAD.xxxx-xxxx.COM,
> cn=sysdb
>
> # returned 11 records
> # 11 entries
> # 0 referrals
>
> /etc/sssd/sssd.conf
>
> [sssd]
> services = nss, pam,ssh, sudo
> debug_level = 0x7FFF
> domains = awsad.xxxx-xxxx.com, aws.dfdp.com, LDAP_AWSAD.xxxx-xxxx.COM
>
> [sudo]
> debug_level = 0x3ff0
>
> [domain/LDAP_AWSAD.xxxx-xxxx.COM]
> case_sensitive=false
> debug_level = 0x3ff0
> access_provider = ldap
> id_provider = ldap
> sudo_provider = ldap
> ldap_uri = ldap://xxx.xxx.xxx.xxx
> ldap_default_bind_dn = account(a)awsad.xxxx-xxxx.com
> ldap_default_authtok = xxxxxxxxx
> ldap_sudo_search_base = OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
>
> [domain/awsad.xxxx-xxxx.com]
> debug_level = 0x0200
> id_provider = ad
> access_provider = ad
> enumerate = true
> subdomain_enumerate = all
> ad_domain = AWSAD.xxxx-xxxx.COM
> krb5_realm = AWSAD.xxxx-xxxx.COM
> realmd_tags = manages-system joined-with-adcli
> cache_credentials = True
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = True
> use_fully_qualified_names = True
> fallback_homedir = /home/%d/%u
>
> [domain/aws.xxxx.com]
> debug_level = 0x0200
> id_provider = ad
> access_provider = ad
> enumerate = true
> ad_domain = AWS.xxxx.COM
> krb5_realm = AWS.xxxx.COM
> realmd_tags = manages-system joined-with-adcli
> cache_credentials = True
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = True
> use_fully_qualified_names = True
> fallback_homedir = /home/%d/%u
>
>
> [domain/ad.xxxx.com]
> debug_level = 0x0200
> id_provider = ad
> access_provider = ad
> ad_server = xxx.ad.xxxx.com
> ad_server_backup = xxx.ad.xxxx.com
> enumerate = true
> ad_domain = AD.XXXX.COM
> krb5_realm = AD.XXXX.COM
> realmd_tags = manages-system joined-with-adcli
> cache_credentials = True
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = True
> use_fully_qualified_names = True
> fallback_homedir = /home/%d/%u
>
>
>
> /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat systemd sss
> group: compat systemd sss
> shadow: compat sss
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files sss
> ethers: db files
> rpc: db files
>
> netgroup: nis sss
> sudoers: sss files
>
>
> Windows AD using the SUDO schema (imported).
>
> Only 1 entry from MS AD for the sake of example:
>
> PS C:\Windows\system32> Get-ADObject –Identity
"CN=r2,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com" -Property *
>
>
> CanonicalName : awsad.xxxx-xxxx.com/awsad/SUDOers/r2
> CN : r2
> Created : 6/30/2019 8:59:46 AM
> createTimeStamp : 6/30/2019 8:59:46 AM
> Deleted :
> Description :
> DisplayName :
> DistinguishedName :
CN=r2,OU=SUDOers,OU=awsad,DC=awsad,DC=xxxx-xxxx,DC=com
> dSCorePropagationData : {1/1/1601 12:00:00 AM}
> instanceType : 4
> isDeleted :
> LastKnownParent :
> Modified : 6/30/2019 8:59:56 AM
> modifyTimeStamp : 6/30/2019 8:59:56 AM
> Name : r2
> nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
> ObjectCategory :
CN=sudoRole,CN=Schema,CN=Configuration,DC=awsad,DC=xxxx-xxxx,DC=com
> ObjectClass : sudoRole
> ObjectGUID : 9b660613-94f8-4f58-86bc-21e813027fbf
> ProtectedFromAccidentalDeletion : False
> sDRightsEffective : 7
> sudoCommand : {ALL}
> sudoHost : {ALL}
> sudoOption : {!authenticate}
> sudoUser : {Admin(a)awsad.xxxx-xxxx.com}
> uSNChanged : 245385
> uSNCreated : 245385
> whenChanged : 6/30/2019 8:59:56 AM
> whenCreated : 6/30/2019 8:59:46 AM
>
>
>
>
> PS C:\Windows\system32>
>
>
> Thx a lot! and Cheers!
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
1621
days inactive
1623
days old
sssd-users@lists.fedorahosted.org
3 comments
3 participants
participants (3)
-
B M -
Bruno Monteiro
-
Jakub Hrozek