Hi all, I use SSSD with OpenLDAP and I am able to authenticate users. I am trying to configure SSSD for managing and caching sudo, but I can't use sudo and the system replies with this:
Sorry, user xxx is not allowed to execute '/usr/bin/apt-get update' as root on MACHINE.
This is my sssd.conf
[nss]
filter_groups = root,andrea
filter_users = root,andrea
reconnection_retries = 3
debug_level = 4

[pam]
reconnection_retries = 3
debug_level = 4
offline_credentials_expiration = 90

[sudo]
debug_level = 7
# default values in seconds
#ldap_sudo_full_refresh_interval=21600
#ldap_sudo_smart_refresh_interval=900
ldap_sudo_full_refresh_interval=10
ldap_sudo_smart_refresh_interval=10

[sssd]
config_file_version = 2
reconnection_retries = 3
services = nss, pam, sudo
domains = mydomain.com

[domain/mydomain.com]
debug_level = 7
cache_credentials = true
account_cache_expiration = 90
# With this as false, a simple "getent passwd" for testing won't work. You must do getent passwd user@domain.com
# enumerate = false
enumerate = true

id_provider = ldap
auth_provider = ldap
access_provider = ldap
sudo_provider = ldap
# chpass_provider = ldap

ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

ldap_uri = ldap://LDAPSERVER
ldap_search_base = dc=mydomain,dc=com
ldap_access_filter = (uidNumber=*)
ldap_sudo_search_base = ou=sudoers,dc=mydomain,dc=com
This is my nsswitch.conf

passwd: compat sss
group: compat sss
shadow: compat sss
sudoers: files sss
This is the log output:
tail -f /var/log/auth.log /var/log/sssd/sssd_sudo.log /var/log/sssd/sssd_widegroup.eu.log
==> /var/log/auth.log <==
Nov 8 15:50:46 andrea-X550LA sudo: pam_unix(sudo:auth): authentication failure; logname=MYUSER uid=1126 euid=0 tty=/dev/pts/7 ruser=MYUSER rhost= user=MYUSER

==> /var/log/sssd/sssd_mydomain.com.log <==
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_get_account_info] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=MYUSER]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_req_set_domain] (0x0400): Changing request domain from [mydomain.com] to [mydomain.com]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [dc=mydomain,dc=eu]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=MYUSER)(objectclass=posixAccount)(&(uidNumber=*)(! (uidNumber=0))))][dc=mydomain,dc=eu].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sshPublicKey]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [uid=MYUSER,ou=people,dc=mydomain,dc=eu].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_save_user] (0x0400): Save user
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_primary_name] (0x0400): Processing object MYUSER
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_save_user] (0x0400): Processing user MYUSER
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_save_user] (0x0400): Original memberOf is not available for [MYUSER].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_save_user] (0x0400): User principal is not available for [MYUSER].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_save_user] (0x0400): Storing info for user MYUSER
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_initgr_rfc2307_next_base] (0x0400): Searching for groups with base [dc=mydomain,dc=eu]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=MYUSER)(objectClass=posixGroup)(cn=*)( &(gidNumber=*)(!(gidNumber=0))))][dc=mydomain,dc=eu].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=netsudo,ou=groups,dc=mydomain,dc=eu].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_initgr_done] (0x0400): Primary group already cached, nothing to do.
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_req_set_domain] (0x0400): Changing request domain from [mydomain.com] to [mydomain.com]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): domain: mydomain.com
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): user: MYUSER
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): service: sudo
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): tty: /dev/pts/7
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): ruser: MYUSER
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): rhost:
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): authtok type: 1
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): priv: 0
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): cli_pid: 7144
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): logon name: not set
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [get_server_status] (0x1000): Status of server 'LDAPSERVER' is 'working'
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'LDAPSERVER' is 'working'
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [get_server_status] (0x1000): Status of server 'LDAPSERVER' is 'working'
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_resolve_server_process] (0x0200): Found address for server LDAPSERVER: [xxx.xxx.xxx.xxx] TTL 2222
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_uri_callback] (0x0400): Constructed uri 'ldap://LDAPSERVER'
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://LDAPSERVER:389/??base] with fd [24].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_sys_connect_done] (0x0100): Executing START TLS
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_connect_done] (0x0080): START TLS result: Success(0), (null)
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'LDAPSERVER' as 'working'
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [set_server_common_status] (0x0100): Marking server 'LDAPSERVER' as 'working'
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'LDAPSERVER' as 'working'
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [simple_bind_send] (0x0100): Executing simple bind as: uid=MYUSER,ou=people,dc=mydomain,dc=eu
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [simple_bind_done] (0x1000): Password Policy Response: expire [-1] grace [-1] error [No error].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [simple_bind_done] (0x0400): Bind result: Success(0), no errmsg set
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_pam_auth_done] (0x0100): Password successfully cached for MYUSER
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][mydomain.com]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][mydomain.com]

==> /var/log/auth.log <==
Nov 8 15:50:46 andrea-X550LA sudo: pam_sss(sudo:auth): authentication success; logname=MYUSER uid=1126 euid=0 tty=/dev/pts/7 ruser=MYUSER rhost= user=MYUSER

==> /var/log/sssd/sssd_mydomain.com.log <==
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_req_set_domain] (0x0400): Changing request domain from [mydomain.com] to [mydomain.com]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): domain: mydomain.com
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): user: MYUSER
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): service: sudo
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): tty: /dev/pts/7
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): ruser: MYUSER
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): rhost:
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): authtok type: 0
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): priv: 0
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): cli_pid: 7144
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): logon name: not set
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_access_send] (0x0400): Performing access check for user [MYUSER]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [MYUSER]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_access_filter_send] (0x0400): Checking filter against LDAP
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=MYUSER)(objectclass=posixAccount)(uidNumber=*))][uid=MYUSER,ou=people,dc=mydomain,dc=eu].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [uid=MYUSER,ou=people,dc=mydomain,dc=eu].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_access_filter_done] (0x0400): Access granted by online lookup
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0400): SELinux provider doesn't exist, not sending the request to it.
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][mydomain.com]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][mydomain.com]

==> /var/log/auth.log <==
Nov 8 15:50:46 andrea-X550LA sudo: MYUSER : command not allowed ; TTY=pts/7 ; PWD=/home/MYUSER ; USER=root ; COMMAND=/usr/bin/apt-get update

==> /var/log/sssd/sssd_sudo.log <==
(Wed Nov 8 15:50:46 2017) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
Please, could you help me understand what's wrong?
Many thanks in advance and any help is appreciated.
Regards.
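The log excerpt above actually answers the first question a responder would ask: pam_sss reports "authentication success", the backend reports "Access granted by online lookup" for SSS_PAM_ACCT_MGMT, and only then does sudo log "command not allowed". So the login stages passed and the denial comes from sudo's policy evaluation, i.e. no matching sudoers rule was served by the files or sss sources. The script below is an added example, not code from the post or from the SSSD project: it parses the sudo syslog lines and SSSD debug lines in the formats quoted above, reports which stage failed, and runs a few static checks over sssd.conf and nsswitch.conf. The finding codes are my own. Two assumptions are worth stating: the MISPLACED_OPTION check relies on ldap_sudo_full_refresh_interval and ldap_sudo_smart_refresh_interval being domain-section options (as sssd-ldap(5) documents them), so they do nothing under [sudo]; and the BASE_MISMATCH check fires on this sample because the posted config says dc=mydomain,dc=com while the logged DNs say dc=mydomain,dc=eu, which looks like separate anonymization of the two, but on a live host the same finding would mean sudo rules are being searched in a tree where the directory's entries do not live. All sample input is constructed, abridged from what the post quotes.

```python
"""Triage a denied sudo attempt on an SSSD + OpenLDAP client. Added example, not code from the post:
it correlates the sudo lines in auth.log with the SSSD backend and sudo responder logs to tell an
authentication failure apart from a sudoers rule lookup failure, then runs static checks over
sssd.conf and nsswitch.conf. Sample input is constructed, abridged from what the post quotes."""
import configparser
import re

# Constructed sample input: host, user, DNs and domain are the post's placeholders.
AUTH_LOG = """\
Nov 8 15:50:46 host sudo: pam_unix(sudo:auth): authentication failure; logname=MYUSER uid=1126 euid=0 tty=/dev/pts/7 ruser=MYUSER rhost= user=MYUSER
Nov 8 15:50:46 host sudo: pam_sss(sudo:auth): authentication success; logname=MYUSER uid=1126 euid=0 tty=/dev/pts/7 ruser=MYUSER rhost= user=MYUSER
Nov 8 15:50:46 host sudo: MYUSER : command not allowed ; TTY=pts/7 ; PWD=/home/MYUSER ; USER=root ; COMMAND=/usr/bin/apt-get update
"""
BACKEND_LOG = """\
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [uid=MYUSER,ou=people,dc=mydomain,dc=eu].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_pam_auth_done] (0x0100): Password successfully cached for MYUSER
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_access_filter_done] (0x0400): Access granted by online lookup
"""
SUDO_LOG = "(Wed Nov 8 15:50:46 2017) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!\n"
SSSD_CONF = """\
[sudo]
ldap_sudo_full_refresh_interval=10
ldap_sudo_smart_refresh_interval=10
[sssd]
services = nss, pam, sudo
domains = mydomain.com
[domain/mydomain.com]
sudo_provider = ldap
ldap_search_base = dc=mydomain,dc=com
ldap_sudo_search_base = ou=sudoers,dc=mydomain,dc=com
"""
NSSWITCH = "passwd: compat sss\ngroup: compat sss\nsudoers: files sss\n"

PAM_RE = re.compile(r"sudo: (?P<module>pam_\w+)\(sudo:auth\): authentication (?P<result>success|failure)")
DENY_RE = re.compile(r"sudo: (?P<user>\S+) : command not allowed ;.*COMMAND=(?P<cmd>.+)$")
SSSD_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<svc>.*?)\]\] \[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-f]+)\): (?P<msg>.*)$")
DN_RE = re.compile(r"OriginalDN: \[(?P<dn>[^\]]+)\]")

def parse_auth_log(text):
    """Extract sudo PAM results and 'command not allowed' denials from auth.log lines."""
    events = []
    for line in text.splitlines():
        if m := PAM_RE.search(line):
            events.append({"kind": "pam", "module": m["module"], "result": m["result"]})
        elif m := DENY_RE.search(line):
            events.append({"kind": "deny", "user": m["user"], "cmd": m["cmd"].strip()})
    return events

def parse_sssd_log(text):
    """Split SSSD debug lines into timestamp, service, function, level and message."""
    return [m.groupdict() for m in map(SSSD_RE.match, text.splitlines()) if m]

def diagnose(auth_events, backend, sudo_responder):
    """Return (code, detail) findings naming the stage at which sudo stopped."""
    findings = []
    sss_auth_ok = any(e["kind"] == "pam" and e["module"] == "pam_sss" and e["result"] == "success" for e in auth_events)
    acct_ok = any("Access granted" in e["msg"] for e in backend)  # logged by sdap_access_filter_done
    denials = [e for e in auth_events if e["kind"] == "deny"]
    if not sss_auth_ok:
        findings.append(("AUTH_FAILED", "pam_sss did not report a successful authentication"))
    elif not acct_ok:
        findings.append(("ACCESS_DENIED", "backend access check (ldap_access_filter) did not grant access"))
    else:  # both PAM stages passed, so a denial comes from sudo's policy evaluation, not from login
        for d in denials:
            findings.append(("POLICY_DENIED", f"no sudoers rule matched {d['cmd']!r} for {d['user']}"))
    if denials and sudo_responder and all("disconnected" in e["msg"].lower() for e in sudo_responder):
        findings.append(("SUDO_RESPONDER_QUIET", "sssd_sudo.log shows only a client disconnect, no rule lookup"))
    return findings

def check_config(sssd_conf, nsswitch, backend):
    """Static checks: sudo wired through SSSD, options in the right section, search bases agree."""
    findings = []
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_conf)
    if "sudo" not in [s.strip() for s in cfg.get("sssd", "services", fallback="").split(",")]:
        findings.append(("NO_SUDO_SERVICE", "'sudo' is missing from services= in [sssd]"))
    for opt in (cfg.options("sudo") if cfg.has_section("sudo") else []):
        if opt.startswith("ldap_"):  # ldap_* options are domain options; the responder section ignores them
            findings.append(("MISPLACED_OPTION", f"{opt} under [sudo] has no effect; it belongs in the domain section"))
    seen_dns = [m["dn"] for e in backend if (m := DN_RE.search(e["msg"]))]
    for dom in cfg.get("sssd", "domains", fallback="").split(","):
        sec = cfg[f"domain/{dom.strip()}"]
        base = sec.get("ldap_search_base", "").lower()
        sudo_base = sec.get("ldap_sudo_search_base", base).lower()
        if not sudo_base.endswith(base):
            findings.append(("SUDO_BASE_OUTSIDE_TREE", f"{sudo_base} is not under {base}"))
        for dn in seen_dns:  # entries the backend actually returned should sit under the configured base
            if not dn.lower().endswith(base):
                findings.append(("BASE_MISMATCH", f"logged entry {dn} lies outside configured base {base}"))
    sources = next((line.split(":", 1)[1].split() for line in nsswitch.splitlines() if line.startswith("sudoers:")), [])
    if "sss" not in sources:
        findings.append(("NSSWITCH_SUDOERS", "the sudoers: line in nsswitch.conf does not list sss"))
    return findings

if __name__ == "__main__":
    auth, be = parse_auth_log(AUTH_LOG), parse_sssd_log(BACKEND_LOG)
    for code, detail in diagnose(auth, be, parse_sssd_log(SUDO_LOG)) + check_config(SSSD_CONF, NSSWITCH, be):
        print(f"{code:22} {detail}")
```

On a real client, feed it `journalctl -u sudo` or /var/log/auth.log plus the domain and sudo responder logs at the debug levels shown in the post; the POLICY_DENIED finding is the cue to check, with `sudo -l` as the user, whether any rule under ldap_sudo_search_base names that user and host at all, rather than to keep looking at the authentication path.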