Hi sssd-users list,
I am facing a strange issue on several CentOS servers. It seems that after a while (days) sudo no longer works for some of my users. We keep the sudo rules in OpenLDAP. If a user runs 'sudo su -', he gets an error message ("User abc is not allowed to run sudo on ...."); however, if the user runs 'id' first and then 'sudo su -', in some cases it works fine and the user can get root access. I even upgraded to the unofficial repo, hoping that the issue we see is similar or identical to https://fedorahosted.org/sssd/ticket/2970. But I think it's a different issue.
Any ideas? Next I will be looking at dumping the local sssd cache files. I can provide debug_level = 9 log files offline if needed.
Thank you
root@server yum.repos.d # rpm -qa | egrep sssd sssd-common-pac-1.13.4-4.el6.x86_64 sssd-ldap-1.13.4-4.el6.x86_64 sssd-tools-1.13.4-4.el6.x86_64 sssd-client-1.13.4-4.el6.x86_64 sssd-ad-1.13.4-4.el6.x86_64 python-sssdconfig-1.13.4-4.el6.noarch sssd-common-1.13.4-4.el6.x86_64 sssd-ipa-1.13.4-4.el6.x86_64 sssd-proxy-1.13.4-4.el6.x86_64 sssd-krb5-common-1.13.4-4.el6.x86_64 sssd-krb5-1.13.4-4.el6.x86_64 sssd-1.13.4-4.el6.x86_64
root@server sssd # vim /etc/sssd/sssd.conf # set debug = 9
root@server sssd # sudo -U abc -l User abc is not allowed to run sudo on server.
root@server sssd # egrep sudo /etc/nsswitch.conf sudoers: sss
root@server sssd # ip a s dev eth0 | egrep global inet 216.X.Y.Z/26 brd 216.X.Y.Z scope global eth0
root@server sssd # id abc uid=100001044(abc) gid=1009(...) groups=1202(...),1168(...),1191(...),1102(...),1009(...),1101(...),1127(...),1167(...),1111(...),1178(...),1109(...),1199(...),1208(stage),1117(...),1198(...),1192(...),1206(...),1176(...),1404(...),1183(...),1103(...),1110(...),1205
root@abc sssd # sudo -U abc -l Matching Defaults entries for abc on this host: [...]
User abc may run the following commands on this host: (ALL) PASSWD: ALL
# LDAP Sudo def dn: cn=stage,ou=sudoers,o=Domain,dc=domain,dc=com sudoOrder: 42 [...] sudoUser: %stage sudoRunAs: ALL cn: stage description: Allow Trusted Senior stuff become root sudoCommand: ALL sudoHost: 216.X.Y.Z [...] objectClass: top objectClass: sudoRole sudoOption: authenticate
# Group def dn: cn=stage,ou=groups,o=Domain,dc=domain,dc=com gidNumber: 1208 cn: stage description: stage Group objectClass: posixGroup objectClass: top memberUid: abc hMemberDN: uid=abc,ou=users,o=Domain,dc=domain,dc=com
Sanitized sssd.conf:
[sssd] config_file_version = 2 sbus_timeout = 30 services = nss, pam, sudo, ssh domains = LOCAL, DOMAIN1, DOMAIN2
[nss] filter_users = adm,apache,avahi,bin,daemon,dbus,ecryptfs,ftp,git,games,gopher,haldaemon,halt,hfallback,ldap,lp,mail,mailnull,named,news,nfsnobody,nobody,nscd,nslcd,ntp,operator,oprofile,ossec,postfix,puppet,puppet-dashboard,pulse,pulse-access,radiusd,root,rpc,rpcuser,rtkit,saslauth,sfallback,shutdown,slocate,smmsp,sshd,sync,tcpdump,tss,uucp,vcsa filter_groups = adm,apache,audio,bin,cdrom,cgred,daemon,dbus,dialout,dip,disk,ecryptfs,floppy,fuse,git,hfallback,kmem,ldap,lock,lp,mail,mailnull,man,mem,nfsnobody,nobody,nscd,ntp,ossec,oprofile,postdrop,postfix,puppet,puppet-dashboard,pulse,pulse-access,root,rpc,rpcuser,rtkit,saslauth,sfallback,slocate,smmsp,sshd,sys,tape,tcpdump,tss,tty,users,utempter,utmp,vcsa,video override_shell = /bin/bash
[pam] debug_level = 3 reconnection_retries = 3 offline_credentials_expiration = 2 offline_failed_login_attempts = 3 offline_failed_login_delay = 5 pam_verbosity = 1 pam_pwd_expiration_warning = 21 pam_account_expired_message = Account expired, please use selfservice portal to change your password and extend account.
[sudo] debug_level=9
[ssh] # debug_level=9
[domain/LOCAL] description = LOCAL Users domain id_provider = local enumerate = true min_id = 500 max_id = 999 default_shell = /bin/bash base_directory = /home create_homedir = false remove_homedir = true homedir_umask = 077 skel_dir = /etc/skel mail_dir = /var/spool/mail
######### SECTION: DOMAIN1 [domain/DOMAIN1] min_id = 499 debug_level = 9 cache_credentials = True entry_cache_timeout = 864000
auth_provider = ldap id_provider = ldap access_provider = ldap #chpass_provider = ldap sudo_provider = ldap selinux_provider = none autofs_provider = none
# LDAP Search ldap_search_base = dc=domain,dc=com ldap_group_search_base = ou=groups,o=Domain,dc=domain,dc=com ldap_user_search_base = ou=users,o=Domain,dc=domain,dc=com?subtree?(|(description=cn=stage,ou=groups,o=Domain,dc=domain,dc=com)(.....)(.....))
# LDAP Custom Schema ldap_group_member = hMemberDN ldap_user_member_of = description # this should really be rfc2307 ldap_schema = rfc2307bis
ldap_network_timeout = 3 ldap_id_use_start_tls = False ldap_tls_reqcert = never ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_uri = ldaps://s1.sec.domain.com, ldaps://s2.sec.domain.com, ldaps://s3.sec.domain.com ldap_backup_uri = ldaps://66.X.Y.Z
ldap_default_authtok_type = obfuscated_password ldap_default_bind_dn = uid=MYDN ldap_default_authtok = MYPASS
ldap_user_ssh_public_key = sshPublicKey
ldap_pwd_policy = none ldap_account_expire_policy = shadow ldap_user_shadow_expire = shadowExpire # shadowExpire: days since Jan 1, 1970 that account is disabled: $ echo $(($(date --utc --date "$1" +%s)/86400))
ldap_chpass_update_last_change = false
ldap_access_order = filter, expire ldap_access_filter = (&(objectClass=posixAccount)(uidNumber=*)(hAccountInitialSetup=1)(|(description=cn=stage,ou=groups,o=Domain,dc=domain,dc=com)))
# SUDO ldap_sudo_search_base = ou=sudoers,o=Domain,dc=domain,dc=com ldap_sudo_full_refresh_interval = 86400 ldap_sudo_smart_refresh_interval = 3600 #entry_cache_sudo_timeout = 5400
DOMAIN2 uses the same options, except for the filters and the user/group search bases.
hMemberDN is defined in nis.schema; it is a relic of OpenLDAP 2.2, a workaround applied before the transition to 2.4.40.
# Modification to posixGroup attributetype ( 1.3.6.1.1.1.1.28 NAME 'hMemberDN' DESC 'RFC2256: member of a group' SUP distinguishedName )
objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' DESC 'Abstraction of a group of accounts' SUP top STRUCTURAL MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ hMemberDN $ description ) )
hMemberDN: uid=abc,ou=users,o=Domain,dc=domain,dc=com