On (13/11/17 11:20), Andrea Passuello wrote:
Thanks all for the answers.
This is the debug with level=10.
(Mon Nov 13 10:35:40 2017) [sssd[be[MYDOMAIN.COM]]] [sbus_dispatch] (0x4000): dbus conn: 0xe76180
(Mon Nov 13 10:35:40 2017) [sssd[be[MYDOMAIN.COM]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Nov 13 10:35:40 2017) [sssd[be[MYDOMAIN.COM]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Mon Nov 13 10:35:40 2017) [sssd[be[MYDOMAIN.COM]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit

==> sssd_sudo.log <==
(Mon Nov 13 10:35:47 2017) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1f4b430][19]
(Mon Nov 13 10:35:47 2017) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Mon Nov 13 10:35:47 2017) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x1f4b430][19]

==> sssd_MYDOMAIN.COM.log <==
(Mon Nov 13 10:35:50 2017) [sssd[be[MYDOMAIN.COM]]] [sbus_dispatch] (0x4000): dbus conn: 0xe76180
(Mon Nov 13 10:35:50 2017) [sssd[be[MYDOMAIN.COM]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Nov 13 10:35:50 2017) [sssd[be[MYDOMAIN.COM]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Mon Nov 13 10:35:50 2017) [sssd[be[MYDOMAIN.COM]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit

==> sssd_sudo.log <==
(Mon Nov 13 10:35:50 2017) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 0x1f3d6d0
(Mon Nov 13 10:35:50 2017) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Nov 13 10:35:50 2017) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Mon Nov 13 10:35:50 2017) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
You didn't provide sudo logs, only sssd logs.
This is the output of "sudo -l"
$ sudo -l
Matching Defaults entries for MYUSER on andrea-X550LA:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User MYUSER may run the following commands on andrea-X550LA:
    (root) NOPASSWD: /usr/lib/linuxmint/mintUpdate/checkAPT.py
    (ALL : ALL)
OK, sudo says that you are allowed to run some commands. I cannot see any problem.
My sudo version is 1.8.16, I think it should be quite up-to-date. Isn't it?
If I check MYUSER's groups I can see the SystemAdmin group, which is the group I set in LDAP and which is referred to by LDAP's sudoers.
$ groups MYUSER
adm cdrom dip plugdev lpadmin sambashare wireshark SystemAdmin
This is the ldapsearch output:
$ ldapsearch -H ldap://LDAPSERVER -b ou=sudoers,dc=MYDOMAIN,dc=COM -ZZ '(&(objectClass=sudoRole))' -x
# extended LDIF
#
# LDAPv3
# base <ou=sudoers,dc=MYDOMAIN,dc=COM> with scope subtree
# filter: (&(objectClass=sudoRole))
# requesting: ALL
#

# SystemAdmin, sudoers, MYDOMAIN.COM
dn: cn=SystemAdmin,ou=sudoers,dc=MYDOMAIN,dc=COM
cn: SystemAdmin
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoHost: ALL
sudoUser: %SystemAdmin
sudoOrder: 0
objectClass: sudoRole
Ahh, you want to check this rule.

Is that sudo rule stored in the sssd cache? You can check with ldbsearch:

ldbsearch -H /var/lib/sss/db/cache_${domain}.ldb

The output looks like LDIF but it is not the same as what is stored in the directory server, because it is the sssd internal cache and not a mirror of the directory server.

BTW, is your user a member of the group SystemAdmin? Call "id" without any parameters in the same shell as sudo.

I would also recommend checking the sudo logs: https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html -> "a) How do I get sudo logs?"
LS
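As an added illustration of the check LS describes (does the sudoRole's sudoUser/sudoHost actually match this user, given the groups that `id` reports), here is a small Python matcher that is not part of the thread or of sssd/sudo. The LDIF and the `id` line it uses are constructed from the values quoted above, and its matching is a simplified form of sudo's (no netgroups, wildcards or user-ID forms).

```python
import re
# Constructed sample inputs, not captured from Andrea's machine: the thread's
# sudoRole entry as ldapsearch prints it, and an `id` line as LS asks for.
SAMPLE_LDIF = """\
# SystemAdmin, sudoers, MYDOMAIN.COM
dn: cn=SystemAdmin,ou=sudoers,dc=MYDOMAIN,dc=COM
cn: SystemAdmin
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoHost: ALL
sudoUser: %SystemAdmin
sudoOrder: 0
objectClass: sudoRole
"""
SAMPLE_ID = "uid=1000(MYUSER) gid=1000(MYUSER) groups=1000(MYUSER),4(adm),2001(SystemAdmin)"

def parse_sudo_roles(ldif):
    """Return sudoRole entries as attribute -> list of values; '#' lines are skipped."""
    entries, cur = [], {}
    for line in ldif.splitlines():
        if not line.strip():  # a blank line ends an entry
            if cur:
                entries.append(cur)
                cur = {}
        elif not line.startswith("#"):
            attr, _, val = line.partition(":")
            cur.setdefault(attr.strip(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return [e for e in entries if "sudoRole" in e.get("objectClass", [])]

def groups_from_id(id_output):
    """Group names from the groups=... field of `id` output."""
    m = re.search(r"groups=(\S+)", id_output)
    return set(re.findall(r"\d+\(([^)]+)\)", m.group(1))) if m else set()

def rule_applies(rule, user, groups, host):
    """sudoUser: login name, ALL, or %group the user is in; sudoHost: hostname or
    ALL. Netgroups and wildcards are not handled; group names compare case-sensitively."""
    user_ok = any(u == "ALL" or u == user or (u.startswith("%") and u[1:] in groups)
                  for u in rule.get("sudoUser", []))
    host_ok = any(h == "ALL" or h.lower() == host.lower()
                  for h in rule.get("sudoHost", []))
    return user_ok and host_ok

def matching_rules(ldif, user, id_output, host):
    """cn of every sudoRole that should apply to user on host."""
    groups = groups_from_id(id_output)
    return [r["cn"][0] for r in parse_sudo_roles(ldif)
            if rule_applies(r, user, groups, host)]
```

Run it against the real `ldapsearch` and `id` output: an empty result for a user who expects the rule points at group membership (or the cache), not at sudo itself.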