I have SSSD working with NSS, PAM, sudo and autofs against OpenLDAP and MIT Kerberos, using the rfc2307 schema for POSIX account types. With it, I am able to sudo without passwords, as I have a sudoOption set to "! authenticate".
I am building a new, parallel environment updated to use rfc2307bis, and have SSSD working with NSS, PAM, sudo and autofs, but when I attempt sudo, I am prompted for my password. I have checked the sudoOption, and it is set to "!authenticate". I am allowed to sudo if I enter my password, but it seems the NOPASSWD equivalent is not being picked up for some reason.
Another interesting tidbit is that when I run "sudo -l" in the old environment, the output ends with:

User brendan may run the following commands on desktop:
    (ALL) NOPASSWD: ALL

When I run "sudo -l" in the new environment, the output ends with:

User brendan may run the following commands on server1:
    (ALL) ALL
    (ALL) ALL
    (ALL) NOPASSWD: ALL
It seems to me that sudoHost, sudoCommand or some other objects are causing a conflict and something does not compute correctly. Why are there 3 lines of access rules, when only one exists for my ID?
Oddly enough, I just found this behavior: when I first attempt to sudo, I am prompted for my password. If I enter it and gain sudo access, any subsequent requests for sudo are not authenticated, per session. If I log out/end my SSH session and go back in, I have to enter my password once for sudo access, and again subsequent sudo requests do not prompt for a password.
Is there a setting that I need to change other than ldap_schema? The ldap_sudo_search_base is set to the correct location in the directory, since I am not using the default.
SELinux is disabled.
My sssd.conf ------------

[sssd]
domains = bpk2.com
services = nss, pam, sudo, autofs
config_file_version = 2
#debug_level = 4

[nss]
filter_groups = root
filter_users = root

[pam]

[sudo]

[autofs]

[domain/bpk2.com]
#debug_level = 4
id_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = _srv_,ldap://ldap1.bpk2.com,ldap://ldap2.bpk2.com
ldap_search_base = dc=bpk2,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/server1.bpk2.com
ldap_sasl_realm = BPK2.COM

auth_provider = krb5
krb5_server = _srv_,kerberos.bpk2.com
krb5_realm = BPK2.COM
krb5_renewable_lifetime = 7d
krb5_lifetime = 24h
krb5_renew_interval = 1h
krb5_store_password_if_offline = true
cache_credentials = true

sudo_provider = ldap
ldap_sudo_search_base = ou=SUDO Groups,ou=Roles,dc=bpk2,dc=com
#ldap_sudo_full_refresh_interval = 86400
#ldap_sudo_smart_refresh_interval = 3600

autofs_provider = ldap
ldap_autofs_search_base = cn=autofs,ou=Daemons,dc=bpk2,dc=com
ldap_autofs_map_object_class = automountMap
ldap_autofs_entry_object_class = automount
ldap_autofs_map_name = automountMapName
ldap_autofs_entry_key = automountKey
ldap_autofs_entry_value = automountInformation

#min_id = 1000
#max_id = 2000
enumerate = false
/var/log/sssd/sssd_nss.log contains some lines:

(Sun Dec 21 12:02:58 2014) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0010): getgrgid call returned more than one result !?!
(Sun Dec 21 12:07:59 2014) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0010): getgrgid call returned more than one result !?!
(Sun Dec 21 13:19:33 2014) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0010): getgrgid call returned more than one result !?!
(Sun Dec 21 13:21:36 2014) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0010): getgrgid call returned more than one result !?!
(Sun Dec 21 13:21:51 2014) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0010): getgrgid call returned more than one result !?!
(Sun Dec 21 13:22:09 2014) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0010): getgrgid call returned more than one result !?!
(Sun Dec 21 13:22:30 2014) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0010): getgrgid call returned more than one result !?!
(Sun Dec 21 13:22:45 2014) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0010): getgrgid call returned more than one result !?!
(Sun Dec 21 13:23:21 2014) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0010): getgrgid call returned more than one result !?!
(Sun Dec 21 13:23:41 2014) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0010): getgrgid call returned more than one result !?!
(Sun Dec 21 13:29:53 2014) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0010): getgrgid call returned more than one result !?!
(Sun Dec 21 13:31:42 2014) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0010): getgrgid call returned more than one result !?!
(Sun Dec 21 13:32:09 2014) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0010): getgrgid call returned more than one result !?!
I am also seeing in /var/log/sssd/sssd_bpk2.com.log:

(Sun Dec 21 11:24:31 2014) [sssd[be[bpk2.com]]] [load_backend_module] (0x0010): Error (22) in module (ldap) initialization (sssm_ldap_sudo_init)!
(Sun Dec 21 11:24:31 2014) [sssd[be[bpk2.com]]] [be_process_init] (0x0010): fatal error initializing data providers
(Sun Dec 21 11:24:31 2014) [sssd[be[bpk2.com]]] [main] (0x0010): Could not initialize backend [22]
sssd-users@lists.fedorahosted.org
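The two symptoms in the post above (three sudo rules listed where the poster expects one, and SSSD logging "getgrgid call returned more than one result") can both be checked offline against an LDIF export of the directory. The script below is an added example, not code from the poster, SSSD or sudo: it parses an LDIF dump, reports gidNumber values shared by more than one posixGroup, and lists every sudoRole whose sudoUser (exact name, %group, or ALL) and sudoHost (FQDN, short name, or ALL) match a given user on a given host, together with each role's sudoOption and sudoOrder values. Group membership is resolved through both memberUid (rfc2307) and member DN (rfc2307bis) so that a mixed directory is visible. The LDIF, the example.com DIT layout and the hostnames are constructed for the example; the matcher is a simplified model and does not handle netgroups, IP/netmask host specs or wildcard patterns, so it is a triage aid, not a substitute for `sudo -l`.

```python
"""Added example: triage sudoRole matches and duplicate gidNumbers from an
LDIF export. Constructed data; simplified model of sudo's LDAP matching."""

# Constructed LDIF export (assumed example.com layout, not a real directory).
SAMPLE_LDIF = """\
dn: cn=users,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: users
gidNumber: 1000
member: uid=brendan,ou=People,dc=example,dc=com

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: staff
gidNumber: 1000
memberUid: brendan

dn: cn=defaults,ou=SUDO Groups,ou=Roles,dc=example,dc=com
objectClass: sudoRole
cn: defaults
sudoOption: env_reset

dn: cn=all-users,ou=SUDO Groups,ou=Roles,dc=example,dc=com
objectClass: sudoRole
cn: all-users
sudoUser: %users
sudoHost: ALL
sudoCommand: ALL

dn: cn=staff-role,ou=SUDO Groups,ou=Roles,dc=example,dc=com
objectClass: sudoRole
cn: staff-role
sudoUser: %staff
sudoHost: ALL
sudoCommand: ALL

dn: cn=brendan-nopasswd,ou=SUDO Groups,ou=Roles,dc=example,dc=com
objectClass: sudoRole
cn: brendan-nopasswd
sudoUser: brendan
sudoHost: server1.example.com
sudoCommand: ALL
sudoOption: !authenticate
"""


def parse_ldif(text):
    """Return one {attr: [values]} dict per LDIF entry. Folded lines (leading
    space) and '#' comments are handled; base64 ('::') values are skipped."""
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:          # trailing "" flushes last entry
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if raw.startswith(" ") and last is not None:
            current[last][-1] += raw[1:]            # continuation of previous value
            continue
        if ":: " in raw.split(" ", 1)[0]:
            last = None                             # base64 value, not needed here
            continue
        attr, sep, value = raw.partition(": ")
        if sep:
            current.setdefault(attr, []).append(value)
            last = attr
    return entries


def duplicate_values(entries, attr, object_class):
    """Values of `attr` carried by more than one entry of `object_class`,
    e.g. a gidNumber shared by two posixGroup entries -> {value: [dn, ...]}."""
    seen = {}
    for e in entries:
        if object_class in e.get("objectClass", []):
            for v in e.get(attr, []):
                seen.setdefault(v, []).append(e["dn"][0])
    return {v: dns for v, dns in seen.items() if len(dns) > 1}


def groups_of(entries, uid, user_dn):
    """Group names the user belongs to via memberUid or member DN."""
    names, dn = set(), user_dn.lower()
    for e in entries:
        if "posixGroup" not in e.get("objectClass", []):
            continue
        members = [m.lower() for m in e.get("member", [])]
        if uid in e.get("memberUid", []) or dn in members:
            names.update(e.get("cn", []))
    return names


def matching_roles(entries, uid, user_dn, host):
    """sudoRole entries matching this user on this host (simplified model:
    no netgroups, IP/netmask or wildcards). The cn=defaults entry has no
    sudoUser and is therefore never listed as a matching rule."""
    groups, short, hits = groups_of(entries, uid, user_dn), host.split(".")[0], []
    for e in entries:
        if "sudoRole" not in e.get("objectClass", []):
            continue
        user_ok = any(u == "ALL" or u == uid or (u.startswith("%") and u[1:] in groups)
                      for u in e.get("sudoUser", []))
        host_ok = any(h in ("ALL", host, short) for h in e.get("sudoHost", []))
        if user_ok and host_ok:
            opts = e.get("sudoOption", [])
            hits.append({"cn": e["cn"][0], "options": opts,
                         "nopasswd": "!authenticate" in opts,
                         # options with embedded whitespace deserve a second look
                         "suspicious": [o for o in opts if " " in o],
                         "order": e.get("sudoOrder", [None])[0]})
    return hits


def report(ldif_text, uid, user_dn, host):
    """Human-readable lines: duplicate gidNumbers, then matching roles."""
    entries = parse_ldif(ldif_text)
    lines = [f"duplicate gidNumber {g}: {', '.join(d)}"
             for g, d in sorted(duplicate_values(entries, "gidNumber", "posixGroup").items())]
    for r in matching_roles(entries, uid, user_dn, host):
        tag = "NOPASSWD" if r["nopasswd"] else "password required"
        lines.append(f"role {r['cn']}: {tag}, sudoOrder={r['order']}, options={r['options']}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LDIF, "brendan",
                       "uid=brendan,ou=People,dc=example,dc=com", "server1.example.com"):
        print(line)
```

Run against a real export (e.g. the output of an `ldapsearch -LLL` over the group and sudo subtrees) with your own uid, user DN and hostname. A role that appears in the list without sudoOrder is one whose position relative to the others is not pinned by the directory, and a gidNumber reported as duplicated is one that a getgrgid lookup cannot resolve to a single group.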