Hi,
I found a bug in sssd stable 1.9.2 and 1.9.4. I found no place to report this so maybe someone here is able to help with this.
The sudoers ldap lookups fail with a timeout message (see below) when using ldap_uri = _srv_ (which works with anything else i.e. ldap_users, ldap_groups, ...).
This is how it looks with ldap_uri set to _srv_:
(Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_sudo_full_refresh_send] (0x0400): Issuing a full refresh of sudo rules
(Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful
(Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with base [dc=mydomain,dc=org]
(Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=sudoRole)][dc=mydomain,dc=org].
(Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoCommand]
(Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoHost]
(Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoUser]
(Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOption]
(Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsUser]
(Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsGroup]
(Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotBefore]
(Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotAfter]
(Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOrder]
(Thu Apr 18 20:52:03 2013) [sssd[be[MYDOMAIN]]] [sdap_sudo_load_sudoers_process] (0x0400): Receiving sudo rules with base [dc=mydomain,dc=org]
(Thu Apr 18 20:52:03 2013) [sssd[be[MYDOMAIN]]] [sdap_sudo_periodical_first_refresh_done] (0x0040): Periodical full refresh of sudo rules failed [110]: Connection timed out)
For debugging I turned off ldap_sudo_use_host_filter, just in case someone is wondering about the short ldap filter.
With an ldap_uri set to a FQHN everything works as expected.
Is there anyone who can help creating a patch for this? I have very little knowledge about the sssd source.
Thanks,
Marcus
On Thu, Apr 18, 2013 at 07:29:42PM +0000, Marcus wrote:
Earlier in the logs, you should see what the SRV query expanded to. Are these servers discovered from DNS what you expect?
The LDAP code that fetches the rules is the same when SRV records are used and when LDAP URI is used.
On Fri, Apr 19, 2013 at 10:56:36AM +0200, Jakub Hrozek wrote:
And if they are what you'd expect, can you try running the same query with ldapsearch?
ldapsearch -x -H ldap://ldap.mydomain.org -b dc=mydomain,dc=org '(objectClass=sudoRole)'
If you have access to the server logs, maybe they'd have some useful information, too.
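The two checks suggested in the replies (look at what the SRV query expanded to, then run the same search by hand against the discovered server) can be scripted. The following is an added example, not code from the thread or from SSSD: it orders a DNS SRV answer the way an `_srv_` lookup would, builds the ldapsearch command for each discovered server with a client-side time limit, and scans an sssd back-end debug log for searches that ended in an error, reporting how long each was outstanding. The log excerpt is the one posted above; the SRV answer lines and hostnames are constructed, and the `[sssd[be[DOMAIN]]]` prefix and message wording are assumed to match the thread's log.

```python
"""Added example (not from the thread or from SSSD): SRV expansion plus a
scanner for stalled/failed LDAP searches in sssd back-end debug logs."""
import re
from datetime import datetime

# One sssd debug line, e.g.
# (Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x0400): calling ...
# Assumption: the nested "[sssd[be[DOMAIN]]]" prefix seen in the thread's log.
LOG_RE = re.compile(
    r"\((?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})\) "
    r"\[sssd\[be\[(?P<domain>[^\]]+)\]\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)"
)
TS_SPLIT_RE = re.compile(r"(?=\(\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}\) )")
SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>.*?)\]\[(?P<base>[^\]]*)\]")
ERROR_RE = re.compile(r"failed \[(?P<errno>\d+)\]: (?P<text>[^)]*)")
# dig +short SRV output: "<priority> <weight> <port> <target>."
SRV_RE = re.compile(r"^(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$")


def parse_log(text):
    """Split a log at each timestamp (works whether entries are one per line
    or run together on a single line, as they arrived in the mail)."""
    entries = []
    for chunk in TS_SPLIT_RE.split(text):
        m = LOG_RE.match(chunk.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%a %b %d %H:%M:%S %Y")
            e["msg"] = e["msg"].strip()
            entries.append(e)
    return entries


def failed_searches(entries):
    """Pair each ldap_search_ext call with the next '... failed [errno]: text'
    line and report how long the search was outstanding. errno 110 is
    ETIMEDOUT, the value in the thread's log."""
    findings, pending = [], None
    for e in entries:
        s = SEARCH_RE.search(e["msg"])
        if s:
            pending = {"start": e["ts"], "filter": s["filter"], "base": s["base"]}
            continue
        err = ERROR_RE.search(e["msg"])
        if err and pending:
            findings.append({
                "base": pending["base"], "filter": pending["filter"],
                "elapsed_s": (e["ts"] - pending["start"]).total_seconds(),
                "errno": int(err["errno"]), "error": err["text"].strip(),
                "func": e["func"],
            })
            pending = None
    return findings


def srv_to_ldap_uris(answer_lines, scheme="ldap"):
    """Order SRV answers as RFC 2782 prescribes: lowest priority first, higher
    weight first within a priority (a deterministic stand-in for the RFC's
    weighted random pick). Returns the URIs a client would try, in order."""
    recs = []
    for line in answer_lines:
        m = SRV_RE.match(line.strip())
        if m:
            recs.append((int(m["prio"]), -int(m["weight"]), m["target"].rstrip("."), int(m["port"])))
    recs.sort()
    return [f"{scheme}://{host}:{port}" for _, _, host, port in recs]


def ldapsearch_argv(uri, base, ldap_filter, timelimit_s=10):
    """argv for the manual check from the reply, with ldapsearch's -l time
    limit so a hung server fails fast instead of blocking the shell."""
    return ["ldapsearch", "-x", "-H", uri, "-b", base, "-l", str(timelimit_s), ldap_filter]


# Log excerpt from the thread (trimmed), run together on one line as in the mail.
SAMPLE_LOG = (
    "(Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with base [dc=mydomain,dc=org] "
    "(Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=sudoRole)][dc=mydomain,dc=org]. "
    "(Thu Apr 18 20:51:03 2013) [sssd[be[MYDOMAIN]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoCommand] "
    "(Thu Apr 18 20:52:03 2013) [sssd[be[MYDOMAIN]]] [sdap_sudo_load_sudoers_process] (0x0400): Receiving sudo rules with base [dc=mydomain,dc=org] "
    "(Thu Apr 18 20:52:03 2013) [sssd[be[MYDOMAIN]]] [sdap_sudo_periodical_first_refresh_done] (0x0040): Periodical full refresh of sudo rules failed [110]: Connection timed out)"
)
# Constructed `dig +short SRV _ldap._tcp.mydomain.org` answer; hostnames are made up.
SAMPLE_SRV = ["10 50 389 ldap2.mydomain.org.", "0 100 389 ldap1.mydomain.org.", "0 20 389 ldap3.mydomain.org."]

if __name__ == "__main__":
    for f in failed_searches(parse_log(SAMPLE_LOG)):
        print(f"search {f['filter']} under {f['base']} failed after {f['elapsed_s']:.0f}s: "
              f"errno {f['errno']} ({f['error']})")
    for uri in srv_to_ldap_uris(SAMPLE_SRV):
        print(" ".join(ldapsearch_argv(uri, "dc=mydomain,dc=org", "(objectClass=sudoRole)")))
```

Running it on the posted excerpt reports the sudoRole search as failing 60 seconds after it was issued with errno 110, and prints one ldapsearch command per SRV-discovered server so each can be tried in turn and compared with the FQHN that is known to work.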
sssd-users@lists.fedorahosted.org