[sudo-users] SudoUsers matching regardless of netgroup

Choure, Sidd schoure at apartments.com
Tue Dec 3 15:00:15 MST 2013


Wow, would never have come across that easily. Thanks. I think I am
getting closer. Now, none of the users are getting sudo access and it
may be because of the config option you mentioned in sssd.conf. I added
ldap_include_netgroups = True but that made no difference.

Here is my debug log -

Dec  3 16:14:31 sudo[1869] -> sudo_sss_open @ ./sssd.c:249
Dec  3 16:14:31 sudo[1869] handle=0x7f35fb9613d0
Dec  3 16:14:31 sudo[1869] <- sudo_sss_open @ ./sssd.c:304 := 0
Dec  3 16:14:31 sudo[1869] -> sudo_sss_parse @ ./sssd.c:325
Dec  3 16:14:31 sudo[1869] <- sudo_sss_parse @ ./sssd.c:326 := 0
Dec  3 16:14:31 sudo[1869] -> sudo_sss_setdefs @ ./sssd.c:337
Dec  3 16:14:31 sudo[1869] Looking for cn=defaults
Dec  3 16:14:31 sudo[1869] Parsing cn=defaults, 0/1
Dec  3 16:14:31 sudo[1869] -> sudo_sss_parse_options @ ./sssd.c:868
Dec  3 16:14:31 sudo[1869] sssd/ldap sudoOption: 'requiretty'
Dec  3 16:14:31 sudo[1869] sssd/ldap sudoOption: 'env_reset'
Dec  3 16:14:31 sudo[1869] sssd/ldap sudoOption: 'env_keep+="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"'
Dec  3 16:14:31 sudo[1869] sssd/ldap sudoOption: 'env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"'
Dec  3 16:14:31 sudo[1869] sssd/ldap sudoOption: 'env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"'
Dec  3 16:14:31 sudo[1869] sssd/ldap sudoOption: 'env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"'
Dec  3 16:14:31 sudo[1869] sssd/ldap sudoOption: 'env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"'
Dec  3 16:14:31 sudo[1869] <- sudo_sss_parse_options @ ./sssd.c:914
Dec  3 16:14:31 sudo[1869] <- sudo_sss_setdefs @ ./sssd.c:368 := 0
Dec  3 16:14:31 sudo[1869] -> sudo_sss_lookup @ ./sssd.c:926
Dec  3 16:14:31 sudo[1869] -> sudo_sss_result_get @ ./sssd.c:681
Dec  3 16:14:31 sudo[1869] -> sudo_sss_checkpw @ ./sssd.c:374
Dec  3 16:14:31 sudo[1869] <- sudo_sss_checkpw @ ./sssd.c:386 := 0
Dec  3 16:14:31 sudo[1869]   username=schoure
Dec  3 16:14:31 sudo[1869] domainname=(null)
Dec  3 16:14:31 sudo[1869] state |= USERMATCH
Dec  3 16:14:31 sudo[1869] Received 1 rule(s)
Dec  3 16:14:31 sudo[1869] -> sudo_sss_filter_result @ ./sssd.c:181
Dec  3 16:14:31 sudo[1869] in_res=0x7f35fb952e60, count=1, act=INCLUDE
Dec  3 16:14:31 sudo[1869] emalloc: cnt=1
Dec  3 16:14:31 sudo[1869] -> sudo_sss_result_filterp @ ./sssd.c:666
Dec  3 16:14:31 sudo[1869] -> sudo_sss_check_host @ ./sssd.c:577
Dec  3 16:14:31 sudo[1869] val[0]=ALL
Dec  3 16:14:31 sudo[1869] sssd/ldap sudoHost 'ALL' ... MATCH!
Dec  3 16:14:31 sudo[1869] <- sudo_sss_check_host @ ./sssd.c:613 := true
Dec  3 16:14:31 sudo[1869] -> sudo_sss_filter_user_netgroup @ ./sssd.c:629
Dec  3 16:14:31 sudo[1869] val[0]=+Test
Dec  3 16:14:31 sudo[1869] <- sudo_sss_filter_user_netgroup @ ./sssd.c:658 := false
Dec  3 16:14:31 sudo[1869] <- sudo_sss_result_filterp @ ./sssd.c:672 := 0
Dec  3 16:14:31 sudo[1869] reallocating result: 0x7f35fb962390 (count: 1 -> 0)
Dec  3 16:14:31 sudo[1869] <- sudo_sss_filter_result @ ./sssd.c:226 := 0x7f35fb952fe0
Dec  3 16:14:31 sudo[1869] u_sss_result=(0x7f35fb952e60, 1) => f_sss_result=(0x7f35fb952fe0, 0)
Dec  3 16:14:31 sudo[1869] <- sudo_sss_result_get @ ./sssd.c:742 := 0x7f35fb952fe0
Dec  3 16:14:31 sudo[1869] perform search for pwflag 52
Dec  3 16:14:31 sudo[1869] Done with LDAP searches
Dec  3 16:14:31 sudo[1869] sudo_sss_lookup(52)=0x82
Dec  3 16:14:31 sudo[1869] <- sudo_sss_lookup @ ./sssd.c:1036 := 130
Dec  3 16:14:36 sudo[1869] -> sudo_sss_display_defaults @ ./sssd.c:1098
Dec  3 16:14:36 sudo[1869] <- sudo_sss_display_defaults @ ./sssd.c:1152 := 7
Dec  3 16:14:36 sudo[1869] -> sudo_sss_display_bound_defaults @ ./sssd.c:1160
Dec  3 16:14:36 sudo[1869] <- sudo_sss_display_bound_defaults @ ./sssd.c:1161 := 0
Dec  3 16:14:36 sudo[1869] -> sudo_sss_display_privs @ ./sssd.c:1378
Dec  3 16:14:36 sudo[1869] -> sudo_sss_checkpw @ ./sssd.c:374
Dec  3 16:14:36 sudo[1869] <- sudo_sss_checkpw @ ./sssd.c:386 := 0
Dec  3 16:14:36 sudo[1869] sssd/ldap search for command list
Dec  3 16:14:36 sudo[1869] -> sudo_sss_result_get @ ./sssd.c:681
Dec  3 16:14:36 sudo[1869] -> sudo_sss_checkpw @ ./sssd.c:374
Dec  3 16:14:36 sudo[1869] <- sudo_sss_checkpw @ ./sssd.c:386 := 0
Dec  3 16:14:36 sudo[1869]   username=schoure
Dec  3 16:14:36 sudo[1869] domainname=(null)
Dec  3 16:14:36 sudo[1869] Received 1 rule(s)
Dec  3 16:14:36 sudo[1869] -> sudo_sss_filter_result @ ./sssd.c:181
Dec  3 16:14:36 sudo[1869] in_res=0x7f35fb97fd90, count=1, act=INCLUDE
Dec  3 16:14:36 sudo[1869] emalloc: cnt=1
Dec  3 16:14:36 sudo[1869] -> sudo_sss_result_filterp @ ./sssd.c:666
Dec  3 16:14:36 sudo[1869] -> sudo_sss_check_host @ ./sssd.c:577
Dec  3 16:14:36 sudo[1869] val[0]=ALL
Dec  3 16:14:36 sudo[1869] sssd/ldap sudoHost 'ALL' ... MATCH!
Dec  3 16:14:36 sudo[1869] <- sudo_sss_check_host @ ./sssd.c:613 := true
Dec  3 16:14:36 sudo[1869] -> sudo_sss_filter_user_netgroup @ ./sssd.c:629
Dec  3 16:14:36 sudo[1869] val[0]=+Test
Dec  3 16:14:36 sudo[1869] <- sudo_sss_filter_user_netgroup @ ./sssd.c:658 := false
Dec  3 16:14:36 sudo[1869] <- sudo_sss_result_filterp @ ./sssd.c:672 := 0
Dec  3 16:14:36 sudo[1869] reallocating result: 0x7f35fb97bd80 (count: 1 -> 0)
Dec  3 16:14:36 sudo[1869] <- sudo_sss_filter_result @ ./sssd.c:226 := 0x7f35fb97fd70
Dec  3 16:14:36 sudo[1869] u_sss_result=(0x7f35fb97fd90, 1) => f_sss_result=(0x7f35fb97fd70, 0)
Dec  3 16:14:36 sudo[1869] <- sudo_sss_result_get @ ./sssd.c:742 := 0x7f35fb97fd70
Dec  3 16:14:36 sudo[1869] <- sudo_sss_display_privs @ ./sssd.c:1404 := 0
Dec  3 16:14:36 sudo[1869] -> sudo_sss_close @ ./sssd.c:311
Dec  3 16:14:36 sudo[1869] <- sudo_sss_close @ ./sssd.c:319 := 0


In the above log, this line stands out - sudo_sss_filter_user_netgroup @
./sssd.c:658 := false. Am I missing an option?

Siddharth Choure
Senior Systems Engineer

On 12/3/13, 2:48 PM, "Todd C. Miller" <Todd.Miller at courtesan.com> wrote:

>From http://rhn.redhat.com/errata/RHSA-2013-1701.html
>
>    Previously, sudo did not support netgroup filtering for sources
>    from the System Security Services Daemon (SSSD). Consequently,
>    SSSD rules were applied to all users even when they did not
>    belong to the specified netgroup. With this update, netgroup
>    filtering for SSSD sources has been implemented. As a result,
>    rules with a netgroup specification are applied only to users
>    that are part of the netgroup.  (BZ#880150)
>
>It looks like this should be fixed in the sudo-1.8.6p3-12 package.
>
> - todd
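An added troubleshooting aid, not code from this thread or from sudo itself: a small parser (all names are my own) that replays the nesting of the sudo SSSD debug trace format shown above and reports which rule filter rejected each rule, so a "(count: 1 -> 0)" line can be tied back to the sudoHost or +netgroup sudoUser value that failed. The log excerpt inside is a constructed sample in the same format.

```python
import re

# Constructed excerpt in the format of the sudo SSSD debug trace above (not the full log).
SAMPLE_LOG = """\
Dec  3 16:14:31 sudo[1869] -> sudo_sss_result_filterp @ ./sssd.c:666
Dec  3 16:14:31 sudo[1869] -> sudo_sss_check_host @ ./sssd.c:577
Dec  3 16:14:31 sudo[1869] val[0]=ALL
Dec  3 16:14:31 sudo[1869] <- sudo_sss_check_host @ ./sssd.c:613 := true
Dec  3 16:14:31 sudo[1869] -> sudo_sss_filter_user_netgroup @ ./sssd.c:629
Dec  3 16:14:31 sudo[1869] val[0]=+Test
Dec  3 16:14:31 sudo[1869] <- sudo_sss_filter_user_netgroup @ ./sssd.c:658 := false
Dec  3 16:14:31 sudo[1869] <- sudo_sss_result_filterp @ ./sssd.c:672 := 0
Dec  3 16:14:31 sudo[1869] reallocating result: 0x7f35fb962390 (count: 1 -> 0)
"""

ENTER = re.compile(r"-> (\w+) @ ")
LEAVE = re.compile(r"<- (\w+) @ \S+(?: := (\S+))?")
VALUE = re.compile(r"val\[\d+\]=(\S+)$")
REALLOC = re.compile(r"reallocating result: \S+ \(count: (\d+) -> (\d+)\)")
FILTERS = ("sudo_sss_check_host", "sudo_sss_filter_user_netgroup")

def analyze(log):
    """Replay the trace's call nesting; return each rule filter's verdict as
    (filter, value tested, passed) plus the rule count before/after filtering."""
    stack, decisions = [], []
    report = {"decisions": decisions, "rules": None}
    for line in log.splitlines():
        if m := ENTER.search(line):
            stack.append((m.group(1), []))          # new frame: (name, values seen)
        elif m := LEAVE.search(line):
            name, result = m.groups()
            vals = []
            while stack:                            # unwind to the matching frame
                frame, vals = stack.pop()
                if frame == name:
                    break
            if name in FILTERS:
                decisions.append((name, vals[0] if vals else None, result == "true"))
        elif (m := VALUE.search(line)) and stack:
            stack[-1][1].append(m.group(1))         # attach val[n] to the open frame
        elif m := REALLOC.search(line):
            report["rules"] = (int(m.group(1)), int(m.group(2)))
    return report

def rejected_netgroups(report):
    """Netgroups whose membership test failed and therefore dropped a rule."""
    return [val.lstrip("+") for name, val, ok in report["decisions"]
            if name == "sudo_sss_filter_user_netgroup" and not ok]
```

Feed it the full trace from a `sudo -l` run with SSSD debugging enabled; a rejected netgroup named here with no matching entry in `getent netgroup <name>` on the client points at netgroup resolution rather than the sudo rule itself.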