[sudo-users] SudoUsers matching regardless of netgroup

Choure, Sidd schoure at apartments.com
Tue Dec 3 11:13:21 MST 2013


Yes, those two users have completely separate UIDs. I created a new user,
test, with a UID that was never used before and is not part of the Testing
netgroup, and here is the output of the debug log:

Dec  3 13:09:07 sudo[2281] -> sudo_sss_open @ ./sssd.c:248
Dec  3 13:09:07 sudo[2281] handle=0x7fb38508b3e0
Dec  3 13:09:07 sudo[2281] <- sudo_sss_open @ ./sssd.c:303 := 0
Dec  3 13:09:07 sudo[2281] -> sudo_sss_parse @ ./sssd.c:324
Dec  3 13:09:07 sudo[2281] <- sudo_sss_parse @ ./sssd.c:325 := 0
Dec  3 13:09:07 sudo[2281] -> sudo_sss_setdefs @ ./sssd.c:336
Dec  3 13:09:07 sudo[2281] Looking for cn=defaults
Dec  3 13:09:07 sudo[2281] Parsing cn=defaults, 0/1
Dec  3 13:09:07 sudo[2281] -> sudo_sss_parse_options @ ./sssd.c:801
Dec  3 13:09:07 sudo[2281] sssd/ldap sudoOption: 'requiretty'
Dec  3 13:09:07 sudo[2281] sssd/ldap sudoOption: 'env_reset'
Dec  3 13:09:07 sudo[2281] sssd/ldap sudoOption: 'env_keep+="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"'
Dec  3 13:09:07 sudo[2281] sssd/ldap sudoOption: 'env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"'
Dec  3 13:09:07 sudo[2281] sssd/ldap sudoOption: 'env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"'
Dec  3 13:09:07 sudo[2281] sssd/ldap sudoOption: 'env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"'
Dec  3 13:09:07 sudo[2281] sssd/ldap sudoOption: 'env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"'
Dec  3 13:09:07 sudo[2281] <- sudo_sss_parse_options @ ./sssd.c:847
Dec  3 13:09:07 sudo[2281] <- sudo_sss_setdefs @ ./sssd.c:367 := 0
Dec  3 13:09:07 sudo[2281] -> sudo_sss_lookup @ ./sssd.c:859
Dec  3 13:09:07 sudo[2281] -> sudo_sss_result_get @ ./sssd.c:614
Dec  3 13:09:07 sudo[2281] -> sudo_sss_checkpw @ ./sssd.c:373
Dec  3 13:09:07 sudo[2281] <- sudo_sss_checkpw @ ./sssd.c:385 := 0
Dec  3 13:09:07 sudo[2281]   username=test
Dec  3 13:09:07 sudo[2281] domainname=(null)
Dec  3 13:09:07 sudo[2281] state |= USERMATCH
Dec  3 13:09:07 sudo[2281] Received 1 rule(s)
Dec  3 13:09:07 sudo[2281] -> sudo_sss_filter_result @ ./sssd.c:180
Dec  3 13:09:07 sudo[2281] in_res=0x7fb38507ce60, count=1, act=INCLUDE
Dec  3 13:09:07 sudo[2281] emalloc: cnt=1
Dec  3 13:09:07 sudo[2281] -> sudo_sss_result_filterp @ ./sssd.c:600
Dec  3 13:09:07 sudo[2281] -> sudo_sss_check_host @ ./sssd.c:557
Dec  3 13:09:07 sudo[2281] val[0]=ALL
Dec  3 13:09:07 sudo[2281] sssd/ldap sudoHost 'ALL' ... MATCH!
Dec  3 13:09:07 sudo[2281] <- sudo_sss_check_host @ ./sssd.c:592 := 1
Dec  3 13:09:07 sudo[2281] <- sudo_sss_result_filterp @ ./sssd.c:603 := 1
Dec  3 13:09:07 sudo[2281] COPY (included): 0x7fb38507ce80[0] => 0x7fb38508c3a0[0] (= 0x7fb38507ce80)
Dec  3 13:09:07 sudo[2281] -> sudo_sss_rulecpy @ ./sssd.c:152
Dec  3 13:09:07 sudo[2281] dst=0x7fb38508c3a0, src=0x7fb38507ce80
Dec  3 13:09:07 sudo[2281] emalloc: cnt=7
Dec  3 13:09:07 sudo[2281] -> sudo_sss_attrcpy @ ./sssd.c:133
Dec  3 13:09:07 sudo[2281] dst=0x7fb38508c640, src=0x7fb38508c430
Dec  3 13:09:07 sudo[2281] emalloc: cnt=1
Dec  3 13:09:07 sudo[2281] <- sudo_sss_attrcpy @ ./sssd.c:145
Dec  3 13:09:07 sudo[2281] -> sudo_sss_attrcpy @ ./sssd.c:133
Dec  3 13:09:07 sudo[2281] dst=0x7fb38508c658, src=0x7fb38508c448
Dec  3 13:09:07 sudo[2281] emalloc: cnt=1
Dec  3 13:09:07 sudo[2281] <- sudo_sss_attrcpy @ ./sssd.c:145
Dec  3 13:09:07 sudo[2281] -> sudo_sss_attrcpy @ ./sssd.c:133
Dec  3 13:09:07 sudo[2281] dst=0x7fb38508c670, src=0x7fb38508c460
Dec  3 13:09:07 sudo[2281] emalloc: cnt=1
Dec  3 13:09:07 sudo[2281] <- sudo_sss_attrcpy @ ./sssd.c:145
Dec  3 13:09:07 sudo[2281] -> sudo_sss_attrcpy @ ./sssd.c:133
Dec  3 13:09:07 sudo[2281] dst=0x7fb38508c688, src=0x7fb38508c478
Dec  3 13:09:07 sudo[2281] emalloc: cnt=1
Dec  3 13:09:07 sudo[2281] <- sudo_sss_attrcpy @ ./sssd.c:145
Dec  3 13:09:07 sudo[2281] -> sudo_sss_attrcpy @ ./sssd.c:133
Dec  3 13:09:07 sudo[2281] dst=0x7fb38508c6a0, src=0x7fb38508c490
Dec  3 13:09:07 sudo[2281] emalloc: cnt=1
Dec  3 13:09:07 sudo[2281] <- sudo_sss_attrcpy @ ./sssd.c:145
Dec  3 13:09:07 sudo[2281] -> sudo_sss_attrcpy @ ./sssd.c:133
Dec  3 13:09:07 sudo[2281] dst=0x7fb38508c6b8, src=0x7fb38508c4a8
Dec  3 13:09:07 sudo[2281] emalloc: cnt=1
Dec  3 13:09:07 sudo[2281] <- sudo_sss_attrcpy @ ./sssd.c:145
Dec  3 13:09:07 sudo[2281] -> sudo_sss_attrcpy @ ./sssd.c:133
Dec  3 13:09:07 sudo[2281] dst=0x7fb38508c6d0, src=0x7fb38508c4c0
Dec  3 13:09:07 sudo[2281] emalloc: cnt=1
Dec  3 13:09:07 sudo[2281] <- sudo_sss_attrcpy @ ./sssd.c:145
Dec  3 13:09:07 sudo[2281] <- sudo_sss_rulecpy @ ./sssd.c:163
Dec  3 13:09:07 sudo[2281] <- sudo_sss_filter_result @ ./sssd.c:225 := 0x7fb38507cfe0
Dec  3 13:09:07 sudo[2281] state |= HOSTMATCH
Dec  3 13:09:07 sudo[2281] u_sss_result=(0x7fb38507ce60, 1) => f_sss_result=(0x7fb38507cfe0, 1)
Dec  3 13:09:07 sudo[2281] <- sudo_sss_result_get @ ./sssd.c:675 := 0x7fb38507cfe0
Dec  3 13:09:07 sudo[2281] perform search for pwflag 52
Dec  3 13:09:07 sudo[2281] -> sudo_sss_check_bool @ ./sssd.c:688
Dec  3 13:09:07 sudo[2281] No result.
Dec  3 13:09:07 sudo[2281] <- sudo_sss_check_bool @ ./sssd.c:698 := -1
Dec  3 13:09:07 sudo[2281] Done with LDAP searches
Dec  3 13:09:07 sudo[2281] sudo_sss_lookup(52)=0x82
Dec  3 13:09:07 sudo[2281] <- sudo_sss_lookup @ ./sssd.c:969 := 130
Dec  3 13:09:09 sudo[2281] -> sudo_sss_display_defaults @ ./sssd.c:1031
Dec  3 13:09:09 sudo[2281] <- sudo_sss_display_defaults @ ./sssd.c:1085 := 7
Dec  3 13:09:09 sudo[2281] -> sudo_sss_display_bound_defaults @ ./sssd.c:1093
Dec  3 13:09:09 sudo[2281] <- sudo_sss_display_bound_defaults @ ./sssd.c:1094 := 0
Dec  3 13:09:09 sudo[2281] -> sudo_sss_display_privs @ ./sssd.c:1311
Dec  3 13:09:09 sudo[2281] -> sudo_sss_checkpw @ ./sssd.c:373
Dec  3 13:09:09 sudo[2281] <- sudo_sss_checkpw @ ./sssd.c:385 := 0
Dec  3 13:09:09 sudo[2281] sssd/ldap search for command list
Dec  3 13:09:09 sudo[2281] -> sudo_sss_result_get @ ./sssd.c:614
Dec  3 13:09:09 sudo[2281] -> sudo_sss_checkpw @ ./sssd.c:373
Dec  3 13:09:09 sudo[2281] <- sudo_sss_checkpw @ ./sssd.c:385 := 0
Dec  3 13:09:09 sudo[2281]   username=test
Dec  3 13:09:09 sudo[2281] domainname=(null)
Dec  3 13:09:09 sudo[2281] Received 1 rule(s)
Dec  3 13:09:09 sudo[2281] -> sudo_sss_filter_result @ ./sssd.c:180
Dec  3 13:09:09 sudo[2281] in_res=0x7fb3850aa360, count=1, act=INCLUDE
Dec  3 13:09:09 sudo[2281] emalloc: cnt=1
Dec  3 13:09:09 sudo[2281] -> sudo_sss_result_filterp @ ./sssd.c:600
Dec  3 13:09:09 sudo[2281] -> sudo_sss_check_host @ ./sssd.c:557
Dec  3 13:09:09 sudo[2281] val[0]=ALL
Dec  3 13:09:09 sudo[2281] sssd/ldap sudoHost 'ALL' ... MATCH!
Dec  3 13:09:09 sudo[2281] <- sudo_sss_check_host @ ./sssd.c:592 := 1
Dec  3 13:09:09 sudo[2281] <- sudo_sss_result_filterp @ ./sssd.c:603 := 1
Dec  3 13:09:09 sudo[2281] COPY (included): 0x7fb3850aa4d0[0] => 0x7fb3850aa980[0] (= 0x7fb3850aa4d0)
Dec  3 13:09:09 sudo[2281] -> sudo_sss_rulecpy @ ./sssd.c:152
Dec  3 13:09:09 sudo[2281] dst=0x7fb3850aa980, src=0x7fb3850aa4d0
Dec  3 13:09:09 sudo[2281] emalloc: cnt=7
Dec  3 13:09:09 sudo[2281] -> sudo_sss_attrcpy @ ./sssd.c:133
Dec  3 13:09:09 sudo[2281] dst=0x7fb3850ab050, src=0x7fb3850aaf40
Dec  3 13:09:09 sudo[2281] emalloc: cnt=1
Dec  3 13:09:09 sudo[2281] <- sudo_sss_attrcpy @ ./sssd.c:145
Dec  3 13:09:09 sudo[2281] -> sudo_sss_attrcpy @ ./sssd.c:133
Dec  3 13:09:09 sudo[2281] dst=0x7fb3850ab068, src=0x7fb3850aaf58
Dec  3 13:09:09 sudo[2281] emalloc: cnt=1
Dec  3 13:09:09 sudo[2281] <- sudo_sss_attrcpy @ ./sssd.c:145
Dec  3 13:09:09 sudo[2281] -> sudo_sss_attrcpy @ ./sssd.c:133
Dec  3 13:09:09 sudo[2281] dst=0x7fb3850ab080, src=0x7fb3850aaf70
Dec  3 13:09:09 sudo[2281] emalloc: cnt=1
Dec  3 13:09:09 sudo[2281] <- sudo_sss_attrcpy @ ./sssd.c:145
Dec  3 13:09:09 sudo[2281] -> sudo_sss_attrcpy @ ./sssd.c:133
Dec  3 13:09:09 sudo[2281] dst=0x7fb3850ab098, src=0x7fb3850aaf88
Dec  3 13:09:09 sudo[2281] emalloc: cnt=1
Dec  3 13:09:09 sudo[2281] <- sudo_sss_attrcpy @ ./sssd.c:145
Dec  3 13:09:09 sudo[2281] -> sudo_sss_attrcpy @ ./sssd.c:133
Dec  3 13:09:09 sudo[2281] dst=0x7fb3850ab0b0, src=0x7fb3850aafa0
Dec  3 13:09:09 sudo[2281] emalloc: cnt=1
Dec  3 13:09:09 sudo[2281] <- sudo_sss_attrcpy @ ./sssd.c:145
Dec  3 13:09:09 sudo[2281] -> sudo_sss_attrcpy @ ./sssd.c:133
Dec  3 13:09:09 sudo[2281] dst=0x7fb3850ab0c8, src=0x7fb3850aafb8
Dec  3 13:09:09 sudo[2281] emalloc: cnt=1
Dec  3 13:09:09 sudo[2281] <- sudo_sss_attrcpy @ ./sssd.c:145
Dec  3 13:09:09 sudo[2281] -> sudo_sss_attrcpy @ ./sssd.c:133
Dec  3 13:09:09 sudo[2281] dst=0x7fb3850ab0e0, src=0x7fb3850aafd0
Dec  3 13:09:09 sudo[2281] emalloc: cnt=1
Dec  3 13:09:09 sudo[2281] <- sudo_sss_attrcpy @ ./sssd.c:145
Dec  3 13:09:09 sudo[2281] <- sudo_sss_rulecpy @ ./sssd.c:163
Dec  3 13:09:09 sudo[2281] <- sudo_sss_filter_result @ ./sssd.c:225 := 0x7fb3850aa340
Dec  3 13:09:09 sudo[2281] u_sss_result=(0x7fb3850aa360, 1) => f_sss_result=(0x7fb3850aa340, 1)
Dec  3 13:09:09 sudo[2281] <- sudo_sss_result_get @ ./sssd.c:675 := 0x7fb3850aa340
Dec  3 13:09:09 sudo[2281] -> sudo_sss_display_entry_short @ ./sssd.c:1198
Dec  3 13:09:09 sudo[2281] No result.
Dec  3 13:09:09 sudo[2281] <- sudo_sss_display_entry_short @ ./sssd.c:1299 := 1
Dec  3 13:09:09 sudo[2281] <- sudo_sss_display_privs @ ./sssd.c:1337 := 1
Dec  3 13:09:09 sudo[2281] -> sudo_sss_close @ ./sssd.c:310
Dec  3 13:09:09 sudo[2281] <- sudo_sss_close @ ./sssd.c:318 := 0

What is missing in sssd.conf?

Siddharth Choure

On 12/3/13, 10:42 AM, "Todd C. Miller" <Todd.Miller at courtesan.com> wrote:

>The sssd backend doesn't use ldap.conf.  You can add a line like
>this to /etc/sudo.conf:
>
>Debug sudo /var/log/sudo_debug sssd at debug,ldap at debug
>
>which will write sssd and ldap debug output to /var/log/sudo_debug.
>From a quick check of the sssd code, I don't actually see support
>for matching a user by netgroup, only hosts and runas users.
>
>Do the schoure and mchoure accounts have distinct uidnumbers?
>
> - todd
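An added example, not part of the thread and not sudo's own code: a small Python parser for the `-> func @ file:line` / `<- func @ file:line := ret` trace format shown above, which rejoins mail-wrapped continuation lines and summarizes the match decisions (state flags, rule counts, which `sudo_sss_check_*` functions ran, and return values) so a trace like this can be read at a glance. The sample trace is a constructed, condensed excerpt of the one in the post.

```python
import re
from collections import Counter

# Record format seen in the post: "Mon DD HH:MM:SS sudo[pid] message".
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) sudo\[(\d+)\] (.*)$")
ENTER_RE = re.compile(r"^-> (\w+) @ ")
EXIT_RE = re.compile(r"^<- (\w+) @ \S+(?: := (\S+))?$")
STATE_RE = re.compile(r"^state \|= (\w+)$")
RULES_RE = re.compile(r"^Received (\d+) rule\(s\)$")

# Constructed sample: a condensed excerpt of the trace in the post,
# including one mail-wrapped record (the filter_result return value).
SAMPLE = """\
Dec  3 13:09:07 sudo[2281] -> sudo_sss_lookup @ ./sssd.c:859
Dec  3 13:09:07 sudo[2281] -> sudo_sss_checkpw @ ./sssd.c:373
Dec  3 13:09:07 sudo[2281] <- sudo_sss_checkpw @ ./sssd.c:385 := 0
Dec  3 13:09:07 sudo[2281]   username=test
Dec  3 13:09:07 sudo[2281] state |= USERMATCH
Dec  3 13:09:07 sudo[2281] Received 1 rule(s)
Dec  3 13:09:07 sudo[2281] -> sudo_sss_check_host @ ./sssd.c:557
Dec  3 13:09:07 sudo[2281] sssd/ldap sudoHost 'ALL' ... MATCH!
Dec  3 13:09:07 sudo[2281] <- sudo_sss_check_host @ ./sssd.c:592 := 1
Dec  3 13:09:07 sudo[2281] <- sudo_sss_filter_result @ ./sssd.c:225 :=
0x7fb38507cfe0
Dec  3 13:09:07 sudo[2281] state |= HOSTMATCH
Dec  3 13:09:07 sudo[2281] -> sudo_sss_check_bool @ ./sssd.c:688
Dec  3 13:09:07 sudo[2281] <- sudo_sss_check_bool @ ./sssd.c:698 := -1
Dec  3 13:09:07 sudo[2281] <- sudo_sss_lookup @ ./sssd.c:969 := 130
"""

def unwrap(text):
    """Join lines lacking a timestamp (mail wrapping) onto the preceding record."""
    records = []
    for raw in text.splitlines():
        if LINE_RE.match(raw):
            records.append(raw)
        elif records and raw.strip():
            records[-1] += " " + raw.strip()
    return records

def summarize(text):
    """Collect state flags, rule counts, check functions entered, and return values."""
    summary = {"states": [], "rules": [], "checks": Counter(), "returns": {}}
    for rec in unwrap(text):
        msg = LINE_RE.match(rec).group(3).strip()
        if (m := ENTER_RE.match(msg)) and m.group(1).startswith("sudo_sss_check_"):
            summary["checks"][m.group(1)] += 1
        elif (m := EXIT_RE.match(msg)) and m.group(2) is not None:
            summary["returns"][m.group(1)] = m.group(2)
        elif m := STATE_RE.match(msg):
            summary["states"].append(m.group(1))
        elif m := RULES_RE.match(msg):
            summary["rules"].append(int(m.group(1)))
    return summary
```

Running `summarize(SAMPLE)` on the post's trace shows that the only per-rule check entered before `HOSTMATCH` is `sudo_sss_check_host`, which is the point worth confirming against the full log when a user matches a rule it should not.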