"Unable to obtain cached rules" filling up sssd_sudo.log #5839

Closed
nkukard opened this issue Oct 26, 2021 · 7 comments
Closed: Fixed Issue was closed as fixed.

Comments

nkukard commented Oct 26, 2021

I'm running sssd 2.6.0 under Arch Linux and seem to be getting the following messages filling up my logs.

(2021-10-26  0:58:48): [sudo] [sudosrv_cmd_done] (0x0020): Unable to obtain cached rules [2]: No such file or directory
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2021-10-26  0:58:48): [sudo] [sudosrv_build_response] (0x2000): error: [2]
   *  (2021-10-26  0:58:48): [sudo] [sudosrv_cmd] (0x2000): Using protocol version [1]
   *  (2021-10-26  0:58:48): [sudo] [sudosrv_get_rules_send] (0x0400): Running initgroups for [zabbix-agent]
   *  (2021-10-26  0:58:48): [sudo] [cache_req_set_plugin] (0x2000): CR #2159: Setting "Initgroups by name" plugin
   *  (2021-10-26  0:58:48): [sudo] [cache_req_send] (0x0400): CR #2159: REQ_TRACE: New request [CID #1080] 'Initgroups by name'
   *  (2021-10-26  0:58:48): [sudo] [cache_req_process_input] (0x0400): CR #2159: Parsing input name [zabbix-agent]
   *  (2021-10-26  0:58:48): [sudo] [sss_parse_name_for_domains] (0x0200): name 'zabbix-agent' matched without domain, user is zabbix-agent
   *  (2021-10-26  0:58:48): [sudo] [cache_req_set_name] (0x0400): CR #2159: Setting name [zabbix-agent]
   *  (2021-10-26  0:58:48): [sudo] [cache_req_select_domains] (0x0400): CR #2159: Performing a multi-domain search
   *  (2021-10-26  0:58:48): [sudo] [cache_req_search_domains] (0x0400): CR #2159: Search will check the cache and check the data provider
   *  (2021-10-26  0:58:48): [sudo] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain REDACTED type POSIX is valid
   *  (2021-10-26  0:58:48): [sudo] [cache_req_set_domain] (0x0400): CR #2159: Using domain [REDACTED]
   *  (2021-10-26  0:58:48): [sudo] [cache_req_prepare_domain_data] (0x0400): CR #2159: Preparing input data for domain [REDACTED] rules
   *  (2021-10-26  0:58:48): [sudo] [cache_req_search_send] (0x0400): CR #2159: Looking up zabbix-agent@REDACTED
   *  (2021-10-26  0:58:48): [sudo] [cache_req_search_ncache] (0x0400): CR #2159: Checking negative cache for [zabbix-agent@REDACTED]
   *  (2021-10-26  0:58:48): [sudo] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/REDACTED/zabbix-agent@REDACTED]
   *  (2021-10-26  0:58:48): [sudo] [cache_req_search_ncache] (0x0400): CR #2159: [zabbix-agent@REDACTED] does not exist (negative cache)
   *  (2021-10-26  0:58:48): [sudo] [cache_req_process_result] (0x0400): CR #2159: Finished: Not found
   *  (2021-10-26  0:58:48): [sudo] [sudosrv_cmd_done] (0x0020): Unable to obtain cached rules [2]: No such file or directory
********************** BACKTRACE DUMP ENDS HERE *********************************

In terms of my setup, I have a local sudoers entry for zabbix-agent so it may execute a privileged command to return system stats. This user is not setup under LDAP.

alexey-tikhonov (Member)

Hi @nkukard,

what is in your /etc/nsswitch.conf::sudoers?

nkukard commented Oct 26, 2021

@alexey-tikhonov Here are the contents of my nsswitch.conf...

# Name Service Switch configuration file.
# See nsswitch.conf(5) for details.

passwd: files sss systemd
group: files sss systemd
shadow: files sss

publickey: files

hosts: files mymachines myhostname resolve [!UNAVAIL=return] dns
networks: files

protocols: files
services: files
ethers: files
rpc: files

netgroup: files

sudoers: files sss

alexey-tikhonov commented Oct 26, 2021

sudoers: files sss

Ah, reading man sudoers.ldap:

Configuring nsswitch.conf
... sudo does not stop searching after the first match and
later matches take precedence over earlier ones.

So this is expected: sudo talks to SSSD even though it finds the user in files.
OK, it seems the severity level needs to be decreased in this case.
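
The 0x0020 line from the report is benign when the user sudo asked about is a local one, but the same line is also what you would see for a user that exists in neither files nor SSSD, so it is worth telling the two apart when scanning a log rather than just lowering the level. The script below is an added example, not SSSD project code: it parses the backtrace block that follows each "Unable to obtain cached rules" line, takes the user from the "Running initgroups for [...]" line and the errno from the message, and checks the user against an /etc/passwd-style source to separate the expected local-user case (sudo matched the user in files but, per "sudoers: files sss", asked SSSD anyway) from lookups of users known to neither source. The log excerpt, the passwd lines, the domain example.test and the second user jdoe are constructed for the example; only the zabbix-agent lines mirror the report.

```python
"""Triage "Unable to obtain cached rules" entries in sssd_sudo.log.

Added example, not SSSD project code: parse the backtrace block that follows
each 0x0020 line, pull out the user sudo asked about and the errno, and check
the user against an /etc/passwd-style source to separate the expected case
(local user, asked about anyway because of 'sudoers: files sss') from users
that exist in neither source.
"""
import errno
import re
from collections import Counter

# Constructed sample: the zabbix-agent block mirrors the report; the jdoe
# block and the domain example.test are made up for this example.
SAMPLE_LOG = """\
(2021-10-26  0:58:48): [sudo] [sudosrv_cmd_done] (0x0020): Unable to obtain cached rules [2]: No such file or directory
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2021-10-26  0:58:48): [sudo] [sudosrv_get_rules_send] (0x0400): Running initgroups for [zabbix-agent]
   *  (2021-10-26  0:58:48): [sudo] [cache_req_search_ncache] (0x0400): CR #2159: [zabbix-agent@example.test] does not exist (negative cache)
   *  (2021-10-26  0:58:48): [sudo] [cache_req_process_result] (0x0400): CR #2159: Finished: Not found
   *  (2021-10-26  0:58:48): [sudo] [sudosrv_cmd_done] (0x0020): Unable to obtain cached rules [2]: No such file or directory
********************** BACKTRACE DUMP ENDS HERE *********************************
(2021-10-26  1:02:10): [sudo] [sudosrv_cmd_done] (0x0020): Unable to obtain cached rules [2]: No such file or directory
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2021-10-26  1:02:10): [sudo] [sudosrv_get_rules_send] (0x0400): Running initgroups for [jdoe]
   *  (2021-10-26  1:02:10): [sudo] [cache_req_process_result] (0x0400): CR #2160: Finished: Not found
   *  (2021-10-26  1:02:10): [sudo] [sudosrv_cmd_done] (0x0020): Unable to obtain cached rules [2]: No such file or directory
********************** BACKTRACE DUMP ENDS HERE *********************************
"""

# Constructed /etc/passwd excerpt, i.e. the 'files' source sudo consulted first.
LOCAL_PASSWD = "root:x:0:0::/root:/bin/bash\nzabbix-agent:x:980:980::/var/lib/zabbix:/usr/bin/nologin\n"

BT_START = "PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE"
BT_END = "BACKTRACE DUMP ENDS HERE"
RE_FAIL = re.compile(
    r"^\s*\*?\s*\((?P<ts>[^)]+)\): \[sudo\] \[sudosrv_cmd_done\] \(0x0020\): "
    r"Unable to obtain cached rules \[(?P<errno>\d+)\]"
)
RE_USER = re.compile(r"Running initgroups for \[([^\]]+)\]")
RE_RESULT = re.compile(r"\[cache_req_process_result\] \(0x[0-9a-f]+\): CR #\d+: Finished: (.+)$")


def parse_backtraces(log_text):
    """Return one dict (ts, errno, user, result) per 0x0020 line plus its backtrace."""
    events, current, in_bt = [], None, False
    for line in log_text.splitlines():
        if BT_START in line:
            in_bt = True
        elif BT_END in line:
            in_bt = False
            if current is not None:
                events.append(current)
                current = None
        elif in_bt:
            if current is None:
                continue  # backtrace without a preceding 0x0020 line: ignore
            m = RE_USER.search(line)
            if m:
                current["user"] = m.group(1)
            m = RE_RESULT.search(line)
            if m:
                current["result"] = m.group(1).strip()
        else:
            m = RE_FAIL.match(line)
            if m:
                code = int(m.group("errno"))
                current = {"ts": m.group("ts").strip(),
                           "errno": errno.errorcode.get(code, str(code)),
                           "user": None, "result": None}
    return events


def load_local_users(passwd_text):
    """Usernames from /etc/passwd-style text."""
    return {line.split(":", 1)[0] for line in passwd_text.splitlines()
            if line and not line.startswith("#")}


def classify(event, local_users):
    """Label one event; ENOENT for a local user is the benign case from the report."""
    if event["user"] is None:
        return "unparsed"
    if event["errno"] != "ENOENT":
        return "other-error"  # not a plain 'not found': read the backtrace
    if event["user"] in local_users:
        return "expected-local-user"  # sudo already matched this user in 'files'
    return "unknown-user"  # not local and unknown to SSSD: investigate


def triage(log_text, passwd_text):
    """Count labels and map each user to its label."""
    local = load_local_users(passwd_text)
    counts, per_user = Counter(), {}
    for ev in parse_backtraces(log_text):
        label = classify(ev, local)
        counts[label] += 1
        per_user[ev["user"]] = label
    return counts, per_user


if __name__ == "__main__":
    counts, per_user = triage(SAMPLE_LOG, LOCAL_PASSWD)
    for user, label in per_user.items():
        print(f"{user}: {label}")
    print(dict(counts))
```

On a real host, feed the script the actual sssd_sudo.log and /etc/passwd; the "expected-local-user" count is the noise this issue is about, and anything labelled "unknown-user" or "other-error" is what still deserves attention after the log level change.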

alexey-tikhonov self-assigned this Oct 26, 2021
nkukard commented Oct 26, 2021

Yea, I think the severity for that message needs to be decreased so it doesn't fill the logs by default.

If you have a patch I'd be more than willing to test if required :)

alexey-tikhonov added a commit to alexey-tikhonov/sssd that referenced this issue Oct 26, 2021
It is expected that the sudo responder can be requested to look up an unknown entry.
One of the typical examples is a lookup for a local user.

Resolves: SSSD#5839
alexey-tikhonov (Member)
If you have a patch I'd be more than willing to test if required :)

#5840

nkukard commented Oct 27, 2021

If you have a patch I'd be more than willing to test if required :)

#5840

Working like a charm! thanks!

pbrezina (Member)
Pushed PR: #5840

  • master
    • 86413e5 - SUDO: decrease log level in case object wasn't found

pbrezina added the "Closed: Fixed" label Oct 27, 2021
shridhargadekar pushed a commit to shridhargadekar/sssd that referenced this issue Apr 1, 2022
It is expected that the sudo responder can be requested to look up an unknown entry.
One of the typical examples is a lookup for a local user.

Resolves: SSSD#5839

Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>