-
Notifications
You must be signed in to change notification settings - Fork 247
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Using fq format [%1$s@%2$s] #6440
Comments
Additional info: $ sssctl user-checks -s=sudo myuser
user: myuser
action: acct
service: sudo
SSSD nss user lookup result:
- user name: myuser
- user id: 1103
- group id: 501
- gecos: My User
- home directory: /home/myuser
- shell: /bin/zsh
SSSD InfoPipe user lookup result:
- name: myuser
- uidNumber: 1103
- gidNumber: 501
- gecos: My User
- homeDirectory: /home/myuser
- loginShell: /bin/zsh
testing pam_acct_mgmt
pam_acct_mgmt: Success
PAM Environment:
- no env - |
I've spent more time looking into how sssd works, and I am coming to the conclusion that the problem isn't with the caching or querying of data. If I use ldbsearch to query the $ ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb So what have I got going on? Is there something in the data that fails to return a successful query? The data in OpenLDAP works with When using
nsswitch.confsudoers: files sss But I'm only seeing a prompt of |
Hi @paulb-opusvl, Looks like an issue is:
Could you please show output of |
Ok it's been a while, I appreciate you coming back. I reverted users to sudo and delivered This is from my system: $ sudo ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb '(&(objectClass=sudoRule)(name=defaults))'
asq: Unable to register control with rootdse!
# record 1
dn: name=defaults,cn=sudorules,cn=custom,cn=LDAP,cn=sysdb
cn: defaults
dataExpireTimestamp: 1668693811
entryUSN: 20220825105355Z
name: defaults
objectCategory: sudoRole
objectCategory: top
objectClass: sudoRule
originalDN: cn=defaults,ou=SUDOers,dc=opusvl
sudoOption:: aW5zdWx0cwAA
sudoOption:: c3lzbG9nPXVzZXIAAA==
sudoOption: mailto=sysadmin@opusvl.com
sudoOption:: aWdub3JlX2xvY2FsX3N1ZG9lcnMAAA==
sudoOption:: bWFpbHN1Yj1zdWRvIGFjY2VzcyByZXBvcnQgZnJvbSAlaAA=
sudoOption: pwfeedback
sudoOption: passprompt=[sudo-ldap] Password for %u on %H:
sudoOption: env_reset
distinguishedName: name=defaults,cn=sudorules,cn=custom,cn=LDAP,cn=sysdb
# returned 1 records
# 1 entries
# 0 referrals decoded parts
This is didn't like: $ sudo ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb '[(&(objectClass=sudoRule)(name=defaults))]'
asq: Unable to register control with rootdse!
allocating request failed: Unable to parse search expression |
Cleaner output: $ sudo ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb '(&(objectClass=sudoRule)(name=defaults))' | perl -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n +//g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print'
asq: Unable to register control with rootdse!
# record 1
dn: name=defaults,cn=sudorules,cn=custom,cn=LDAP,cn=sysdb
cn: defaults
dataExpireTimestamp: 1668693811
entryUSN: 20220825105355Z
name: defaults
objectCategory: sudoRole
objectCategory: top
objectClass: sudoRule
originalDN: cn=defaults,ou=SUDOers,dc=opusvl
sudoOption:: insults
sudoOption:: syslog=user
sudoOption: mailto=sysadmin@opusvl.com
sudoOption:: ignore_local_sudoers
sudoOption:: mailsub=sudo access report from %h
sudoOption: pwfeedback
sudoOption: passprompt=[sudo-ldap] Password for %u on %H:
sudoOption: env_reset
distinguishedName: name=defaults,cn=sudorules,cn=custom,cn=LDAP,cn=sysdb
# returned 1 records
# 1 entries
# 0 referrals |
It looks like the issue is with values:
-- there are unexpected chars that make SSSD think this is not a string. For example:
-- note '00 00' at the end. Can you check corresponding LDAP content? |
@pbrezina, do you think it would make sense to add a special case handling for trailing \0 at end of strings? |
Hi, I don't think so. sudoOption is supposed to be a string so I would just say it is malformed value that should be fixed. Is the value intentional? Does it work with sudoers: ldap? |
Yes, 100% with sudo-ldap. I see what you mean by the trailing nulls and have no clue where they come from. They aren't there in a direct ldap query. Actually they are! I use ldapsearch and find the same result. Exported cn=defaults to ldif, changed entries from base64 encoded to plain text. Imported and now they don't have the nulls. Just need to clear the cache and see if that resolves the issue. |
I wasn't seeing the cache get updated. Eventually, I updated all my No idea where all those nulls came from, but they were not just in the Thank you for your help in identifying the problem |
I can't get sssd working with sudo. Firstly I installed and setup ldap auth and tested with sudo-ldap. That's all good. Then I change to using
libsss-sudo
and make changes tonsswitch.conf
andpam.d
to usesss
.The log suggests that all LDAP queries get suffixed with the domain
@LDAP
and even worse@ldap@LDAP
No matter what I try I always see this in the
sssd_sudo.log
All help gratefully received.
OS
sssd_sudo.log
The text was updated successfully, but these errors were encountered: