SSSD Sudo not applying cn=defaults #6591

Open
sveldhuisen opened this issue Feb 23, 2023 · 11 comments
@sveldhuisen

sveldhuisen commented Feb 23, 2023

I'm using SSSD with sudo from LDAP through NSS (not sudo-ldap). My SSSD version is 2.5.2 (SLES 15 SP4). My LDAP backend is eDirectory 9.2.7.

After a day of troubleshooting I came to the conclusion that SSSD is not retrieving/applying my sudo defaults from LDAP.

sssd.conf

[domain/LDAP]
enumerate = true
cache_credentials = false
sudo_provider = ldap
ldap_sudo_search_base = ou=Sudoers,o=Org
ldap_sudorule_object_class = sudoRole
ldap_sudo_use_host_filter = true
ldap_sudorule_name = cn
ldap_sudorule_command = sudoCommand
ldap_sudorule_host = sudoHost
ldap_sudorule_user = sudoUser
ldap_sudorule_option = sudoOption
ldap_sudorule_order = sudoOrder
ldap_sudorule_notbefore = sudoNotBefore
ldap_sudorule_notafter = sudoNotAfter
ldap_sudorule_runasuser = sudoRunAsUser
ldap_sudo_full_refresh_interval = 7200
ldap_sudo_smart_refresh_interval = 300
ldap_sudo_include_regexp = true

nsswitch.conf

sudoers: sss

Initially SSSD did not retrieve my sudo defaults at all:

sssd_sudo.log

(2023-02-23 18:59:55): [sudo] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
(2023-02-23 18:59:55): [sudo] [find_domain_by_object_name_ex] (0x0080): Unable to parse name 'ALL' [1432158284]: The internal name format cannot be parsed
(2023-02-23 18:59:55): [sudo] [sudosrv_fetch_rules] (0x0400): Returning 1 rules for [testuser@ldap@LDAP]
(2023-02-23 18:59:55): [sudo] [sudosrv_build_response] (0x2000): error: [0]
(2023-02-23 18:59:55): [sudo] [sudosrv_build_response] (0x2000): rules_num: [0]
(2023-02-23 18:59:55): [sudo] [sudosrv_build_response] (0x2000): rule [1]/[1]
(2023-02-23 18:59:55): [sudo] [sudosrv_response_append_attr] (0x2000): cn:%linuxadmin
(2023-02-23 18:59:55): [sudo] [sudosrv_response_append_attr] (0x2000): objectClass:sudoRule
(2023-02-23 18:59:55): [sudo] [sudosrv_response_append_attr] (0x2000): sudoCommand:ALL
(2023-02-23 18:59:55): [sudo] [sudosrv_response_append_attr] (0x2000): sudoHost:ALL
(2023-02-23 18:59:55): [sudo] [sudosrv_response_append_attr] (0x2000): sudoOption:authenticate
(2023-02-23 18:59:55): [sudo] [sudosrv_response_append_attr] (0x2000): sudoOrder:3
(2023-02-23 18:59:55): [sudo] [sudosrv_response_append_attr] (0x2000): sudoRunAsUser:ALL
(2023-02-23 18:59:55): [sudo] [sudosrv_response_append_attr] (0x2000): sudoUser:#1001
(2023-02-23 18:59:55): [sudo] [client_recv] (0x0200): Client disconnected!
(2023-02-23 18:59:55): [sudo] [client_close_fn] (0x2000): Terminated client [0x55f8718dca40][23]

After reading #5108 I have added sudoUser=ALL and that resulted in the retrieval of the sudo defaults (regression bug, as this was fixed in SSSD 2.2.1?)

sssd_sudo.log

(2023-02-23 18:48:53): [sudo] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
(2023-02-23 18:48:53): [sudo] [find_domain_by_object_name_ex] (0x0080): Unable to parse name 'ALL' [1432158284]: The internal name format cannot be parsed
(2023-02-23 18:48:53): [sudo] [sudosrv_fetch_rules] (0x0400): Returning 2 rules for [testuser@ldap@LDAP]
(2023-02-23 18:48:53): [sudo] [sudosrv_build_response] (0x2000): error: [0]
(2023-02-23 18:48:53): [sudo] [sudosrv_build_response] (0x2000): rules_num: [0]
(2023-02-23 18:48:53): [sudo] [sudosrv_build_response] (0x2000): rule [1]/[2]
(2023-02-23 18:48:53): [sudo] [sudosrv_response_append_attr] (0x2000): cn:%linuxadmin
(2023-02-23 18:48:53): [sudo] [sudosrv_response_append_attr] (0x2000): objectClass:sudoRule
(2023-02-23 18:48:53): [sudo] [sudosrv_response_append_attr] (0x2000): sudoCommand:ALL
(2023-02-23 18:48:53): [sudo] [sudosrv_response_append_attr] (0x2000): sudoHost:ALL
(2023-02-23 18:48:53): [sudo] [sudosrv_response_append_attr] (0x2000): sudoOption:authenticate
(2023-02-23 18:48:53): [sudo] [sudosrv_response_append_attr] (0x2000): sudoOrder:3
(2023-02-23 18:48:53): [sudo] [sudosrv_response_append_attr] (0x2000): sudoRunAsUser:ALL
(2023-02-23 18:48:53): [sudo] [sudosrv_response_append_attr] (0x2000): sudoUser:#1001
(2023-02-23 18:48:53): [sudo] [sudosrv_build_response] (0x2000): rule [2]/[2]
(2023-02-23 18:48:53): [sudo] [sudosrv_response_append_attr] (0x2000): cn:defaults
(2023-02-23 18:48:53): [sudo] [sudosrv_response_append_attr] (0x2000): objectClass:sudoRule
(2023-02-23 18:48:53): [sudo] [sudosrv_response_append_attr] (0x2000): sudoOption:!insults
(2023-02-23 18:48:53): [sudo] [sudosrv_response_append_attr] (0x2000): sudoOption:always_set_home
(2023-02-23 18:48:53): [sudo] [sudosrv_response_append_attr] (0x2000): sudoOption:env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
(2023-02-23 18:48:53): [sudo] [sudosrv_response_append_attr] (0x2000): sudoOption:env_reset
(2023-02-23 18:48:53): [sudo] [sudosrv_response_append_attr] (0x2000): sudoOption:secure_path="/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin:/usr/local/sbin"
(2023-02-23 18:48:53): [sudo] [sudosrv_response_append_attr] (0x2000): sudoOrder:1
(2023-02-23 18:48:53): [sudo] [sudosrv_response_append_attr] (0x2000): sudoUser:#1001
(2023-02-23 18:48:53): [sudo] [client_recv] (0x0200): Client disconnected!
(2023-02-23 18:48:53): [sudo] [client_close_fn] (0x2000): Terminated client [0x55f1e5acd160][24]
(2023-02-23 18:48:58): [sudo] [setup_client_idle_timer] (0x4000): Idle timer re-set for client [0x55f1e5abea80][23]

However the sudo defaults are still not being applied:

sudo -ll -U testuser

User testuser may run the following commands on build:

LDAP Role: %linuxadmin
    RunAsUsers: ALL
    Options: authenticate
    Commands:
	ALL

The retrieval from LDAP seems to be working fine.

SSSD domain LDAP log

(2023-02-23 19:19:51): [be[LDAP]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=defaults,ou=Sudoers,o=Org].
(2023-02-23 19:19:51): [be[LDAP]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoOrder]
(2023-02-23 19:19:51): [be[LDAP]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoOption]
(2023-02-23 19:19:51): [be[LDAP]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(2023-02-23 19:19:51): [be[LDAP]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(2023-02-23 19:19:51): [be[LDAP]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
(2023-02-23 19:19:51): [be[LDAP]] [sdap_process_result] (0x2000): Trace: sh[0x560baa32ee80], connected[1], ops[0x560baa3c2b90], ldap[0x560baa32c3a0]
(2023-02-23 19:19:51): [be[LDAP]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(2023-02-23 19:19:51): [be[LDAP]] [sdap_get_generic_op_finished] (0x2000): Total count [7]
(2023-02-23 19:19:51): [be[LDAP]] [sdap_op_destructor] (0x2000): Operation 9 finished
(2023-02-23 19:19:51): [be[LDAP]] [sdap_search_bases_ex_done] (0x0400): Receiving data from base [ou=Sudoers,o=NIVO]
(2023-02-23 19:19:51): [be[LDAP]] [sdap_sudo_load_sudoers_done] (0x0200): Received 7 sudo rules
(2023-02-23 19:19:51): [be[LDAP]] [sdap_sudo_refresh_done] (0x0400): Received 7 rules
(2023-02-23 19:19:51): [be[LDAP]] [sysdb_sudo_purge_byrules] (0x0400): About to remove rules from sudo cache
(2023-02-23 19:19:51): [be[LDAP]] [sysdb_sudo_purge_byname] (0x2000): Deleting sudo rule support
(2023-02-23 19:19:51): [be[LDAP]] [sysdb_sudo_purge_byname] (0x2000): Deleting sudo rule root
(2023-02-23 19:19:51): [be[LDAP]] [sysdb_sudo_purge_byname] (0x2000): Deleting sudo rule dehydrated
(2023-02-23 19:19:51): [be[LDAP]] [sysdb_sudo_purge_byname] (0x2000): Deleting sudo rule %linuxadmin
(2023-02-23 19:19:51): [be[LDAP]] [sysdb_sudo_purge_byname] (0x2000): Deleting sudo rule tomcat
(2023-02-23 19:19:51): [be[LDAP]] [sysdb_sudo_purge_byname] (0x2000): Deleting sudo rule zabbix
(2023-02-23 19:19:51): [be[LDAP]] [sysdb_sudo_purge_byname] (0x2000): Deleting sudo rule defaults
(2023-02-23 19:19:51): [be[LDAP]] [sysdb_sudo_store_rule] (0x0400): Adding sudo rule support
(2023-02-23 19:19:51): [be[LDAP]] [sysdb_sudo_store_rule] (0x0400): Adding sudo rule root
(2023-02-23 19:19:51): [be[LDAP]] [sysdb_sudo_store_rule] (0x0400): Adding sudo rule dehydrated
(2023-02-23 19:19:51): [be[LDAP]] [sysdb_sudo_store_rule] (0x0400): Adding sudo rule %linuxadmin
(2023-02-23 19:19:51): [be[LDAP]] [sysdb_sudo_store_rule] (0x0400): Adding sudo rule tomcat
(2023-02-23 19:19:51): [be[LDAP]] [sysdb_sudo_store_rule] (0x0400): Adding sudo rule zabbix
(2023-02-23 19:19:51): [be[LDAP]] [sysdb_sudo_store_rule] (0x0400): Adding sudo rule defaults
(2023-02-23 19:19:51): [be[LDAP]] [sdap_sudo_refresh_done] (0x0400): Sudoers is successfully stored in cache
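A small log checker for the kind of reading done in the excerpts above, added here as an example; it is not code from SSSD or from this issue. It groups the sudosrv_response_append_attr lines of one query into per-rule attribute dicts, pulls the rule count from the "Returning N rules for" line, collects anything logged at level 0x0080 or more severe, and reports whether a cn=defaults rule came back and whether it carried a sudoUser. The sample lines are copied from the second sssd_sudo.log excerpt above (the secure_path value is abbreviated).

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the second sssd_sudo.log excerpt in this issue
# (the run where the 'defaults' rule was returned); secure_path abbreviated.
SAMPLE_LOG = """\
(2023-02-23 18:48:53): [sudo] [find_domain_by_object_name_ex] (0x0080): Unable to parse name 'ALL' [1432158284]: The internal name format cannot be parsed
(2023-02-23 18:48:53): [sudo] [sudosrv_fetch_rules] (0x0400): Returning 2 rules for [testuser@ldap@LDAP]
(2023-02-23 18:48:53): [sudo] [sudosrv_build_response] (0x2000): error: [0]
(2023-02-23 18:48:53): [sudo] [sudosrv_build_response] (0x2000): rules_num: [0]
(2023-02-23 18:48:53): [sudo] [sudosrv_build_response] (0x2000): rule [1]/[2]
(2023-02-23 18:48:53): [sudo] [sudosrv_response_append_attr] (0x2000): cn:%linuxadmin
(2023-02-23 18:48:53): [sudo] [sudosrv_response_append_attr] (0x2000): objectClass:sudoRule
(2023-02-23 18:48:53): [sudo] [sudosrv_response_append_attr] (0x2000): sudoCommand:ALL
(2023-02-23 18:48:53): [sudo] [sudosrv_response_append_attr] (0x2000): sudoHost:ALL
(2023-02-23 18:48:53): [sudo] [sudosrv_response_append_attr] (0x2000): sudoOption:authenticate
(2023-02-23 18:48:53): [sudo] [sudosrv_response_append_attr] (0x2000): sudoUser:#1001
(2023-02-23 18:48:53): [sudo] [sudosrv_build_response] (0x2000): rule [2]/[2]
(2023-02-23 18:48:53): [sudo] [sudosrv_response_append_attr] (0x2000): cn:defaults
(2023-02-23 18:48:53): [sudo] [sudosrv_response_append_attr] (0x2000): objectClass:sudoRule
(2023-02-23 18:48:53): [sudo] [sudosrv_response_append_attr] (0x2000): sudoOption:!insults
(2023-02-23 18:48:53): [sudo] [sudosrv_response_append_attr] (0x2000): sudoOption:secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
(2023-02-23 18:48:53): [sudo] [sudosrv_response_append_attr] (0x2000): sudoOrder:1
(2023-02-23 18:48:53): [sudo] [sudosrv_response_append_attr] (0x2000): sudoUser:#1001
"""

# One sssd_sudo.log line: "(timestamp): [sudo] [function] (0xLEVEL): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[sudo\] \[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-f]+)\): (?P<msg>.*)$"
)


def parse_rules(log_text):
    """Group the sudosrv_response_append_attr lines of one sudo query into
    per-rule attribute dicts, the way the responder hands them to sudo.

    Returns {"rules": [{attr: [values]}, ...],
             "declared": count from 'Returning N rules for' (or None),
             "warnings": messages logged at level 0x0080 or more severe}.
    """
    rules, warnings, declared, current = [], [], None, None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        func, level, msg = m["func"], int(m["lvl"], 16), m["msg"]
        if func == "sudosrv_fetch_rules":
            n = re.match(r"Returning (\d+) rules for", msg)
            if n:
                declared = int(n.group(1))
        elif func == "sudosrv_build_response" and msg.startswith("rule ["):
            current = defaultdict(list)          # start of the next rule block
            rules.append(current)
        elif func == "sudosrv_response_append_attr" and current is not None:
            attr, _, value = msg.partition(":")  # first ':' separates attr from value
            current[attr].append(value)
        elif level <= 0x0080:                    # SSSD: 0x0080 = minor failure, lower = worse
            warnings.append(f"{func}: {msg}")
    return {"rules": rules, "declared": declared, "warnings": warnings}


def find_rule(rules, name):
    """Return the first rule whose cn equals `name`, or None."""
    for rule in rules:
        if name in rule.get("cn", []):
            return rule
    return None


def check_defaults(rules):
    """Did the special 'defaults' rule reach the responder, and did it carry a sudoUser?
    In this issue the rule was only returned once a sudoUser was added to it, so a
    True 'has_sudouser' tells you the workaround is in place."""
    rule = find_rule(rules, "defaults")
    if rule is None:
        return {"defaults_returned": False, "has_sudouser": False, "options": []}
    return {
        "defaults_returned": True,
        "has_sudouser": bool(rule.get("sudoUser")),
        "options": list(rule.get("sudoOption", [])),
    }


if __name__ == "__main__":
    result = parse_rules(SAMPLE_LOG)
    print("declared:", result["declared"], "parsed:", len(result["rules"]))
    print("warnings:", result["warnings"])
    print("defaults:", check_defaults(result["rules"]))
```

Run it against a saved sssd_sudo.log (after raising the debug level so the 0x2000 lines are written): a declared count that differs from the number of parsed rule blocks, or a missing cn=defaults block, is the first thing to look at, and the 'Unable to parse name' warning is reported separately so it is not mistaken for the cause.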
@sveldhuisen
Author

A small update: I have compiled SSSD 2.8.2 from source and the behaviour is still the same.

@sveldhuisen sveldhuisen changed the title SSSD 2.5.2 Sudo not applying cn=defaults SSSD Sudo not applying cn=defaults Feb 24, 2023
@sveldhuisen
Author

A minor bump to get some attention on this issue. Can anybody provide some input on how to troubleshoot this?

@alexey-tikhonov
Member

Hi,

@sveldhuisen, could you please show the definition of your 'defaults' rules?

@pbrezina, is it normal that the 'defaults' rule misses 'sudoCommand'/'sudoHost'?

@sveldhuisen
Author

sveldhuisen commented Mar 17, 2023

Hi alexey,

Here you go (LDIF, currently without sudoUser configured):

version: 1

dn: cn=defaults,ou=Sudoers,o=Org
objectClass: sudoRole
objectClass: Top
cn: defaults
description: Default sudoOption's go here
sudoOption: !insults
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
sudoOption: env_reset
sudoOption: requiretty
sudoOption: secure_path="/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin:/usr/local/sbin"
sudoOption: timestamp_timeout=5
sudoOrder: 1
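An added example, not code from SSSD or from this thread: a small LDIF reader plus an audit for sudoRole entries. It treats cn=defaults as the Defaults section (no sudoUser/sudoHost/sudoCommand expected, which matches what pbrezina confirms below), requires those three attributes on every other rule, and flags sudoOption values that switch off a sudo check. The sample is the cn=defaults entry above (env_keep shortened and wrapped onto an LDIF continuation line) plus a constructed cn=%ops rule so that both paths are exercised.

```python
import re

# Constructed sample: the cn=defaults entry posted in this comment (env_keep shortened and
# wrapped onto an LDIF continuation line) plus a hypothetical cn=%ops rule.
SAMPLE_LDIF = """\
version: 1

dn: cn=defaults,ou=Sudoers,o=Org
objectClass: sudoRole
objectClass: Top
cn: defaults
description: Default sudoOption's go here
sudoOption: !insults
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION
  LC_MEASUREMENT LC_MESSAGES LC_MONETARY"
sudoOption: env_reset
sudoOption: requiretty
sudoOption: secure_path="/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin:/usr/local/sbin"
sudoOption: timestamp_timeout=5
sudoOrder: 1

dn: cn=%ops,ou=Sudoers,o=Org
objectClass: sudoRole
cn: %ops
sudoUser: %ops
sudoHost: ALL
sudoRunAsUser: root
sudoCommand: /sbin/reboot
sudoOption: !authenticate
sudoOrder: 2
"""


def parse_ldif(text):
    """Minimal LDIF reader: a list of {attr: [values]} dicts, one per entry.
    Handles line continuations (a line starting with one space) but not base64 ('::') values."""
    entries, current, last_attr = [], None, None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += line[1:]     # continuation: drop the leading space
            continue
        if not line.strip():
            current = None                         # blank line ends the entry
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        if current is None:
            current = {}
            entries.append(current)
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    return entries


# name, optional += / -= / = operator, value (sudoers Defaults syntax)
OPT_RE = re.compile(r"^(?P<name>[A-Za-z_]+)\s*(?P<op>[+-]?=)\s*(?P<value>.*)$")


def parse_option(opt):
    """Split a sudoOption value into (negated, name, operator, value)."""
    opt = opt.strip()
    negated = opt.startswith("!")
    if negated:
        opt = opt[1:].strip()
    m = OPT_RE.match(opt)
    if m:
        return negated, m["name"], m["op"], m["value"].strip().strip('"')
    return negated, opt, None, None


REQUIRED_FOR_RULES = ("sudoUser", "sudoHost", "sudoCommand")
# (option name, negated?) -> why an auditor wants to see it listed
RISKY = {
    ("authenticate", True): "password prompt disabled",
    ("requiretty", True): "may be run without a tty",
    ("visiblepw", False): "password may echo",
}


def audit(entries):
    """Return (dn, finding) tuples. cn=defaults legitimately lacks sudoUser/sudoHost/sudoCommand
    (it is the Defaults section); every other sudoRole must carry them."""
    findings = []
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        if "sudoRole" not in e.get("objectClass", []):
            findings.append((dn, "objectClass sudoRole missing"))
            continue
        if e.get("cn", []) != ["defaults"]:
            for attr in REQUIRED_FOR_RULES:
                if attr not in e:
                    findings.append((dn, f"{attr} missing"))
        for opt in e.get("sudoOption", []):
            negated, name, _, _ = parse_option(opt)
            reason = RISKY.get((name, negated))
            if reason:
                findings.append((dn, f"{opt}: {reason}"))
    return findings


if __name__ == "__main__":
    for dn, finding in audit(parse_ldif(SAMPLE_LDIF)):
        print(dn, "->", finding)
```

Feed it the output of an ldapsearch over ldap_sudo_search_base to get the same per-rule view SSSD stores in its cache, independent of what the responder later hands to sudo.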

@sveldhuisen
Author

Hi Team,

Any update regarding this issue? If you need more information please let me know.

@pbrezina
Member

Hi,

> @sveldhuisen, could you please show the definition of your 'defaults' rules?
>
> @pbrezina, is it normal that the 'defaults' rule misses 'sudoCommand'/'sudoHost'?

Yes. This is a special rule that represents "Defaults" section in sudoers.

@pbrezina
Member

I couldn't reproduce it, can you please share the full sssd_sudo.log file? I am especially interested in the search filter used to retrieve the defaults rule. This is what I got:

(2023-04-20  9:30:55): [sudo] [sudosrv_fetch_rules] (0x0400): [CID#1] Retrieving default options for [user-1@test@test]
(2023-04-20  9:30:55): [sudo] [sudosrv_query_cache] (0x0200): [CID#1] Searching sysdb with [(&(objectClass=sudoRule)(name=defaults))]

@sveldhuisen
Author

> I couldn't reproduce it, can you please share the full sssd_sudo.log file? I am especially interested in the search filter used to retrieve the defaults rule. This is what I got:
>
> (2023-04-20  9:30:55): [sudo] [sudosrv_fetch_rules] (0x0400): [CID#1] Retrieving default options for [user-1@test@test]
> (2023-04-20  9:30:55): [sudo] [sudosrv_query_cache] (0x0200): [CID#1] Searching sysdb with [(&(objectClass=sudoRule)(name=defaults))]

Thanks for the effort. Let me retest it, but I'm pretty sure that my log did not contain any reference to "sudosrv_query_cache".

@pbrezina
Member

You can bump the debug level prior to testing if needed, for example with sudo sssctl debug-level 0xfff0

@alexey-tikhonov
Member

No feedback, candidate to close.

@sveldhuisen
Author

sveldhuisen commented Sep 26, 2023

(2023-09-26 11:40:05): [sudo] [cache_req_prepare_domain_data] (0x0400): CR #0: Preparing input data for domain [LDAP] rules
(2023-09-26 11:40:05): [sudo] [cache_req_search_send] (0x0400): CR #0: Looking up sveldhuisen@ldap
(2023-09-26 11:40:05): [sudo] [cache_req_search_ncache] (0x0400): CR #0: Checking negative cache for [sveldhuisen@ldap]
(2023-09-26 11:40:05): [sudo] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/LDAP/sveldhuisen@ldap]
(2023-09-26 11:40:05): [sudo] [cache_req_search_ncache] (0x0400): CR #0: [sveldhuisen@ldap] is not present in negative cache
(2023-09-26 11:40:05): [sudo] [cache_req_search_cache] (0x0400): CR #0: Looking up [sveldhuisen@ldap] in cache
(2023-09-26 11:40:05): [sudo] [cache_req_search_send] (0x0400): CR #0: Returning [sveldhuisen@ldap] from cache
(2023-09-26 11:40:05): [sudo] [cache_req_search_ncache_filter] (0x0400): CR #0: This request type does not support filtering result by negative cache
(2023-09-26 11:40:05): [sudo] [cache_req_create_and_add_result] (0x0400): CR #0: Found 3 entries in domain LDAP
(2023-09-26 11:40:05): [sudo] [cache_req_done] (0x0400): CR #0: Finished: Success
(2023-09-26 11:40:05): [sudo] [sysdb_get_sudo_user_info] (0x0400): Original name: sveldhuisen@ldap
(2023-09-26 11:40:05): [sudo] [sysdb_get_sudo_user_info] (0x0400): Cased name: sveldhuisen@ldap
(2023-09-26 11:40:05): [sudo] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(dataExpireTimestamp<=1695721205)(|(name=defaults)(sudoUser=ALL)(sudoUser=sveldhuisen@ldap)(sudoUser=#10000)(sudoUser=%nivooperator@ldap)(sudoUser=%nivoadmin@ldap)(sudoUser=%nivooperator@ldap)(sudoUser=+*)))]
(2023-09-26 11:40:05): [sudo] [sudosrv_refresh_rules_send] (0x0400): No expired rules were found for [sveldhuisen@ldap@LDAP].
(2023-09-26 11:40:05): [sudo] [sudosrv_fetch_rules] (0x0400): Retrieving default options for [sveldhuisen@ldap@LDAP]
(2023-09-26 11:40:05): [sudo] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(name=defaults))]
(2023-09-26 11:40:05): [sudo] [sysdb_merge_res_ts_attrs] (0x2000): TS cache doesn't handle this DN type, skipping
(2023-09-26 11:40:05): [sudo] [sudosrv_fetch_rules] (0x0400): Returning 1 default options for [sveldhuisen@ldap@LDAP]
(2023-09-26 11:40:05): [sudo] [sudosrv_build_response] (0x2000): error: [0]
(2023-09-26 11:40:05): [sudo] [sudosrv_build_response] (0x2000): rules_num: [0]
(2023-09-26 11:40:05): [sudo] [sudosrv_build_response] (0x2000): rule [1]/[1]
(2023-09-26 11:40:05): [sudo] [sudosrv_response_append_attr] (0x2000): cn:defaults
(2023-09-26 11:40:05): [sudo] [sudosrv_response_append_attr] (0x2000): objectClass:sudoRule
(2023-09-26 11:40:05): [sudo] [sudosrv_response_append_attr] (0x2000): sudoOption:!insults
(2023-09-26 11:40:05): [sudo] [sudosrv_response_append_attr] (0x2000): sudoOption:always_set_home
(2023-09-26 11:40:05): [sudo] [sudosrv_response_append_attr] (0x2000): sudoOption:env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
(2023-09-26 11:40:05): [sudo] [sudosrv_response_append_attr] (0x2000): sudoOption:env_reset
(2023-09-26 11:40:05): [sudo] [sudosrv_response_append_attr] (0x2000): sudoOption:secure_path="/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin:/usr/local/sbin"
(2023-09-26 11:40:05): [sudo] [sudosrv_response_append_attr] (0x2000): sudoOption:!visiblepw
(2023-09-26 11:40:05): [sudo] [sudosrv_response_append_attr] (0x2000): sudoOption:requiretty
(2023-09-26 11:40:05): [sudo] [sudosrv_response_append_attr] (0x2000): sudoOption:timestamp_timeout=5
(2023-09-26 11:40:05): [sudo] [sudosrv_response_append_attr] (0x2000): sudoOrder:1
(2023-09-26 11:40:05): [sudo] [sudosrv_cmd] (0x2000): Using protocol version [1]

sudo listing on CLI:

# sudo -ll -U sveldhuisen
Matching Defaults entries for sveldhuisen on nivo-firda:
    always_set_home, secure_path=/usr/sbin\:/usr/bin\:/sbin\:/bin\:/usr/local/bin\:/usr/local/sbin, env_reset, env_keep="LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES
    LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE", !insults

User sveldhuisen may run the following commands on nivo-firda:

LDAP Role: %nivooperator
    RunAsUsers: root
    Options: !authenticate
    Commands:
	/sbin/shutdown -h now
	/sbin/reboot

LDAP Role: %nivoadmin
    RunAsUsers: ALL
    Options: authenticate
    Commands:
	ALL
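An added example (not part of SSSD or of this issue) that reads the two artefacts pasted above. It pulls the sudoUser identities and the name=defaults term out of the logged sysdb filter, which shows that the special rule is fetched by name rather than matched through sudoUser, and it parses the "Matching Defaults entries" block of sudo -ll so the option names can be compared with the cn=defaults LDIF posted earlier in the thread. The LDIF values are abbreviated to their names here; a non-empty result from missing_defaults is a pointer to what to check next, not a verdict on its own.

```python
import re

# Constructed sample inputs, copied from the sssd_sudo.log line and the `sudo -ll`
# output in this comment (backslashes doubled for the Python string).
FILTER_LINE = (
    "(2023-09-26 11:40:05): [sudo] [sudosrv_query_cache] (0x0200): Searching sysdb with "
    "[(&(objectClass=sudoRule)(dataExpireTimestamp<=1695721205)(|(name=defaults)(sudoUser=ALL)"
    "(sudoUser=sveldhuisen@ldap)(sudoUser=#10000)(sudoUser=%nivooperator@ldap)"
    "(sudoUser=%nivoadmin@ldap)(sudoUser=%nivooperator@ldap)(sudoUser=+*)))]"
)

SUDO_LL = """\
Matching Defaults entries for sveldhuisen on nivo-firda:
    always_set_home, secure_path=/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/usr/local/bin\\:/usr/local/sbin, env_reset, env_keep="LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES
    LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE", !insults

User sveldhuisen may run the following commands on nivo-firda:
"""

# The sudoOption values of the cn=defaults LDIF posted earlier in this issue
# (long values abbreviated; only the option names matter for the comparison).
EXPECTED_FROM_LDIF = [
    "!insults", "!visiblepw", "always_set_home", 'env_keep = "LANG LC_ADDRESS"',
    "env_reset", "requiretty", 'secure_path="/usr/sbin:/usr/bin"', "timestamp_timeout=5",
]


def sysdb_filter_terms(line):
    """Return the (attribute, operator, value) triples of the sysdb filter SSSD logged."""
    m = re.search(r"Searching sysdb with \[(.*)\]$", line)
    if not m:
        return []
    return re.findall(r"\(([A-Za-z]+)(<=|>=|=)([^()]*)\)", m.group(1))


def identities_matched(line):
    """Which identities the rule lookup matched on, and whether 'defaults' is
    fetched by name (which is why the special rule needs no sudoUser)."""
    terms = sysdb_filter_terms(line)
    return {
        "defaults_by_name": ("name", "=", "defaults") in terms,
        "sudoUser": [v for a, _, v in terms if a == "sudoUser"],
    }


def applied_defaults(sudo_ll_output):
    """Parse the 'Matching Defaults entries' block of `sudo -ll` into option strings,
    re-joining the wrapped env_keep line and splitting only on commas outside quotes."""
    block, collecting = [], False
    for ln in sudo_ll_output.splitlines():
        if ln.startswith("Matching Defaults entries"):
            collecting = True
            continue
        if collecting:
            if not ln.strip():
                break                                  # blank line ends the block
            block.append(ln.strip())
    text = " ".join(block)
    parts = re.split(r',\s*(?=(?:[^"]*"[^"]*")*[^"]*$)', text)
    return [p.strip() for p in parts if p.strip()]


def option_name(opt):
    """'!visiblepw' -> 'visiblepw', 'env_keep = "..."' -> 'env_keep'."""
    return re.split(r"\s*[+-]?=", opt.lstrip("!"), maxsplit=1)[0].strip()


def missing_defaults(expected, applied):
    """LDAP options whose name does not appear in the sudo -ll Defaults block."""
    seen = {option_name(o) for o in applied}
    return [o for o in expected if option_name(o) not in seen]


if __name__ == "__main__":
    print(identities_matched(FILTER_LINE))
    applied = applied_defaults(SUDO_LL)
    print("applied:", applied)
    print("not echoed:", missing_defaults(EXPECTED_FROM_LDIF, applied))
```

The filter parser is the quickest way to tell the two states apart that this issue went through: with the defaults rule present in the cache, the (name=defaults) term in the second sudosrv_query_cache search is what returns it, so no sudoUser on cn=defaults is needed.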
