SSSD Sudo not applying for local user root #6595
Comments
Some extra checks with sssctl:

```shell
sssctl user-checks root
sssctl user-checks zabbix
```
On 2/26/23 09:59, Sebastiaan Veldhuisen wrote:

> I'm using SSSD with sudo from ldap through NSS (not sudo-ldap). My SSSD
> version is 2.8.2 (SLES 15 SP4). My LDAP backend is eDirectory 9.2.7.
> I have set up SSSD with both a LDAP and a files domain, so I can use sudo
> rights from LDAP for both local and LDAP users. This seems to be working
> fine for LDAP users and regular local users from /etc/passwd.
> However it does not seem to work for the local user root.

Hi, root user is not handled by SSSD. This is on purpose.
root is permanently stored in negative cache so SSSD cannot resolve it.
It is by design so you can always log in as root in case SSSD
misbehaves. Root user is always handled by nss_files and pam_unix.

…
sssd.conf

```ini
[sssd]
config_file_version = 2
services = nss, pam, sudo
reconnection_retries = 3
domains = files, LDAP
debug_backtrace_enabled = false
debug_level = 9

[nss]
reconnection_retries = 3
debug_backtrace_enabled = false
debug_level = 9

[pam]
debug_backtrace_enabled = false
debug_level = 9

[sudo]
debug_backtrace_enabled = false
debug_level = 9

[domain/files]
id_provider = files
sudo_provider = ldap
ldap_uri = ldaps://127.0.0.1:636
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_reqcert = demand
ldap_default_bind_dn = cn=SSSDBind,o=services
ldap_default_authtok_type = password
ldap_default_authtok = ****************
ldap_search_timeout = 3
ldap_network_timeout = 3
enumerate = true
ldap_enumeration_refresh_timeout = 300
ldap_purge_cache_timeout = 10800
ldap_sudo_search_base = ou=Sudoers,o=POSIX
ldap_sudorule_object_class = sudoRole
ldap_sudo_use_host_filter = true
ldap_sudorule_name = cn
ldap_sudorule_command = sudoCommand
ldap_sudorule_host = sudoHost
ldap_sudorule_user = sudoUser
ldap_sudorule_option = sudoOption
ldap_sudorule_order = sudoOrder
ldap_sudorule_notbefore = sudoNotBefore
ldap_sudorule_notafter = sudoNotAfter
ldap_sudorule_runasuser = sudoRunAsUser
ldap_sudo_full_refresh_interval = 7200
ldap_sudo_smart_refresh_interval = 300
ldap_sudo_include_regexp = true
debug_backtrace_enabled = false
debug_level = 9
```
My relevant sudoRoles inside LDAP:

```ldif
# defaults, Sudoers, POSIX
dn: cn=defaults,ou=Sudoers,o=POSIX
sudoOrder: 1
sudoOption: always_set_home
sudoOption: secure_path="/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin:/usr/local/sbin"
sudoOption: env_reset
sudoOption: env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
sudoOption: !insults
sudoOption: timestamp_timeout=5
sudoOption: logfile=/var/log/sudo.log
sudoOption: !visiblepw
objectClass: Top
objectClass: sudoRole
description: Default sudoOption's go here
cn: defaults

# root, Sudoers, POSIX
dn: cn=root,ou=Sudoers,o=POSIX
sudoOrder: 2
sudoRunAsGroup: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoHost: ALL
sudoUser: root
objectClass: Top
objectClass: sudoRole
cn: root

# zabbix, Sudoers, POSIX
dn: cn=zabbix,ou=Sudoers,o=POSIX
sudoOrder: 6
sudoRunAsUser: root
sudoOption: !authenticate
sudoCommand: /usr/sbin/apachectl -t -D DUMP_VHOSTS
sudoCommand: /usr/bin/find /var/spool/postfix/maildrop -type f
sudoCommand: /usr/bin/find /var/spool/postfix/deferred -type f
sudoCommand: /usr/bin/find /var/spool/postfix/incoming -type f
sudoCommand: /usr/bin/find /var/spool/postfix/active -type f
sudoCommand: /usr/bin/mailq
sudoCommand: /usr/local/bin/nivo-osutil *
sudoCommand: /usr/local/bin/nivo-javautil *
sudoCommand: /usr/local/bin/nivo-ssprutil *
sudoCommand: /usr/local/bin/nivo-idmutil *
sudoHost: ALL
sudoUser: zabbix
objectClass: Top
objectClass: sudoRole
description: Allow Zabbix agent to monitor various services
cn: zabbix
```
Effective sudo rules for local user zabbix from CLI:

```
User zabbix may run the following commands on nivo-school:

LDAP Role: zabbix
    RunAsUsers: root
    Options: !authenticate
    Commands:
        /usr/sbin/apachectl -t -D DUMP_VHOSTS
        /usr/bin/find /var/spool/postfix/maildrop -type f
        /usr/bin/find /var/spool/postfix/deferred -type f
        /usr/bin/find /var/spool/postfix/incoming -type f
        /usr/bin/find /var/spool/postfix/active -type f
        /usr/bin/mailq
        /usr/local/bin/nivo-osutil *
        /usr/local/bin/nivo-javautil *
        /usr/local/bin/nivo-ssprutil *
        /usr/local/bin/nivo-idmutil *
```

Effective sudo rules for local user root from CLI:

```
User root is not allowed to run sudo on server.
```
sssd_sudo.log

```
(2023-02-26 9:56:28): [sudo] [sudosrv_get_rules_send] (0x0400): [CID#15] Running initgroups for [root]
(2023-02-26 9:56:28): [sudo] [cache_req_set_plugin] (0x2000): [CID#15] CR #28: Setting "Initgroups by name" plugin
(2023-02-26 9:56:28): [sudo] [cache_req_send] (0x0400): [CID#15] CR #28: REQ_TRACE: New request [CID #15] 'Initgroups by name'
(2023-02-26 9:56:28): [sudo] [cache_req_process_input] (0x0400): [CID#15] CR #28: Parsing input name [root]
(2023-02-26 9:56:28): [sudo] [sss_domain_get_state] (0x1000): [CID#15] Domain LDAP is Active
(2023-02-26 9:56:28): [sudo] [sss_parse_name_for_domains] (0x0200): [CID#15] name 'root' matched without domain, user is root
(2023-02-26 9:56:28): [sudo] [cache_req_set_name] (0x0400): [CID#15] CR #28: Setting name [root]
(2023-02-26 9:56:28): [sudo] [cache_req_select_domains] (0x0400): [CID#15] CR #28: Performing a multi-domain search
(2023-02-26 9:56:28): [sudo] [cache_req_search_domains] (0x0400): [CID#15] CR #28: Search will check the cache and check the data provider
(2023-02-26 9:56:28): [sudo] [cache_req_validate_domain_type] (0x2000): [CID#15] Request type POSIX-only for domain files type POSIX is valid
(2023-02-26 9:56:28): [sudo] [cache_req_set_domain] (0x0400): [CID#15] CR #28: Using domain [files]
(2023-02-26 9:56:28): [sudo] [cache_req_prepare_domain_data] (0x0400): [CID#15] CR #28: Preparing input data for domain [files] rules
(2023-02-26 9:56:28): [sudo] [cache_req_search_send] (0x0400): [CID#15] CR #28: Looking up ***@***.***
(2023-02-26 9:56:28): [sudo] [cache_req_search_ncache] (0x0400): [CID#15] CR #28: Checking negative cache for ***@***.***
(2023-02-26 9:56:28): [sudo] [sss_ncache_check_str] (0x2000): [CID#15] Checking negative cache for ***@***.***
(2023-02-26 9:56:28): [sudo] [cache_req_search_ncache] (0x0400): [CID#15] CR #28: ***@***.*** does not exist (negative cache)
(2023-02-26 9:56:28): [sudo] [cache_req_validate_domain_type] (0x2000): [CID#15] Request type POSIX-only for domain LDAP type POSIX is valid
(2023-02-26 9:56:28): [sudo] [cache_req_set_domain] (0x0400): [CID#15] CR #28: Using domain [LDAP]
(2023-02-26 9:56:28): [sudo] [cache_req_prepare_domain_data] (0x0400): [CID#15] CR #28: Preparing input data for domain [LDAP] rules
(2023-02-26 9:56:28): [sudo] [cache_req_search_send] (0x0400): [CID#15] CR #28: Looking up ***@***.***
(2023-02-26 9:56:28): [sudo] [cache_req_search_ncache] (0x0400): [CID#15] CR #28: Checking negative cache for ***@***.***
(2023-02-26 9:56:28): [sudo] [sss_ncache_check_str] (0x2000): [CID#15] Checking negative cache for ***@***.***
(2023-02-26 9:56:28): [sudo] [cache_req_search_ncache] (0x0400): [CID#15] CR #28: ***@***.*** does not exist (negative cache)
(2023-02-26 9:56:28): [sudo] [cache_req_process_result] (0x0400): [CID#15] CR #28: Finished: Not found
(2023-02-26 9:56:28): [sudo] [sudosrv_cmd_done] (0x0080): [CID#15] Unable to obtain cached rules [2]: No such file or directory
(2023-02-26 9:56:28): [sudo] [sudosrv_build_response] (0x2000): [CID#15] error: [2]
(2023-02-26 9:56:28): [sudo] [sudosrv_cmd] (0x2000): [CID#15] Using protocol version [1]
(2023-02-26 9:56:28): [sudo] [sudosrv_get_rules_send] (0x0400): [CID#15] Running initgroups for [root]
(2023-02-26 9:56:28): [sudo] [cache_req_set_plugin] (0x2000): [CID#15] CR #29: Setting "Initgroups by name" plugin
(2023-02-26 9:56:28): [sudo] [cache_req_send] (0x0400): [CID#15] CR #29: REQ_TRACE: New request [CID #15] 'Initgroups by name'
(2023-02-26 9:56:28): [sudo] [cache_req_process_input] (0x0400): [CID#15] CR #29: Parsing input name [root]
(2023-02-26 9:56:28): [sudo] [sss_domain_get_state] (0x1000): [CID#15] Domain LDAP is Active
(2023-02-26 9:56:28): [sudo] [sss_parse_name_for_domains] (0x0200): [CID#15] name 'root' matched without domain, user is root
(2023-02-26 9:56:28): [sudo] [cache_req_set_name] (0x0400): [CID#15] CR #29: Setting name [root]
(2023-02-26 9:56:28): [sudo] [cache_req_select_domains] (0x0400): [CID#15] CR #29: Performing a multi-domain search
(2023-02-26 9:56:28): [sudo] [cache_req_search_domains] (0x0400): [CID#15] CR #29: Search will check the cache and check the data provider
(2023-02-26 9:56:28): [sudo] [cache_req_validate_domain_type] (0x2000): [CID#15] Request type POSIX-only for domain files type POSIX is valid
(2023-02-26 9:56:28): [sudo] [cache_req_set_domain] (0x0400): [CID#15] CR #29: Using domain [files]
(2023-02-26 9:56:28): [sudo] [cache_req_prepare_domain_data] (0x0400): [CID#15] CR #29: Preparing input data for domain [files] rules
(2023-02-26 9:56:28): [sudo] [cache_req_search_send] (0x0400): [CID#15] CR #29: Looking up ***@***.***
(2023-02-26 9:56:28): [sudo] [cache_req_search_ncache] (0x0400): [CID#15] CR #29: Checking negative cache for ***@***.***
(2023-02-26 9:56:28): [sudo] [sss_ncache_check_str] (0x2000): [CID#15] Checking negative cache for ***@***.***
(2023-02-26 9:56:28): [sudo] [cache_req_search_ncache] (0x0400): [CID#15] CR #29: ***@***.*** does not exist (negative cache)
(2023-02-26 9:56:28): [sudo] [cache_req_validate_domain_type] (0x2000): [CID#15] Request type POSIX-only for domain LDAP type POSIX is valid
(2023-02-26 9:56:28): [sudo] [cache_req_set_domain] (0x0400): [CID#15] CR #29: Using domain [LDAP]
(2023-02-26 9:56:28): [sudo] [cache_req_prepare_domain_data] (0x0400): [CID#15] CR #29: Preparing input data for domain [LDAP] rules
(2023-02-26 9:56:28): [sudo] [cache_req_search_send] (0x0400): [CID#15] CR #29: Looking up ***@***.***
(2023-02-26 9:56:28): [sudo] [cache_req_search_ncache] (0x0400): [CID#15] CR #29: Checking negative cache for ***@***.***
(2023-02-26 9:56:28): [sudo] [sss_ncache_check_str] (0x2000): [CID#15] Checking negative cache for ***@***.***
(2023-02-26 9:56:28): [sudo] [cache_req_search_ncache] (0x0400): [CID#15] CR #29: ***@***.*** does not exist (negative cache)
(2023-02-26 9:56:28): [sudo] [cache_req_process_result] (0x0400): [CID#15] CR #29: Finished: Not found
(2023-02-26 9:56:28): [sudo] [sudosrv_cmd_done] (0x0080): [CID#15] Unable to obtain cached rules [2]: No such file or directory
(2023-02-26 9:56:28): [sudo] [sudosrv_build_response] (0x2000): [CID#15] error: [2]
(2023-02-26 9:56:28): [sudo] [client_recv] (0x0200): [CID#15] Client disconnected!
```
Hi Pavel, Thanks for the clarification. I wasn't aware of this design constraint, but it makes sense. I'll change my nsswitch.conf to use files and nss instead.
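An added audit example that follows from Pavel's point (it is not code from the SSSD project or from this thread): because SSSD keeps root permanently in its negative cache, an LDAP sudoRole whose only sudoUser is root is never returned through the `sss` sudoers source, so it must also exist in /etc/sudoers and nsswitch's `sudoers:` line must keep `files`. The LDIF sample is constructed from the roles quoted above, and the function names are assumptions of this example.

```python
import re

# Constructed sample modelled on the sudoRoles quoted in this issue, not the real directory.
SAMPLE_LDIF = """\
dn: cn=root,ou=Sudoers,o=POSIX
sudoCommand: ALL
sudoHost: ALL
sudoUser: root
objectClass: sudoRole
cn: root

dn: cn=zabbix,ou=Sudoers,o=POSIX
sudoCommand: /usr/bin/mailq
sudoHost: ALL
sudoUser: zabbix
description: Allow Zabbix agent to monitor
  various services
objectClass: sudoRole
cn: zabbix
"""

def parse_ldif(text):
    """Split LDIF into entries ({attr: [values]}); folds continuation lines, skips '#' comments."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines() + [""]:            # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last is not None:  # folded line continues the previous value
            cur[last][-1] += raw[1:]
            continue
        if not raw.strip():                         # blank line ends an entry
            if cur:
                entries.append(cur)
            cur, last = {}, None
            continue
        attr, _, val = raw.partition(":")
        cur.setdefault(attr, []).append(val.strip())
        last = attr
    return entries

def dead_root_rules(entries):
    """cn of sudoRoles whose only sudoUser is root: never served via 'sss' (root is negative-cached)."""
    return [e["cn"][0] for e in entries
            if "sudoRole" in e.get("objectClass", [])
            and e.get("sudoUser") and all(u == "root" for u in e["sudoUser"])]

def sudoers_uses_files(nsswitch_text):
    """True if nsswitch's 'sudoers:' line keeps 'files' (or is absent: sudo then defaults to files)."""
    m = re.search(r"^\s*sudoers:\s*(.*)$", nsswitch_text, re.M)
    return m is None or "files" in m.group(1).split()
```

Run `dead_root_rules(parse_ldif(SAMPLE_LDIF))` against an export of the real ou=Sudoers to list the roles that only /etc/sudoers can honour for root.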