SSSD Sudo not applying for local user root #6595

Closed
sveldhuisen opened this issue Feb 26, 2023 · 3 comments

sveldhuisen commented Feb 26, 2023

I'm using SSSD with sudo from LDAP through NSS (not sudo-ldap). My SSSD version is 2.8.2 (SLES 15 SP4). My LDAP backend is eDirectory 9.2.7.

I have set up SSSD with both an LDAP and a files domain, so I can use sudo rights from LDAP for both local and LDAP users. This seems to be working fine for LDAP users and regular local users from /etc/passwd.

However, it does not seem to work for the local user root.

sssd.conf

[sssd]
config_file_version = 2
services = nss, pam, sudo
reconnection_retries = 3
domains = files, LDAP
debug_backtrace_enabled = false
debug_level = 9

[nss]
reconnection_retries = 3
debug_backtrace_enabled = false
debug_level = 9

[pam]
debug_backtrace_enabled = false
debug_level = 9

[sudo]
debug_backtrace_enabled = false
debug_level = 9

[domain/files]
id_provider = files
sudo_provider = ldap
ldap_uri = ldaps://127.0.0.1:636
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_reqcert = demand
ldap_default_bind_dn = cn=SSSDBind,o=services
ldap_default_authtok_type = password
ldap_default_authtok = ****************
ldap_search_timeout = 3
ldap_network_timeout = 3
enumerate = true
ldap_enumeration_refresh_timeout = 300
ldap_purge_cache_timeout = 10800
ldap_sudo_search_base = ou=Sudoers,o=POSIX
ldap_sudorule_object_class = sudoRole
ldap_sudo_use_host_filter = true
ldap_sudorule_name = cn
ldap_sudorule_command = sudoCommand
ldap_sudorule_host = sudoHost
ldap_sudorule_user = sudoUser
ldap_sudorule_option = sudoOption
ldap_sudorule_order = sudoOrder
ldap_sudorule_notbefore = sudoNotBefore
ldap_sudorule_notafter = sudoNotAfter
ldap_sudorule_runasuser = sudoRunAsUser
ldap_sudo_full_refresh_interval = 7200
ldap_sudo_smart_refresh_interval = 300
ldap_sudo_include_regexp = true
debug_backtrace_enabled = false
debug_level = 9

My relevant sudoRoles inside LDAP:

# defaults, Sudoers, POSIX
dn: cn=defaults,ou=Sudoers,o=POSIX
sudoOrder: 1
sudoOption: always_set_home
sudoOption: secure_path="/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin:/usr/loc
 al/sbin"
sudoOption: env_reset
sudoOption: env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION
 LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHO
 NE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
sudoOption: !insults
sudoOption: timestamp_timeout=5
sudoOption: logfile=/var/log/sudo.log
sudoOption: !visiblepw
objectClass: Top
objectClass: sudoRole
description: Default sudoOption's go here
cn: defaults

# root, Sudoers, POSIX
dn: cn=root,ou=Sudoers,o=POSIX
sudoOrder: 2
sudoRunAsGroup: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoHost: ALL
sudoUser: root
objectClass: Top
objectClass: sudoRole
cn: root

# zabbix, Sudoers, POSIX
dn: cn=zabbix,ou=Sudoers,o=POSIX
sudoOrder: 6
sudoRunAsUser: root
sudoOption: !authenticate
sudoCommand: /usr/sbin/apachectl -t -D DUMP_VHOSTS
sudoCommand: /usr/bin/find /var/spool/postfix/maildrop -type f
sudoCommand: /usr/bin/find /var/spool/postfix/deferred -type f
sudoCommand: /usr/bin/find /var/spool/postfix/incoming -type f
sudoCommand: /usr/bin/find /var/spool/postfix/active -type f
sudoCommand: /usr/bin/mailq
sudoCommand: /usr/local/bin/nivo-osutil *
sudoCommand: /usr/local/bin/nivo-javautil *
sudoCommand: /usr/local/bin/nivo-ssprutil *
sudoCommand: /usr/local/bin/nivo-idmutil *
sudoHost: ALL
sudoUser: zabbix
objectClass: Top
objectClass: sudoRole
description: Allow Zabbix agent to monitor various services
cn: zabbix

Effective sudo rules for local user zabbix from CLI:

User zabbix may run the following commands on server:

LDAP Role: zabbix
    RunAsUsers: root
    Options: !authenticate
    Commands:
	/usr/sbin/apachectl -t -D DUMP_VHOSTS
	/usr/bin/find /var/spool/postfix/maildrop -type f
	/usr/bin/find /var/spool/postfix/deferred -type f
	/usr/bin/find /var/spool/postfix/incoming -type f
	/usr/bin/find /var/spool/postfix/active -type f
	/usr/bin/mailq
	/usr/local/bin/nivo-osutil *
	/usr/local/bin/nivo-javautil *
	/usr/local/bin/nivo-ssprutil *
	/usr/local/bin/nivo-idmutil *

Effective sudo rules for local user root from CLI:

User root is not allowed to run sudo on server.

sssd_sudo.log

(2023-02-26  9:56:28): [sudo] [sudosrv_get_rules_send] (0x0400): [CID#15] Running initgroups for [root]
(2023-02-26  9:56:28): [sudo] [cache_req_set_plugin] (0x2000): [CID#15] CR #28: Setting "Initgroups by name" plugin
(2023-02-26  9:56:28): [sudo] [cache_req_send] (0x0400): [CID#15] CR #28: REQ_TRACE: New request [CID #15] 'Initgroups by name'
(2023-02-26  9:56:28): [sudo] [cache_req_process_input] (0x0400): [CID#15] CR #28: Parsing input name [root]
(2023-02-26  9:56:28): [sudo] [sss_domain_get_state] (0x1000): [CID#15] Domain LDAP is Active
(2023-02-26  9:56:28): [sudo] [sss_parse_name_for_domains] (0x0200): [CID#15] name 'root' matched without domain, user is root
(2023-02-26  9:56:28): [sudo] [cache_req_set_name] (0x0400): [CID#15] CR #28: Setting name [root]
(2023-02-26  9:56:28): [sudo] [cache_req_select_domains] (0x0400): [CID#15] CR #28: Performing a multi-domain search
(2023-02-26  9:56:28): [sudo] [cache_req_search_domains] (0x0400): [CID#15] CR #28: Search will check the cache and check the data provider
(2023-02-26  9:56:28): [sudo] [cache_req_validate_domain_type] (0x2000): [CID#15] Request type POSIX-only for domain files type POSIX is valid
(2023-02-26  9:56:28): [sudo] [cache_req_set_domain] (0x0400): [CID#15] CR #28: Using domain [files]
(2023-02-26  9:56:28): [sudo] [cache_req_prepare_domain_data] (0x0400): [CID#15] CR #28: Preparing input data for domain [files] rules
(2023-02-26  9:56:28): [sudo] [cache_req_search_send] (0x0400): [CID#15] CR #28: Looking up root@files
(2023-02-26  9:56:28): [sudo] [cache_req_search_ncache] (0x0400): [CID#15] CR #28: Checking negative cache for [root@files]
(2023-02-26  9:56:28): [sudo] [sss_ncache_check_str] (0x2000): [CID#15] Checking negative cache for [NCE/USER/files/root@files]
(2023-02-26  9:56:28): [sudo] [cache_req_search_ncache] (0x0400): [CID#15] CR #28: [root@files] does not exist (negative cache)
(2023-02-26  9:56:28): [sudo] [cache_req_validate_domain_type] (0x2000): [CID#15] Request type POSIX-only for domain LDAP type POSIX is valid
(2023-02-26  9:56:28): [sudo] [cache_req_set_domain] (0x0400): [CID#15] CR #28: Using domain [LDAP]
(2023-02-26  9:56:28): [sudo] [cache_req_prepare_domain_data] (0x0400): [CID#15] CR #28: Preparing input data for domain [LDAP] rules
(2023-02-26  9:56:28): [sudo] [cache_req_search_send] (0x0400): [CID#15] CR #28: Looking up root@ldap
(2023-02-26  9:56:28): [sudo] [cache_req_search_ncache] (0x0400): [CID#15] CR #28: Checking negative cache for [root@ldap]
(2023-02-26  9:56:28): [sudo] [sss_ncache_check_str] (0x2000): [CID#15] Checking negative cache for [NCE/USER/LDAP/root@ldap]
(2023-02-26  9:56:28): [sudo] [cache_req_search_ncache] (0x0400): [CID#15] CR #28: [root@ldap] does not exist (negative cache)
(2023-02-26  9:56:28): [sudo] [cache_req_process_result] (0x0400): [CID#15] CR #28: Finished: Not found
(2023-02-26  9:56:28): [sudo] [sudosrv_cmd_done] (0x0080): [CID#15] Unable to obtain cached rules [2]: No such file or directory
(2023-02-26  9:56:28): [sudo] [sudosrv_build_response] (0x2000): [CID#15] error: [2]
(2023-02-26  9:56:28): [sudo] [sudosrv_cmd] (0x2000): [CID#15] Using protocol version [1]
(2023-02-26  9:56:28): [sudo] [sudosrv_get_rules_send] (0x0400): [CID#15] Running initgroups for [root]
(2023-02-26  9:56:28): [sudo] [cache_req_set_plugin] (0x2000): [CID#15] CR #29: Setting "Initgroups by name" plugin
(2023-02-26  9:56:28): [sudo] [cache_req_send] (0x0400): [CID#15] CR #29: REQ_TRACE: New request [CID #15] 'Initgroups by name'
(2023-02-26  9:56:28): [sudo] [cache_req_process_input] (0x0400): [CID#15] CR #29: Parsing input name [root]
(2023-02-26  9:56:28): [sudo] [sss_domain_get_state] (0x1000): [CID#15] Domain LDAP is Active
(2023-02-26  9:56:28): [sudo] [sss_parse_name_for_domains] (0x0200): [CID#15] name 'root' matched without domain, user is root
(2023-02-26  9:56:28): [sudo] [cache_req_set_name] (0x0400): [CID#15] CR #29: Setting name [root]
(2023-02-26  9:56:28): [sudo] [cache_req_select_domains] (0x0400): [CID#15] CR #29: Performing a multi-domain search
(2023-02-26  9:56:28): [sudo] [cache_req_search_domains] (0x0400): [CID#15] CR #29: Search will check the cache and check the data provider
(2023-02-26  9:56:28): [sudo] [cache_req_validate_domain_type] (0x2000): [CID#15] Request type POSIX-only for domain files type POSIX is valid
(2023-02-26  9:56:28): [sudo] [cache_req_set_domain] (0x0400): [CID#15] CR #29: Using domain [files]
(2023-02-26  9:56:28): [sudo] [cache_req_prepare_domain_data] (0x0400): [CID#15] CR #29: Preparing input data for domain [files] rules
(2023-02-26  9:56:28): [sudo] [cache_req_search_send] (0x0400): [CID#15] CR #29: Looking up root@files
(2023-02-26  9:56:28): [sudo] [cache_req_search_ncache] (0x0400): [CID#15] CR #29: Checking negative cache for [root@files]
(2023-02-26  9:56:28): [sudo] [sss_ncache_check_str] (0x2000): [CID#15] Checking negative cache for [NCE/USER/files/root@files]
(2023-02-26  9:56:28): [sudo] [cache_req_search_ncache] (0x0400): [CID#15] CR #29: [root@files] does not exist (negative cache)
(2023-02-26  9:56:28): [sudo] [cache_req_validate_domain_type] (0x2000): [CID#15] Request type POSIX-only for domain LDAP type POSIX is valid
(2023-02-26  9:56:28): [sudo] [cache_req_set_domain] (0x0400): [CID#15] CR #29: Using domain [LDAP]
(2023-02-26  9:56:28): [sudo] [cache_req_prepare_domain_data] (0x0400): [CID#15] CR #29: Preparing input data for domain [LDAP] rules
(2023-02-26  9:56:28): [sudo] [cache_req_search_send] (0x0400): [CID#15] CR #29: Looking up root@ldap
(2023-02-26  9:56:28): [sudo] [cache_req_search_ncache] (0x0400): [CID#15] CR #29: Checking negative cache for [root@ldap]
(2023-02-26  9:56:28): [sudo] [sss_ncache_check_str] (0x2000): [CID#15] Checking negative cache for [NCE/USER/LDAP/root@ldap]
(2023-02-26  9:56:28): [sudo] [cache_req_search_ncache] (0x0400): [CID#15] CR #29: [root@ldap] does not exist (negative cache)
(2023-02-26  9:56:28): [sudo] [cache_req_process_result] (0x0400): [CID#15] CR #29: Finished: Not found
(2023-02-26  9:56:28): [sudo] [sudosrv_cmd_done] (0x0080): [CID#15] Unable to obtain cached rules [2]: No such file or directory
(2023-02-26  9:56:28): [sudo] [sudosrv_build_response] (0x2000): [CID#15] error: [2]
(2023-02-26  9:56:28): [sudo] [client_recv] (0x0200): [CID#15] Client disconnected!
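As an added example (not code from the issue or from SSSD), the following script parses sssd_sudo.log lines like the ones above into one record per cache_req request (CR #n), tracking the name looked up, each domain tried and whether that domain answered from the negative cache, and then turns that into a triage finding. The embedded log excerpt is a constructed, trimmed copy of the lines above (CR #29 is omitted as a repeat of CR #28); the message patterns it matches are exactly those visible in that excerpt, so other SSSD messages are ignored rather than guessed at.

```python
import re
from collections import OrderedDict
from typing import Dict, List

# Constructed sample: a trimmed copy of the sssd_sudo.log lines from the issue.
SAMPLE_LOG = """\
(2023-02-26  9:56:28): [sudo] [sudosrv_get_rules_send] (0x0400): [CID#15] Running initgroups for [root]
(2023-02-26  9:56:28): [sudo] [cache_req_send] (0x0400): [CID#15] CR #28: REQ_TRACE: New request [CID #15] 'Initgroups by name'
(2023-02-26  9:56:28): [sudo] [cache_req_set_name] (0x0400): [CID#15] CR #28: Setting name [root]
(2023-02-26  9:56:28): [sudo] [cache_req_select_domains] (0x0400): [CID#15] CR #28: Performing a multi-domain search
(2023-02-26  9:56:28): [sudo] [cache_req_set_domain] (0x0400): [CID#15] CR #28: Using domain [files]
(2023-02-26  9:56:28): [sudo] [cache_req_search_ncache] (0x0400): [CID#15] CR #28: [root@files] does not exist (negative cache)
(2023-02-26  9:56:28): [sudo] [cache_req_set_domain] (0x0400): [CID#15] CR #28: Using domain [LDAP]
(2023-02-26  9:56:28): [sudo] [cache_req_search_ncache] (0x0400): [CID#15] CR #28: [root@ldap] does not exist (negative cache)
(2023-02-26  9:56:28): [sudo] [cache_req_process_result] (0x0400): [CID#15] CR #28: Finished: Not found
(2023-02-26  9:56:28): [sudo] [sudosrv_cmd_done] (0x0080): [CID#15] Unable to obtain cached rules [2]: No such file or directory
(2023-02-26  9:56:28): [sudo] [client_recv] (0x0200): [CID#15] Client disconnected!
"""

# One SSSD debug line: (timestamp): [service] [function] (level): [CID#n] message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\): \[(?P<svc>[^\]]+)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<lvl>0x[0-9a-fA-F]+)\): \[CID#(?P<cid>\d+)\] (?P<msg>.*)$"
)
# Sub-patterns for the cache_req messages visible in the excerpt above.
CR_RE = re.compile(r"^CR #(?P<cr>\d+): (?P<rest>.*)$")
NAME_RE = re.compile(r"^Setting name \[(?P<name>[^\]]+)\]$")
DOMAIN_RE = re.compile(r"^Using domain \[(?P<domain>[^\]]+)\]$")
NCACHE_RE = re.compile(r"^\[(?P<key>[^\]]+)\] does not exist \(negative cache\)$")
FINISHED_RE = re.compile(r"^Finished: (?P<result>.*)$")
CMD_DONE_RE = re.compile(r"^Unable to obtain cached rules \[(?P<errno>\d+)\]: (?P<text>.*)$")


def summarize(log_text: str) -> Dict[str, dict]:
    """Group the trace by CR number and record what each request learned."""
    requests: Dict[str, dict] = OrderedDict()
    current_domain: Dict[str, str] = {}   # CR number -> domain being searched now
    errors_by_cid: Dict[str, str] = {}    # client id -> final responder error
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # blank or foreign line, ignore
        cid, msg = m["cid"], m["msg"]
        if done := CMD_DONE_RE.match(msg):
            errors_by_cid[cid] = "errno %s: %s" % (done["errno"], done["text"])
            continue
        cr_m = CR_RE.match(msg)
        if not cr_m:
            continue                      # e.g. "Running initgroups for [root]"
        cr, rest = cr_m["cr"], cr_m["rest"]
        state = requests.setdefault(cr, {"cid": cid, "name": None, "domains": OrderedDict(),
                                         "result": None, "responder_error": None})
        if n := NAME_RE.match(rest):
            state["name"] = n["name"]
        elif d := DOMAIN_RE.match(rest):
            current_domain[cr] = d["domain"]
        elif NCACHE_RE.match(rest):
            # The ncache key is lower-cased (root@ldap); attribute it to the
            # domain the request said it was using.
            state["domains"][current_domain.get(cr, "?")] = "negative cache"
        elif f := FINISHED_RE.match(rest):
            state["result"] = f["result"]
    for state in requests.values():
        state["responder_error"] = errors_by_cid.get(state["cid"])
    return requests


def diagnose(requests: Dict[str, dict]) -> List[str]:
    """Findings for a sudo-rules triage. A name answered from the negative
    cache in every domain was never resolved by SSSD at all, so the sudo
    responder cannot return rules for it whatever the LDAP tree contains."""
    findings = []
    for cr, st in requests.items():
        tried = list(st["domains"])
        ncache = [d for d, how in st["domains"].items() if how == "negative cache"]
        tail = " (responder: %s)" % st["responder_error"] if st["responder_error"] else ""
        if st["result"] == "Not found" and tried and ncache == tried:
            findings.append("CR #%s: identity %r answered from the negative cache in every "
                            "domain (%s); SSSD does not serve this user, so no sudo rules "
                            "can follow%s" % (cr, st["name"], ", ".join(tried), tail))
        elif st["result"] == "Not found":
            findings.append("CR #%s: identity %r genuinely not found in %s%s"
                            % (cr, st["name"], ", ".join(tried) or "any domain", tail))
    return findings


if __name__ == "__main__":
    for line in diagnose(summarize(SAMPLE_LOG)):
        print(line)
```

The distinction the findings draw is the one that matters for triage: a user answered from the negative cache in every domain never reached the rule lookup, so editing sudoRole entries in LDAP cannot change the outcome, whereas a real not-found after a data-provider search points at the id_provider or the search base instead.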
sveldhuisen (Author) commented

Some extra checks with sssctl

sssctl user-checks root

user: root
action: acct
service: system-auth

sss_getpwnam_r failed with [0].
User name lookup with [root] failed.
InfoPipe User lookup with [root] failed.
testing pam_acct_mgmt

pam_acct_mgmt: Authentication failure

PAM Environment:
 - no env -

sssctl user-checks zabbix

user: zabbix
action: acct
service: system-auth

SSSD nss user lookup result:
 - user name: zabbix
 - user id: 1004
 - group id: 100
 - gecos:
 - home directory: /home/zabbix
 - shell: /bin/bash

SSSD InfoPipe user lookup result:
 - name: zabbix
 - uidNumber: 1004
 - gidNumber: 100
 - gecos: not set
 - homeDirectory: /home/zabbix
 - loginShell: /bin/bash

testing pam_acct_mgmt

pam_acct_mgmt: Authentication failure

PAM Environment:
 - no env -

pbrezina commented Feb 27, 2023 via email

Hi, root user is not handled by SSSD. This is on purpose. root is permanently stored in the negative cache so SSSD cannot resolve it. It is by design so you can always log in as root in case SSSD misbehaves. The root user is always handled by nss_files and pam_unix.

sveldhuisen (Author) commented

Hi Pavel,

Thanks for the clarification. I wasn't aware of this design constraint, but it makes sense. I'll change my nsswitch.conf to use files and nss instead.
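To make the resolution concrete, here is an added example (not the issue author's code or SSSD's) that models sudo-side matching for the sudoRole entries posted above, applies the SSSD rule just described (root is never resolved, so no LDAP rule can be delivered for it), lints the tree for entries SSSD can never serve, and checks that nsswitch.conf keeps a files sudoers source for root. The embedded LDIF is a trimmed copy of the entries from the issue plus one constructed entry, cn=admins, added to show group subjects and wildcard hosts; the nsswitch.conf fragment is constructed too, using the conventional sudoers: files sss line for sudo's sssd backend.

```python
import fnmatch

# Constructed sample: the issue's sudoRole entries, trimmed, plus one extra
# entry (cn=admins) invented here to show group subjects and wildcard hosts.
SAMPLE_LDIF = """\
dn: cn=defaults,ou=Sudoers,o=POSIX
sudoOrder: 1
sudoOption: secure_path="/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin:/usr/loc
 al/sbin"
objectClass: sudoRole
cn: defaults

dn: cn=root,ou=Sudoers,o=POSIX
sudoOrder: 2
sudoCommand: ALL
sudoHost: ALL
sudoUser: root
objectClass: sudoRole
cn: root

dn: cn=zabbix,ou=Sudoers,o=POSIX
sudoOrder: 6
sudoRunAsUser: root
sudoCommand: /usr/bin/mailq
sudoHost: ALL
sudoUser: zabbix
objectClass: sudoRole
cn: zabbix

dn: cn=admins,ou=Sudoers,o=POSIX
sudoOrder: 3
sudoCommand: ALL
sudoHost: *.example.com
sudoUser: %wheel
objectClass: sudoRole
cn: admins
"""

# Constructed nsswitch.conf fragment with a working sudoers line.
SAMPLE_NSSWITCH = "passwd: compat sss\ngroup: compat sss\nsudoers: files sss\n"


def parse_ldif(text):
    """Minimal LDIF reader: unfold continuation lines (leading space), split
    entries on blank lines, keep multi-valued attributes as lists and
    lower-case attribute names, since LDAP attribute names are case-insensitive."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:
        if not line or line.startswith("#"):
            if not line and current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def _user_matches(spec, user, groups):
    # sudoUser forms modelled: ALL, a user name, %group (netgroups and #uid are not).
    return spec == "ALL" or spec == user or (spec.startswith("%") and spec[1:] in groups)


def _host_matches(spec, host):
    # sudo accepts shell-style wildcards in sudoHost; regex hosts are not modelled.
    return spec == "ALL" or fnmatch.fnmatchcase(host, spec)


def sssd_can_resolve(user):
    """SSSD keeps root permanently in its negative cache, by design, so that a
    misbehaving SSSD can never lock root out; the sudo responder's initgroups
    step for root therefore ends in 'Not found' and no rules are returned."""
    return user != "root"


def effective_rules(entries, user, groups, host):
    """(rule names in sudoOrder, reason): what the 'sss' sudoers source would
    deliver for user@host; reason is non-empty when SSSD refuses the user."""
    if not sssd_can_resolve(user):
        return [], "SSSD does not resolve %r; its rules must live in /etc/sudoers" % user
    matched = []
    for e in entries:
        if "sudorole" not in [v.lower() for v in e.get("objectclass", [])]:
            continue
        if e.get("cn", [""])[0] == "defaults":
            continue                  # option-only entry, has no subjects
        if any(_user_matches(s, user, groups) for s in e.get("sudouser", [])) \
                and any(_host_matches(s, host) for s in e.get("sudohost", [])):
            matched.append(e)
    matched.sort(key=lambda e: float(e.get("sudoorder", ["0"])[0]))
    return [e["cn"][0] for e in matched], ""


def roles_sssd_cannot_serve(entries):
    """Lint: sudoRole entries whose every subject is a user SSSD never resolves."""
    return [e["cn"][0] for e in entries
            if e.get("sudouser") and all(u != "ALL" and not u.startswith("%")
                                         and not sssd_can_resolve(u) for u in e["sudouser"])]


def root_rules_reachable(nsswitch_text):
    """root's rules can only come from /etc/sudoers, so the sudoers line must
    keep a 'files' source (listing it before 'sss' also spares a round-trip)."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("sudoers:"):
            return "files" in line.split(":", 1)[1].split()
    return False
```

Run against the sample, the lint reports cn=root as an entry the sss source will never deliver, while cn=zabbix and the constructed cn=admins resolve as sudo -l would show them; the practical consequence is that root's sudo entitlements belong in /etc/sudoers, and the LDAP copy is dead weight.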
