I'm having issues getting LDAP sudoers rules to work. My environment is:
- Active Directory on Windows Server 2012 R2
- Ubuntu 16.04.2
- SSSD 1.13.4-1ubuntu1.5
- sudo 1.8.20-3 (latest as of the posting, tried both LDAP and non-LDAP versions)
I followed these instructions to create a sudo_debug.log (sanitized):
Jun 19 14:53:28 sudo[60452] Received 2 rule(s)
Jun 19 14:53:28 sudo[60452] -> sudo_sss_filter_result @ ./sssd.c:225
...
Jun 19 14:53:28 sudo[60452] sssd/ldap sudoHost 'ALL' ... MATCH!
...
Jun 19 14:53:28 sudo[60452] val[0]=%linuxadmins
...
Jun 19 14:53:28 sudo[60452] sudo_get_grlist: looking up group names for user@domain.com
...
Jun 19 14:53:28 sudo[60452] sudo_getgrgid: gid 1157000513 [] -> group domain users@domain.com [] (cache hit)
...
Jun 19 14:53:28 sudo[60452] user_in_group: user user@domain.com NOT in group linuxadmins
Jun 19 14:53:28 sudo[60452] <- user_in_group @ ./pwutil.c:1031 := false
Jun 19 14:53:28 sudo[60452] user user@domain.com matches group linuxadmins: false @ usergr_matches() ./match.c:969
Jun 19 14:53:28 sudo[60452] <- usergr_matches @ ./match.c:970 := false
Jun 19 14:53:28 sudo[60452] sssd/ldap sudoUser '%linuxadmins' ... not (user@domain.com)
...
From this log, you can see that:
- the sudoers rules are getting from AD to sudo (2 rules, the one displayed matching an AD entry)
- the match fails on the linuxadmins group
However, the user is in the linuxadmins group (sanitized, but "user" matches):
$ getent group linuxadmins
linuxadmins@domain.com:*:1157001133:user@domain.com,otheruser@domain.com
The only odd thing about this log is that sudo_get_grlist appears to return only the user's Primary Group domain users@domain.com. This would explain the lack of a match.
Has anyone seen this before? Any idea if the list of groups is resolved inside sudo (that I should continue to wait on my question to sudo-users) or somewhere else like SSSD (that I should find their list)?
Best Answer
Yeah, the lack of primary groups is probably the issue. The fact that getent group works is irrelevant; sudo uses the initgroups output, which is more or less what you get when you call id. And you're also right that sssd-users is the best one: https://lists.fedorahosted.org/admin/lists/sssd-users.lists.fedorahosted.org/
We even fixed our troubleshooting guide not so long ago at https://pagure.io/docs/SSSD/sssd/, the direct link is https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
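As an added illustration of the answer's point (this is not code from the question or the answer), the script below compares the two views of membership the thread contrasts: the member list from getent group, and the initgroups() list that sudo's user_in_group() and the id command consult. The user and group names in the main block are placeholders; the constructed data in the docstring mirrors the sanitized log above.

```python
"""Compare 'getent group' membership with the initgroups() view sudo uses."""
import grp
import os
import pwd
import sys


def diagnose_group_match(user, group, initgroup_names, gr_mem):
    """Explain why a '%group' sudoUser rule does or does not match.

    initgroup_names: group names returned by initgroups() for the user
                     (the list sudo's user_in_group() and 'id' consult).
    gr_mem:          member list of the group from 'getent group <name>'.
    Example (constructed from the sanitized log in the question):
        initgroup_names=['domain users@domain.com'],
        gr_mem=['user@domain.com', 'otheruser@domain.com']
    """
    in_initgroups = group in initgroup_names
    in_gr_mem = user in gr_mem
    if in_initgroups:
        verdict = "match: sudo sees %s in the initgroups list of %s" % (group, user)
    elif in_gr_mem:
        # This is the situation in the thread: NSS lists the member, but the
        # supplementary-group list that sudo actually checks lacks the group.
        verdict = ("no match: %s lists %s as a member, but initgroups() for %s "
                   "does not return it; sudo only consults initgroups"
                   % (group, user, user))
    else:
        verdict = "no match: %s is not a member of %s in either view" % (user, group)
    return {"in_initgroups": in_initgroups, "in_gr_mem": in_gr_mem,
            "verdict": verdict}


def live_check(user, group):
    """Gather both views from the running system through NSS (pwd/grp/os)."""
    pw = pwd.getpwnam(user)
    # os.getgrouplist() is the initgroups() view, the same one 'id' prints.
    names = []
    for gid in os.getgrouplist(user, pw.pw_gid):
        try:
            names.append(grp.getgrgid(gid).gr_name)
        except KeyError:
            names.append(str(gid))  # gid that NSS cannot resolve to a name
    return diagnose_group_match(user, group, names, grp.getgrnam(group).gr_mem)


if __name__ == "__main__":
    # Placeholder names: replace with the account and group under test.
    username = sys.argv[1] if len(sys.argv) > 2 else "user@domain.com"
    groupname = sys.argv[2] if len(sys.argv) > 2 else "linuxadmins@domain.com"
    print(live_check(username, groupname)["verdict"])
```

Run it as the affected user is not required; it only needs NSS (SSSD) to resolve the names, so a "no match ... does not return it" verdict reproduces the situation in the debug log without invoking sudo.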