#3761 SSSD Update Broke Sudo

Created 6 days ago by wjdavis5
Modified 3 days ago

SUMMARY
I updated SSSD last night and subsequently lost my ability to use sudo and/or pkexec. I was able to recreate the issue on another machine and have narrowed it down to running apt-get upgrade whilst logged in with an Active Directory account that had sudo privs. After the update runs, all accounts lose sudo privs and I have to use the recovery console to give root a password, log in, and remove sss from the nsswitch.conf file.

Also detailed here:
https://askubuntu.com/questions/1045439/apt-get-upgrade-modified-sudoers-file

Ubuntu 16.04LTS -

I just ran apt-get update && apt-get upgrade -y

After it was finished I tried to run another command with sudo and was greeted by the following error:

username is not in the sudoers file.  This incident will be reported.

I tried another account with sudo permissions and got the same message. What in the world just happened?

I was able to see the following packages got updated:

will@will-laptop:/mnt/c/Users/wdavis$ cat updates.txt
Setting up perl-base (5.22.1-9ubuntu0.3) ...
Setting up libpam0g:amd64 (1.1.8-3.2ubuntu2.1) ...
Setting up libpam-modules-bin (1.1.8-3.2ubuntu2.1) ...
Setting up libpam-modules:amd64 (1.1.8-3.2ubuntu2.1) ...
Setting up libpam-runtime (1.1.8-3.2ubuntu2.1) ...
Setting up perl-modules-5.22 (5.22.1-9ubuntu0.3) ...
Setting up libperl5.22:amd64 (5.22.1-9ubuntu0.3) ...
Setting up perl (5.22.1-9ubuntu0.3) ...
Setting up grub-common (2.02~beta2-36ubuntu3.18) ...
Setting up grub2-common (2.02~beta2-36ubuntu3.18) ...
Setting up grub-pc-bin (2.02~beta2-36ubuntu3.18) ...
Setting up grub-pc (2.02~beta2-36ubuntu3.18) ...
Setting up libprocps4:amd64 (2:3.3.10-4ubuntu2.4) ...
Setting up procps (2:3.3.10-4ubuntu2.4) ...
Setting up distro-info-data (0.28ubuntu0.8) ...
Setting up ifupdown (0.8.10ubuntu1.4) ...
Setting up libssl1.0.0:amd64 (1.0.2g-1ubuntu4.12) ...
Setting up linux-base (4.5ubuntu1~16.04.1) ...
Setting up hdparm (9.48+ds-1ubuntu0.1) ...
Setting up libldap-2.4-2:amd64 (2.4.42+dfsg-2ubuntu3.3) ...
Setting up libcurl3-gnutls:amd64 (7.47.0-1ubuntu2.8) ...
Setting up curl (7.47.0-1ubuntu2.8) ...
Setting up ldap-utils (2.4.42+dfsg-2ubuntu3.3) ...
Setting up libelf1:amd64 (0.165-3ubuntu1.1) ...
Setting up libdw1:amd64 (0.165-3ubuntu1.1) ...
Setting up libplymouth4:amd64 (0.9.2-3ubuntu13.5) ...
Setting up openssl (1.0.2g-1ubuntu4.12) ...
Setting up plymouth (0.9.2-3ubuntu13.5) ...
Setting up plymouth-theme-ubuntu-text (0.9.2-3ubuntu13.5) ...
Setting up wget (1.17.1-1ubuntu1.4) ...
Setting up xdg-user-dirs (0.15-2ubuntu6.16.04.1) ...
Setting up python3-problem-report (2.20.1-0ubuntu2.18) ...
Setting up python3-apport (2.20.1-0ubuntu2.18) ...
Setting up apport (2.20.1-0ubuntu2.18) ...
Setting up docker-ce (18.03.1~ce-0~ubuntu) ...
Setting up git-man (1:2.7.4-0ubuntu1.4) ...
Setting up git (1:2.7.4-0ubuntu1.4) ...
Setting up linux-cloud-tools-common (4.4.0-127.153) ...
Setting up linux-cloud-tools-virtual-lts-xenial (4.4.0.127.133) ...
Setting up linux-firmware (1.157.19) ...
Setting up linux-libc-dev:amd64 (4.4.0-127.153) ...
Setting up linux-tools-common (4.4.0-127.153) ...
Setting up linux-tools-virtual-lts-xenial (4.4.0.127.133) ...
Setting up linux-virtual-lts-xenial (4.4.0.127.133) ...
Setting up patch (2.7.5-1ubuntu0.16.04.1) ...
Setting up snapd (2.32.9) ...
Setting up cloud-guest-utils (0.27-0ubuntu25.1) ...
Setting up datadog-agent (1:6.2.1-1) ...
Setting up grub-legacy-ec2 (18.2-4-g05926e48-0ubuntu1~16.04.2) ...
Setting up python-sss (1.13.4-1ubuntu1.11) ...
Setting up libsss-idmap0 (1.13.4-1ubuntu1.11) ...
Setting up libsss-nss-idmap0 (1.13.4-1ubuntu1.11) ...
Setting up sssd-common (1.13.4-1ubuntu1.11) ...
Setting up sssd-tools (1.13.4-1ubuntu1.11) ...
Setting up sssd-proxy (1.13.4-1ubuntu1.11) ...
Setting up sssd-krb5-common (1.13.4-1ubuntu1.11) ...
Setting up sssd-ldap (1.13.4-1ubuntu1.11) ...
Setting up sssd-krb5 (1.13.4-1ubuntu1.11) ...
Setting up libipa-hbac0 (1.13.4-1ubuntu1.11) ...
Setting up sssd-ad-common (1.13.4-1ubuntu1.11) ...
Setting up sssd-ipa (1.13.4-1ubuntu1.11) ...
Setting up sssd-ad (1.13.4-1ubuntu1.11) ...
Setting up sssd (1.13.4-1ubuntu1.11) ...
Setting up libnss-sss:amd64 (1.13.4-1ubuntu1.11) ...
Setting up libpam-sss:amd64 (1.13.4-1ubuntu1.11) ...
Setting up libsss-sudo (1.13.4-1ubuntu1.11) ...
Setting up vlan (1.9-3.2ubuntu1.16.04.5) ...
Setting up python3-distupgrade (1:16.04.25) ...
Setting up python3-update-manager (1:16.04.13) ...
Setting up ubuntu-release-upgrader-core (1:16.04.25) ...
Setting up update-manager-core (1:16.04.13) ...

OUTPUT OF GROUPS

willd@syn.local@DockerSwarm02:~$ groups
domain users@syn.local domain admins@syn.local enterprise admins@syn.local denied rodc password replication group@syn.local sql admins@syn.local synadmin@syn.local syndevel@syn.local synitops@syn.local syn admins@syn.local syndevelopers@syn.local syndb-read-prod@syn.local syndb-read-qa@syn.local syndb-write-backups@syn.local syndb-write-prod@syn.local syndb-write-qa@syn.local synlma-itops@syn.local synlma-prod@syn.local synlma-qa@syn.local synlma-synutilserver@syn.local synrdp-fin@syn.local synrdp-prod@syn.local synrdp-qa@syn.local synrdp-utility@syn.local vpn users@syn.local strictpasswordpolicygroup@syn.local syntechnology@syn.local

syn@DockerSwarm02:~$ groups
syn adm cdrom sudo dip plugdev lxd lpadmin sambashare

OUTPUT OF nsswitch.conf

syn@DockerSwarm02:~$ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat sss
group:          compat sss
shadow:         compat sss
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        file sss

UPDATE SUDOERS:

Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
%Domain\ Admins@syn.local ALL=(ALL) ALL
%domain\ admins@syn.local ALL=(ALL) ALL

UPDATE PKEXEC:

syn@DockerSwarm02:~$ pkexec cat /etc/sudoers
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/cat' as the super user
Authenticating as: syn,,, (syn)
Password:
polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

This incident has been reported.

UPDATE PAM.D/SUDO

root@DockerSwarm02:/etc/pam.d# cat sudo
#%PAM-1.0

session    required   pam_env.so readenv=1 user_readenv=0
session    required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive

UPDATE SSS

After removing sss from nsswitch.conf things are working again. Seems this update of SSS broke something.
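A check worth running against the nsswitch.conf posted above (added here by the editor; it is not from the ticket, the reporter, or the SSSD project): the line reads `sudoers: file sss`, while sudoers(5) spells the local source `files`. sudo's own nsswitch parser (`sudo_read_nss` in plugins/sudoers/nsswitch.c) recognises only `files`, `ldap` and `sss`, case-insensitively, treats `[NOTFOUND=return]`/`[SUCCESS=return]` as control directives, silently skips every other token, and falls back to `files` alone when nothing on the line was recognised. The script below reproduces that rule on constructed nsswitch.conf samples so you can see which sources sudo will actually consult for a given line. The sample entries are made up for the example.

```shell
#!/bin/sh
# Added check, not part of the ticket or of SSSD: show which sudoers sources
# sudo will really consult for the "sudoers:" line of an nsswitch.conf file.
#
# sudo's rule (plugins/sudoers/nsswitch.c, sudo_read_nss): only the first
# "sudoers:" line counts; the tokens files, ldap and sss are matched
# case-insensitively; "[NOTFOUND=return]" / "[SUCCESS=return]" are control
# directives; every other token is skipped without any message; if no source
# was recognised at all, sudo falls back to "files".

# sudo_sources FILE: print the effective source list, space separated.
# Tokens sudo does not know are reported on stderr so a typo such as
# "file" instead of "files" becomes visible.
sudo_sources() {
    file=$1
    # first "sudoers:" line (case-insensitive), trailing comment removed
    line=$(sed -n 's/#.*//; s/^[[:space:]]*[Ss][Uu][Dd][Oo][Ee][Rr][Ss]:[[:space:]]*//p' "$file" | head -n 1)
    sources=""
    set -f   # no pathname expansion: "[NOTFOUND=return]" is a glob pattern
    for tok in $line; do
        tok=$(printf '%s' "$tok" | tr 'A-Z' 'a-z')
        case "$tok" in
            files|ldap|sss)
                case " $sources " in
                    *" $tok "*) ;;                      # listed once already
                    *) sources="$sources $tok" ;;
                esac ;;
            '[notfound=return]'|'[success=return]') ;;  # control directive
            *) echo "warning: source '$tok' is not known to sudo and is ignored" >&2 ;;
        esac
    done
    set +f
    if [ -z "$sources" ]; then
        sources=" files"   # sudo's default when nothing on the line matched
    fi
    printf '%s\n' "${sources# }"
}

# Demonstration on a constructed nsswitch.conf (entries made up for the example).
demo=$(mktemp)
trap 'rm -f "$demo"' EXIT
for entry in 'sudoers: file sss' 'sudoers: file' 'sudoers: files sss'; do
    printf '%s\n' '# constructed sample, not a real host' "$entry" > "$demo"
    printf '%-22s -> sudo consults: %s\n' "$entry" "$(sudo_sources "$demo")"
done
```

Read against the ticket: with `sudoers: file sss` sudo consults only the sss source, and local /etc/sudoers (including the `%sudo` and `%domain\ admins@syn.local` rules) is never read; after sss is removed the line is `sudoers: file`, nothing matches, and sudo falls back to the local file, which is consistent with sudo working again. Whether the SSSD update changed what the sss source returns is a separate question that the SSSD sudo logs would answer; confirming the nsswitch.conf spelling is the cheaper first step.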

When you say that removing sssd from nsswitch.conf fixes things -- which database do you remove sss from? All of them or just sudo?

Why do you use compat as the first database for passwd/group?

Are there some logs we can take a look at?

Sorry for not being specific. I removed it from sudo. Regarding compat, I haven't changed anything there, so other than the change I just made to sudo this file is the same as it was post install.

I'll see what logs I can grab. Because this was a production system we got this resolved as fast as possible, so I'd have to stand up another system to recreate the issue.

UPDATE
I looked through all the SSS* logs and didn't find much at all. One file had a couple of lines in it from a couple of months ago, but that's it.

Edited 6 days ago by wjdavis5

By default, sssd doesn't log much except critical failures. You might want to look at either https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html or https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html to check how to get logs.
