Learn more about these different git repos.
Other Git URLs
SUMMARY I updated SSSD last night and subsequently lost my ability to use sudo and/or pkexec. I was able to recreate the issue on another machine and have narrowed it down to running apt-get upgrade whilst logged in with an Active Directory account that had sudo privs. After the update runs all accounts lost sudo privs and I have to use the recovery console to give root a passwd, log in, and remove sss from the nsswtich.conf file
Also detailed here: https://askubuntu.com/questions/1045439/apt-get-upgrade-modified-sudoers-file
Ubuntu 16.04LTS -
I just ran apt-get update && apt-get upgrade -y
apt-get update && apt-get upgrade -y
After it was finished I tried to run another command with sudo and was greeted by the following error:
sudo
username is not in the sudoers file. This incident will be reported.
I tried another account with sudo permissions and got the same message. What in the world just happened?
I was able to see the following packages got updated:
will@will-laptop:/mnt/c/Users/wdavis$ cat updates.txt Setting up perl-base (5.22.1-9ubuntu0.3) ... Setting up libpam0g:amd64 (1.1.8-3.2ubuntu2.1) ... Setting up libpam-modules-bin (1.1.8-3.2ubuntu2.1) ... Setting up libpam-modules:amd64 (1.1.8-3.2ubuntu2.1) ... Setting up libpam-runtime (1.1.8-3.2ubuntu2.1) ... Setting up perl-modules-5.22 (5.22.1-9ubuntu0.3) ... Setting up libperl5.22:amd64 (5.22.1-9ubuntu0.3) ... Setting up perl (5.22.1-9ubuntu0.3) ... Setting up grub-common (2.02~beta2-36ubuntu3.18) ... Setting up grub2-common (2.02~beta2-36ubuntu3.18) ... Setting up grub-pc-bin (2.02~beta2-36ubuntu3.18) ... Setting up grub-pc (2.02~beta2-36ubuntu3.18) ... Setting up libprocps4:amd64 (2:3.3.10-4ubuntu2.4) ... Setting up procps (2:3.3.10-4ubuntu2.4) ... Setting up distro-info-data (0.28ubuntu0.8) ... Setting up ifupdown (0.8.10ubuntu1.4) ... Setting up libssl1.0.0:amd64 (1.0.2g-1ubuntu4.12) ... Setting up linux-base (4.5ubuntu1~16.04.1) ... Setting up hdparm (9.48+ds-1ubuntu0.1) ... Setting up libldap-2.4-2:amd64 (2.4.42+dfsg-2ubuntu3.3) ... Setting up libcurl3-gnutls:amd64 (7.47.0-1ubuntu2.8) ... Setting up curl (7.47.0-1ubuntu2.8) ... Setting up ldap-utils (2.4.42+dfsg-2ubuntu3.3) ... Setting up libelf1:amd64 (0.165-3ubuntu1.1) ... Setting up libdw1:amd64 (0.165-3ubuntu1.1) ... Setting up libplymouth4:amd64 (0.9.2-3ubuntu13.5) ... Setting up openssl (1.0.2g-1ubuntu4.12) ... Setting up plymouth (0.9.2-3ubuntu13.5) ... Setting up plymouth-theme-ubuntu-text (0.9.2-3ubuntu13.5) ... Setting up wget (1.17.1-1ubuntu1.4) ... Setting up xdg-user-dirs (0.15-2ubuntu6.16.04.1) ... Setting up python3-problem-report (2.20.1-0ubuntu2.18) ... Setting up python3-apport (2.20.1-0ubuntu2.18) ... Setting up apport (2.20.1-0ubuntu2.18) ... Setting up docker-ce (18.03.1~ce-0~ubuntu) ... Setting up git-man (1:2.7.4-0ubuntu1.4) ... Setting up git (1:2.7.4-0ubuntu1.4) ... Setting up linux-cloud-tools-common (4.4.0-127.153) ... Setting up linux-cloud-tools-virtual-lts-xenial (4.4.0.127.133) ... Setting up linux-firmware (1.157.19) ... Setting up linux-libc-dev:amd64 (4.4.0-127.153) ... Setting up linux-tools-common (4.4.0-127.153) ... Setting up linux-tools-virtual-lts-xenial (4.4.0.127.133) ... Setting up linux-virtual-lts-xenial (4.4.0.127.133) ... Setting up patch (2.7.5-1ubuntu0.16.04.1) ... Setting up snapd (2.32.9) ... Setting up cloud-guest-utils (0.27-0ubuntu25.1) ... Setting up datadog-agent (1:6.2.1-1) ... Setting up grub-legacy-ec2 (18.2-4-g05926e48-0ubuntu1~16.04.2) ... Setting up python-sss (1.13.4-1ubuntu1.11) ... Setting up libsss-idmap0 (1.13.4-1ubuntu1.11) ... Setting up libsss-nss-idmap0 (1.13.4-1ubuntu1.11) ... Setting up sssd-common (1.13.4-1ubuntu1.11) ... Setting up sssd-tools (1.13.4-1ubuntu1.11) ... Setting up sssd-proxy (1.13.4-1ubuntu1.11) ... Setting up sssd-krb5-common (1.13.4-1ubuntu1.11) ... Setting up sssd-ldap (1.13.4-1ubuntu1.11) ... Setting up sssd-krb5 (1.13.4-1ubuntu1.11) ... Setting up libipa-hbac0 (1.13.4-1ubuntu1.11) ... Setting up sssd-ad-common (1.13.4-1ubuntu1.11) ... Setting up sssd-ipa (1.13.4-1ubuntu1.11) ... Setting up sssd-ad (1.13.4-1ubuntu1.11) ... Setting up sssd (1.13.4-1ubuntu1.11) ... Setting up libnss-sss:amd64 (1.13.4-1ubuntu1.11) ... Setting up libpam-sss:amd64 (1.13.4-1ubuntu1.11) ... Setting up libsss-sudo (1.13.4-1ubuntu1.11) ... Setting up vlan (1.9-3.2ubuntu1.16.04.5) ... Setting up python3-distupgrade (1:16.04.25) ... Setting up python3-update-manager (1:16.04.13) ... Setting up ubuntu-release-upgrader-core (1:16.04.25) ... Setting up update-manager-core (1:16.04.13) ...
OUTPUT OF GROUPS
willd@syn.local@DockerSwarm02:~$ groups domain users@syn.local domain admins@syn.local enterprise admins@syn.local denied rodc password replication group@syn.local sql admins@syn.local synadmin@syn.local syndevel@syn.local synitops@syn.local syn admins@syn.local syndevelopers@syn.local syndb-read-prod@syn.local syndb-read-qa@syn.local syndb-write-backups@syn.local syndb-write-prod@syn.local syndb-write-qa@syn.local synlma-itops@syn.local synlma-prod@syn.local synlma-qa@syn.local synlma-synutilserver@syn.local synrdp-fin@syn.local synrdp-prod@syn.local synrdp-qa@syn.local synrdp-utility@syn.local vpn users@syn.local strictpasswordpolicygroup@syn.local syntechnology@syn.local syn@DockerSwarm02:~$ groups syn adm cdrom sudo dip plugdev lxd lpadmin sambashare
OUTPUT OF nsswitch.conf
syn@DockerSwarm02:~$ cat cat /etc/nsswitch.conf cat: cat: No such file or directory # /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: compat sss group: compat sss shadow: compat sss gshadow: files hosts: files dns networks: files protocols: db files services: db files sss ethers: db files rpc: db files netgroup: nis sss sudoers: file sss
UPDATE SUDOERS:
Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin" # Host alias specification # User alias specification # Cmnd alias specification # User privilege specification root ALL=(ALL:ALL) ALL # Members of the admin group may gain root privileges %admin ALL=(ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL # See sudoers(5) for more information on "#include" directives: #includedir /etc/sudoers.d %Domain\ Admins@syn.local ALL=(ALL) ALL %domain\ admins@syn.local ALL=(ALL) ALL
UPDATE PKEXEC:
syn@DockerSwarm02:~$ pkexec cat /etc/sudoers ==== AUTHENTICATING FOR org.freedesktop.policykit.exec === Authentication is needed to run `/bin/cat' as the super user Authenticating as: syn,,, (syn) Password: polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie ==== AUTHENTICATION FAILED === Error executing command as another user: Not authorized This incident has been reported.
UPDATE PAM.D/SUDO
root@DockerSwarm02:/etc/pam.d# cat sudo #%PAM-1.0 session required pam_env.so readenv=1 user_readenv=0 session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0 @include common-auth @include common-account @include common-session-noninteractive
UPDATE SSS
After removing sss from nsswitch.conf things are working again. Seems this update of SSS broke something.
When you say that removing sssd from nsswitch.conf fixes things -- which database do you remove sss from? All of them or just sudo?
Why do you use compat as the first database for passwd/group?
Are there some logs we can take a look at?
Sorry for not being specific. I removed it from sudo. Regarding compat, I haven't changed anything there, so other than the change I just made to sudo this file is the same as it was post install.
I'll see what logs I can grab. B/c this was a production system we got this resolved as fast as possible so I'd have to stand up another system to recreate the issue.
update I looked through all the SSS* logs and didnt find much at all. One file had a couple of lines in it from a couple months ago, but thats it.
By default, sssd doesn't log much except critical failures. You might want to look at either https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html or https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html to check how to get logs.
Since there was no reply for about two weeks, I'm going to close the ticket. Please reopen if the issue is still valid with the information requested in my previous comment.
Metadata Update from @jhrozek: - Issue close_status updated to: worksforme - Issue status updated to: Closed (was: Open)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4767
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Login to comment on this ticket.