#3761 SSSD Update Broke Sudo
Closed: worksforme 4 months ago by wjdavis5. Opened 4 months ago by wjdavis5.

SUMMARY
I updated SSSD last night and subsequently lost my ability to use sudo and/or pkexec. I was able to recreate the issue on another machine and have narrowed it down to running apt-get upgrade whilst logged in with an Active Directory account that had sudo privs. After the update runs, all accounts lose sudo privs and I have to use the recovery console to give root a password, log in, and remove sss from the nsswitch.conf file.

Also detailed here:
https://askubuntu.com/questions/1045439/apt-get-upgrade-modified-sudoers-file

Ubuntu 16.04 LTS

I just ran apt-get update && apt-get upgrade -y

After it was finished I tried to run another command with sudo and was greeted by the following error:

username is not in the sudoers file.  This incident will be reported.

I tried another account with sudo permissions and got the same message. What in the world just happened?

I was able to see the following packages got updated:

will@will-laptop:/mnt/c/Users/wdavis$ cat updates.txt
Setting up perl-base (5.22.1-9ubuntu0.3) ...
Setting up libpam0g:amd64 (1.1.8-3.2ubuntu2.1) ...
Setting up libpam-modules-bin (1.1.8-3.2ubuntu2.1) ...
Setting up libpam-modules:amd64 (1.1.8-3.2ubuntu2.1) ...
Setting up libpam-runtime (1.1.8-3.2ubuntu2.1) ...
Setting up perl-modules-5.22 (5.22.1-9ubuntu0.3) ...
Setting up libperl5.22:amd64 (5.22.1-9ubuntu0.3) ...
Setting up perl (5.22.1-9ubuntu0.3) ...
Setting up grub-common (2.02~beta2-36ubuntu3.18) ...
Setting up grub2-common (2.02~beta2-36ubuntu3.18) ...
Setting up grub-pc-bin (2.02~beta2-36ubuntu3.18) ...
Setting up grub-pc (2.02~beta2-36ubuntu3.18) ...
Setting up libprocps4:amd64 (2:3.3.10-4ubuntu2.4) ...
Setting up procps (2:3.3.10-4ubuntu2.4) ...
Setting up distro-info-data (0.28ubuntu0.8) ...
Setting up ifupdown (0.8.10ubuntu1.4) ...
Setting up libssl1.0.0:amd64 (1.0.2g-1ubuntu4.12) ...
Setting up linux-base (4.5ubuntu1~16.04.1) ...
Setting up hdparm (9.48+ds-1ubuntu0.1) ...
Setting up libldap-2.4-2:amd64 (2.4.42+dfsg-2ubuntu3.3) ...
Setting up libcurl3-gnutls:amd64 (7.47.0-1ubuntu2.8) ...
Setting up curl (7.47.0-1ubuntu2.8) ...
Setting up ldap-utils (2.4.42+dfsg-2ubuntu3.3) ...
Setting up libelf1:amd64 (0.165-3ubuntu1.1) ...
Setting up libdw1:amd64 (0.165-3ubuntu1.1) ...
Setting up libplymouth4:amd64 (0.9.2-3ubuntu13.5) ...
Setting up openssl (1.0.2g-1ubuntu4.12) ...
Setting up plymouth (0.9.2-3ubuntu13.5) ...
Setting up plymouth-theme-ubuntu-text (0.9.2-3ubuntu13.5) ...
Setting up wget (1.17.1-1ubuntu1.4) ...
Setting up xdg-user-dirs (0.15-2ubuntu6.16.04.1) ...
Setting up python3-problem-report (2.20.1-0ubuntu2.18) ...
Setting up python3-apport (2.20.1-0ubuntu2.18) ...
Setting up apport (2.20.1-0ubuntu2.18) ...
Setting up docker-ce (18.03.1~ce-0~ubuntu) ...
Setting up git-man (1:2.7.4-0ubuntu1.4) ...
Setting up git (1:2.7.4-0ubuntu1.4) ...
Setting up linux-cloud-tools-common (4.4.0-127.153) ...
Setting up linux-cloud-tools-virtual-lts-xenial (4.4.0.127.133) ...
Setting up linux-firmware (1.157.19) ...
Setting up linux-libc-dev:amd64 (4.4.0-127.153) ...
Setting up linux-tools-common (4.4.0-127.153) ...
Setting up linux-tools-virtual-lts-xenial (4.4.0.127.133) ...
Setting up linux-virtual-lts-xenial (4.4.0.127.133) ...
Setting up patch (2.7.5-1ubuntu0.16.04.1) ...
Setting up snapd (2.32.9) ...
Setting up cloud-guest-utils (0.27-0ubuntu25.1) ...
Setting up datadog-agent (1:6.2.1-1) ...
Setting up grub-legacy-ec2 (18.2-4-g05926e48-0ubuntu1~16.04.2) ...
Setting up python-sss (1.13.4-1ubuntu1.11) ...
Setting up libsss-idmap0 (1.13.4-1ubuntu1.11) ...
Setting up libsss-nss-idmap0 (1.13.4-1ubuntu1.11) ...
Setting up sssd-common (1.13.4-1ubuntu1.11) ...
Setting up sssd-tools (1.13.4-1ubuntu1.11) ...
Setting up sssd-proxy (1.13.4-1ubuntu1.11) ...
Setting up sssd-krb5-common (1.13.4-1ubuntu1.11) ...
Setting up sssd-ldap (1.13.4-1ubuntu1.11) ...
Setting up sssd-krb5 (1.13.4-1ubuntu1.11) ...
Setting up libipa-hbac0 (1.13.4-1ubuntu1.11) ...
Setting up sssd-ad-common (1.13.4-1ubuntu1.11) ...
Setting up sssd-ipa (1.13.4-1ubuntu1.11) ...
Setting up sssd-ad (1.13.4-1ubuntu1.11) ...
Setting up sssd (1.13.4-1ubuntu1.11) ...
Setting up libnss-sss:amd64 (1.13.4-1ubuntu1.11) ...
Setting up libpam-sss:amd64 (1.13.4-1ubuntu1.11) ...
Setting up libsss-sudo (1.13.4-1ubuntu1.11) ...
Setting up vlan (1.9-3.2ubuntu1.16.04.5) ...
Setting up python3-distupgrade (1:16.04.25) ...
Setting up python3-update-manager (1:16.04.13) ...
Setting up ubuntu-release-upgrader-core (1:16.04.25) ...
Setting up update-manager-core (1:16.04.13) ...

OUTPUT OF GROUPS

willd@syn.local@DockerSwarm02:~$ groups
domain users@syn.local domain admins@syn.local enterprise admins@syn.local denied rodc password replication group@syn.local sql admins@syn.local synadmin@syn.local syndevel@syn.local synitops@syn.local syn admins@syn.local syndevelopers@syn.local syndb-read-prod@syn.local syndb-read-qa@syn.local syndb-write-backups@syn.local syndb-write-prod@syn.local syndb-write-qa@syn.local synlma-itops@syn.local synlma-prod@syn.local synlma-qa@syn.local synlma-synutilserver@syn.local synrdp-fin@syn.local synrdp-prod@syn.local synrdp-qa@syn.local synrdp-utility@syn.local vpn users@syn.local strictpasswordpolicygroup@syn.local syntechnology@syn.local

syn@DockerSwarm02:~$ groups
syn adm cdrom sudo dip plugdev lxd lpadmin sambashare

OUTPUT OF nsswitch.conf

syn@DockerSwarm02:~$ cat cat /etc/nsswitch.conf
cat: cat: No such file or directory
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat sss
group:          compat sss
shadow:         compat sss
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        file sss

UPDATE SUDOERS:

Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
%Domain\ Admins@syn.local ALL=(ALL) ALL
%domain\ admins@syn.local ALL=(ALL) ALL

UPDATE PKEXEC:

syn@DockerSwarm02:~$ pkexec cat /etc/sudoers
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/cat' as the super user
Authenticating as: syn,,, (syn)
Password:
polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

This incident has been reported.

UPDATE PAM.D/SUDO

root@DockerSwarm02:/etc/pam.d# cat sudo
#%PAM-1.0

session    required   pam_env.so readenv=1 user_readenv=0
session    required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive

UPDATE SSS

After removing sss from nsswitch.conf things are working again. Seems this update of SSS broke something.
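
Added example, not part of the ticket and not code from the reporter or from SSSD: the nsswitch.conf posted above carries `sudoers: file sss`, while sudoers(5) spells the source names `files`, `ldap` and `sss`. The script below parses the `sudoers:` line of a constructed nsswitch.conf following sudo's own rules for that line: only `files`, `ldap` and `sss` are recognized, any other token is silently dropped, each source is kept once in the order first seen, and no sudoers line or no recognized source means `files` (the default sudoers(5) documents). A second function flags every token sudo would ignore. The sample file contents and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the ticket or from SSSD/sudo.
# Reports which sudoers sources sudo will consult for a given
# nsswitch.conf, following sudo's rules for the "sudoers:" line:
#   - only the source names files, ldap and sss are recognized
#     (case-insensitively); any other token is silently dropped,
#   - each source is kept once, in the order it first appears,
#   - no sudoers line, or no recognized source, means "files"
#     (the default documented in sudoers(5)).
# The [NOTFOUND=return] action is accepted but not modelled.

# First "sudoers:" line of the file at $1 (empty if none).
sudoers_line() {
    grep -i '^[[:space:]]*sudoers[[:space:]]*:' "$1" 2>/dev/null | head -n 1
}

# Print the effective source list, e.g. "files sss".
sudo_nss_sources() {
    line=$(sudoers_line "$1")
    out=""
    for tok in ${line#*:}; do
        low=$(printf '%s' "$tok" | tr 'A-Z' 'a-z')
        case $low in
            files|ldap|sss)
                case " $out " in
                    *" $low "*) ;;           # already listed
                    *) out="$out $low" ;;
                esac
                ;;
            *) ;;                            # unrecognized: dropped
        esac
    done
    out=${out# }
    [ -n "$out" ] || out="files"            # sudo's default
    printf '%s\n' "$out"
}

# Warn on stderr about every token sudo would drop; return 1 if any.
sudo_nss_check() {
    line=$(sudoers_line "$1")
    rc=0
    for tok in ${line#*:}; do
        case $(printf '%s' "$tok" | tr 'A-Z' 'a-z') in
            files|ldap|sss|'[notfound=return]') ;;
            *) printf "sudo ignores unknown source '%s'\n" "$tok" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Demo on a constructed file carrying the line from the ticket.
sample=$(mktemp)
printf 'passwd: compat sss\nsudoers: file sss\n' > "$sample"
sudo_nss_check "$sample" || true
printf 'effective sudoers sources: %s\n' "$(sudo_nss_sources "$sample")"
rm -f "$sample"
```

On the posted line the first function prints only `sss`, so local /etc/sudoers entries such as `%sudo` are never consulted; with `sss` removed from that line no recognized source remains and the result is `files`. The ticket itself was closed without a diagnosis, so treat this as the first thing to rule out, not as the confirmed cause.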


When you say that removing sssd from nsswitch.conf fixes things -- which database do you remove sss from? All of them or just sudo?

Why do you use compat as the first database for passwd/group?

Are there some logs we can take a look at?

Sorry for not being specific. I removed it from sudo. Regarding compat, I haven't changed anything there, so other than the change I just made to sudo this file is the same as it was post-install.

I'll see what logs I can grab. Because this was a production system we got this resolved as fast as possible, so I'd have to stand up another system to recreate the issue.

Update
I looked through all the SSS* logs and didn't find much at all. One file had a couple of lines in it from a couple of months ago, but that's it.

By default, sssd doesn't log much except critical failures. You might want to look at either https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html or https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html to check how to get logs.

Since there was no reply for about two weeks, I'm going to close the ticket. Please reopen if the issue is still valid with the information requested in my previous comment.

Metadata Update from @jhrozek:
- Issue close_status updated to: worksforme
- Issue status updated to: Closed (was: Open)
