#4150 SSSD Sudo not applying cn=defaults
Closed: Fixed 4 years ago by lordlimecat. Opened 4 years ago by lordlimecat.

It appears that sssd is not applying cn=defaults when using the AD provider.

SSSD Version: 2.2.0
Steps to reproduce:
1. Extend AD schema as per documents
2. Create containers for sudoroles: OU=sudoers,OU=Unix,DC=domain,DC=name,DC=fqdn
3. Create a sudorole cn=defaults. Set the sudoOption attribute. Examples: @{sudoOptions="ignore_local_sudoers"} (as per sudoers man), or @{sudoOptions="env_keep+=SSH_AUTH_SOCK"} (as per sudoers.ldap man)
4. Set sssd.conf as follows:
[domain/domain.name.fqdn]
ldap_sudo_search_base = ou=sudoers,ou=Unix,dc=domain,dc=name,dc=fqdn
ldap_sudo_smart_refresh_interval = 15
ldap_sudo_full_refresh_interval = 30
5. Restart sssd, wait 30 seconds, check sudo -l

Expected results:
* Defaults indicates options from ldap. When ignore_local_sudoers is set, no entries from /etc/sudoers should appear

Actual results:
* Defaults from /etc/sudoers and /etc/sudoers.d/ are shown. ignore_local_sudoers has no effect
* Other sudoroles apply, and their sudoOptions are respected.

Log files indicate that cn=defaults is found. Attaching logs as a separate comment.
cn=defaults

PS C:\> get-adobject -filter "name -eq 'defaults' -and objectCategory -eq 'sudorole'" -properties * | select distinguishedname,name,sudouser,sudohost,sudocommand,sudooption

distinguishedname : CN=defaults,OU=sudoers,OU=Unix,DC=domain,DC=name,DC=fqdn
name              : defaults
sudouser          : {}
sudohost          : {}
sudocommand       : {}
sudooption        : {visiblepw, ignore_local_sudoers}

/var/log/sssd/sssd_domain.name.fqdn.log (showing only lines containing sudo)

(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [dp_load_configuration] (0x0100): Using [ad] provider for [sudo]
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [dp_get_options] (0x0400): Option ldap_sudo_search_base has value ou=sudoers,ou=Unix,dc=domain,dc=name,dc=fqdn
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [dp_get_options] (0x0400): Option ldap_sudo_full_refresh_interval has value 30
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [dp_get_options] (0x0400): Option ldap_sudo_smart_refresh_interval has value 15
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [dp_get_options] (0x0400): Option ldap_sudo_use_host_filter is TRUE
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [dp_get_options] (0x0400): Option ldap_sudo_hostnames has no value
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [dp_get_options] (0x0400): Option ldap_sudo_ip has no value
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [dp_get_options] (0x0400): Option ldap_sudo_include_netgroups is TRUE
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [dp_get_options] (0x0400): Option ldap_sudo_include_regexp is TRUE
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [ad_gpo_parse_map_option] (0x4000): Default service (not explicitly removed): sudo
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [ad_gpo_parse_map_option] (0x4000): Default service (not explicitly removed): sudo-i
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [dp_target_init] (0x0400): Initializing target [sudo] with module [ad]
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [dp_target_run_constructor] (0x0400): Executing target [sudo] constructor
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [sssm_ad_sudo_init] (0x2000): Initializing AD sudo handler
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [ad_sudo_init] (0x2000): Initializing sudo AD back end
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [sdap_sudo_init] (0x2000): Initializing sudo LDAP back end
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [ldap_get_sudo_options] (0x0400): Search base not set, trying to discover it later connecting to the LDAP server.
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][ou=sudoers,ou=Unix,dc=domain,dc=name,dc=fqdn][SUBTREE][]
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [sdap_get_map] (0x0400): Option ldap_sudorule_object_class has value sudoRole
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [sdap_get_map] (0x0400): Option ldap_sudorule_name has value cn
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [sdap_get_map] (0x0400): Option ldap_sudorule_command has value sudoCommand
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [sdap_get_map] (0x0400): Option ldap_sudorule_host has value sudoHost
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [sdap_get_map] (0x0400): Option ldap_sudorule_user has value sudoUser
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [sdap_get_map] (0x0400): Option ldap_sudorule_option has value sudoOption
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [sdap_get_map] (0x0400): Option ldap_sudorule_runas has value sudoRunAs
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [sdap_get_map] (0x0400): Option ldap_sudorule_runasuser has value sudoRunAsUser
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [sdap_get_map] (0x0400): Option ldap_sudorule_runasgroup has value sudoRunAsGroup
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [sdap_get_map] (0x0400): Option ldap_sudorule_notbefore has value sudoNotBefore
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [sdap_get_map] (0x0400): Option ldap_sudorule_notafter has value sudoNotAfter
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [sdap_get_map] (0x0400): Option ldap_sudorule_order has value sudoOrder
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [sdap_get_map] (0x0400): Option ldap_sudorule_entry_usn has no value
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [sbus_server_bus_request_name] (0x0400): Requesting name: sssd.sudo
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [sbus_name_owner_changed] (0x4000): Name of owner sssd.sudo has changed from [] to [sssd.sudo]
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [sbus_senders_delete] (0x2000): Removing identity of sender [sssd.sudo]
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [sbus_name_owner_changed] (0x4000): Name of owner sssd.sudo has changed from [] to [sssd.sudo]
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [sbus_senders_delete] (0x2000): Removing identity of sender [sssd.sudo]
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [sbus_senders_lookup] (0x2000): Looking for identity of sender [sssd.sudo]
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [sbus_senders_lookup] (0x2000): Looking for identity of sender [sssd.sudo]
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [sbus_requests_add] (0x4000): Chaining request: -:0:org.freedesktop.DBus.GetConnectionUnixUser:/org/freedesktop/DBus:sssd.sudo
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [sbus_senders_lookup] (0x2000): Looking for identity of sender [sssd.sudo]
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [sbus_senders_add] (0x2000): Inserting identity of sender [sssd.sudo]: 0
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [sbus_senders_lookup] (0x2000): Looking for identity of sender [sssd.sudo]
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [dp_client_register] (0x0100): Added Frontend client [sudo]
(Thu Jan 30 13:57:02 2020) [sssd[be[domain.name.fqdn]]] [sdap_sudo_online_cb] (0x0400): We are back online. SUDO host information will be renewed on next refresh.
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_sudo_full_refresh_send] (0x0400): Issuing a full refresh of sudo rules
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_sudo_get_ip_addresses] (0x2000): Found IP address: [masked]
<-------- MANY DUPLICATE LINES SNIPPED --->
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_sudo_get_ip_addresses] (0x2000): Found IP address: [masked]
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_sudo_get_hostnames_send] (0x2000): Found fqdn: myHostName.domain.name.fqdn
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_sudo_get_hostnames_send] (0x2000): Found hostname: myHostName
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_sudo_load_sudoers_send] (0x0400): About to fetch sudo rules
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_search_bases_ex_next_base] (0x0400): Issuing LDAP lookup with base [ou=sudoers,ou=Unix,dc=domain,dc=name,dc=fqdn]
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=sudoRole)(|(&(!(sudoHost=*))(cn=defaults))(sudoHost=ALL)(sudoHost=myHostName.domain.name.fqdn)(sudoHost=myHostName)(sudoHost=[IP.ADDR])(sudoHost=[SUBNET]/CIDR)(sudoHost=[IP.ADDR])(sudoHost=[SUBNET]/CIDR)(sudoHost=[IP.ADDR])(sudoHost=[SUBNET]/CIDR)(sudoHost=[IP.ADDR])(sudoHost=[SUBNET]/CIDR)(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=[IP:V6:ADDR])(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\2A*)(sudoHost=*[*]*))))][ou=sudoers,ou=Unix,dc=domain,dc=name,dc=fqdn].
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoCommand]
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoHost]
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoUser]
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOption]
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAs]
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsUser]
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsGroup]
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotBefore]
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotAfter]
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOrder]
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoCommand]
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoUser]
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoOrder]
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoHost]
<-------- MANY DUPLICATE LINES SNIPPED --->
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoCommand]
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoUser]
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoOrder]
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoOption]
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoHost]
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=defaults,OU=sudoers,OU=Unix,DC=domain,DC=name,dc=fqdn].
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoOption]
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_search_bases_ex_done] (0x0400): Receiving data from base [ou=sudoers,ou=Unix,dc=domain,dc=name,dc=fqdn]
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_sudo_load_sudoers_done] (0x0040): Received 58 sudo rules
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_sudo_refresh_done] (0x0400): Received 58 rules
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sysdb_sudo_purge_all] (0x0400): Deleting all cached sudo rules
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sysdb_delete_recursive] (0x4000): Trying to delete [name=defaults,cn=sudorules,cn=custom,cn=domain.name.fqdn,cn=sysdb].
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sysdb_delete_recursive] (0x4000): Trying to delete [cn=sudorules,cn=custom,cn=domain.name.fqdn,cn=sysdb].
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sysdb_sudo_store_rule] (0x0400): Adding sudo rule defaults
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [ldb] (0x4000): Target entry (name=defaults,cn=sudorules,cn=custom,cn=domain.name.fqdn,cn=sysdb) not found
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_sudo_refresh_done] (0x0400): Sudoers is successfully stored in cache
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_sudo_set_usn] (0x0200): SUDO higher USN value: [13760852]
(Thu Jan 30 13:57:12 2020) [sssd[be[domain.name.fqdn]]] [sdap_sudo_full_refresh_done] (0x0400): Successful full refresh of sudo rules

Also interestingly, when sssd_sudo queries the sysdb cache, it uses a few very similar but different queries. On line 94 it includes a query for cn=defaults as well as for netgroups ((sudoUser=+*)), but on lines 97 and 107 it excludes both of those from its query. It appears that this causes the results returned starting on line 111 to exclude cn=defaults.

/var/log/sssd/sssd_sudo.log

(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_get_rules_send] (0x0400): Running initgroups for [root]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_set_plugin] (0x2000): CR #0: Setting "Initgroups by name" plugin
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_send] (0x0400): CR #0: New request 'Initgroups by name'
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_process_input] (0x0400): CR #0: Parsing input name [root]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_set_name] (0x0400): CR #0: Setting name [root]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_select_domains] (0x0400): CR #0: Performing a multi-domain search
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_search_domains] (0x0400): CR #0: Search will check the cache and check the data provider
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain implicit_files type POSIX is valid
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_set_domain] (0x0400): CR #0: Using domain [implicit_files]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_prepare_domain_data] (0x0400): CR #0: Preparing input data for domain [implicit_files] rules
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_search_send] (0x0400): CR #0: Looking up root@implicit_files
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_search_ncache] (0x0400): CR #0: Checking negative cache for [root@implicit_files]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/implicit_files/root@implicit_files]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_search_ncache] (0x0400): CR #0: [root@implicit_files] does not exist (negative cache)
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain domain.name.fqdn type POSIX is valid
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_set_domain] (0x0400): CR #0: Using domain [domain.name.fqdn]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_prepare_domain_data] (0x0400): CR #0: Preparing input data for domain [domain.name.fqdn] rules
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_search_send] (0x0400): CR #0: Looking up root@domain.name.fqdn
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_search_ncache] (0x0400): CR #0: Checking negative cache for [root@domain.name.fqdn]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/domain.name.fqdn/root@domain.name.fqdn]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_search_ncache] (0x0400): CR #0: [root@domain.name.fqdn] does not exist (negative cache)
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_process_result] (0x0400): CR #0: Finished: Not found
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_cmd_done] (0x0020): Unable to obtain cached rules [2]: No such file or directory
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_build_response] (0x2000): error: [2]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_get_rules_send] (0x0400): Running initgroups for [root]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_set_plugin] (0x2000): CR #1: Setting "Initgroups by name" plugin
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_send] (0x0400): CR #1: New request 'Initgroups by name'
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_process_input] (0x0400): CR #1: Parsing input name [root]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_set_name] (0x0400): CR #1: Setting name [root]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_select_domains] (0x0400): CR #1: Performing a multi-domain search
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_search_domains] (0x0400): CR #1: Search will check the cache and check the data provider
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain implicit_files type POSIX is valid
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_set_domain] (0x0400): CR #1: Using domain [implicit_files]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_prepare_domain_data] (0x0400): CR #1: Preparing input data for domain [implicit_files] rules
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_search_send] (0x0400): CR #1: Looking up root@implicit_files
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_search_ncache] (0x0400): CR #1: Checking negative cache for [root@implicit_files]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/implicit_files/root@implicit_files]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_search_ncache] (0x0400): CR #1: [root@implicit_files] does not exist (negative cache)
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain domain.name.fqdn type POSIX is valid
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_set_domain] (0x0400): CR #1: Using domain [domain.name.fqdn]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_prepare_domain_data] (0x0400): CR #1: Preparing input data for domain [domain.name.fqdn] rules
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_search_send] (0x0400): CR #1: Looking up root@domain.name.fqdn
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_search_ncache] (0x0400): CR #1: Checking negative cache for [root@domain.name.fqdn]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/domain.name.fqdn/root@domain.name.fqdn]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_search_ncache] (0x0400): CR #1: [root@domain.name.fqdn] does not exist (negative cache)
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_process_result] (0x0400): CR #1: Finished: Not found
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_cmd_done] (0x0020): Unable to obtain cached rules [2]: No such file or directory
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_build_response] (0x2000): error: [2]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_get_rules_send] (0x0400): Running initgroups for [myUser.name]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_set_plugin] (0x2000): CR #2: Setting "Initgroups by name" plugin
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_send] (0x0400): CR #2: New request 'Initgroups by name'
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_process_input] (0x0400): CR #2: Parsing input name [myUser.name]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'myUser.name' matched without domain, user is myUser.name
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_set_name] (0x0400): CR #2: Setting name [myUser.name]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_select_domains] (0x0400): CR #2: Performing a multi-domain search
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_search_domains] (0x0400): CR #2: Search will check the cache and check the data provider
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain implicit_files type POSIX is valid
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_set_domain] (0x0400): CR #2: Using domain [implicit_files]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_prepare_domain_data] (0x0400): CR #2: Preparing input data for domain [implicit_files] rules
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_search_send] (0x0400): CR #2: Looking up myUser.name@implicit_files
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_search_ncache] (0x0400): CR #2: Checking negative cache for [myUser.name@implicit_files]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/implicit_files/myUser.name@implicit_files]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_search_ncache] (0x0400): CR #2: [myUser.name@implicit_files] is not present in negative cache
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_search_cache] (0x0400): CR #2: Looking up [myUser.name@implicit_files] in cache
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_search_cache] (0x0400): CR #2: Object [myUser.name@implicit_files] was not found in cache
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_search_dp] (0x0400): CR #2: Looking up [myUser.name@implicit_files] in data provider
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sss_dp_account_files_params] (0x2000): The entries in the files domain are up-to-date
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_search_cache] (0x0400): CR #2: Looking up [myUser.name@implicit_files] in cache
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_search_cache] (0x0400): CR #2: Object [myUser.name@implicit_files] was not found in cache
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_search_ncache_add_to_domain] (0x0400): CR #2: Adding [myUser.name@implicit_files] to negative cache
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/implicit_files/myUser.name@implicit_files] to negative cache
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain domain.name.fqdn type POSIX is valid
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_set_domain] (0x0400): CR #2: Using domain [domain.name.fqdn]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_prepare_domain_data] (0x0400): CR #2: Preparing input data for domain [domain.name.fqdn] rules
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_search_send] (0x0400): CR #2: Looking up myUser.name@domain.name.fqdn
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_search_ncache] (0x0400): CR #2: Checking negative cache for [myUser.name@domain.name.fqdn]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/domain.name.fqdn/myUser.name@domain.name.fqdn]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_search_ncache] (0x0400): CR #2: [myUser.name@domain.name.fqdn] is not present in negative cache
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_search_cache] (0x0400): CR #2: Looking up [myUser.name@domain.name.fqdn] in cache
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_search_send] (0x0400): CR #2: Returning [myUser.name@domain.name.fqdn] from cache
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_search_ncache_filter] (0x0400): CR #2: This request type does not support filtering result by negative cache
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_create_and_add_result] (0x0400): CR #2: Found 87 entries in domain domain.name.fqdn
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [cache_req_done] (0x0400): CR #2: Finished: Success
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sysdb_get_sudo_user_info] (0x0400): Original name: myUser.name@domain.name.fqdn
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sysdb_get_sudo_user_info] (0x0400): Cased name: myUser.name@domain.name.fqdn
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(dataExpireTimestamp<=1580412192)(|(name=defaults)(sudoUser=ALL)(sudoUser=myUser.name@domain.name.fqdn)(sudoUser=#280401305)(sudoUser=%all-my-groups@domain.name.fqdn)(sudoUser=+*)))]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_refresh_rules_send] (0x0400): No expired rules were found for [myUser.name@domain.name.fqdn@domain.name.fqdn].
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Retrieving rules for [myUser.name@domain.name.fqdn@domain.name.fqdn]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=myUser.name@domain.name.fqdn)(sudoUser=#280401305)(sudoUser=%all-my-groups@domain.name.fqdn)))]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sysdb_merge_res_ts_attrs] (0x2000): TS cache doesn't handle this DN type, skipping
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sysdb_merge_res_ts_attrs] (0x2000): TS cache doesn't handle this DN type, skipping
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sysdb_merge_res_ts_attrs] (0x2000): TS cache doesn't handle this DN type, skipping
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sysdb_merge_res_ts_attrs] (0x2000): TS cache doesn't handle this DN type, skipping
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sysdb_merge_res_ts_attrs] (0x2000): TS cache doesn't handle this DN type, skipping
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sysdb_merge_res_ts_attrs] (0x2000): TS cache doesn't handle this DN type, skipping
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sysdb_merge_res_ts_attrs] (0x2000): TS cache doesn't handle this DN type, skipping
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sysdb_merge_res_ts_attrs] (0x2000): TS cache doesn't handle this DN type, skipping
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_cached_rules_by_user] (0x0400): Replacing sudoUser attribute with sudoUser: #280401305
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(sudoUser=+*)(!(|(sudoUser=ALL)(sudoUser=myUser.name@domain.name.fqdn)(sudoUser=#280401305)(sudoUser=%all-my-groups@domain.name.fqdn))))]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 8 rules for [myUser.name@domain.name.fqdn@domain.name.fqdn]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_cmd_reply] (0x0400): Applying time restrictions on8 rules
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_cmd_reply] (0x0400): Got 8 rules after time filter
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_build_response] (0x2000): error: [0]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_build_response] (0x2000): rules_num: [0]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_build_response] (0x2000): rule [1]/[8]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): cn:global-sudoer-[masked]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): objectClass:sudoRule
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoCommand:[masked]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoHost:ALL
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoOption:!authenticate
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoOrder:[masked]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoUser:[masked]
<----- SNIPPED ----->
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_build_response] (0x2000): rule [8]/[8]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): cn:global-sudoer-[masked]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): objectClass:sudoRule
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoCommand:[masked]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoHost:ALL
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoOption:noexec
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoOrder:[masked]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [sudosrv_response_append_attr] (0x2000): sudoUser:[masked]
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Thu Jan 30 14:23:12 2020) [sssd[sudo]] [client_close_fn] (0x2000): Terminated client [0x55d7dd1b5460][23]

This appears to be resolved in 2.2.1.

Workaround in 2.2.0 is to specify sudoUser=ALL.
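The following is an added illustration of the query mismatch described above; it is not SSSD code and not part of this ticket. It models the three sysdb filters visible in the sssd_sudo.log excerpt (the expiry check that includes `(name=defaults)` and `(sudoUser=+*)`, the rule fetch that uses only the identity terms, and the follow-up netgroup query) as Python predicates over constructed cache entries, using the user, uid and group values from the log. Rule names other than `defaults`, the `+admins` netgroup, and the option values on the non-default rules are made up for the demonstration. It shows why a cn=defaults entry with an empty sudoUser passes the expiry check yet never reaches the client, and why the sudoUser=ALL workaround makes it appear.

```python
"""Model of the three sysdb filters seen in the sssd_sudo.log excerpt.

Added illustration, not SSSD source: the rule entries are constructed, and the
predicates reproduce only the (name=defaults) / (sudoUser=...) / (sudoUser=+*)
logic of the logged filters.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class SudoRule:
    """A cached sudoRule entry, reduced to the attributes the filters look at."""
    name: str
    sudo_user: List[str] = field(default_factory=list)
    sudo_option: List[str] = field(default_factory=list)
    data_expire: int = 0  # dataExpireTimestamp


def user_terms(user: str, uid: int, groups: List[str]) -> Set[str]:
    """Values the responder substitutes into the (sudoUser=...) terms."""
    return {"ALL", user, f"#{uid}"} | {f"%{g}" for g in groups}


def matches_user(rule: SudoRule, terms: Set[str]) -> bool:
    return any(v in terms for v in rule.sudo_user)


def is_netgroup_rule(rule: SudoRule) -> bool:
    """(sudoUser=+*): any sudoUser value that names a netgroup."""
    return any(v.startswith("+") for v in rule.sudo_user)


def expired_rules_query(rules, user, uid, groups, now):
    """Filter 1 (expiry check): (|(name=defaults)(sudoUser=<terms>)(sudoUser=+*))."""
    terms = user_terms(user, uid, groups)
    return [r for r in rules
            if r.data_expire <= now
            and (r.name == "defaults" or matches_user(r, terms) or is_netgroup_rule(r))]


def fetch_user_rules(rules, user, uid, groups):
    """Filter 2 (rule fetch): identity terms only; no (name=defaults), no (sudoUser=+*)."""
    terms = user_terms(user, uid, groups)
    return [r for r in rules if matches_user(r, terms)]


def fetch_netgroup_rules(rules, user, uid, groups):
    """Filter 3: netgroup rules not already matched by the identity terms."""
    terms = user_terms(user, uid, groups)
    return [r for r in rules if is_netgroup_rule(r) and not matches_user(r, terms)]


def rules_returned(rules, user, uid, groups):
    """What the client receives: the union of filters 2 and 3. The netgroup
    membership evaluation the real responder does afterwards is not modelled."""
    return (fetch_user_rules(rules, user, uid, groups)
            + fetch_netgroup_rules(rules, user, uid, groups))


def defaults_delivered(rules, user, uid, groups) -> Optional[List[str]]:
    """sudoOption values of cn=defaults if the client receives it, else None."""
    for r in rules_returned(rules, user, uid, groups):
        if r.name == "defaults":
            return r.sudo_option
    return None


# Constructed cache contents mirroring the report: cn=defaults with no sudoUser,
# one group rule and one netgroup rule. Identity values are taken from the log.
USER = "myUser.name@domain.name.fqdn"
UID = 280401305
GROUPS = ["all-my-groups@domain.name.fqdn"]
DEFAULT_OPTIONS = ["visiblepw", "ignore_local_sudoers"]

CACHE = [
    SudoRule("defaults", sudo_option=DEFAULT_OPTIONS),
    SudoRule("global-sudoer-ops", sudo_user=["%all-my-groups@domain.name.fqdn"],
             sudo_option=["!authenticate"]),
    SudoRule("netgroup-admins", sudo_user=["+admins"], sudo_option=["noexec"]),
]
# The 2.2.0 workaround from the ticket: give cn=defaults sudoUser=ALL.
WORKAROUND_CACHE = [SudoRule("defaults", sudo_user=["ALL"],
                             sudo_option=DEFAULT_OPTIONS)] + CACHE[1:]


if __name__ == "__main__":
    for label, cache in (("as reported", CACHE), ("with sudoUser=ALL", WORKAROUND_CACHE)):
        seen = [r.name for r in expired_rules_query(cache, USER, UID, GROUPS, now=1580412192)]
        got = [r.name for r in rules_returned(cache, USER, UID, GROUPS)]
        print(f"{label}: expiry check sees {seen}; client receives {got}; "
              f"defaults options -> {defaults_delivered(cache, USER, UID, GROUPS)}")
```

Run as a script, the "as reported" case shows the same shape as the log: the expiry check selects cn=defaults (so "No expired rules were found"), but neither fetch filter does, so the rule set handed to sudo lacks the defaults entry and ignore_local_sudoers never takes effect. With sudoUser=ALL on the entry it matches the identity terms of filter 2 and is returned.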

Metadata Update from @lordlimecat:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/5108

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
