Teemu Keinonen
2014-Jul-02 10:35 UTC
[Samba] sssd_sudo search results different from command line ldapsearch
Hi all! I'm attempting to configure sudo rights from Samba ldap. Alas, libsssd_samba receives 0 rules and config doesn't work. I think I have the problem identified here but I don't understand why. The way sssd_sudo searches for sudoers leaves all important attributes out and of course filtering then fails. Can you help me to understand why the following search results are so different (and how to fix it)?

[root@dc1 var]# kinit administrator@TEEMU.LOCAL
Password for administrator@TEEMU.LOCAL:
Warning: Your password will expire in 35 days on Wed Aug 6 22:20:25 2014
[root@dc1 var]# ldapsearch -h dc1 -Y GSSAPI -b ou=SUDOers,dc=teemu,dc=local
SASL/GSSAPI authentication started
SASL username: administrator@TEEMU.LOCAL
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <ou=SUDOers,dc=teemu,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# reima, SUDOers, teemu.local
dn: CN=reima,OU=SUDOers,DC=teemu,DC=local
objectClass: top
objectClass: sudoRole
cn: reima
instanceType: 4
whenCreated: 20140625194650.0Z
whenChanged: 20140625194650.0Z
uSNCreated: 3799
uSNChanged: 3799
name: reima
objectGUID:: U1paZdVOSke2zmInSenFTg==
objectCategory: CN=sudoRole,CN=Schema,CN=Configuration,DC=teemu,DC=local
sudoUser: reima
sudoHost: ALL
sudoCommand: ALL
distinguishedName: CN=reima,OU=SUDOers,DC=teemu,DC=local

# SUDOers, teemu.local
dn: OU=SUDOers,DC=teemu,DC=local
objectClass: top
objectClass: organizationalUnit
ou: SUDOers
instanceType: 4
whenCreated: 20140625194301.0Z
whenChanged: 20140625194301.0Z
uSNCreated: 3797
uSNChanged: 3797
name: SUDOers
objectGUID:: avd+e6OrGkOV5qqtjV39vQ==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=teemu,DC=local
distinguishedName: OU=SUDOers,DC=teemu,DC=local

# defaults, SUDOers, teemu.local
dn: CN=defaults,OU=SUDOers,DC=teemu,DC=local
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
instanceType: 4
whenCreated: 20140625194645.0Z
whenChanged: 20140625194645.0Z
uSNCreated: 3798
uSNChanged: 3798
name: defaults
objectGUID:: vrCxbL/QkUGFyZWvELWj/w==
objectCategory: CN=sudoRole,CN=Schema,CN=Configuration,DC=teemu,DC=local
sudoOption: env_keep+=SSH_AUTH_SOCK
distinguishedName: CN=defaults,OU=SUDOers,DC=teemu,DC=local

# %wheel, SUDOers, teemu.local
dn: CN=%wheel,OU=SUDOers,DC=teemu,DC=local
objectClass: top
objectClass: sudoRole
cn: %wheel
instanceType: 4
whenCreated: 20140626094147.0Z
whenChanged: 20140626094147.0Z
uSNCreated: 3800
uSNChanged: 3800
name: %wheel
objectGUID:: jpGX5AmGUkimPw1yl+oZkA==
objectCategory: CN=sudoRole,CN=Schema,CN=Configuration,DC=teemu,DC=local
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL
distinguishedName: CN=%wheel,OU=SUDOers,DC=teemu,DC=local

# search result
search: 4
result: 0 Success

# numResponses: 5
# numEntries: 4

[root@dc1 var]# kdestroy
[root@dc1 var]# kinit 'dc1$@TEEMU.LOCAL' -k -t /etc/krb5.sssd.keytab
[root@dc1 var]# ldapsearch -h dc1 -Y GSSAPI -b ou=SUDOers,dc=teemu,dc=local
SASL/GSSAPI authentication started
SASL username: dc1$@TEEMU.LOCAL
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <ou=SUDOers,dc=teemu,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# reima, SUDOers, teemu.local
dn: CN=reima,OU=SUDOers,DC=teemu,DC=local

# SUDOers, teemu.local
dn: OU=SUDOers,DC=teemu,DC=local
objectClass: top
objectClass: organizationalUnit
ou: SUDOers
instanceType: 4
whenCreated: 20140625194301.0Z
whenChanged: 20140625194301.0Z
uSNCreated: 3797
uSNChanged: 3797
name: SUDOers
objectGUID:: avd+e6OrGkOV5qqtjV39vQ==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=teemu,DC=local
distinguishedName: OU=SUDOers,DC=teemu,DC=local

# defaults, SUDOers, teemu.local
dn: CN=defaults,OU=SUDOers,DC=teemu,DC=local

# %wheel, SUDOers, teemu.local
dn: CN=%wheel,OU=SUDOers,DC=teemu,DC=local

# search result
search: 4
result: 0 Success

# numResponses: 5
# numEntries: 4

-- 
--Teemu Keinonen
Rowland Penny
2014-Jul-02 11:58 UTC
[Samba] sssd_sudo search results different from command line ldapsearch
On 02/07/14 11:35, Teemu Keinonen wrote:
> Hi all! I'm attempting to configure sudo rights from Samba ldap. Alas,
> libsssd_samba receives 0 rules and config doesn't work. I think I have
> the problem identified here but I don't understand why. The way
> sssd_sudo searches for sudoers leaves all important attributes out and
> of course filtering then fails. Can you help me to understand why the
> following search results are so different (and how to fix it)?
>
> [...]

The difference in outputs is probably down to permissions, Administrator can see and alter everything, dc1 is probably very limited in what it can see and change. The output from the Administrator search looks ok, so, how have you setup sssd & sudo and are you using the correct sudo package? sudo-ldap is not the right one ;-)

Rowland
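The two ldapsearch runs in the first message differ only in the identity that bound, and the reply attributes the gap to permissions. The script below is an added example for this page, not code from either poster or from the Samba or SSSD projects. It takes the LDIF from a privileged bind and the LDIF from the service account's bind and reports, per entry, which attributes the service account cannot read, then counts how many entries still carry what a sudo client needs to build a rule. The two LDIF strings are constructed from the entries shown in the thread and trimmed; the set of attributes treated as required for a rule (objectClass, sudoUser, sudoCommand) is this example's own assumption, not a statement of SSSD's internal logic.

```python
"""Diff what two LDAP identities can read from the same subtree.
Added example for this thread (not code from either poster): feed it the LDIF
from a privileged bind and from the service account's bind and it reports the
attributes the second identity cannot read, entry by entry."""
import base64
from typing import Dict, Set

# Constructed from the thread's Administrator ldapsearch, trimmed to what sudo
# cares about; a folded line and a base64 value are kept to exercise the parser.
ADMIN_LDIF = """\
# reima, SUDOers, teemu.local
dn: CN=reima,OU=SUDOers,DC=teemu,DC=local
objectClass: top
objectClass: sudoRole
cn: reima
objectGUID:: U1paZdVOSke2zmInSenFTg==
objectCategory: CN=sudoRole,CN=Schema,CN=Configuration,DC=teemu,DC=loc
 al
sudoUser: reima
sudoHost: ALL
sudoCommand: ALL

# SUDOers, teemu.local
dn: OU=SUDOers,DC=teemu,DC=local
objectClass: top
objectClass: organizationalUnit
ou: SUDOers
"""

# Constructed from the dc1$ ldapsearch: the sudoRole entry comes back as a bare DN.
HOST_LDIF = """\
dn: CN=reima,OU=SUDOers,DC=teemu,DC=local

dn: OU=SUDOers,DC=teemu,DC=local
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

search: 4
result: 0 Success
"""


def split_attr(line: str):
    """'name: value' or 'name:: base64' -> (name, decoded value)."""
    name, _, value = line.partition(":")
    if value.startswith(":"):
        value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
    return name.strip(), value.strip()


def parse_ldif(text: str) -> Dict[str, Set[str]]:
    """{dn: attribute names} per entry. Handles '#' comments, folded lines,
    base64 values and the dn-less 'search:'/'result:' trailer (dropped)."""
    entries: Dict[str, Set[str]] = {}
    block: list = []

    def flush() -> None:
        dn, attrs = None, set()
        for logical in block:
            name, value = split_attr(logical)
            if dn is None and name.lower() == "dn":
                dn = value
            else:
                attrs.add(name)
        if dn is not None:          # a block without a dn is not an entry
            entries[dn] = attrs
        block.clear()

    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            flush()
        elif raw.startswith(" ") and block:
            block[-1] += raw[1:]    # unfold an LDIF continuation line
        else:
            block.append(raw)
    flush()
    return entries


def hidden_attributes(privileged: Dict[str, Set[str]],
                      limited: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Per DN, attributes the privileged bind sees but the limited one does not."""
    return {dn: (attrs - limited[dn]) if dn in limited else {"<entry not returned>"}
            for dn, attrs in privileged.items()
            if dn not in limited or attrs - limited[dn]}


# Assumption of this example: a sudo client needs at least these to build a rule.
RULE_ATTRS = {"objectClass", "sudoUser", "sudoCommand"}


def usable_rule_entries(view: Dict[str, Set[str]]) -> int:
    return sum(1 for attrs in view.values() if RULE_ATTRS <= attrs)


if __name__ == "__main__":
    admin, host = parse_ldif(ADMIN_LDIF), parse_ldif(HOST_LDIF)
    for dn, missing in hidden_attributes(admin, host).items():
        print(f"{dn}: hidden from dc1$ -> {', '.join(sorted(missing))}")
    print(f"usable rule entries: admin={usable_rule_entries(admin)}, "
          f"dc1$={usable_rule_entries(host)}")
```

To use it against a real directory, replace the two strings with the output of the same ldapsearch run under each identity (the parser copes with the comment lines and the trailing search/result block that ldapsearch emits). An entry that shows up as a bare DN with objectClass among the hidden attributes is exactly the shape seen in the first message, where the sudoRole entries lose everything the (objectClass=sudoRole) search would need to match.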