thr3ads.net - samba - [Samba] sssd_sudo search results different from command line ldapsearch [Jul 2014]

If this information is useful, please help other people find it:
Share via:

Teemu Keinonen

2014-Jul-02 10:35 UTC

[Samba] sssd_sudo search results different from command line ldapsearch

Hi all! I'm attempting to configure sudo rights from Samba ldap. Alas,
libsssd_samba receives 0 rules and config doesn't work. I think I have
the problem identified here but I don't understand why. The way
sssd_sudo searches for sudoers leave all important attributes out and
of course filtering then fails. Can you help me to understand why
following search results are so different (and how to fix it)?

[root at dc1 var]# kinit administrator at TEEMU.LOCAL
Password for administrator at TEEMU.LOCAL:
Warning: Your password will expire in 35 days on Wed Aug  6 22:20:25 2014
[root at dc1 var]# ldapsearch  -h dc1 -Y GSSAPI -b ou=SUDOers,dc=teemu,dc=local
SASL/GSSAPI authentication started
SASL username: administrator at TEEMU.LOCAL
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <ou=SUDOers,dc=teemu,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# reima, SUDOers, teemu.local
dn: CN=reima,OU=SUDOers,DC=teemu,DC=local
objectClass: top
objectClass: sudoRole
cn: reima
instanceType: 4
whenCreated: 20140625194650.0Z
whenChanged: 20140625194650.0Z
uSNCreated: 3799
uSNChanged: 3799
name: reima
objectGUID:: U1paZdVOSke2zmInSenFTg=objectCategory:
CN=sudoRole,CN=Schema,CN=Configuration,DC=teemu,DC=local
sudoUser: reima
sudoHost: ALL
sudoCommand: ALL
distinguishedName: CN=reima,OU=SUDOers,DC=teemu,DC=local

# SUDOers, teemu.local
dn: OU=SUDOers,DC=teemu,DC=local
objectClass: top
objectClass: organizationalUnit
ou: SUDOers
instanceType: 4
whenCreated: 20140625194301.0Z
whenChanged: 20140625194301.0Z
uSNCreated: 3797
uSNChanged: 3797
name: SUDOers
objectGUID:: avd+e6OrGkOV5qqtjV39vQ=objectCategory:
CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=teemu,DC local
distinguishedName: OU=SUDOers,DC=teemu,DC=local

# defaults, SUDOers, teemu.local
dn: CN=defaults,OU=SUDOers,DC=teemu,DC=local
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
instanceType: 4
whenCreated: 20140625194645.0Z
whenChanged: 20140625194645.0Z
uSNCreated: 3798
uSNChanged: 3798
name: defaults
objectGUID:: vrCxbL/QkUGFyZWvELWj/w=objectCategory:
CN=sudoRole,CN=Schema,CN=Configuration,DC=teemu,DC=local
sudoOption: env_keep+=SSH_AUTH_SOCK
distinguishedName: CN=defaults,OU=SUDOers,DC=teemu,DC=local

# %wheel, SUDOers, teemu.local
dn: CN=%wheel,OU=SUDOers,DC=teemu,DC=local
objectClass: top
objectClass: sudoRole
cn: %wheel
instanceType: 4
whenCreated: 20140626094147.0Z
whenChanged: 20140626094147.0Z
uSNCreated: 3800
uSNChanged: 3800
name: %wheel
objectGUID:: jpGX5AmGUkimPw1yl+oZkA=objectCategory:
CN=sudoRole,CN=Schema,CN=Configuration,DC=teemu,DC=local
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL
distinguishedName: CN=%wheel,OU=SUDOers,DC=teemu,DC=local

# search result
search: 4
result: 0 Success

# numResponses: 5
# numEntries: 4


[root at dc1 var]# kdestroy
[root at dc1 var]# kinit 'dc1$@TEEMU.LOCAL' -k -t /etc/krb5.sssd.keytab
[root at dc1 var]# ldapsearch  -h dc1 -Y GSSAPI -b ou=SUDOers,dc=teemu,dc=local
SASL/GSSAPI authentication started
SASL username: dc1$@TEEMU.LOCAL
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <ou=SUDOers,dc=teemu,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# reima, SUDOers, teemu.local
dn: CN=reima,OU=SUDOers,DC=teemu,DC=local

# SUDOers, teemu.local
dn: OU=SUDOers,DC=teemu,DC=local
objectClass: top
objectClass: organizationalUnit
ou: SUDOers
instanceType: 4
whenCreated: 20140625194301.0Z
whenChanged: 20140625194301.0Z
uSNCreated: 3797
uSNChanged: 3797
name: SUDOers
objectGUID:: avd+e6OrGkOV5qqtjV39vQ=objectCategory:
CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=teemu,DC local
distinguishedName: OU=SUDOers,DC=teemu,DC=local

# defaults, SUDOers, teemu.local
dn: CN=defaults,OU=SUDOers,DC=teemu,DC=local

# %wheel, SUDOers, teemu.local
dn: CN=%wheel,OU=SUDOers,DC=teemu,DC=local

# search result
search: 4
result: 0 Success

# numResponses: 5
# numEntries: 4

-- 

--Teemu Keinonen

Rowland Penny

2014-Jul-02 11:58 UTC

head link

[Samba] sssd_sudo search results different from command line ldapsearch

On 02/07/14 11:35, Teemu Keinonen wrote:> Hi all! I'm attempting to configure sudo rights from Samba ldap. Alas,
> libsssd_samba receives 0 rules and config doesn't work. I think I have
> the problem identified here but I don't understand why. The way
> sssd_sudo searches for sudoers leave all important attributes out and
> of course filtering then fails. Can you help me to understand why
> following search results are so different (and how to fix it)?
>
> [root at dc1 var]# kinit administrator at TEEMU.LOCAL
> Password for administrator at TEEMU.LOCAL:
> Warning: Your password will expire in 35 days on Wed Aug  6 22:20:25 2014
> [root at dc1 var]# ldapsearch  -h dc1 -Y GSSAPI -b
ou=SUDOers,dc=teemu,dc=local
> SASL/GSSAPI authentication started
> SASL username: administrator at TEEMU.LOCAL
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <ou=SUDOers,dc=teemu,dc=local> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # reima, SUDOers, teemu.local
> dn: CN=reima,OU=SUDOers,DC=teemu,DC=local
> objectClass: top
> objectClass: sudoRole
> cn: reima
> instanceType: 4
> whenCreated: 20140625194650.0Z
> whenChanged: 20140625194650.0Z
> uSNCreated: 3799
> uSNChanged: 3799
> name: reima
> objectGUID:: U1paZdVOSke2zmInSenFTg=> objectCategory:
CN=sudoRole,CN=Schema,CN=Configuration,DC=teemu,DC=local
> sudoUser: reima
> sudoHost: ALL
> sudoCommand: ALL
> distinguishedName: CN=reima,OU=SUDOers,DC=teemu,DC=local
>
> # SUDOers, teemu.local
> dn: OU=SUDOers,DC=teemu,DC=local
> objectClass: top
> objectClass: organizationalUnit
> ou: SUDOers
> instanceType: 4
> whenCreated: 20140625194301.0Z
> whenChanged: 20140625194301.0Z
> uSNCreated: 3797
> uSNChanged: 3797
> name: SUDOers
> objectGUID:: avd+e6OrGkOV5qqtjV39vQ=> objectCategory:
CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=teemu,DC>   local
> distinguishedName: OU=SUDOers,DC=teemu,DC=local
>
> # defaults, SUDOers, teemu.local
> dn: CN=defaults,OU=SUDOers,DC=teemu,DC=local
> objectClass: top
> objectClass: sudoRole
> cn: defaults
> description: Default sudoOption's go here
> instanceType: 4
> whenCreated: 20140625194645.0Z
> whenChanged: 20140625194645.0Z
> uSNCreated: 3798
> uSNChanged: 3798
> name: defaults
> objectGUID:: vrCxbL/QkUGFyZWvELWj/w=> objectCategory:
CN=sudoRole,CN=Schema,CN=Configuration,DC=teemu,DC=local
> sudoOption: env_keep+=SSH_AUTH_SOCK
> distinguishedName: CN=defaults,OU=SUDOers,DC=teemu,DC=local
>
> # %wheel, SUDOers, teemu.local
> dn: CN=%wheel,OU=SUDOers,DC=teemu,DC=local
> objectClass: top
> objectClass: sudoRole
> cn: %wheel
> instanceType: 4
> whenCreated: 20140626094147.0Z
> whenChanged: 20140626094147.0Z
> uSNCreated: 3800
> uSNChanged: 3800
> name: %wheel
> objectGUID:: jpGX5AmGUkimPw1yl+oZkA=> objectCategory:
CN=sudoRole,CN=Schema,CN=Configuration,DC=teemu,DC=local
> sudoUser: %wheel
> sudoHost: ALL
> sudoCommand: ALL
> distinguishedName: CN=%wheel,OU=SUDOers,DC=teemu,DC=local
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 5
> # numEntries: 4
>
>
> [root at dc1 var]# kdestroy
> [root at dc1 var]# kinit 'dc1$@TEEMU.LOCAL' -k -t
/etc/krb5.sssd.keytab
> [root at dc1 var]# ldapsearch  -h dc1 -Y GSSAPI -b
ou=SUDOers,dc=teemu,dc=local
> SASL/GSSAPI authentication started
> SASL username: dc1$@TEEMU.LOCAL
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <ou=SUDOers,dc=teemu,dc=local> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # reima, SUDOers, teemu.local
> dn: CN=reima,OU=SUDOers,DC=teemu,DC=local
>
> # SUDOers, teemu.local
> dn: OU=SUDOers,DC=teemu,DC=local
> objectClass: top
> objectClass: organizationalUnit
> ou: SUDOers
> instanceType: 4
> whenCreated: 20140625194301.0Z
> whenChanged: 20140625194301.0Z
> uSNCreated: 3797
> uSNChanged: 3797
> name: SUDOers
> objectGUID:: avd+e6OrGkOV5qqtjV39vQ=> objectCategory:
CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=teemu,DC>   local
> distinguishedName: OU=SUDOers,DC=teemu,DC=local
>
> # defaults, SUDOers, teemu.local
> dn: CN=defaults,OU=SUDOers,DC=teemu,DC=local
>
> # %wheel, SUDOers, teemu.local
> dn: CN=%wheel,OU=SUDOers,DC=teemu,DC=local
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 5
> # numEntries: 4
>The difference in outputs is probably down to permissions, Administrator 
can see and alter everything, dc1 is probably very limited in what it 
can see and change.

The output from the Administrator search looks ok, so, how have you 
setup sssd & sudo and are you using the correct sudo package? sudo-ldap 
is not the right one ;-)

Rowland

Maybe Matching Threads

Search for more reasonably related threads

samba - Jul 2014 - sssd_sudo search results different from command line ldapsearch

[Samba] sssd_sudo search results different from command line ldapsearch

[Samba] sssd_sudo search results different from command line ldapsearch

Maybe Matching Threads