View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000083 | AlmaLinux-8 | sudo | public | 2021-05-26 11:51 | 2021-06-08 19:47 |
Reporter | Najum | Assigned To | alukoshko | ||
Priority | high | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Summary | 0000083: SSSD works with standard AD users on joining the realm, but sudo never works | ||||
Description |

```ini
[sssd]
domains = DOMAIN.CORP
config_file_version = 2
services = nss, pam, sudo

[pam]
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
debug_level = 5

[domain/DOMAIN.CORP]
ad_domain = DOMAIN.CORP
krb5_realm = DOMAIN.CORP
debug_level = 2
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
fallback_homedir = /home/%u@%d
access_provider = ad
sudo_provider = ldap
ldap_uri = ldap://ldapserver.DOMAIN.CORP:50000
ldap_sudo_search_base = OU=SUDOers,DC=dcs,DC=intern
ad_gpo_ignore_unreadable = True
ad_gpo_access_control = permissive
```
Steps To Reproduce |

```ini
[sssd]
domains = DOMAIN.CORP
config_file_version = 2
services = nss, pam, sudo

[pam]
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
debug_level = 5

[domain/DOMAIN.CORP]
ad_domain = DOMAIN.CORP
krb5_realm = DOMAIN.CORP
debug_level = 2
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
fallback_homedir = /home/%u@%d
access_provider = ad
sudo_provider = ldap
ldap_uri = ldap://ldap.DOMAIN.CORP:50000
ldap_sudo_search_base = OU=SUDOers,DC=dcs,DC=intern
ad_gpo_ignore_unreadable = True
ad_gpo_access_control = permissive
```

nsswitch.conf:

```
passwd:     sss files systemd
group:      sss files systemd
netgroup:   sss files
automount:  sss files
services:   sss files
shadow:     files sss
hosts:      files dns myhostname
aliases:    files
ethers:     files
gshadow:    files
networks:   files dns
protocols:  files
publickey:  files
rpc:        files
sudoers:    sss ldap
```
Additional Information |

AlmaLinux 8.3 (Stable)

Microsoft AD users can login, home directory is automatically created (the NFS automount works too since I tested that too). However, unable to sudo:

```
[ad-user@server ~]$ sudo -l
[sudo] password for ad-user:
Authenticated with cached credentials, your cached password will expire at: Fri 28 May 2021 13:21:24 CEST.
Sorry, user ad-user may not run sudo on server.
[ad-user@server ~]$
```

The identical configuration works on Debian / Ubuntu / CentOS 7 / CentOS 8.

I also see the following errors a lot in the log, but things seem to work fine apart from sudo.

```
(2021-05-26 13:25:00): [be[DOMAIN.CORP]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
(2021-05-26 13:25:00): [be[DOMAIN.CORP]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(2021-05-26 13:25:00): [be[DOMAIN.CORP]] [sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed [11]: Resource temporarily unavailable
(2021-05-26 13:25:00): [be[DOMAIN.CORP]] [be_ptask_done] (0x0040): Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
(2021-05-26 13:25:01): [be[DOMAIN.CORP]] [sssd_async_connect_send] (0x0020): connect failed [13][Permission denied].
(2021-05-26 13:25:01): [be[DOMAIN.CORP]] [sssd_async_socket_init_done] (0x0020): sdap_async_sys_connect request failed: [13]: Permission denied.
(2021-05-26 13:25:01): [be[DOMAIN.CORP]] [sss_ldap_init_sys_connect_done] (0x0020): sssd_async_socket_init request failed: [13]: Permission denied.
(2021-05-26 13:25:01): [be[DOMAIN.CORP]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed: [13]: Permission denied.
(2021-05-26 13:25:01): [be[DOMAIN.CORP]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
(2021-05-26 13:25:01): [be[DOMAIN.CORP]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(2021-05-26 13:25:01): [be[DOMAIN.CORP]] [sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed [11]: Resource temporarily unavailable
(2021-05-26 13:25:01): [be[DOMAIN.CORP]] [be_ptask_done] (0x0040): Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
(2021-05-26 13:25:13): [be[DOMAIN.CORP]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getAccountInfo: Error [1432158212]: SSSD is offline
(2021-05-26 13:25:13): [be[DOMAIN.CORP]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getAccountInfo: Error [1432158212]: SSSD is offline
(2021-05-26 13:25:18): [be[DOMAIN.CORP]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getAccountInfo: Error [1432158212]: SSSD is offline
(2021-05-26 13:25:18): [be[DOMAIN.CORP]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getAccountInfo: Error [1432158212]: SSSD is offline
(2021-05-26 13:25:18): [be[DOMAIN.CORP]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getAccountInfo: Error [1432158212]: SSSD is offline
(2021-05-26 13:25:18): [be[DOMAIN.CORP]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getAccountInfo: Error [1432158212]: SSSD is offline
(2021-05-26 13:25:18): [be[DOMAIN.CORP]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getAccountInfo: Error [1432158212]: SSSD is offline
(2021-05-26 13:25:18): [be[DOMAIN.CORP]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getAccountInfo: Error [1432158212]: SSSD is offline
(2021-05-26 13:25:18): [be[DOMAIN.CORP]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getAccountInfo: Error [1432158212]: SSSD is offline
(2021-05-26 13:25:18): [be[DOMAIN.CORP]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getAccountInfo: Error [1432158212]: SSSD is offline
(2021-05-26 13:25:18): [be[DOMAIN.CORP]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getAccountInfo: Error [1432158212]: SSSD is offline
(2021-05-26 13:25:18): [be[DOMAIN.CORP]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getAccountInfo: Error [1432158212]: SSSD is offline
(2021-05-26 13:25:18): [be[DOMAIN.CORP]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getAccountInfo: Error [1432158212]: SSSD is offline
```
Tags | active directory, ldap sudo, sssd, sssd sudo |
Note 0000220 (alukoshko, 2021-05-26 13:19):

Hello. Permission denied errors look strange. Could you please disable SELinux and repeat? `setenforce 0`
Note 0000221 (alukoshko, 2021-05-26 13:23):

Please also compare openldap and samba configurations with working installations.
Note 0000222 (Najum, 2021-05-26 15:11):

Disabling SELinux resolved the issue. Thanks, this can now be closed. BTW, Samba was already working; I only had an issue with sudo, and this is now resolved by disabling SELinux.
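As an added example (not from the bug report, the reporter, or AlmaLinux), the POSIX shell script below checks the hypothesis behind the notes above: that the repeated `connect failed [13][Permission denied]` in the reporter's sssd log is SELinux refusing `sssd_be` an outbound TCP connection to the non-standard LDAP port 50000 named in `ldap_uri`, and that the narrow fix is to label that port rather than leave SELinux disabled. The sssd.conf fragment and the AVC audit record are constructed samples; `ldap_port_t`, `unreserved_port_t`, `semanage port`, `ausearch` and `audit2why` are the standard SELinux port types and policy tools on RHEL-family systems, and the script only prints the command to run, it does not change policy itself.

```shell
#!/bin/sh
# Added example, not part of the bug report. Assumption under test: the
# "Permission denied" on connect is an SELinux denial of sssd_be's outbound
# TCP connect to the LDAP port from ldap_uri (confirm with ausearch first).

# Constructed sssd.conf fragment mirroring the report's sudo_provider setup.
SAMPLE_CONF='[domain/DOMAIN.CORP]
sudo_provider = ldap
ldap_uri = ldap://ldapserver.DOMAIN.CORP:50000
ldap_sudo_search_base = OU=SUDOers,DC=dcs,DC=intern'

# Constructed AVC record in the layout auditd writes to /var/log/audit/audit.log.
SAMPLE_AVC='type=AVC msg=audit(1622035501.001:4242): avc:  denied  { name_connect } for  pid=1337 comm="sssd_be" dest=50000 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# Port named in the first ldap_uri of a config; 389 when the URI has no port.
# (Only the first URI of a comma-separated list is inspected.)
ldap_port_from_conf() {
    port=$(printf '%s\n' "$1" \
        | sed -n 's#^[[:space:]]*ldap_uri[[:space:]]*=[[:space:]]*ldaps\{0,1\}://[^:/]*:\([0-9][0-9]*\).*#\1#p' \
        | head -n 1)
    printf '%s\n' "${port:-389}"
}

# Destination port of one AVC record (the dest= field).
avc_dest_port() {
    printf '%s\n' "$1" | sed -n 's/.* dest=\([0-9][0-9]*\) .*/\1/p'
}

# SELinux type of the target object (third field of tcontext=u:r:t:s).
avc_target_type() {
    printf '%s\n' "$1" | sed -n 's/.* tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p'
}

# Emit the port-labelling command when the denied port is the configured LDAP
# port and it does not already carry ldap_port_t; otherwise signal that this
# particular fix does not apply and the cause must be sought elsewhere.
remediation_for() {
    conf_port=$(ldap_port_from_conf "$1")
    avc_port=$(avc_dest_port "$2")
    if [ "$conf_port" = "$avc_port" ] && [ "$(avc_target_type "$2")" != "ldap_port_t" ]; then
        printf 'semanage port -a -t ldap_port_t -p tcp %s\n' "$conf_port"
    else
        printf 'no-port-label-fix\n'
    fi
}

# Stand-alone run on the constructed samples.
echo "configured LDAP port: $(ldap_port_from_conf "$SAMPLE_CONF")"
echo "denied port / target type: $(avc_dest_port "$SAMPLE_AVC") / $(avc_target_type "$SAMPLE_AVC")"
echo "suggested fix: $(remediation_for "$SAMPLE_CONF" "$SAMPLE_AVC")"
```

On the affected host the real record comes from `ausearch -m AVC -c sssd_be -ts recent` (pipe it through `audit2why` for the policy's own explanation); feeding that line to `remediation_for` yields the `semanage port` command, after which `setenforce 1` restores enforcing mode and `sudo -l` can be re-tested with confinement intact. A denial on a different port, or a port already typed `ldap_port_t`, produces `no-port-label-fix`, which means the permission error is not a port-label problem and the openldap/samba comparison suggested in note 0000221 is the next step.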
Date Modified | Username | Field | Change |
---|---|---|---|
2021-05-26 11:51 | Najum | New Issue | |
2021-05-26 11:51 | Najum | Tag Attached: active directory | |
2021-05-26 11:51 | Najum | Tag Attached: ldap sudo | |
2021-05-26 11:51 | Najum | Tag Attached: sssd | |
2021-05-26 11:51 | Najum | Tag Attached: sssd sudo | |
2021-05-26 13:19 | alukoshko | Note Added: 0000220 | |
2021-05-26 13:23 | alukoshko | Note Added: 0000221 | |
2021-05-26 15:11 | Najum | Note Added: 0000222 | |
2021-06-08 19:47 | alukoshko | Assigned To | => alukoshko |
2021-06-08 19:47 | alukoshko | Status | new => closed |
2021-06-08 19:47 | alukoshko | Resolution | open => fixed |