View Issue Details

ID: 0000083
Project: AlmaLinux-8
Category: sudo
View Status: public
Last Update: 2021-06-08 19:47
Reporter: Najum
Assigned To: alukoshko
Priority: high
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Summary: 0000083: SSSD works with standard AD users on joining the realm, but sudo never works
Description
[sssd]
domains = DOMAIN.CORP
config_file_version = 2
services = nss, pam, sudo
 
[pam]
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
debug_level = 5
 
[domain/DOMAIN.CORP]
ad_domain = DOMAIN.CORP
krb5_realm = DOMAIN.CORP
debug_level = 2
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
fallback_homedir = /home/%u@%d
access_provider = ad
sudo_provider = ldap
ldap_uri = ldap://ldapserver.DOMAIN.CORP:50000
ldap_sudo_search_base = OU=SUDOers,DC=dcs,DC=intern
ad_gpo_ignore_unreadable = True
ad_gpo_access_control = permissive
Steps To Reproduce
[sssd]
domains = DOMAIN.CORP
config_file_version = 2
services = nss, pam, sudo
 
[pam]
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
debug_level = 5
 
[domain/DOMAIN.CORP]
ad_domain = DOMAIN.CORP
krb5_realm = DOMAIN.CORP
debug_level = 2
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
fallback_homedir = /home/%u@%d
access_provider = ad
sudo_provider = ldap
ldap_uri = ldap://ldap.DOMAIN.CORP:50000
ldap_sudo_search_base = OU=SUDOers,DC=dcs,DC=intern
ad_gpo_ignore_unreadable = True
ad_gpo_access_control = permissive
----
nsswitch.conf
passwd: sss files systemd
group: sss files systemd
netgroup: sss files
automount: sss files
services: sss files
shadow: files sss
hosts: files dns myhostname
aliases: files
ethers: files
gshadow: files
networks: files dns
protocols: files
publickey: files
rpc: files
sudoers: sss ldap
Additional Information
AlmaLinux 8.3 (Stable)
Microsoft AD users can log in and the home directory is automatically created (the NFS automount works too, I tested that as well). However, they are unable to sudo.

[ad-user@server ~]$ sudo -l
[sudo] password for ad-user:
Authenticated with cached credentials, your cached password will expire at: Fri 28 May 2021 13:21:24 CEST.
Sorry, user ad-user may not run sudo on server.
[ad-user@server ~]$

The identical configuration works on Debian / Ubuntu / CentOS 7 / CentOS 8.
----------
I also see the following errors a lot in the log, but things seem to work fine apart from sudo.

(2021-05-26 13:25:00): [be[DOMAIN.CORP]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
(2021-05-26 13:25:00): [be[DOMAIN.CORP]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(2021-05-26 13:25:00): [be[DOMAIN.CORP]] [sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed [11]: Resource temporarily unavailable
(2021-05-26 13:25:00): [be[DOMAIN.CORP]] [be_ptask_done] (0x0040): Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
(2021-05-26 13:25:01): [be[DOMAIN.CORP]] [sssd_async_connect_send] (0x0020): connect failed [13][Permission denied].
(2021-05-26 13:25:01): [be[DOMAIN.CORP]] [sssd_async_socket_init_done] (0x0020): sdap_async_sys_connect request failed: [13]: Permission denied.
(2021-05-26 13:25:01): [be[DOMAIN.CORP]] [sss_ldap_init_sys_connect_done] (0x0020): sssd_async_socket_init request failed: [13]: Permission denied.
(2021-05-26 13:25:01): [be[DOMAIN.CORP]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed: [13]: Permission denied.
(2021-05-26 13:25:01): [be[DOMAIN.CORP]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
(2021-05-26 13:25:01): [be[DOMAIN.CORP]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(2021-05-26 13:25:01): [be[DOMAIN.CORP]] [sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed [11]: Resource temporarily unavailable
(2021-05-26 13:25:01): [be[DOMAIN.CORP]] [be_ptask_done] (0x0040): Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
(2021-05-26 13:25:13): [be[DOMAIN.CORP]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getAccountInfo: Error [1432158212]: SSSD is offline
(2021-05-26 13:25:13): [be[DOMAIN.CORP]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getAccountInfo: Error [1432158212]: SSSD is offline
(2021-05-26 13:25:18): [be[DOMAIN.CORP]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getAccountInfo: Error [1432158212]: SSSD is offline
(2021-05-26 13:25:18): [be[DOMAIN.CORP]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getAccountInfo: Error [1432158212]: SSSD is offline
(2021-05-26 13:25:18): [be[DOMAIN.CORP]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getAccountInfo: Error [1432158212]: SSSD is offline
(2021-05-26 13:25:18): [be[DOMAIN.CORP]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getAccountInfo: Error [1432158212]: SSSD is offline
(2021-05-26 13:25:18): [be[DOMAIN.CORP]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getAccountInfo: Error [1432158212]: SSSD is offline
(2021-05-26 13:25:18): [be[DOMAIN.CORP]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getAccountInfo: Error [1432158212]: SSSD is offline
(2021-05-26 13:25:18): [be[DOMAIN.CORP]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getAccountInfo: Error [1432158212]: SSSD is offline
(2021-05-26 13:25:18): [be[DOMAIN.CORP]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getAccountInfo: Error [1432158212]: SSSD is offline
(2021-05-26 13:25:18): [be[DOMAIN.CORP]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getAccountInfo: Error [1432158212]: SSSD is offline
(2021-05-26 13:25:18): [be[DOMAIN.CORP]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getAccountInfo: Error [1432158212]: SSSD is offline
(2021-05-26 13:25:18): [be[DOMAIN.CORP]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getAccountInfo: Error [1432158212]: SSSD is offline
(2021-05-26 13:25:18): [be[DOMAIN.CORP]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getAccountInfo: Error [1432158212]: SSSD is offline

Tags: active direcotry, ldap sudo, sssd, sssd sudo

Activities

alukoshko

2021-05-26 13:19

administrator   ~0000220

Hello.
Permission denied errors look strange.
Could you please disable SELinux and repeat?
setenforce 0

alukoshko

2021-05-26 13:23

administrator   ~0000221

Please also compare openldap and samba configurations with working installations

Najum

2021-05-26 15:11

reporter   ~0000222

Disabling SELinux resolved the issue. Thanks, this can now be closed.

BTW, Samba was already working I only had issue with sudo and this is now resolved by disabling SELinux.
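On the errors pasted in the report: a connect() that fails with EACCES (13) toward an LDAP server on tcp/50000, followed by SSSD going offline, is the signature of SELinux refusing the sssd_t domain a name_connect to a port that is not labelled ldap_port_t. The stock policy only labels the standard LDAP ports, and the reporter's ldap_uri uses 50000. Running setenforce 0 makes the symptom disappear, but it drops confinement for every service on the host and does not survive a reboot. The targeted fix is to label the port (semanage port -a -t ldap_port_t -p tcp 50000) and keep enforcing mode; the denial can be confirmed beforehand with ausearch -m AVC -c sssd_be and getenforce. The script below is an added example, not part of this bug report and not SSSD or AlmaLinux code: it reads the ldap_uri port out of an sssd.conf fragment, checks it against semanage port -l output and prints the semanage command instead of running it. The sssd.conf fragment and the semanage listing it uses are constructed samples; on a real host feed it /etc/sssd/sssd.conf and the live output of semanage port -l.

```shell
#!/bin/sh
# Added example, not part of the bug report: given an sssd.conf and the output
# of `semanage port -l`, decide whether sssd_t is allowed to reach the ldap_uri
# port before anyone reaches for `setenforce 0`. All inputs below are constructed.

# Constructed fragment modelled on the reporter's [domain/...] stanza.
SAMPLE_SSSD_CONF='[domain/DOMAIN.CORP]
id_provider = ad
sudo_provider = ldap
ldap_uri = ldap://ldapserver.DOMAIN.CORP:50000
ldap_sudo_search_base = OU=SUDOers,DC=dcs,DC=intern
'

# Constructed `semanage port -l | grep ldap_port_t`, as on a stock RHEL 8 family policy.
SAMPLE_SEMANAGE_PORTS='ldap_port_t                    tcp      389, 636, 3268, 3269, 7389
ldap_port_t                    udp      389, 636, 3268, 3269, 7389
'

# ldap_uri_port CONF_TEXT
# Prints the TCP port of the first URI in ldap_uri (389 for ldap://, 636 for
# ldaps:// when no explicit port is given). Returns 1 if no ldap_uri is set.
ldap_uri_port() {
  uri=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*ldap_uri[[:space:]]*=[[:space:]]*//p' \
        | head -n 1 | cut -d, -f1 | sed 's/[[:space:]]*$//')
  case "$uri" in
    ldaps://*) default=636 ;;
    ldap://*)  default=389 ;;
    *)         return 1 ;;
  esac
  hostport=${uri#*://}     # drop the scheme
  hostport=${hostport%%/*} # drop any DN/path after the authority
  case "$hostport" in
    \[*\]:*) printf '%s\n' "${hostport##*]:}" ;;  # [ipv6]:port
    \[*\])   printf '%s\n' "$default" ;;          # [ipv6] without port
    *:*)     printf '%s\n' "${hostport##*:}" ;;   # host:port
    *)       printf '%s\n' "$default" ;;          # host only
  esac
}

# port_is_ldap_labelled PORT SEMANAGE_TEXT
# Returns 0 when PORT is in the ldap_port_t tcp list (single ports or a-b ranges).
port_is_ldap_labelled() {
  printf '%s\n' "$2" | awk -v p="$1" '
    $1 == "ldap_port_t" && $2 == "tcp" {
      for (i = 3; i <= NF; i++) {
        gsub(",", "", $i)
        if ($i ~ /^[0-9]+-[0-9]+$/) {
          split($i, r, "-")
          if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) found = 1
        } else if ($i == p) {
          found = 1
        }
      }
    }
    END { if (found) exit 0; exit 1 }'
}

# selinux_fix_command PORT
# Prints the targeted remedy: label the port so sssd_t may name_connect to it.
# Printed, not executed; run it as root on the affected host.
selinux_fix_command() {
  printf 'semanage port -a -t ldap_port_t -p tcp %s\n' "$1"
}

# diagnose CONF_TEXT SEMANAGE_TEXT -> prints "ok", "relabel <port>" or "no-ldap-uri"
diagnose() {
  port=$(ldap_uri_port "$1") || { echo "no-ldap-uri"; return 0; }
  if port_is_ldap_labelled "$port" "$2"; then
    echo "ok"
  else
    echo "relabel $port"
  fi
}

result=$(diagnose "$SAMPLE_SSSD_CONF" "$SAMPLE_SEMANAGE_PORTS")
case "$result" in
  relabel*) port=${result#relabel }
            echo "sssd_t cannot connect to tcp/$port while enforcing (connect() -> EACCES)"
            echo "fix: $(selinux_fix_command "$port")" ;;
  ok)       echo "ldap_uri port is already ldap_port_t; SELinux is not the blocker here" ;;
  *)        echo "no ldap_uri found in the supplied config" ;;
esac
```

The port label added by semanage is persistent and narrow: sssd_t gains access to that one port and every other confinement rule on the host stays in force, which is the opposite of what setenforce 0 does.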

Issue History

Date Modified Username Field Change
2021-05-26 11:51 Najum New Issue
2021-05-26 11:51 Najum Tag Attached: active direcotry
2021-05-26 11:51 Najum Tag Attached: ldap sudo
2021-05-26 11:51 Najum Tag Attached: sssd
2021-05-26 11:51 Najum Tag Attached: sssd sudo
2021-05-26 13:19 alukoshko Note Added: 0000220
2021-05-26 13:23 alukoshko Note Added: 0000221
2021-05-26 15:11 Najum Note Added: 0000222
2021-06-08 19:47 alukoshko Assigned To => alukoshko
2021-06-08 19:47 alukoshko Status new => closed
2021-06-08 19:47 alukoshko Resolution open => fixed