[Samba] sssd_sudo search results different from command line ldapsearch

Teemu Keinonen tkeinonen at gmail.com
Wed Jul 2 04:52:27 MDT 2014


Oops: forgot to mention I'm using Samba 4.1.8 compiled according to the
wiki instructions (with rfc2307) on CentOS 6.5. LDAP is Samba's own.

---

Hi all! I'm attempting to configure sudo rights from Samba ldap. Alas,
libsssd_samba receives 0 rules and the config doesn't work. I think I have
identified the problem here but I don't understand why. The way
sssd_sudo searches for sudoers leaves all the important attributes out and
of course filtering then fails. Can you help me to understand why the
following search results are so different (and how to fix it)?

[root at dc1 var]# kinit administrator at TEEMU.LOCAL
Password for administrator at TEEMU.LOCAL:
Warning: Your password will expire in 35 days on Wed Aug  6 22:20:25 2014
[root at dc1 var]# ldapsearch  -h dc1 -Y GSSAPI -b ou=SUDOers,dc=teemu,dc=local
SASL/GSSAPI authentication started
SASL username: administrator at TEEMU.LOCAL
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <ou=SUDOers,dc=teemu,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# reima, SUDOers, teemu.local
dn: CN=reima,OU=SUDOers,DC=teemu,DC=local
objectClass: top
objectClass: sudoRole
cn: reima
instanceType: 4
whenCreated: 20140625194650.0Z
whenChanged: 20140625194650.0Z
uSNCreated: 3799
uSNChanged: 3799
name: reima
objectGUID:: U1paZdVOSke2zmInSenFTg==
objectCategory: CN=sudoRole,CN=Schema,CN=Configuration,DC=teemu,DC=local
sudoUser: reima
sudoHost: ALL
sudoCommand: ALL
distinguishedName: CN=reima,OU=SUDOers,DC=teemu,DC=local

# SUDOers, teemu.local
dn: OU=SUDOers,DC=teemu,DC=local
objectClass: top
objectClass: organizationalUnit
ou: SUDOers
instanceType: 4
whenCreated: 20140625194301.0Z
whenChanged: 20140625194301.0Z
uSNCreated: 3797
uSNChanged: 3797
name: SUDOers
objectGUID:: avd+e6OrGkOV5qqtjV39vQ==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=teemu,DC=
 local
distinguishedName: OU=SUDOers,DC=teemu,DC=local

# defaults, SUDOers, teemu.local
dn: CN=defaults,OU=SUDOers,DC=teemu,DC=local
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
instanceType: 4
whenCreated: 20140625194645.0Z
whenChanged: 20140625194645.0Z
uSNCreated: 3798
uSNChanged: 3798
name: defaults
objectGUID:: vrCxbL/QkUGFyZWvELWj/w==
objectCategory: CN=sudoRole,CN=Schema,CN=Configuration,DC=teemu,DC=local
sudoOption: env_keep+=SSH_AUTH_SOCK
distinguishedName: CN=defaults,OU=SUDOers,DC=teemu,DC=local

# %wheel, SUDOers, teemu.local
dn: CN=%wheel,OU=SUDOers,DC=teemu,DC=local
objectClass: top
objectClass: sudoRole
cn: %wheel
instanceType: 4
whenCreated: 20140626094147.0Z
whenChanged: 20140626094147.0Z
uSNCreated: 3800
uSNChanged: 3800
name: %wheel
objectGUID:: jpGX5AmGUkimPw1yl+oZkA==
objectCategory: CN=sudoRole,CN=Schema,CN=Configuration,DC=teemu,DC=local
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL
distinguishedName: CN=%wheel,OU=SUDOers,DC=teemu,DC=local

# search result
search: 4
result: 0 Success

# numResponses: 5
# numEntries: 4


[root at dc1 var]# kdestroy
[root at dc1 var]# kinit 'dc1$@TEEMU.LOCAL' -k -t /etc/krb5.sssd.keytab
[root at dc1 var]# ldapsearch  -h dc1 -Y GSSAPI -b ou=SUDOers,dc=teemu,dc=local
SASL/GSSAPI authentication started
SASL username: dc1$@TEEMU.LOCAL
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <ou=SUDOers,dc=teemu,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# reima, SUDOers, teemu.local
dn: CN=reima,OU=SUDOers,DC=teemu,DC=local

# SUDOers, teemu.local
dn: OU=SUDOers,DC=teemu,DC=local
objectClass: top
objectClass: organizationalUnit
ou: SUDOers
instanceType: 4
whenCreated: 20140625194301.0Z
whenChanged: 20140625194301.0Z
uSNCreated: 3797
uSNChanged: 3797
name: SUDOers
objectGUID:: avd+e6OrGkOV5qqtjV39vQ==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=teemu,DC=
 local
distinguishedName: OU=SUDOers,DC=teemu,DC=local

# defaults, SUDOers, teemu.local
dn: CN=defaults,OU=SUDOers,DC=teemu,DC=local

# %wheel, SUDOers, teemu.local
dn: CN=%wheel,OU=SUDOers,DC=teemu,DC=local

# search result
search: 4
result: 0 Success

# numResponses: 5
# numEntries: 4

--

--Teemu Keinonen
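Added note (not part of Teemu's mail, nor Samba or SSSD code): the second dump is the tell. Bound as the machine account dc1$, the three sudoRole entries (CN=reima, CN=defaults, CN=%wheel) come back as a bare DN with no attributes at all, while the OU itself comes back complete. That pattern means the entries are visible to dc1$ but none of their attributes are readable by it, so any filter sssd_sudo evaluates on sudoUser/sudoHost against what dc1$ can read matches nothing. The remedy is to grant the identity sssd binds with read access to the sudoRole attributes, not to bind with a more privileged account. The check itself is independent of sssd: diff the two ldapsearch results attribute by attribute. The Python below does that with a small LDIF parser (handles comment lines, RFC 2849 line folding, `::` base64 values and the dn-less search/result summary block ldapsearch appends). The two LDIF strings are constructed excerpts of the outputs quoted above; `parse_ldif`, `missing_attributes` and `acl_gap_report` are names of my own.

```python
"""Diff LDIF dumps of one subtree as seen by two bind identities (added
example for this thread; not Samba, SSSD or the poster's own code)."""
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]  # one entry: attribute -> values

def parse_ldif(text: str) -> Dict[str, Entry]:
    """Parse ldapsearch LDIF into {dn: {attribute: [values]}}: handles '#'
    comments, folded lines, 'attr::' base64 values, and drops the dn-less
    search:/result: summary block that ldapsearch appends."""
    logical: List[str] = []  # unfold: a leading space continues the previous line
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries: Dict[str, Entry] = {}
    current: Entry = {}

    def flush() -> None:
        # An entry ends at a blank line; a block without a dn is discarded.
        nonlocal current
        dn = current.pop("dn", None)
        if dn:
            entries[dn[0]] = current
        current = {}

    for line in logical:
        if line.startswith("#"):
            continue
        if not line.strip():
            flush()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not an attribute line
        if value.startswith(":"):
            raw = base64.b64decode(value[1:].strip())  # 'attr:: <base64>'
            try:
                value = raw.decode("utf-8")
            except UnicodeDecodeError:
                value = raw.hex()  # binary value such as objectGUID: keep hex
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    flush()  # the dump may not end with a blank line
    return entries

def missing_attributes(reference: Dict[str, Entry],
                       observed: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Per DN in `reference`, the attributes `observed` lacks. A DN that
    `observed` did not return at all is marked '<entry not returned>'."""
    report: Dict[str, List[str]] = {}
    for dn, attrs in reference.items():
        if dn not in observed:
            report[dn] = ["<entry not returned>"]
        elif (gone := sorted(set(attrs) - set(observed[dn]))):
            report[dn] = gone
    return report

# Constructed excerpts of the two ldapsearch outputs quoted in the mail:
# same base, bound as administrator and then as the dc1$ machine account.
ADMIN_LDIF = """\
# reima, SUDOers, teemu.local
dn: CN=reima,OU=SUDOers,DC=teemu,DC=local
objectClass: sudoRole
objectGUID:: U1paZdVOSke2zmInSenFTg==
sudoUser: reima
sudoCommand: ALL

# SUDOers, teemu.local
dn: OU=SUDOers,DC=teemu,DC=local
objectClass: organizationalUnit
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=teemu,DC=local
"""

MACHINE_LDIF = """\
# reima, SUDOers, teemu.local
dn: CN=reima,OU=SUDOers,DC=teemu,DC=local

# SUDOers, teemu.local
dn: OU=SUDOers,DC=teemu,DC=local
objectClass: organizationalUnit
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=teemu,DC=
 local

search: 2
result: 0 Success
"""

def acl_gap_report() -> Dict[str, List[str]]:
    # Attributes the administrator bind saw that the dc1$ bind did not.
    return missing_attributes(parse_ldif(ADMIN_LDIF), parse_ldif(MACHINE_LDIF))

if __name__ == "__main__":
    print(acl_gap_report())
```

Run against two real dumps (read them from files instead of the constructed strings), the report lists exactly which attributes the service identity is denied; an entry that appears only as a DN shows up with its whole attribute list, which is what the three sudoRole entries above would produce.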
