[Samba] sssd_sudo search results different from command line ldapsearch

Rowland Penny rowlandpenny at googlemail.com
Wed Jul 2 05:58:31 MDT 2014


On 02/07/14 11:35, Teemu Keinonen wrote:
> Hi all! I'm attempting to configure sudo rights from Samba ldap. Alas,
> libsssd_samba receives 0 rules and config doesn't work. I think I have
> the problem identified here but I don't understand why. The way
> sssd_sudo searches for sudoers leaves all important attributes out and
> of course filtering then fails. Can you help me to understand why the
> following search results are so different (and how to fix it)?
>
> [root@dc1 var]# kinit administrator@TEEMU.LOCAL
> Password for administrator@TEEMU.LOCAL:
> Warning: Your password will expire in 35 days on Wed Aug  6 22:20:25 2014
> [root@dc1 var]# ldapsearch  -h dc1 -Y GSSAPI -b ou=SUDOers,dc=teemu,dc=local
> SASL/GSSAPI authentication started
> SASL username: administrator@TEEMU.LOCAL
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <ou=SUDOers,dc=teemu,dc=local> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # reima, SUDOers, teemu.local
> dn: CN=reima,OU=SUDOers,DC=teemu,DC=local
> objectClass: top
> objectClass: sudoRole
> cn: reima
> instanceType: 4
> whenCreated: 20140625194650.0Z
> whenChanged: 20140625194650.0Z
> uSNCreated: 3799
> uSNChanged: 3799
> name: reima
> objectGUID:: U1paZdVOSke2zmInSenFTg==
> objectCategory: CN=sudoRole,CN=Schema,CN=Configuration,DC=teemu,DC=local
> sudoUser: reima
> sudoHost: ALL
> sudoCommand: ALL
> distinguishedName: CN=reima,OU=SUDOers,DC=teemu,DC=local
>
> # SUDOers, teemu.local
> dn: OU=SUDOers,DC=teemu,DC=local
> objectClass: top
> objectClass: organizationalUnit
> ou: SUDOers
> instanceType: 4
> whenCreated: 20140625194301.0Z
> whenChanged: 20140625194301.0Z
> uSNCreated: 3797
> uSNChanged: 3797
> name: SUDOers
> objectGUID:: avd+e6OrGkOV5qqtjV39vQ==
> objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=teemu,DC=
>   local
> distinguishedName: OU=SUDOers,DC=teemu,DC=local
>
> # defaults, SUDOers, teemu.local
> dn: CN=defaults,OU=SUDOers,DC=teemu,DC=local
> objectClass: top
> objectClass: sudoRole
> cn: defaults
> description: Default sudoOption's go here
> instanceType: 4
> whenCreated: 20140625194645.0Z
> whenChanged: 20140625194645.0Z
> uSNCreated: 3798
> uSNChanged: 3798
> name: defaults
> objectGUID:: vrCxbL/QkUGFyZWvELWj/w==
> objectCategory: CN=sudoRole,CN=Schema,CN=Configuration,DC=teemu,DC=local
> sudoOption: env_keep+=SSH_AUTH_SOCK
> distinguishedName: CN=defaults,OU=SUDOers,DC=teemu,DC=local
>
> # %wheel, SUDOers, teemu.local
> dn: CN=%wheel,OU=SUDOers,DC=teemu,DC=local
> objectClass: top
> objectClass: sudoRole
> cn: %wheel
> instanceType: 4
> whenCreated: 20140626094147.0Z
> whenChanged: 20140626094147.0Z
> uSNCreated: 3800
> uSNChanged: 3800
> name: %wheel
> objectGUID:: jpGX5AmGUkimPw1yl+oZkA==
> objectCategory: CN=sudoRole,CN=Schema,CN=Configuration,DC=teemu,DC=local
> sudoUser: %wheel
> sudoHost: ALL
> sudoCommand: ALL
> distinguishedName: CN=%wheel,OU=SUDOers,DC=teemu,DC=local
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 5
> # numEntries: 4
>
>
> [root@dc1 var]# kdestroy
> [root@dc1 var]# kinit 'dc1$@TEEMU.LOCAL' -k -t /etc/krb5.sssd.keytab
> [root@dc1 var]# ldapsearch  -h dc1 -Y GSSAPI -b ou=SUDOers,dc=teemu,dc=local
> SASL/GSSAPI authentication started
> SASL username: dc1$@TEEMU.LOCAL
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <ou=SUDOers,dc=teemu,dc=local> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # reima, SUDOers, teemu.local
> dn: CN=reima,OU=SUDOers,DC=teemu,DC=local
>
> # SUDOers, teemu.local
> dn: OU=SUDOers,DC=teemu,DC=local
> objectClass: top
> objectClass: organizationalUnit
> ou: SUDOers
> instanceType: 4
> whenCreated: 20140625194301.0Z
> whenChanged: 20140625194301.0Z
> uSNCreated: 3797
> uSNChanged: 3797
> name: SUDOers
> objectGUID:: avd+e6OrGkOV5qqtjV39vQ==
> objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=teemu,DC=
>   local
> distinguishedName: OU=SUDOers,DC=teemu,DC=local
>
> # defaults, SUDOers, teemu.local
> dn: CN=defaults,OU=SUDOers,DC=teemu,DC=local
>
> # %wheel, SUDOers, teemu.local
> dn: CN=%wheel,OU=SUDOers,DC=teemu,DC=local
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 5
> # numEntries: 4
>
The difference in outputs is probably down to permissions: Administrator 
can see and alter everything; dc1 is probably very limited in what it 
can see and change.

The output from the Administrator search looks ok, so, how have you 
set up sssd & sudo and are you using the correct sudo package? sudo-ldap 
is not the right one ;-)

Rowland
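The two ldapsearch runs above differ only in the identity that authenticated: the
Administrator ticket sees full sudoRole entries, the dc1$ machine ticket sees bare
DNs. The following is an added example, not code from the thread or from Samba or
sssd: it parses two LDIF dumps and reports, per entry, which attributes the
second identity cannot read, and which sudoRole entries are therefore useless to
sssd (no objectClass, no sudoUser/sudoHost/sudoCommand to match on). The embedded
LDIF is a constructed, trimmed copy of the two outputs in the thread; in practice
you would feed it the saved output of the two ldapsearch commands. The remedy the
check points at, granting the computer account (or Domain Computers) read access
on the SUDOers OU, is not shown here because the thread does not get that far.

```python
"""Compare what two LDAP identities can read from the same sudoers OU.

Added example (not from the thread). The LDIF strings are constructed,
trimmed copies of the Administrator and dc1$ searches from the thread.
"""

# Attributes sssd's sudo provider needs to match a rule (sudoRole schema).
REQUIRED_SUDO_ATTRS = ("sudoUser", "sudoHost", "sudoCommand")

ADMIN_LDIF = """\
dn: CN=reima,OU=SUDOers,DC=teemu,DC=local
objectClass: top
objectClass: sudoRole
cn: reima
sudoUser: reima
sudoHost: ALL
sudoCommand: ALL

dn: OU=SUDOers,DC=teemu,DC=local
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

dn: CN=defaults,OU=SUDOers,DC=teemu,DC=local
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: env_keep+=SSH_AUTH_SOCK

dn: CN=%wheel,OU=SUDOers,DC=teemu,DC=local
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL
"""

# What the machine account saw: entries exist, but every attribute is hidden.
MACHINE_LDIF = """\
dn: CN=reima,OU=SUDOers,DC=teemu,DC=local

dn: OU=SUDOers,DC=teemu,DC=local
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

dn: CN=defaults,OU=SUDOers,DC=teemu,DC=local

dn: CN=%wheel,OU=SUDOers,DC=teemu,DC=local
"""


def parse_ldif(text):
    """Return {dn: {attr: [values]}} from an ldapsearch-style LDIF dump.

    Handles blank-line separated entries, '#' comment lines, continuation
    lines (leading space) and '::' base64 values (kept as the raw text).
    An entry that shows only its dn is recorded with an empty dict.
    """
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]        # join a wrapped value
        else:
            logical.append(line)
    entries, current = {}, None
    for line in logical:
        if not line.strip():
            current = None                 # entry boundary
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip()
        if value.startswith(":"):
            value = value[1:]              # base64 marker '::'
        value = value.strip()
        if attr.lower() == "dn":
            current = value
            entries.setdefault(current, {})
            continue
        if current is not None:
            entries[current].setdefault(attr, []).append(value)
    return entries


def hidden_attributes(full_view, limited_view):
    """Per DN, the attributes present in full_view but absent in limited_view."""
    hidden = {}
    for dn, attrs in full_view.items():
        if dn not in limited_view:
            hidden[dn] = ["<entry not visible>"]
            continue
        missing = sorted(a for a in attrs if a not in limited_view[dn])
        if missing:
            hidden[dn] = missing
    return hidden


def unusable_sudo_roles(full_view, limited_view):
    """DNs of sudoRole entries that the limited identity cannot use.

    A role is unusable if objectClass or any REQUIRED_SUDO_ATTRS value that
    the full view has is hidden from the limited view (the 'defaults' entry
    has only sudoOption, so it is judged on objectClass alone).
    """
    bad = []
    for dn, attrs in full_view.items():
        if "sudoRole" not in attrs.get("objectClass", []):
            continue
        seen = limited_view.get(dn, {})
        needed = [a for a in ("objectClass",) + REQUIRED_SUDO_ATTRS if a in attrs]
        if any(a not in seen for a in needed):
            bad.append(dn)
    return sorted(bad)


if __name__ == "__main__":
    admin, machine = parse_ldif(ADMIN_LDIF), parse_ldif(MACHINE_LDIF)
    for dn, attrs in hidden_attributes(admin, machine).items():
        print(dn, "hides:", ", ".join(attrs))
    print("unusable sudo roles:", unusable_sudo_roles(admin, machine))
```

Run it against the two real dumps (redirect each ldapsearch to a file and load
the files instead of the constants) whenever sssd logs zero rules: if every
sudoRole DN comes back under "unusable sudo roles" while the OU itself is fully
readable, the problem is directory ACLs on the service principal, not the sssd
or sudo configuration.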
