
sssd can't find sudo users

I setup an SSO environment using Debian 8 systems. I have a Kerberos server which uses LDAP as its backend. I have users and groups created in OpenLDAP. The SSO environment seems to be working correctly. I installed SASL, GSSAPI, and SSSD on a test client. I can see my users and groups using getent from my test client and I can log into the server (locally and through SSH).

I also have sudo-ldap installed and I'm trying to get SSSD to look up my sudo users in LDAP, but I can't seem to get this to work. I keep getting a "user is not in the sudoers file.  This incident will be reported." error. My configuration for the test client is below:

root@korhal: cat /etc/sssd/sssd.conf
[sssd]
config_file_version		= 2
services			= nss,pam
domains				= HARMONYWAVE

[nss]
debug_level			= 5
filter_users			= root
filter_groups			= root
#fallback_homedir		= /home/%u

[pam]

[domain/HARMONYWAVE]
debug_level			= 5
auth_provider			= krb5
chpass_provider			= krb5
krb5_server			= immortal.harmonywave.com
krb5_realm			= HARMONYWAVE.COM
cache_credentials		= false

access_provider			= simple
id_provider			= ldap
ldap_uri			= ldap://baneling.harmonywave.com
ldap_tls_reqcert		= demand
ldap_tls_cacert			= /etc/ssl/certs/ca.harmonywave.com.pem
ldap_search_base		= dc=harmonywave,dc=com
ldap_id_use_start_tls		= true
ldap_sasl_mech			= GSSAPI
ldap_user_search_base		= ou=People,dc=harmonywave,dc=com
ldap_group_search_base		= ou=Group,dc=harmonywave,dc=com
ldap_user_object_class		= posixAccount
ldap_user_name			= uid
ldap_fullname			= cn
ldap_user_home_directory	= homeDirectory
ldap_group_object_class		= posixGroup
ldap_group_name			= cn
ldap_sudo_search_base		= ou=SUDOers,dc=harmonywave,dc=com

sudo_provider			= ldap

Getent shows that it can find me, my group, and that I am part of the wheel group:

root@korhal:/home/jschaeffer# getent passwd jschaeffer
jschaeffer:*:5000:5000:Joshua Schaeffer:/home/jschaeffer:/bin/bash
root@korhal:/home/jschaeffer# getent group jschaeffer
jschaeffer:*:5000:jschaeffer
root@korhal:/home/jschaeffer# getent group wheel
wheel:*:4002:jschaeffer

I have the wheel group in OpenLDAP:

root@korhal:/home/jschaeffer# ldapsearch -LLL -Y GSSAPI -H ldap://baneling.harmonywave.com -b ou=SUDOers,dc=harmonywave,dc=com
SASL/GSSAPI authentication started
SASL username: jschaeffer@HARMONYWAVE.COM
SASL SSF: 56
SASL data security layer installed.
dn: ou=SUDOers,dc=harmonywave,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

dn: cn=%wheel,ou=SUDOers,dc=harmonywave,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL

dn: cn=defaults,ou=SUDOers,dc=harmonywave,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Add default sudoOptions's here

When I try to run any command with sudo it fails:

jschaeffer@korhal:~$ sudo ls
[sudo] password for jschaeffer:
jschaeffer is not in the sudoers file.  This incident will be reported.

Any help would be appreciated. Thanks,
Joshua
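Added example, not the poster's code or part of the thread: a small checker for the prerequisites that sssd-sudo(5) documents for sudo rule lookups through SSSD. It parses an sssd.conf-style file and an nsswitch.conf-style file and reports what is missing: the `sudo` responder must be listed in `services` under `[sssd]`, the domain needs a `sudo_provider` that can serve rules (it defaults to the `id_provider` when unset) with a search base, and the `sudoers:` database in nsswitch.conf must include `sss`. The sample inputs below are constructed for illustration and only mirror the shape of a client configuration like the one posted (a `services` line without `sudo` is one of the checks such a configuration fails).

```python
"""Check the pieces SSSD needs before sudo can read rules from it.

Added example (not the poster's configuration or the project's code).
The two samples below are constructed; the domain name and DNs are
placeholders, not values from any real deployment.
"""
import configparser

# Constructed sample: the relevant subset of a client sssd.conf.
SAMPLE_SSSD_CONF = """
[sssd]
config_file_version = 2
services = nss,pam
domains = EXAMPLE

[domain/EXAMPLE]
id_provider = ldap
sudo_provider = ldap
ldap_search_base = dc=example,dc=com
ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com
"""

# Constructed sample nsswitch.conf: the sudoers database only consults /etc/sudoers.
SAMPLE_NSSWITCH = """
passwd:   compat sss
group:    compat sss
sudoers:  files
"""

# Providers that can answer sudo rule requests, per sssd.conf(5).
SUDO_CAPABLE_PROVIDERS = ("ldap", "ipa", "ad")


def parse_sssd_conf(text):
    """Parse sssd.conf; it is INI-style with '=' and '#' comments."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp


def split_list(value):
    """Split a comma-separated sssd.conf value into a list of tokens."""
    return [item.strip() for item in value.split(",") if item.strip()]


def nsswitch_sources(text, database):
    """Return the ordered source list for one nsswitch.conf database."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        name, _, rest = line.partition(":")
        if name.strip() == database:
            return rest.split()
    return []


def check_sudo_integration(sssd_text, nsswitch_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    cp = parse_sssd_conf(sssd_text)

    # 1. The sudo responder must be started, or sudo's sss plugin has nothing to talk to.
    if "sudo" not in split_list(cp.get("sssd", "services", fallback="")):
        findings.append("[sssd] services does not include 'sudo' (sudo responder not started)")

    # 2. Each domain needs a provider that can serve sudo rules and a place to search.
    for dom in split_list(cp.get("sssd", "domains", fallback="")):
        section = f"domain/{dom}"
        if not cp.has_section(section):
            findings.append(f"domain '{dom}' is listed but has no [{section}] section")
            continue
        # sudo_provider falls back to id_provider when it is not set explicitly.
        effective = cp.get(section, "sudo_provider", fallback=None) or \
            cp.get(section, "id_provider", fallback=None)
        if effective not in SUDO_CAPABLE_PROVIDERS:
            findings.append(f"[{section}] has no sudo-capable provider (effective: {effective!r})")
        elif effective == "ldap" and not (cp.get(section, "ldap_sudo_search_base", fallback=None)
                                          or cp.get(section, "ldap_search_base", fallback=None)):
            findings.append(f"[{section}] sets neither ldap_sudo_search_base nor ldap_search_base")

    # 3. sudo itself must be told to consult SSSD via nsswitch.conf.
    if "sss" not in nsswitch_sources(nsswitch_text, "sudoers"):
        findings.append("nsswitch.conf 'sudoers:' line does not list 'sss'")

    return findings


if __name__ == "__main__":
    for finding in check_sudo_integration(SAMPLE_SSSD_CONF, SAMPLE_NSSWITCH) or ["all checks passed"]:
        print(finding)
```

Run against the constructed samples it reports two findings (no `sudo` in `services`, no `sss` on the `sudoers:` line); pointing the two functions at the real `/etc/sssd/sssd.conf` and `/etc/nsswitch.conf` contents gives the same checklist for a live client. It deliberately checks configuration only and does not query LDAP, so it can be run on a host that cannot reach the directory.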