Re: sssd can't find sudo users

[Joshua Schaeffer <jschaeffer0922@gmail.com>]

Opps, typo in the subject.

On 02/20/2016 09:47 PM, Joshua Schaeffer wrote:
> I setup an SSO environment using Debian 8 systems. I have a Kerberos server which uses LDAP as its backend. I have users and groups created in OpenLDAP. The SSO environment seems to be working correctly. I installed SASL, GSSAPI, and SSSD on a test client. I can see my users and groups using getent from my test client and I can log into the server (locally and through SSH).
>
> I also have sudo-ldap installed and I'm trying to get SSSD to lookup my sudo users in LDAP, but I can seem to get this to work. I keep getting a "user is not in the sudoers file.  This incident will be reported." error. My configuration for the test client is below:
>
> root@korhal: cat /etc/sssd/sssd.conf
> [sssd]
> config_file_version        = 2
> services            = nss,pam
> domains                = HARMONYWAVE
>
> [nss]
> debug_level            = 5
> filter_users            = root
> filter_groups            = root
> #fallback_homedir        = /home/%u
>
> [pam]
>
> [domain/HARMONYWAVE]
> debug_level            = 5
> auth_provider            = krb5
> chpass_provider            = krb5
> krb5_server            = immortal.harmonywave.com
> krb5_realm            = HARMONYWAVE.COM
> cache_credentials        = false
>
> access_provider            = simple
> id_provider            = ldap
> ldap_uri            = ldap://baneling.harmonywave.com
> ldap_tls_reqcert        = demand
> ldap_tls_cacert            = /etc/ssl/certs/ca.harmonywave.com.pem
> ldap_search_base        = dc=harmonywave,dc=com
> ldap_id_use_start_tls        = true
> ldap_sasl_mech            = GSSAPI
> ldap_user_search_base        = ou=People,dc=harmonywave,dc=com
> ldap_group_search_base        = ou=Group,dc=harmonywave,dc=com
> ldap_user_object_class        = posixAccount
> ldap_user_name            = uid
> ldap_fullname            = cn
> ldap_user_home_directory    = homeDirectory
> ldap_group_object_class        = posixGroup
> ldap_group_name            = cn
> ldap_sudo_search_base        = ou=SUDOers,dc=harmonywave,dc=com
>
> sudo_provider            = ldap
>
> Getent shows that it can find me, my group, and that I am part of the wheel group:
>
> root@korhal:/home/jschaeffer# getent passwd jschaeffer
> jschaeffer:*:5000:5000:Joshua Schaeffer:/home/jschaeffer:/bin/bash
> root@korhal:/home/jschaeffer# getent group jschaeffer
> jschaeffer:*:5000:jschaeffer
> root@korhal:/home/jschaeffer# getent group wheel
> wheel:*:4002:jschaeffer
>
> I have the wheel group in OpenLDAP:
>
> root@korhal:/home/jschaeffer# ldapsearch -LLL -Y GSSAPI -H ldap://baneling.harmonywave.com -b ou=SUDOers,dc=harmonywave,dc=com
> SASL/GSSAPI authentication started
> SASL username: jschaeffer@HARMONYWAVE.COM
> SASL SSF: 56
> SASL data security layer installed.
> dn: ou=SUDOers,dc=harmonywave,dc=com
> objectClass: top
> objectClass: organizationalUnit
> ou: SUDOers
>
> dn: cn=%wheel,ou=SUDOers,dc=harmonywave,dc=com
> objectClass: top
> objectClass: sudoRole
> cn: %wheel
> sudoUser: %wheel
> sudoHost: ALL
> sudoCommand: ALL
>
> dn: cn=defaults,ou=SUDOers,dc=harmonywave,dc=com
> objectClass: top
> objectClass: sudoRole
> cn: defaults
> description: Add default sudoOptions's here
>
> When I try to run any command with sudo it fails:
>
> jschaeffer@korhal:~$ sudo ls
> [sudo] password for jschaeffer:
> jschaeffer is not in the sudoers file.  This incident will be reported.
>
> Any help would be appreciated. Thanks,
> Joshua