[Pkg-sssd-devel] Bug#805462: sssd ignores filter_users = root. Ldap provided sudo not working
shuld wert
entrop92 at gmail.com
Wed Nov 18 12:24:06 UTC 2015
Package: sssd
Version: 1.8.4-2
Severity: important

Dear Maintainer,

We have a working setup with sssd and an ldap-krb5 domain (a kind of
SSO). Sssd gets users, groups and sudo via kerberos from ldap. The setup is
working just fine on centos and debian8, but not on debian wheezy.

What is expected: a user from ldap is able to log in via ssh to a debian 7
machine; after this, he's able to use sudo if he is allowed to (via ldap or
locally).

What happens: the user logs in to the machine, he's allowed to 'sudo -s' in
ldap, but he isn't able to do that.

Here is what the sssd-log says:

(Tue Nov 17 13:31:09 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0040): User [root] does not exist in [RNET.RU]! (negative cache)
(Tue Nov 17 13:31:09 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0040): No matching domain found for [root], fail!

Here is the nsswitch.conf:

passwd: compat sss
group: compat sss
shadow: compat sss
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: sss files

And here is the sssd config file:

[domain/RNET.RU]
autofs_provider = ldap
cache_credentials = false
ldap_search_base = dc=rnet,dc=ru
krb5_realm = RNET.RU
krb5_server = kdc1.rnet.ru
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldaps://kdc1.rnet.ru, ldaps://kdc2.rnet.ru
krb5_kpasswd = kdc1.rnet.ru
ldap_id_use_start_tls = true
krb5_renew_interval=10s
ldap_sasl_mech = GSSAPI
ldap_tls_cacert = /etc/ssl/rnet.ru/STAR_rnet_ru.ca-bundle
access_provider = simple

[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = RNET.RU

[nss]
filter_users = root
filter_groups = root

[pam]

[sudo]
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=rnet,dc=ru

Just the same configuration works everywhere else, but not on debian 7.
Both x86_64 and 32-bit are affected.

Thank you in advance for any help you can provide.

Best regards, Petr Zaytsev

-- System Information:
Debian Release: 7.9
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: i386 (i686)
Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages sssd depends on:
ii libc-ares2 1.9.1-3
ii libc6 2.13-38+deb7u8
ii libcollection2 0.1.3-2
ii libcomerr2 1.42.5-1.1+deb7u1
ii libdbus-1-3 1.6.8-1+deb7u6
ii libdhash1 0.1.3-2
ii libini-config2 0.1.3-2
ii libipa-hbac0 1.8.4-2
ii libk5crypto3 1.10.1+dfsg-5+deb7u4
ii libkeyutils1 1.5.5-3+deb7u1
ii libkrb5-3 1.10.1+dfsg-5+deb7u4
ii libldap-2.4-2 2.4.31-2+deb7u1
ii libldb1 1:1.1.6-1
ii libnl1 1.1-7
ii libnspr4 2:4.9.2-1+deb7u2
ii libnss3 2:3.14.5-1+deb7u5
ii libpam0g 1.1.3-7.1
ii libpcre3 1:8.30-5
ii libpopt0 1.16-7
ii libtalloc2 2.0.7+git20120207-1
ii libtdb1 1.2.10-2
ii libtevent0 0.9.16-1
ii libunistring0 0.9.3-5
ii multiarch-support 2.13-38+deb7u8
ii python 2.7.3-4+deb7u1
ii python-sss 1.8.4-2

Versions of packages sssd recommends:
ii bind9-host 1:9.8.4.dfsg.P1-6+nmu2+deb7u7
ii ldap-utils 2.4.31-2+deb7u1
ii libnss-sss 1.8.4-2
ii libpam-sss 1.8.4-2
ii libsasl2-modules-gssapi-mit 2.1.25.dfsg1-6+deb7u1
ii libsasl2-modules-ldap 2.1.25.dfsg1-6+deb7u1

Versions of packages sssd suggests:
pn apparmor <none>
pn sssd-tools <none>

-- no debconf information