Ubuntu 12.04 sssd sudo not working

This is Ubuntu 12.04.5 LTS.

I am trying to set up SSSD as a client. Everything works except sudo: I see nothing happening in the sssd_sudo.log file apart from the usual file refreshes.

Installed versions:

  • sudo-ldap: version 1.8.3p1-1ubuntu3.7
  • sssd: version 1.8.6-0ubuntu0.3
  • nscd: version 2.15-0ubuntu10.11
  • libsss-sudo: version 1.11.7-3

I can see in the log that sssd searches inside the sudoers subtree on the LDAP server. (Note that it is a FreeIPA 4.1 LDAP server and this setup uses plain sssd, so there is nothing IPA-related on the Ubuntu client box.)

CONFIGS:

nsswitch.conf

    # /etc/nsswitch.conf
    #
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc-reference' and `info' packages installed, try:
    # `info libc "Name Service Switch"' for information about this file.

    # passwd: compat sss # pre_auth-client-config # passwd: compat
    passwd: compat sss
    # group: compat sss # pre_auth-client-config # group: compat
    group: compat sss
    # shadow: compat # pre_auth-client-config # shadow: compat
    shadow: compat

    hosts: files dns
    networks: files

    protocols: db files
    services: db files
    ethers: db files
    rpc: db files

    sudoers: files sss
    sudoers_debug: 1

    # netgroup: nis sss # pre_auth-client-config # netgroup: nis
    netgroup: nis

sssd.conf

    [sssd]
    debug_level = 5
    config_file_version = 2
    reconnection_retries = 3
    sbus_timeout = 30
    #services = nss, pam
    services = nss,pam,sudo
    domains = corp.company.com

    [nss]
    debug_level = 9
    reconnection_retries = 3
    entry_cache_nowait_percentage = 50

    [pam]
    debug_level = 9
    reconnection_retries = 3
    offline_failed_login_attempts = 5
    offline_failed_login_delay = 5

    [domain/corp.company.com]
    ldap_tls_cacert = /etc/ldap/cacerts/389.crt
    enumerate = True
    #min_id = 200
    debug_level = 5
    ldap_tls_reqcert = demand
    ldap_id_use_start_tls = True
    cache_credentials = True
    ldap_uri = ldaps://freeipa.server.com
    #auth_provider = krb5
    #chpass_provider = ldap
    #krb5_realm = corp.company.com
    auth_provider = ldap
    id_provider = ldap
    access_provider = simple
    ldap_search_base = dc=corp,dc=company,dc=com
    ldap_schema = rfc2307
    ldap_user_search_base = cn=users,cn=accounts,dc=corp,dc=company,dc=com
    ldap_group_search_base = cn=groups,cn=accounts,dc=corp,dc=company,dc=com
    ldap_default_bind_dn = uid=specialuser,cn=users,cn=accounts,dc=corp,dc=company,dc=com
    ldap_default_authtok_type = obfuscated_password
    ldap_default_authtok = <password>
    sudo_provider = ldap
    ldap_sudo_search_base = ou=sudoers,DC=corp,DC=company,DC=com

    [sudo]
    debug_level = 9

Log files

sssd_sudo.log

    (Thu Mar 26 20:47:26 2015) [sssd[sudo]] [sss_process_init] (0x0020): Responder Initialization complete
    (Thu Mar 26 20:47:26 2015) [sssd[sudo]] [sudo_process_init] (0x0400): SUDO Initialization complete
    (Thu Mar 26 20:47:26 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 7BEB40
    (Thu Mar 26 20:47:26 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 7BEB40
    (Thu Mar 26 20:47:26 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 7C0FE0
    (Thu Mar 26 20:47:26 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 7C0FE0
    (Thu Mar 26 20:47:26 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x7bde20/0x7bb700 (13), R/- (disabled)
    (Thu Mar 26 20:47:26 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x7bde20/0x7bb6b0 (13), -/W (enabled)
    (Thu Mar 26 20:47:26 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x7c1570/0x7c0b60 (14), R/- (disabled)
    (Thu Mar 26 20:47:26 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x7c1570/0x7c0b10 (14), -/W (enabled)
    (Thu Mar 26 20:47:26 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x7bde20/0x7bb700 (13), R/- (enabled)
    (Thu Mar 26 20:47:26 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x7bde20/0x7bb6b0 (13), -/W (disabled)
    (Thu Mar 26 20:47:26 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x7c1570/0x7c0b60 (14), R/- (enabled)
    (Thu Mar 26 20:47:26 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x7c1570/0x7c0b10 (14), -/W (disabled)
    (Thu Mar 26 20:47:26 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x7bde20/0x7bb700 (13), R/- (disabled)
    (Thu Mar 26 20:47:26 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x7bde20/0x7bb6b0 (13), -/W (enabled)
    (Thu Mar 26 20:47:26 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x7c1570/0x7c0b60 (14), R/- (disabled)
    (Thu Mar 26 20:47:26 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x7c1570/0x7c0b10 (14), -/W (enabled)
    (Thu Mar 26 20:47:26 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x7bde20/0x7bb700 (13), R/- (enabled)
    (Thu Mar 26 20:47:26 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x7bde20/0x7bb6b0 (13), -/W (disabled)
    (Thu Mar 26 20:47:26 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x7c1570/0x7c0b60 (14), R/- (enabled)
    (Thu Mar 26 20:47:26 2015) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x7c1570/0x7c0b10 (14), -/W (disabled)
    (Thu Mar 26 20:47:26 2015) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x7be830
    (Thu Mar 26 20:47:26 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 7BEB40
    (Thu Mar 26 20:47:26 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching.
    (Thu Mar 26 20:47:26 2015) [sssd[sudo]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
    (Thu Mar 26 20:47:26 2015) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x7c1a10
    (Thu Mar 26 20:47:26 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 7C0FE0
    (Thu Mar 26 20:47:26 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching.
    (Thu Mar 26 20:47:26 2015) [sssd[sudo]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP
    (Thu Mar 26 20:47:36 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 7BEB40
    (Thu Mar 26 20:47:36 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching.
    (Thu Mar 26 20:47:36 2015) [sssd[sudo]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
    (Thu Mar 26 20:47:46 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 7BEB40
    (Thu Mar 26 20:47:46 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching.
    (Thu Mar 26 20:47:46 2015) [sssd[sudo]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
    (Thu Mar 26 20:47:56 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 7BEB40
    (Thu Mar 26 20:47:56 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching.
    (Thu Mar 26 20:47:56 2015) [sssd[sudo]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
    (Thu Mar 26 20:48:06 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 7BEB40
    (Thu Mar 26 20:48:06 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching.
    (Thu Mar 26 20:48:06 2015) [sssd[sudo]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
    (Thu Mar 26 20:48:16 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 7BEB40
    (Thu Mar 26 20:48:16 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching.
    (Thu Mar 26 20:48:16 2015) [sssd[sudo]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
    (Thu Mar 26 20:48:26 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 7BEB40
    (Thu Mar 26 20:48:26 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching.
    (Thu Mar 26 20:48:26 2015) [sssd[sudo]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
    (Thu Mar 26 20:48:36 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 7BEB40
    (Thu Mar 26 20:48:36 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching.

sudo_domain.log

    (Thu Mar 26 21:03:50 2015) [sssd[be[corp.company.com]]] [sssm_simple_access_init] (0x0020): No rules supplied for simple access provider. Access will be granted for all users.
    (Thu Mar 26 21:03:50 2015) [sssd[be[corp.company.com]]] [load_backend_module] (0x0200): no module name found in confdb, using [ldap].
    (Thu Mar 26 21:03:50 2015) [sssd[be[corp.company.com]]] [load_backend_module] (0x0200): no module name found in confdb, using [ldap].
    (Thu Mar 26 21:03:50 2015) [sssd[be[corp.company.com]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][ou=sudoers,DC=corp,DC=company,DC=com][SUBTREE][]
    (Thu Mar 26 21:03:50 2015) [sssd[be[corp.company.com]]] [sdap_get_map] (0x0200): Option ldap_sudorule_object_class has value sudoRole
    (Thu Mar 26 21:03:50 2015) [sssd[be[corp.company.com]]] [sdap_get_map] (0x0200): Option ldap_sudorule_name has value cn
    (Thu Mar 26 21:03:50 2015) [sssd[be[corp.company.com]]] [sdap_get_map] (0x0200): Option ldap_sudorule_command has value sudoCommand
    (Thu Mar 26 21:03:50 2015) [sssd[be[corp.company.com]]] [sdap_get_map] (0x0200): Option ldap_sudorule_host has value sudoHost
    (Thu Mar 26 21:03:50 2015) [sssd[be[corp.company.com]]] [sdap_get_map] (0x0200): Option ldap_sudorule_user has value sudoUser
    (Thu Mar 26 21:03:50 2015) [sssd[be[corp.company.com]]] [sdap_get_map] (0x0200): Option ldap_sudorule_option has value sudoOption
    (Thu Mar 26 21:03:50 2015) [sssd[be[corp.company.com]]] [sdap_get_map] (0x0200): Option ldap_sudorule_runasuser has value sudoRunAsUser
    (Thu Mar 26 21:03:50 2015) [sssd[be[corp.company.com]]] [sdap_get_map] (0x0200): Option ldap_sudorule_runasgroup has value sudoRunAsGroup
    (Thu Mar 26 21:03:50 2015) [sssd[be[corp.company.com]]] [sdap_get_map] (0x0200): Option ldap_sudorule_notbefore has value sudoNotBefore
    (Thu Mar 26 21:03:50 2015) [sssd[be[corp.company.com]]] [sdap_get_map] (0x0200): Option ldap_sudorule_notafter has value sudoNotAfter
    (Thu Mar 26 21:03:50 2015) [sssd[be[corp.company.com]]] [sdap_get_map] (0x0200): Option ldap_sudorule_order has value sudoOrder
    (Thu Mar 26 21:03:50 2015) [sssd[be[corp.company.com]]] [load_backend_module] (0x0200): no module name found in confdb, using [ldap].
    (Thu Mar 26 21:03:50 2015) [sssd[be[corp.company.com]]] [ldap_get_autofs_options] (0x0200): Option ldap_autofs_search_base set to dc=corp,dc=company,dc=com
    (Thu Mar 26 21:03:50 2015) [sssd[be[corp.company.com]]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][dc=corp,dc=company,dc=com][SUBTREE][]
    (Thu Mar 26 21:03:50 2015) [sssd[be[corp.company.com]]] [sdap_get_map] (0x0200): Option ldap_autofs_map_object_class has value automountMap
    (Thu Mar 26 21:03:50 2015) [sssd[be[corp.company.com]]] [sdap_get_map] (0x0200): Option ldap_autofs_map_name has value ou
    (Thu Mar 26 21:03:50 2015) [sssd[be[corp.company.com]]] [sdap_get_map] (0x0200): Option ldap_autofs_entry_object_class has value automount

First of all, SSSD 1.8 is very old and no longer supported upstream. I hope this is a vendor-supported distribution.

Regarding sudo, I don't see any requests from sudo in the sssd_sudo log. In this old version you had to install libsss_sudo manually IIRC; you may want to check how that is handled on Ubuntu as well.

Finally, I don't understand why you use id_provider = ldap with an IPA server instead of id_provider = ipa (which ipa-client-install sets up). Your hand-made configuration is not correct: at the very least the schema should not be set to rfc2307, and your group memberships will not work properly because IPA uses a variant of the rfc2307bis schema. For performance reasons you also should not use enumerate = True.
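The answer above lists several things to check in the client's configuration (the sudo responder and the sudoers line in nsswitch.conf, id_provider = ldap versus ipa against a FreeIPA server, ldap_schema = rfc2307, enumerate = True). The script below is an added example, written for this page and not code from the thread, sssd or sudo: it parses an sssd.conf and an nsswitch.conf and reports those findings. The sample inputs are constructed from the poster's configuration; the "fixed" domain section is a sketch of the IPA-provider form that sssd-ipa(5) describes, not the literal output of ipa-client-install. It checks configuration text only; it cannot tell whether libsss_sudo is installed on the box (note that the version list shows libsss-sudo 1.11.7-3 next to sssd 1.8.6-0ubuntu0.3).

```python
"""Audit sssd.conf and nsswitch.conf for sudo-over-SSSD misconfiguration.

Added example for this page; not code from the original post, sssd or sudo.
"""
import configparser

# Constructed sample: the relevant options from the poster's hand-written sssd.conf.
SSSD_CONF_BROKEN = """\
[sssd]
services = nss,pam,sudo
domains = corp.company.com

[domain/corp.company.com]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
enumerate = True
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,DC=corp,DC=company,DC=com
"""

# Constructed sample: the same domain using the IPA provider (assumption: a
# sketch in the shape sssd-ipa(5) documents, not ipa-client-install's output).
SSSD_CONF_FIXED = """\
[sssd]
services = nss,pam,sudo
domains = corp.company.com

[domain/corp.company.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
sudo_provider = ipa
ipa_domain = corp.company.com
ipa_server = freeipa.server.com
"""

NSSWITCH_OK = "passwd: compat sss\nsudoers: files sss\n"      # constructed
NSSWITCH_NO_SSS = "passwd: compat sss\nsudoers: files\n"      # constructed


def parse_sssd_conf(text):
    """sssd.conf is INI-style; strict=False tolerates a repeated key."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def nsswitch_sources(text, database):
    """Source list for one nsswitch.conf database, e.g. ['files', 'sss']."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if ":" not in line:
            continue
        db, _, sources = line.partition(":")
        if db.strip() == database:
            return sources.split()
    return []


def audit(sssd_conf_text, nsswitch_text, server_is_ipa=True):
    """Return (section, option, problem) tuples; an empty list means clean."""
    findings = []
    cp = parse_sssd_conf(sssd_conf_text)

    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        findings.append(("sssd", "services", "sudo responder not listed; sssd_sudo is never started"))

    if "sss" not in nsswitch_sources(nsswitch_text, "sudoers"):
        findings.append(("nsswitch.conf", "sudoers", "'sss' missing; sudo never asks sssd"))

    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    for dom in domains:
        sec = "domain/" + dom
        if not cp.has_section(sec):
            findings.append(("sssd", "domains", "no [%s] section" % sec))
            continue
        id_provider = cp.get(sec, "id_provider", fallback="")
        # sssd.conf(5): sudo_provider defaults to the id_provider when unset.
        sudo_provider = cp.get(sec, "sudo_provider", fallback=id_provider)

        if server_is_ipa and id_provider != "ipa":
            findings.append((sec, "id_provider",
                             "IPA server but id_provider = %s; use id_provider = ipa" % id_provider))
        if server_is_ipa and id_provider == "ldap" and \
                cp.get(sec, "ldap_schema", fallback="") == "rfc2307":
            findings.append((sec, "ldap_schema",
                             "rfc2307 against IPA, which uses an rfc2307bis variant; group membership breaks"))
        if cp.getboolean(sec, "enumerate", fallback=False):
            findings.append((sec, "enumerate", "enumerate = True is expensive; leave it off"))
        if sudo_provider == "ldap" and not (cp.has_option(sec, "ldap_sudo_search_base")
                                            or cp.has_option(sec, "ldap_search_base")):
            findings.append((sec, "ldap_sudo_search_base", "no search base for sudo rules"))
    return findings


if __name__ == "__main__":
    for section, option, problem in audit(SSSD_CONF_BROKEN, NSSWITCH_OK):
        print("[%s] %s: %s" % (section, option, problem))
```

Run against the poster's options it reports id_provider, ldap_schema and enumerate; run against the IPA-provider sketch it reports nothing, and dropping `sss` from the sudoers line of nsswitch.conf is flagged on its own. Pass `server_is_ipa=False` for a plain LDAP server, where id_provider = ldap and ldap_schema = rfc2307 may well be correct.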