search

SSSD / sssd

A daemon to manage identity, authentication and authorization for centrally-managed systems.
https://sssd.io
GNU General Public License v3.0
611 stars 250 forks source link

Using fq format [%1$s@%2$s] #6440

Closed paulb-smartit closed 1 year ago

paulb-smartit commented 2 years ago

I can't get sssd working with sudo. Firstly I installed and setup ldap auth and tested with sudo-ldap. That's all good. Then I change to using libsss-sudo and make changes to nsswitch.conf and pam.d to use sss.

The log suggests that all LDAP queries get suffixed with the domain @LDAP and even worse @ldap@LDAP

No matter what I try I always see this in the sssd_sudo.log

[sudo] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = LDAP
use_fully_qualified_domain_name = False
use_fully_qualified_names = False
full_name_format = %1$s
debug_level = 0xFFF0

[domain/LDAP]
cache_credentials = true
enumerate = true
use_fully_qualified_domain_name = False
use_fully_qualified_names = False

full_name_format = %1$s

# LDAP settings redacted

All help gratefully received.

OS

$ sssd --version                              
2.6.3

$ cat /etc/os-release          
NAME="Linux Mint"
VERSION="21 (Vanessa)"
ID=linuxmint
ID_LIKE="ubuntu debian"
PRETTY_NAME="Linux Mint 21"
VERSION_ID="21"
HOME_URL="https://www.linuxmint.com/"
SUPPORT_URL="https://forums.linuxmint.com/"
BUG_REPORT_URL="http://linuxmint-troubleshooting-guide.readthedocs.io/en/latest/"
PRIVACY_POLICY_URL="https://www.linuxmint.com/"
VERSION_CODENAME=vanessa
UBUNTU_CODENAME=jammy

sssd_sudo.log

(2022-11-16 13:13:23): [sudo] [sudosrv_response_append_attr] (0x0020): [CID#1] value is not a string
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  [sudo] [become_user] (0x0200): Trying to become user [0][0].
   *  [sudo] [become_user] (0x0200): Already user [0].
   *  [sudo] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
   *  (2022-11-16 13:13:03): [sudo] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
   *  (2022-11-16 13:13:03): [sudo] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
   *  (2022-11-16 13:13:03): [sudo] [sss_get_etc_shells] (0x0400): Found shell /bin/sh in /etc/shells
   *  (2022-11-16 13:13:03): [sudo] [sss_get_etc_shells] (0x0400): Found shell /bin/bash in /etc/shells
   *  (2022-11-16 13:13:03): [sudo] [sss_get_etc_shells] (0x0400): Found shell /usr/bin/bash in /etc/shells
   *  (2022-11-16 13:13:03): [sudo] [sss_get_etc_shells] (0x0400): Found shell /bin/rbash in /etc/shells
   *  (2022-11-16 13:13:03): [sudo] [sss_get_etc_shells] (0x0400): Found shell /usr/bin/rbash in /etc/shells
   *  (2022-11-16 13:13:03): [sudo] [sss_get_etc_shells] (0x0400): Found shell /usr/bin/sh in /etc/shells
   *  (2022-11-16 13:13:03): [sudo] [sss_get_etc_shells] (0x0400): Found shell /bin/dash in /etc/shells
   *  (2022-11-16 13:13:03): [sudo] [sss_get_etc_shells] (0x0400): Found shell /usr/bin/dash in /etc/shells
   *  (2022-11-16 13:13:03): [sudo] [sss_get_etc_shells] (0x0400): Found shell /bin/zsh in /etc/shells
   *  (2022-11-16 13:13:03): [sudo] [sss_get_etc_shells] (0x0400): Found shell /usr/bin/zsh in /etc/shells
   *  (2022-11-16 13:13:03): [sudo] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
   *  (2022-11-16 13:13:03): [sudo] [sss_fqnames_init] (0x0100): Using fq format [%1$s].
   *  (2022-11-16 13:13:03): [sudo] [sysdb_domain_init_internal] (0x0200): DB File for LDAP: /var/lib/sss/db/cache_LDAP.ldb
   *  (2022-11-16 13:13:03): [sudo] [sysdb_domain_init_internal] (0x0200): Timestamp file for LDAP: /var/lib/sss/db/timestamps_LDAP.ldb
   *  (2022-11-16 13:13:03): [sudo] [sysdb_ldb_connect] (0x4000): No ldb module path set in env
   *  (2022-11-16 13:13:03): [sudo] [ldb] (0x0400): asq: Unable to register control with rootdse!
   *  (2022-11-16 13:13:03): [sudo] [sysdb_ldb_connect] (0x4000): No ldb module path set in env
   *  (2022-11-16 13:13:03): [sudo] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
   *  (2022-11-16 13:13:03): [sudo] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
   *  (2022-11-16 13:13:03): [sudo] [sss_process_init] (0x0400): Responder initialization complete (explicitly configured)
   *  (2022-11-16 13:13:03): [sudo] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/LDAP/root@ldap] to negative cache permanently
   *  (2022-11-16 13:13:03): [sudo] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/LDAP/root@ldap] to negative cache permanently
   *  (2022-11-16 13:13:03): [sudo] [sss_ncache_set_str] (0x0400): Adding [NCE/UID/0] to negative cache permanently
   *  (2022-11-16 13:13:03): [sudo] [sss_ncache_set_str] (0x0400): Adding [NCE/GID/0] to negative cache permanently
   *  (2022-11-16 13:13:03): [sudo] [sudo_process_init] (0x0400): SUDO Initialization complete
   *  (2022-11-16 13:13:03): [sudo] [sss_dp_init_done] (0x0400): Client is registered with DP
   *  (2022-11-16 13:13:03): [sudo] [sss_monitor_service_init_done] (0x0100): Got id ack and version (1) from Monitor
   *  (2022-11-16 13:13:03): [sudo] [sss_domain_get_state] (0x1000): Domain LDAP is Active
   *  (2022-11-16 13:13:03): [sudo] [cache_req_domain_new_list_from_domain_resolution_order] (0x0400): Domain resolution order list: not set
   *  (2022-11-16 13:13:03): [sudo] [sysdb_get_certmap] (0x0400): No certificate maps found.
   *  (2022-11-16 13:13:03): [sudo] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/LDAP/root@ldap] to negative cache permanently
   *  (2022-11-16 13:13:03): [sudo] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/LDAP/root@ldap] to negative cache permanently
   *  (2022-11-16 13:13:03): [sudo] [sss_ncache_set_str] (0x0400): Adding [NCE/UID/0] to negative cache permanently
   *  (2022-11-16 13:13:03): [sudo] [sss_ncache_set_str] (0x0400): Adding [NCE/GID/0] to negative cache permanently
   *  (2022-11-16 13:13:23): [sudo] [get_client_cred] (0x4000): Client [0x563a95b48380][18] creds: euid[0] egid[0] pid[12547] cmd_line['sudo'].
   *  (2022-11-16 13:13:23): [sudo] [setup_client_idle_timer] (0x4000): Idle timer re-set for client [0x563a95b48380][18]
   *  (2022-11-16 13:13:23): [sudo] [accept_fd_handler] (0x0400): [CID#1] Client [cmd sudo][uid 0][0x563a95b48380][18] connected!
   *  (2022-11-16 13:13:23): [sudo] [sss_cmd_get_version] (0x0200): [CID#1] Received client version [1].
   *  (2022-11-16 13:13:23): [sudo] [sss_cmd_get_version] (0x0200): [CID#1] Offered version [1].
   *  (2022-11-16 13:13:23): [sudo] [sudosrv_cmd] (0x2000): [CID#1] Using protocol version [1]
   *  (2022-11-16 13:13:23): [sudo] [sudosrv_get_rules_send] (0x0400): [CID#1] Running initgroups for [myuser]
   *  (2022-11-16 13:13:23): [sudo] [cache_req_set_plugin] (0x2000): [CID#1] CR #0: Setting "Initgroups by name" plugin
   *  (2022-11-16 13:13:23): [sudo] [cache_req_send] (0x0400): [CID#1] CR #0: REQ_TRACE: New request [CID #1] 'Initgroups by name'
   *  (2022-11-16 13:13:23): [sudo] [cache_req_process_input] (0x0400): [CID#1] CR #0: Parsing input name [myuser]
   *  (2022-11-16 13:13:23): [sudo] [sss_parse_name_for_domains] (0x0200): [CID#1] name 'myuser' matched without domain, user is myuser
   *  (2022-11-16 13:13:23): [sudo] [cache_req_set_name] (0x0400): [CID#1] CR #0: Setting name [myuser]
   *  (2022-11-16 13:13:23): [sudo] [cache_req_select_domains] (0x0400): [CID#1] CR #0: Performing a multi-domain search
   *  (2022-11-16 13:13:23): [sudo] [cache_req_search_domains] (0x0400): [CID#1] CR #0: Search will check the cache and check the data provider
   *  (2022-11-16 13:13:23): [sudo] [cache_req_validate_domain_type] (0x2000): [CID#1] Request type POSIX-only for domain LDAP type POSIX is valid
   *  (2022-11-16 13:13:23): [sudo] [cache_req_set_domain] (0x0400): [CID#1] CR #0: Using domain [LDAP]
   *  (2022-11-16 13:13:23): [sudo] [cache_req_prepare_domain_data] (0x0400): [CID#1] CR #0: Preparing input data for domain [LDAP] rules
   *  (2022-11-16 13:13:23): [sudo] [cache_req_search_send] (0x0400): [CID#1] CR #0: Looking up myuser@ldap
   *  (2022-11-16 13:13:23): [sudo] [cache_req_search_ncache] (0x0400): [CID#1] CR #0: Checking negative cache for [myuser@ldap]
   *  (2022-11-16 13:13:23): [sudo] [sss_ncache_check_str] (0x2000): [CID#1] Checking negative cache for [NCE/USER/LDAP/myuser@ldap]
   *  (2022-11-16 13:13:23): [sudo] [cache_req_search_ncache] (0x0400): [CID#1] CR #0: [myuser@ldap] is not present in negative cache
   *  (2022-11-16 13:13:23): [sudo] [cache_req_search_cache] (0x0400): [CID#1] CR #0: Looking up [myuser@ldap] in cache
   *  (2022-11-16 13:13:23): [sudo] [cache_req_search_send] (0x0400): [CID#1] CR #0: Returning [myuser@ldap] from cache
   *  (2022-11-16 13:13:23): [sudo] [cache_req_search_ncache_filter] (0x0400): [CID#1] CR #0: This request type does not support filtering result by negative cache
   *  (2022-11-16 13:13:23): [sudo] [cache_req_create_and_add_result] (0x0400): [CID#1] CR #0: Found 19 entries in domain LDAP
   *  (2022-11-16 13:13:23): [sudo] [cache_req_done] (0x0400): [CID#1] CR #0: Finished: Success
   *  (2022-11-16 13:13:23): [sudo] [sysdb_get_sudo_user_info] (0x0400): [CID#1] Original name: myuser@ldap
   *  (2022-11-16 13:13:23): [sudo] [sysdb_get_sudo_user_info] (0x0400): [CID#1] Cased name: myuser@ldap
   *  (2022-11-16 13:13:23): [sudo] [sudosrv_query_cache] (0x0200): [CID#1] Searching sysdb with [(&(objectClass=sudoRule)(dataExpireTimestamp<=1668604403)(|(name=defaults)(sudoUser=ALL)(sudoUser=myuser@ldap)(sudoUser=#1103)(sudoUser=%access-role-sysadmin@ldap)(sudoUser=...REDACTED...)(sudoUser=%access-role-people@ldap)(sudoUser=+*)))]
   *  (2022-11-16 13:13:23): [sudo] [sudosrv_refresh_rules_send] (0x0400): [CID#1] No expired rules were found for [myuser@ldap@LDAP].
   *  (2022-11-16 13:13:23): [sudo] [sudosrv_fetch_rules] (0x0400): [CID#1] Retrieving default options for [myuser@ldap@LDAP]
   *  (2022-11-16 13:13:23): [sudo] [sudosrv_query_cache] (0x0200): [CID#1] Searching sysdb with [(&(objectClass=sudoRule)(name=defaults))]
   *  (2022-11-16 13:13:23): [sudo] [sysdb_merge_res_ts_attrs] (0x2000): [CID#1] TS cache doesn't handle this DN type, skipping
   *  (2022-11-16 13:13:23): [sudo] [sudosrv_fetch_rules] (0x0400): [CID#1] Returning 1 default options for [myuser@ldap@LDAP]
   *  (2022-11-16 13:13:23): [sudo] [sudosrv_build_response] (0x2000): [CID#1] error: [0]
   *  (2022-11-16 13:13:23): [sudo] [sudosrv_build_response] (0x2000): [CID#1] rules_num: [0]
   *  (2022-11-16 13:13:23): [sudo] [sudosrv_build_response] (0x2000): [CID#1] rule [1]/[1]
   *  (2022-11-16 13:13:23): [sudo] [sudosrv_response_append_attr] (0x2000): [CID#1] cn:defaults
   *  (2022-11-16 13:13:23): [sudo] [sudosrv_response_append_attr] (0x2000): [CID#1] objectClass:sudoRule
   *  (2022-11-16 13:13:23): [sudo] [sudosrv_response_append_attr] (0x0020): [CID#1] value is not a string
paulb-smartit commented 2 years ago

Additional info:

$ sssctl user-checks -s=sudo myuser
user: myuser
action: acct
service: sudo

SSSD nss user lookup result:
 - user name: myuser
 - user id: 1103
 - group id: 501
 - gecos: My User
 - home directory: /home/myuser
 - shell: /bin/zsh

SSSD InfoPipe user lookup result:
 - name: myuser
 - uidNumber: 1103
 - gidNumber: 501
 - gecos: My User
 - homeDirectory: /home/myuser
 - loginShell: /bin/zsh

testing pam_acct_mgmt

pam_acct_mgmt: Success

PAM Environment:
 - no env -
paulb-smartit commented 2 years ago

I've spent more time looking into how sssd works, and I am coming to the conclusion that the problem isn't with the caching or querying of data.

If I use ldbsearch to query the cache_LDAP.ldb database, I can see all the users and groups cached in there, and understand the suffix of @ldap now. @ldap is an internal database representation, not a domain actually used to query LDAP with.

$ ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb

So what have I got going on? Is there something in the data that fails to return a successful query? The data in OpenLDAP works with sudo-ldap.

When using sudo there is a very long pause, 60 seconds, and then it asks for a password. I modified the prompt in LDAP using a sudoOption.

passprompt=[sudo-ldap] Password for %u on %H:

nsswitch.conf

sudoers: files sss

But I'm only seeing a prompt of [sudo] I suspect the sss part is timing out and reverting to files, hence the standard prompt. I can't see from the logs why it behaves like this, though.

alexey-tikhonov commented 1 year ago

Hi @paulb-opusvl,

Looks like an issue is:

   *  (2022-11-16 13:13:23): [sudo] [sudosrv_query_cache] (0x0200): [CID#1] Searching sysdb with [(&(objectClass=sudoRule)(name=defaults))]
   *  (2022-11-16 13:13:23): [sudo] [sysdb_merge_res_ts_attrs] (0x2000): [CID#1] TS cache doesn't handle this DN type, skipping
   *  (2022-11-16 13:13:23): [sudo] [sudosrv_fetch_rules] (0x0400): [CID#1] Returning 1 default options for [myuser@ldap@LDAP]
   *  (2022-11-16 13:13:23): [sudo] [sudosrv_build_response] (0x2000): [CID#1] error: [0]
   *  (2022-11-16 13:13:23): [sudo] [sudosrv_build_response] (0x2000): [CID#1] rules_num: [0]
   *  (2022-11-16 13:13:23): [sudo] [sudosrv_build_response] (0x2000): [CID#1] rule [1]/[1]
   *  (2022-11-16 13:13:23): [sudo] [sudosrv_response_append_attr] (0x2000): [CID#1] cn:defaults
   *  (2022-11-16 13:13:23): [sudo] [sudosrv_response_append_attr] (0x2000): [CID#1] objectClass:sudoRule
   *  (2022-11-16 13:13:23): [sudo] [sudosrv_response_append_attr] (0x0020): [CID#1] value is not a string

Could you please show output of ldbsearch for ' [(&(objectClass=sudoRule)(name=defaults))]' filter for domain cache (in /var/lib/sss/db/cache_LDAP.ldb)?

paulb-smartit commented 1 year ago

Ok it's been a while, I appreciate you coming back. I reverted users to sudo and delivered sudoers.d style configs.

This is from my system:

$ sudo ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb '(&(objectClass=sudoRule)(name=defaults))' 
asq: Unable to register control with rootdse!
# record 1
dn: name=defaults,cn=sudorules,cn=custom,cn=LDAP,cn=sysdb
cn: defaults
dataExpireTimestamp: 1668693811
entryUSN: 20220825105355Z
name: defaults
objectCategory: sudoRole
objectCategory: top
objectClass: sudoRule
originalDN: cn=defaults,ou=SUDOers,dc=opusvl
sudoOption:: aW5zdWx0cwAA
sudoOption:: c3lzbG9nPXVzZXIAAA==
sudoOption: mailto=sysadmin@opusvl.com
sudoOption:: aWdub3JlX2xvY2FsX3N1ZG9lcnMAAA==
sudoOption:: bWFpbHN1Yj1zdWRvIGFjY2VzcyByZXBvcnQgZnJvbSAlaAA=
sudoOption: pwfeedback
sudoOption: passprompt=[sudo-ldap] Password for %u on %H:
sudoOption: env_reset
distinguishedName: name=defaults,cn=sudorules,cn=custom,cn=LDAP,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals

decoded parts

sudoOption: mailsub=sudo access report from %h
sudoOption: ignore_local_sudoers
sudoOption: insults
sudoOption: syslog=user

This is didn't like:

$ sudo ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb '[(&(objectClass=sudoRule)(name=defaults))]'
asq: Unable to register control with rootdse!
allocating request failed: Unable to parse search expression
paulb-smartit commented 1 year ago

Cleaner output:

$ sudo ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb '(&(objectClass=sudoRule)(name=defaults))' | perl -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n +//g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print'
asq: Unable to register control with rootdse!
# record 1
dn: name=defaults,cn=sudorules,cn=custom,cn=LDAP,cn=sysdb
cn: defaults
dataExpireTimestamp: 1668693811
entryUSN: 20220825105355Z
name: defaults
objectCategory: sudoRole
objectCategory: top
objectClass: sudoRule
originalDN: cn=defaults,ou=SUDOers,dc=opusvl
sudoOption:: insults
sudoOption:: syslog=user
sudoOption: mailto=sysadmin@opusvl.com
sudoOption:: ignore_local_sudoers
sudoOption:: mailsub=sudo access report from %h
sudoOption: pwfeedback
sudoOption: passprompt=[sudo-ldap] Password for %u on %H:
sudoOption: env_reset
distinguishedName: name=defaults,cn=sudorules,cn=custom,cn=LDAP,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals
alexey-tikhonov commented 1 year ago

It looks like the issue is with values:

sudoOption:: aW5zdWx0cwAA
sudoOption:: c3lzbG9nPXVzZXIAAA==
sudoOption:: aWdub3JlX2xvY2FsX3N1ZG9lcnMAAA==
sudoOption:: bWFpbHN1Yj1zdWRvIGFjY2VzcyByZXBvcnQgZnJvbSAlaAA=

-- there are unexpected chars that make SSSD think this is not a string.

For example:

$ echo -n 'aW5zdWx0cwAA' | base64 --decode | hexdump -C
00000000  69 6e 73 75 6c 74 73 00  00                       |insults..|

-- note '00 00' at the end.

Can you check corresponding LDAP content?

alexey-tikhonov commented 1 year ago

@pbrezina, do you think it would make sense to add a special case handling for trailing \0 at end of strings?

pbrezina commented 1 year ago

Hi, I don't think so. sudoOption is supposed to be a string so I would just say it is malformed value that should be fixed. Is the value intentional? Does it work with sudoers: ldap?

paulb-smartit commented 1 year ago

Hi, I don't think so. sudoOption is supposed to be a string so I would just say it is malformed value that should be fixed. Is the value intentional? Does it work with sudoers: ldap?

Yes, 100% with sudo-ldap. I see what you mean by the trailing nulls and have no clue where they come from. They aren't there in a direct ldap query. Actually they are! I use ldapsearch and find the same result.

Exported cn=defaults to ldif, changed entries from base64 encoded to plain text. Imported and now they don't have the nulls. Just need to clear the cache and see if that resolves the issue.

paulb-smartit commented 1 year ago

I wasn't seeing the cache get updated.

Eventually, I updated all my nssswitch.conf from ldap to sss and tried sudo and it worked!

No idea where all those nulls came from, but they were not just in the cn=defaults also in other sudoRoles. Once I fixed them all with the export import process, things started to work.

Thank you for your help in identifying the problem