Using FreeIPA for centralized sudo - using SSSD for sudoers

I have setup FreeIPA for centralized sudo and all is working well with the exception of being able to use SSSD for sudoers.

If I have in my client /etc/nsswitch.conf the following:

sudoers: files ldap

a sudo command works as desired when the FreeIPA server is available. However, I would like to use SSSD so that in the event that the FreeIPA server were unavailable that sudo would still work.

When I have in my client /etc/nsswitch.conf the following:

sudoers: files sss

And my /etc/sssd/sssd.conf the following:

[domain/example.com]

cache_credentials = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = host3.example.com
chpass_provider = ipa
ipa_server = _srv_, ipa.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = example.com
ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com
.
.
.
[snip]

And try to run sudo I'll get:

user1 is not allowed to run sudo on host3. This incident will be reported.

This is a different error than:

user1 is not in the sudoers file. This incident will be reported.

which leads me to believe that SSSD has actually retrieved something from FreeIPA but that what it got is wrong somehow. My one and only sudorule on the FreeIPA server is:

[root@ipa ~]# ipa sudorule-find
-------------------
1 Sudo Rule matched
-------------------
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  User Groups: admins
----------------------------
Number of entries returned 1
----------------------------

and the user that I'm issuing sudo with is in the admins group (again it works when ldap is specified in the nsswitch.conf).

What am I missing?

UPDATE 1:

Believe my sssd.conf was incorrect, have updated to include:

sudo_provider = ldap
ldap_uri = ldap://ipa.example.com
ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/host3.example.com
ldap_sasl_realm = EXAMPLE.COM
krb5_server = ipa.example.com
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = example.com
.
.
.
[snip]

Get the same message though, i.e.:

user1 is not allowed to run sudo on host3. This incident will be reported.

UPDATE 2:

I turned on debug for SSSD, i.e. edited /etc/sssd/sssd.conf and added:

debug_level = 5

I then inspected the /var/log/sssd/sssd_example.com.log. In here I noticed that SSSD doesn't like CAPITALS in a value for ldap_sudo_search_base, i.e. when I had

ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com

I noticed in the log that there wasn't an entry for ldap_sudo_search_base at all. When I changed to lowercase ou=sudoers I then saw the entry in the log, e.g.:

(Thu Dec 12 18:58:31 2013) [sssd[be[example.com]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][ou=sudoers,dc=example,dc=com][SUBTREE][]

I still get the same user1 is not allowed to run sudo on host3. so it still remains unresolved.

UPDATE 3

(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'user1' matched without domain, user is user1
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'user1' matched without domain, user is user1
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [user1] from [<ALL>]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [[email protected]]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [[email protected]]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [user1] from [example.com]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=user1)(sudoUser=#1219400005)(sudoUser=%apache)(sudoUser=%superadmins)(sudoUser=%user1)(sudoUser=+*))(&(dataExpireTimestamp<=1387476127)))]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@example.com]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'user1' matched without domain, user is user1
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'user1' matched without domain, user is user1
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [user1] from [<ALL>]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [[email protected]]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [[email protected]]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [user1] from [example.com]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=user1)(sudoUser=#1219400005)(sudoUser=%apache)(sudoUser=%superadmins)(sudoUser=%user1)(sudoUser=+*))(&(dataExpireTimestamp<=1387476127)))]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=user1)(sudoUser=#1219400005)(sudoUser=%apache)(sudoUser=%superadmins)(sudoUser=%user1)(sudoUser=+*)))]
(Thu Dec 19 18:02:07 2013) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [[email protected]]
(Thu Dec 19 18:02:11 2013) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Thu Dec 19 18:02:11 2013) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x2095c60][18]

Thanks for your reply but I've seen that post.

From your question I don't see what platform you are working with. Fedora 19 has unsolved bug in sudo package that prevents SSSD sudo integration working, RHEL 6 has this bug fixed.

I am using CentOS/RHEL 6.5.

I've updated my answer with the example output. One thing you need to make sure is set is nisdomainname -- this is sudo's requirement due to the way it handles netgroups.

Yes, nisdomainname is set. Again it all works if I am using "sudoers: files ldap" in /etc/nsswitch.conf

with sudoers: files ldap you are using completely different backend. Can you enable debug_level=9 in [sudo] section of sssd.conf and add debug sudo /var/log/sudo-debug all@debug to /etc/sudo.conf? These two will generate enough debug information to find out what exactly fails.

I've added UPDATE 3 with the sssd_sudo.log output at debug_level = 8 (cuts out some noise). The sudo-debug.log produced 1500 lines of output, can you narrow it down to what to look for? Anyway, it looks like SSSD can't find any rules (i.e. my All rule). But why?

It is working now. I was messing around a lot with different switches to ipa-client-install (after doing an uninstall) and got my sssd.conf mixed up with another host I was also testing on. I think - but can't say for sure - that when I first reported this it was using the correct ldap_sasl_authid host but perhaps it wasn't. Anyway, I learned a lot in debugging this, thanks for your help.

great. For others, Fedora 19 will need this update to sudo to have it working: sudo-1.8.6p7-2.fc19