A.2. Troubleshooting sudo with SSSD and sudo Debugging Logs


A.2.1. SSSD and sudo Debug Logging

The debug logging feature enables you to log additional information about SSSD and sudo.

The sudo Debug Log File

To enable sudo debugging:
  1. Add the following lines to /etc/sudo.conf:
    Debug sudo /var/log/sudo_debug.log all@debug
    Debug sudoers.so /var/log/sudo_debug.log all@debug
  2. Run the sudo command as the user you want to debug.
The /var/log/sudo_debug.log file is created automatically and provides detailed information to answer questions like:
  • What information is available about the user and the environment when running the sudo command?
    sudo[22259] settings: debug_flags=all@debug
    sudo[22259] settings: run_shell=true
    sudo[22259] settings: progname=sudo
    sudo[22259] settings: network_addrs=192.0.2.1/255.255.255.0 fe80::250:56ff:feb9:7d6/ffff:ffff:ffff:ffff::
    sudo[22259] user_info: user=user_name
    sudo[22259] user_info: pid=22259
    sudo[22259] user_info: ppid=22172
    sudo[22259] user_info: pgid=22259
    sudo[22259] user_info: tcpgid=22259
    sudo[22259] user_info: sid=22172
    sudo[22259] user_info: uid=10000
    sudo[22259] user_info: euid=0
    sudo[22259] user_info: gid=554801393
    sudo[22259] user_info: egid=554801393
    sudo[22259] user_info: groups=498,6004,6005,7001,106501,554800513,554801107,554801108,554801393,554801503,554802131,554802244,554807670
    sudo[22259] user_info: cwd=/
    sudo[22259] user_info: tty=/dev/pts/1
    sudo[22259] user_info: host=client
    sudo[22259] user_info: lines=31
    sudo[22259] user_info: cols=237
  • What data sources are used to fetch sudo rules?
    sudo[22259] <- sudo_parseln @ ./fileops.c:178 := sudoers: files sss
  • Where does the SSSD plug-in start? The plug-in is opened at this line:
    sudo[22259] <- sudo_sss_open @ ./sssd.c:305 := 0
  • How many rules did SSSD return?
    sudo[22259] Received 3 rule(s)
  • Does a rule match or not?
    sudo[22259] sssd/ldap sudoHost 'ALL' ... MATCH!
    sudo[22259] <- user_in_group @ ./pwutil.c:1010 := false

The SSSD Debug Log Files

To enable SSSD debugging:
  1. Add the debug_level option to the [sudo] and [domain/domain_name] sections of your /etc/sssd/sssd.conf file:
    [domain/domain_name]
    debug_level = 0x3ff0
    ...
    [sudo]
    debug_level = 0x3ff0
  2. Restart SSSD:
    # systemctl restart sssd
  3. Run the sudo command to write the debug information to the log files.
The following log files are created:
The domain log file: /var/log/sssd/sssd_domain_name.log
This log file helps you to answer questions like:
  • How many rules did SSSD return?
    [sdap_sudo_refresh_load_done] (0x0400): Received 4-rules rules
  • What sudo rules did SSSD download from the server?
    [sssd[be[LDAP.PB]]] [sysdb_save_sudorule] (0x0400): Adding sudo rule demo-name
  • Are the matching rules stored in the cache?
    [sdap_sudo_refresh_load_done] (0x0400): Sudoers is successfully stored in cache
  • What filter was used to download the rules from the server?
    [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=client.example.com)(sudoHost=client)(sudoHost=192.0.2.1)(sudoHost=192.0.2.0/24)(sudoHost=2620:52:0:224e:21a:4aff:fe23:1394)(sudoHost=2620:52:0:224e::/64)(sudoHost=fe80::21a:4aff:fe23:1394)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\2A*)(sudoHost=*[*]*))))][dc=example,dc=com]
    Use this filter to look up the rules in the IdM database:
    # ldapsearch -x -D "cn=Directory Manager" -W -H ldap://server.example.com -b dc=example,dc=com '(&(objectClass=sudoRole)...)'
The sudo responder log file: /var/log/sssd/sssd_sudo.log
This log file helps you to answer questions like:
  • How many rules did SSSD return?
    [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 4-rules rules for [user@idm.example.com]
  • What filter was applied for searching the cache of SSSD?
    [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=user)(sudoUser=#10001)(sudoUser=%group-1)(sudoUser=%user)(sudoUser=+*)))]
  • How do I look up the rules returned from the SSSD cache? Use the following filter to query the cache directly:
    # ldbsearch -H /var/lib/sss/db/cache_domain_name.ldb -b cn=sysdb '(&(objectClass=sudoRule)...)'

    Note: The ldbsearch utility is included in the ldb-tools package.
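The questions above are answered by a handful of recognisable lines in three different log files. The script below is an added example, not part of the Red Hat documentation nor of sudo or SSSD: it parses the relevant lines from /var/log/sudo_debug.log, the SSSD domain log and the sudo responder log, pulls out the user, the sudoers sources, the rule counts, the MATCH lines and the LDAP and sysdb filters (so they can be replayed with ldapsearch and ldbsearch), and then runs a few first-pass checks. The embedded log text is a constructed fixture assembled from the excerpts on this page (the ldap_search_ext filter is abbreviated), and the meaning that diagnose() assigns to each finding is an assumption of the example.

```python
import re

# Constructed fixtures built from the log excerpts on this page; the LDAP
# filter is abbreviated. Replace with open("/var/log/...").read() on a host.
SUDO_DEBUG_LOG = """\
sudo[22259] settings: debug_flags=all@debug
sudo[22259] user_info: user=user_name
sudo[22259] user_info: uid=10000
sudo[22259] user_info: euid=0
sudo[22259] user_info: host=client
sudo[22259] <- sudo_parseln @ ./fileops.c:178 := sudoers: files sss
sudo[22259] <- sudo_sss_open @ ./sssd.c:305 := 0
sudo[22259] Received 3 rule(s)
sudo[22259] sssd/ldap sudoHost 'ALL' ... MATCH!
sudo[22259] <- user_in_group @ ./pwutil.c:1010 := false
"""
SSSD_DOMAIN_LOG = """\
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=client.example.com)(sudoHost=*[*]*)))][dc=example,dc=com]
[sdap_sudo_refresh_load_done] (0x0400): Received 4-rules rules
[sssd[be[LDAP.PB]]] [sysdb_save_sudorule] (0x0400): Adding sudo rule demo-name
[sdap_sudo_refresh_load_done] (0x0400): Sudoers is successfully stored in cache
"""
SSSD_SUDO_LOG = """\
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=user)(sudoUser=#10001)(sudoUser=%group-1)(sudoUser=+*)))]
[sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 4-rules rules for [user@idm.example.com]
"""

KV_RE = re.compile(r"^sudo\[\d+\] (settings|user_info): (\w+)=(.*)$")
RET_RE = re.compile(r"^sudo\[\d+\] <- (\w+) @ \S+ := (.*)$")   # "<- func @ file := value"
SSSD_RE = re.compile(r"\[([^\[\]]+)\] \((0x[0-9a-fA-F]+)\): (.*)$")  # [func] (level): msg


def parse_sudo_debug(text):
    """Who ran sudo, which sudoers sources were consulted (from nsswitch),
    whether the SSSD plug-in opened, how many rules came back, which lines matched."""
    out = {"settings": {}, "user_info": {}, "sources": [], "sss_open": None,
           "rules": None, "matches": [], "user_in_group": None}
    for line in text.splitlines():
        if (m := KV_RE.match(line)):
            out[m.group(1)][m.group(2)] = m.group(3)
        elif (m := RET_RE.match(line)):
            func, ret = m.group(1), m.group(2)
            if func == "sudo_parseln" and ret.startswith("sudoers:"):
                out["sources"] = ret.split(":", 1)[1].split()
            elif func == "sudo_sss_open":
                out["sss_open"] = int(ret)
            elif func == "user_in_group":
                out["user_in_group"] = ret == "true"
        elif (m := re.search(r"Received (\d+) rule\(s\)", line)):
            out["rules"] = int(m.group(1))
        elif line.endswith("MATCH!"):
            out["matches"].append(line.split("] ", 1)[1])
    return out


def parse_sssd_log(text):
    """Rule counts, rule names saved to the cache, whether caching succeeded,
    and the LDAP / sysdb filters from an SSSD domain or sudo responder log."""
    out = {"rules": None, "saved": [], "cached": False, "ldap_filter": None,
           "ldap_base": None, "sysdb_filter": None, "for_user": None}
    for line in text.splitlines():
        m = SSSD_RE.search(line)
        if not m:
            continue
        msg = m.group(3)
        # SSSD prints "Received 4-rules rules" / "Returning 4-rules rules for [user]"
        if (c := re.search(r"(?:Received|Returning) (\d+)(?:-rules)? rules", msg)):
            out["rules"] = int(c.group(1))
            if (u := re.search(r" for \[(.+)\]$", msg)):
                out["for_user"] = u.group(1)
        elif msg.startswith("Adding sudo rule "):
            out["saved"].append(msg[len("Adding sudo rule "):])
        elif "stored in cache" in msg:
            out["cached"] = True
        elif (f := re.search(r"ldap_search_ext with \[(.+)\]\[(.+)\]$", msg)):
            out["ldap_filter"], out["ldap_base"] = f.group(1), f.group(2)  # greedy: split at last "]["
        elif (f := re.search(r"Searching sysdb with \[(.+)\]$", msg)):
            out["sysdb_filter"] = f.group(1)
    return out


def diagnose(sudo, responder):
    """First-pass checks; the interpretations are this example's assumptions."""
    problems = []
    if "sss" not in sudo["sources"]:
        problems.append("sss is not listed as a sudoers source (check /etc/nsswitch.conf)")
    if sudo["sss_open"] not in (None, 0):
        problems.append("sudo_sss_open returned %d: SSSD plug-in did not open" % sudo["sss_open"])
    if sudo["rules"] == 0:
        problems.append("SSSD returned no rules for %s" % sudo["user_info"].get("user"))
    if None not in (sudo["rules"], responder["rules"]) and sudo["rules"] != responder["rules"]:
        problems.append("sudo received %d rule(s) but the responder reports returning %d"
                        % (sudo["rules"], responder["rules"]))
    if not sudo["matches"]:
        problems.append("no rule matched (no MATCH! line)")
    return problems


if __name__ == "__main__":
    s, d, r = parse_sudo_debug(SUDO_DEBUG_LOG), parse_sssd_log(SSSD_DOMAIN_LOG), parse_sssd_log(SSSD_SUDO_LOG)
    print("sudo: user=%(user)s uid=%(uid)s euid=%(euid)s" % s["user_info"],
          "sources=%s rules=%s matches=%d" % (s["sources"], s["rules"], len(s["matches"])))
    print("domain: received=%s cached=%s base=%s saved=%s" % (d["rules"], d["cached"], d["ldap_base"], d["saved"]))
    print("responder: returned=%s for=%s" % (r["rules"], r["for_user"]))
    print("ldapsearch filter:", d["ldap_filter"])
    print("ldbsearch filter: ", r["sysdb_filter"])
    for p in diagnose(s, r):
        print("CHECK:", p)
```

With the page's excerpts as input the script reports the user and UID, the sudoers sources (files, sss), the 3 rules sudo received against the 4 the responder logged (flagged, since the two excerpts come from different runs), the one MATCH line, and both filters ready to paste into the ldapsearch and ldbsearch commands above.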
© 2025 Red Hat, Inc.