A.2. Troubleshooting sudo with SSSD and sudo Debugging Logs
A.2.1. SSSD and sudo Debug Logging
The debug logging feature enables you to log additional information about SSSD and sudo.
The sudo Debug Log File

To enable sudo debugging:

1. Add the following lines to /etc/sudo.conf:

   Debug sudo /var/log/sudo_debug.log all@debug
   Debug sudoers.so /var/log/sudo_debug.log all@debug

2. Run the sudo command as the user you want to debug.

Remove the two Debug lines again when you have finished: all@debug logs every subsystem at the most verbose level for every sudo invocation on the host.
The /var/log/sudo_debug.log file is created automatically and provides detailed information to answer questions like:

- What information is available about the user and the environment when running the sudo command?

- What data sources are used to fetch sudo rules?

  sudo[22259] <- sudo_parseln @ ./fileops.c:178 := sudoers: files sss

- The SSSD plug-in starts with this line:

  sudo[22259] <- sudo_sss_open @ ./sssd.c:305 := 0

- How many rules did SSSD return?

  sudo[22259] Received 3 rule(s)

- Does a rule match or not?

  sudo[22259] sssd/ldap sudoHost 'ALL' ... MATCH!
  sudo[22259] <- user_in_group @ ./pwutil.c:1010 := false
The SSSD Debug Log Files

To enable SSSD debugging:

1. Add the debug_level option to the [sudo] and [domain/domain_name] sections of your /etc/sssd/sssd.conf file:

   [domain/domain_name]
   debug_level = 0x3ff0
   ...
   [sudo]
   debug_level = 0x3ff0

2. Restart SSSD:

   # systemctl restart sssd

3. Run the sudo command to write the debug information to the log files.
The following log files are created:

- The domain log file: /var/log/sssd/sssd_domain_name.log

  This log file helps you to answer questions like:

  - How many rules did SSSD return?

    [sdap_sudo_refresh_load_done] (0x0400): Received 4-rules rules

  - What sudo rules did SSSD download from the server?

    [sssd[be[LDAP.PB]]] [sysdb_save_sudorule] (0x0400): Adding sudo rule demo-name

  - Are the matching rules stored in the cache?

    [sdap_sudo_refresh_load_done] (0x0400): Sudoers is successfully stored in cache

  - What filter was used to download the rules from the server?

    [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=client.example.com)(sudoHost=client)(sudoHost=192.0.2.1)(sudoHost=192.0.2.0/24)(sudoHost=2620:52:0:224e:21a:4aff:fe23:1394)(sudoHost=2620:52:0:224e::/64)(sudoHost=fe80::21a:4aff:fe23:1394)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\2A*)(sudoHost=*[*]*))))][dc=example,dc=com]

    Use this filter to look up the rules in the IdM database, substituting the complete filter from the log for the "..." (the first bracketed value is the filter, the second is the search base):

    # ldapsearch -x -D "cn=Directory Manager" -W -H ldap://server.example.com -b dc=example,dc=com '(&(objectClass=sudoRole)...)'
- The sudo responder log file: /var/log/sssd/sssd_sudo.log

  This log file helps you to answer questions like:

  - How many rules did SSSD return?

    [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 4-rules rules for [user@idm.example.com]

  - What filter was applied for searching the cache of SSSD?

    [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=user)(sudoUser=#10001)(sudoUser=%group-1)(sudoUser=%user)(sudoUser=+*)))]

    The sudoUser terms are built from the user's name, UID (#10001) and group memberships (%group-1, %user); if a group you expect is missing here, the rule keyed on that group cannot match.

  - How do I look up the rules returned from the SSSD cache? Use the following filter, substituting the complete filter from the log for the "...":

    # ldbsearch -H /var/lib/sss/db/cache_domain_name.ldb -b cn=sysdb '(&(objectClass=sudoRule)...)'

    Note: The ldbsearch utility is included in the ldb-tools package.
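The following is an added example, not part of this documentation and not sudo or SSSD project code: a POSIX shell script that pulls the answers to the questions above out of /var/log/sudo_debug.log, the domain log and the sudo responder log, cross-checks them, and prints the ldapsearch and ldbsearch commands with the exact filters SSSD used in place of the "...". The log lines embedded in it are constructed samples in the formats shown above; the domain name example.com, the server server.example.com and the SSSD_DOMAIN and LDAP_SERVER variables are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation or of the sudo/SSSD
# projects: answer the troubleshooting questions from the three debug logs
# and rebuild the ldapsearch/ldbsearch lookups with the exact filters SSSD
# used. The sample log lines are constructed to match the formats shown in
# the documentation; "example.com" and "server.example.com" are assumptions.
set -eu

SSSD_DOMAIN=${SSSD_DOMAIN:-example.com}         # assumed sssd.conf domain name
LDAP_SERVER=${LDAP_SERVER:-server.example.com}  # assumed IdM/LDAP server

# --- /var/log/sudo_debug.log --------------------------------------------------
# Which sudoers data sources does sudo consult (e.g. "files sss")?
sudoers_sources()     { sed -n 's/.*:= sudoers: \(.*\)$/\1/p' "$1" | head -n 1; }
# Did the SSSD plug-in open (sudo_sss_open returned 0)?
sss_plugin_opened()   { grep -q 'sudo_sss_open @ .* := 0$' "$1"; }
# How many rules did the plug-in receive from SSSD?
sudo_rules_received() { sed -n 's/.*Received \([0-9][0-9]*\) rule(s).*/\1/p' "$1"; }
# How many sudoHost entries matched this host? (grep -c prints 0 on no match)
sudo_host_matches()   { grep -c 'sudoHost .* MATCH!' "$1" || :; }
# Result of the last group-membership test, "true" or "false".
sudo_user_in_group()  { sed -n 's/.*user_in_group @ .* := \(.*\)$/\1/p' "$1" | tail -n 1; }

# --- /var/log/sssd/sssd_<domain>.log (back end) -------------------------------
sssd_rules_downloaded() { sed -n 's/.*Received \([0-9][0-9]*\)-rules rules.*/\1/p' "$1"; }
sssd_rule_names()       { sed -n 's/.*Adding sudo rule \(.*\)$/\1/p' "$1"; }
sssd_cache_stored()     { grep -q 'Sudoers is successfully stored in cache' "$1"; }
# The log shows "calling ldap_search_ext with [FILTER][BASE]"; the filter itself
# contains "[" and "]", so anchor on the final "][BASE]" at end of line.
sssd_ldap_filter() { sed -n 's/.*calling ldap_search_ext with \[\(.*\)\]\[\([^]]*\)\]$/\1/p' "$1"; }
sssd_ldap_base()   { sed -n 's/.*calling ldap_search_ext with \[\(.*\)\]\[\([^]]*\)\]$/\2/p' "$1"; }

# --- /var/log/sssd/sssd_sudo.log (responder) ----------------------------------
responder_rules_returned() { sed -n 's/.*Returning \([0-9][0-9]*\)-rules rules for \[.*\].*/\1/p' "$1"; }
responder_user()           { sed -n 's/.*Returning [0-9]*-rules rules for \[\(.*\)\].*/\1/p' "$1"; }
responder_cache_filter()   { sed -n 's/.*Searching sysdb with \[\(.*\)\].*/\1/p' "$1"; }

# Lookup commands from the documentation with the real filters filled in.
ldap_lookup_cmd() {
  printf "ldapsearch -x -D 'cn=Directory Manager' -W -H ldap://%s -b %s '%s'\n" \
    "$LDAP_SERVER" "$(sssd_ldap_base "$1")" "$(sssd_ldap_filter "$1")"
}
ldb_lookup_cmd() {
  printf "ldbsearch -H /var/lib/sss/db/cache_%s.ldb -b cn=sysdb '%s'\n" \
    "$SSSD_DOMAIN" "$(responder_cache_filter "$1")"
}

# Summarise one sudo run across the three logs. Returns 1 when the plug-in
# never opened, the rules were not cached, or the responder and the plug-in
# disagree on the rule count: those are the places to start digging.
triage() {
  sudo_log=$1; domain_log=$2; responder_log=$3; rc=0
  printf 'sudoers sources:  %s\n' "$(sudoers_sources "$sudo_log")"
  if sss_plugin_opened "$sudo_log"; then echo 'SSSD plug-in:     opened'
  else echo 'SSSD plug-in:     NOT opened (is sss among the sudoers sources?)'; rc=1; fi
  printf 'rules on server:  %s (%s)\n' "$(sssd_rules_downloaded "$domain_log")" \
    "$(sssd_rule_names "$domain_log" | tr '\n' ' ')"
  sssd_cache_stored "$domain_log" && echo 'cache:            stored' \
    || { echo 'cache:            NOT stored'; rc=1; }
  returned=$(responder_rules_returned "$responder_log"); received=$(sudo_rules_received "$sudo_log")
  printf 'rules for %s: %s from responder, %s received by sudo\n' \
    "$(responder_user "$responder_log")" "$returned" "$received"
  [ "$returned" = "$received" ] || { echo 'MISMATCH between responder and plug-in'; rc=1; }
  printf 'host matches: %s, user_in_group: %s\n' \
    "$(sudo_host_matches "$sudo_log")" "$(sudo_user_in_group "$sudo_log")"
  echo 'Re-run the lookups with the exact filters SSSD used:'
  ldap_lookup_cmd "$domain_log"; ldb_lookup_cmd "$responder_log"
  return $rc
}

# Constructed sample logs in the documented formats, so this runs offline.
tmpdir=$(mktemp -d); trap 'rm -rf "$tmpdir"' EXIT
SAMPLE_SUDO_LOG=$tmpdir/sudo_debug.log
SAMPLE_DOMAIN_LOG=$tmpdir/sssd_$SSSD_DOMAIN.log
SAMPLE_RESPONDER_LOG=$tmpdir/sssd_sudo.log
cat >"$SAMPLE_SUDO_LOG" <<'EOF'
sudo[22259] <- sudo_parseln @ ./fileops.c:178 := sudoers: files sss
sudo[22259] <- sudo_sss_open @ ./sssd.c:305 := 0
sudo[22259] Received 3 rule(s)
sudo[22259] sssd/ldap sudoHost 'ALL' ... MATCH!
sudo[22259] <- user_in_group @ ./pwutil.c:1010 := false
EOF
cat >"$SAMPLE_DOMAIN_LOG" <<'EOF'
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=client.example.com)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\2A*)(sudoHost=*[*]*))))][dc=example,dc=com]
[sdap_sudo_refresh_load_done] (0x0400): Received 4-rules rules
[sssd[be[LDAP.PB]]] [sysdb_save_sudorule] (0x0400): Adding sudo rule demo-name
[sdap_sudo_refresh_load_done] (0x0400): Sudoers is successfully stored in cache
EOF
cat >"$SAMPLE_RESPONDER_LOG" <<'EOF'
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=user)(sudoUser=#10001)(sudoUser=%group-1)(sudoUser=%user)(sudoUser=+*)))]
[sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 3-rules rules for [user@idm.example.com]
EOF

# Pass the real log paths as the three arguments to run against a live system.
triage "${1:-$SAMPLE_SUDO_LOG}" "${2:-$SAMPLE_DOMAIN_LOG}" "${3:-$SAMPLE_RESPONDER_LOG}"
```

In the sample the host matched but user_in_group came back false, which is the pattern to look for when a rule is downloaded and cached yet sudo still denies the command: the rule's sudoUser names a group the user is not a member of on the client. The printed ldapsearch binds as cn=Directory Manager, as the documentation's command does; a less privileged bind DN that can read the sudo rules is preferable on a shared host.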