A.2. Troubleshooting sudo with SSSD and sudo Debugging Logs

A.2.1. SSSD and sudo Debug Logging

Debug logging records additional detail about how sudo and SSSD look up and evaluate sudo rules, so that you can see at which stage a lookup stops: reading the rule sources, fetching rules from the server, caching them, or matching them against the user.

The sudo Debug Log File

To enable sudo debugging:
  1. Add the following lines to /etc/sudo.conf:
    Debug sudo /var/log/sudo_debug.log all@debug
    Debug sudoers.so /var/log/sudo_debug.log all@debug
  2. Run the sudo command as the user you want to debug.
The /var/log/sudo_debug.log file is created automatically and provides detailed information to answer questions like:
  • What information is available about the user and the environment when running the sudo command?
    sudo[22259] settings: debug_flags=all@debug
    sudo[22259] settings: run_shell=true
    sudo[22259] settings: progname=sudo
    sudo[22259] settings: network_addrs=192.0.2.1/255.255.255.0 fe80::250:56ff:feb9:7d6/ffff:ffff:ffff:ffff::
    sudo[22259] user_info: user=user_name
    sudo[22259] user_info: pid=22259
    sudo[22259] user_info: ppid=22172
    sudo[22259] user_info: pgid=22259
    sudo[22259] user_info: tcpgid=22259
    sudo[22259] user_info: sid=22172
    sudo[22259] user_info: uid=10000
    sudo[22259] user_info: euid=0
    sudo[22259] user_info: gid=554801393
    sudo[22259] user_info: egid=554801393
    sudo[22259] user_info: groups=498,6004,6005,7001,106501,554800513,554801107,554801108,554801393,554801503,554802131,554802244,554807670
    sudo[22259] user_info: cwd=/
    sudo[22259] user_info: tty=/dev/pts/1
    sudo[22259] user_info: host=client
    sudo[22259] user_info: lines=31
    sudo[22259] user_info: cols=237
  • What data sources are used to fetch sudo rules?
    sudo[22259] <- sudo_parseln @ ./fileops.c:178 := sudoers: files sss
  • Where does the sss plug-in start? The plug-in is opened with this line:
    sudo[22259] <- sudo_sss_open @ ./sssd.c:305 := 0
  • How many rules did SSSD return?
    sudo[22259] Received 3 rule(s)
  • Does a rule match or not?
    sudo[22259] sssd/ldap sudoHost 'ALL' ... MATCH!
    sudo[22259] <- user_in_group @ ./pwutil.c:1010 := false

The SSSD Debug Log Files

To enable SSSD debugging:
  1. Add the debug_level option to the [sudo] and [domain/domain_name] sections of your /etc/sssd/sssd.conf file:
    [domain/domain_name]
    debug_level = 0x3ff0
    ...
    [sudo]
    debug_level = 0x3ff0
  2. Restart SSSD:
    # systemctl restart sssd
  3. Run the sudo command to write the debug information to the log files.
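The two procedures above, the sudo.conf Debug lines and the sssd.conf debug_level settings, as an added POSIX shell example that is not part of the Red Hat documentation. The Debug lines and the 0x3ff0 value are the ones given above; the function names, the file-path parameters (so the functions can be tried on copies before touching /etc) and the `disable_sudo_debug` helper are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): enable the sudo and SSSD debug
# logging described above, idempotently, on a given file.

# Append the two Debug lines from sudo.conf(5) unless the exact line is present.
enable_sudo_debug() {
    conf=$1
    log=${2:-/var/log/sudo_debug.log}
    for subsystem in sudo sudoers.so; do
        line="Debug $subsystem $log all@debug"
        grep -qxF -- "$line" "$conf" 2>/dev/null || printf '%s\n' "$line" >> "$conf"
    done
}

# Remove those lines again once the problem is understood: all@debug output
# includes the user's groups, addresses and working environment.
disable_sudo_debug() {
    conf=$1
    tmp=$(mktemp)
    grep -v '^Debug .* all@debug$' "$conf" > "$tmp" || :
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Set debug_level in [sudo] and [domain/<name>]: an existing debug_level in
# those sections is replaced, and a [sudo] section is appended if none exists.
# Section headers are matched exactly, starting at column 0. The file is
# overwritten in place (cat > file) rather than renamed, so the root-only
# ownership and mode that SSSD requires on sssd.conf are preserved.
enable_sssd_debug() {
    conf=$1
    domain=$2
    level=${3:-0x3ff0}
    tmp=$(mktemp)
    awk -v dom="[domain/$domain]" -v lvl="$level" '
        /^\[/ {
            target = ($0 == dom || $0 == "[sudo]")
            if ($0 == "[sudo]") saw_sudo = 1
            print
            if (target) print "debug_level = " lvl
            next
        }
        target && /^[ \t]*debug_level[ \t]*=/ { next }   # drop the old value
        { print }
        END {
            if (!saw_sudo) { print ""; print "[sudo]"; print "debug_level = " lvl }
        }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
}
```

As root, run `enable_sudo_debug /etc/sudo.conf` and `enable_sssd_debug /etc/sssd/sssd.conf domain_name`, then `systemctl restart sssd` as in step 2 and reproduce the sudo call. Both functions can be run repeatedly without duplicating lines. When the investigation is over, run `disable_sudo_debug /etc/sudo.conf` and lower debug_level again: the all@debug log and a 0x3ff0 SSSD log are verbose and record details about users and hosts that do not belong in a long-term log.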
The following log files are created:
The domain log file: /var/log/sssd/sssd_domain_name.log
This log file helps you to answer questions like:
  • How many rules did SSSD return?
    [sdap_sudo_refresh_load_done] (0x0400): Received 4 rules
  • What sudo rules did SSSD download from the server?
    [sssd[be[LDAP.PB]]] [sysdb_save_sudorule] (0x0400): Adding sudo rule demo-name
  • Are the matching rules stored in the cache?
    [sdap_sudo_refresh_load_done] (0x0400): Sudoers is successfully stored in cache
  • What filter was used to download the rules from the server?
    [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=client.example.com)(sudoHost=client)(sudoHost=192.0.2.1)(sudoHost=192.0.2.0/24)(sudoHost=2620:52:0:224e:21a:4aff:fe23:1394)(sudoHost=2620:52:0:224e::/64)(sudoHost=fe80::21a:4aff:fe23:1394)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\2A*)(sudoHost=*[*]*))))][dc=example,dc=com]
    Use the same filter (abbreviated as ... below; copy the full filter from the log line) to look up the rules directly in the IdM database and compare with what SSSD received:
    # ldapsearch -x -D "cn=Directory Manager" -W -H ldap://server.example.com -b dc=example,dc=com '(&(objectClass=sudoRole)...)'
The sudo responder log file: /var/log/sssd/sssd_sudo.log
This log file helps you to answer questions like:
  • How many rules did SSSD return?
    [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 4 rules for [user@idm.example.com]
  • What filter was applied for searching the cache of SSSD?
    [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=user)(sudoUser=#10001)(sudoUser=%group-1)(sudoUser=%user)(sudoUser=+*)))]
  • How do I look up the rules returned from the SSSD cache? Run the filter from the log line (abbreviated as ... below) against the on-disk cache:
    # ldbsearch -H /var/lib/sss/db/cache_domain_name.ldb -b cn=sysdb '(&(objectClass=sudoRule)...)'

    Note

    The ldbsearch utility is included in the ldb-tools package.
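The questions listed for the three log files above can be answered mechanically. The following added example, which is not part of the Red Hat documentation, extracts the answers from each log and walks the stages in order (rule sources, LDAP fetch, cache storage, cache lookup, delivery to sudo, match) to print the first stage that failed. The sample log lines are constructed for this example from the excerpts above, with the LDAP and cache filters shortened; the function names and verdict strings are the script's own.

```shell
#!/bin/sh
# Added example: summarise the sudo and SSSD debug logs described above and
# report at which stage a sudo rule lookup stopped. Verdict strings are ours.

# Constructed sample logs, trimmed to the lines the page discusses.
sample_sudo_log() {
cat <<'EOF'
sudo[22259] settings: debug_flags=all@debug
sudo[22259] user_info: user=user_name
sudo[22259] user_info: uid=10000
sudo[22259] <- sudo_parseln @ ./fileops.c:178 := sudoers: files sss
sudo[22259] <- sudo_sss_open @ ./sssd.c:305 := 0
sudo[22259] Received 3 rule(s)
sudo[22259] sssd/ldap sudoHost 'ALL' ... MATCH!
sudo[22259] <- user_in_group @ ./pwutil.c:1010 := false
EOF
}
sample_domain_log() {
cat <<'EOF'
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=sudoRole)(|(sudoHost=ALL)(sudoHost=client.example.com)))][dc=example,dc=com]
[sdap_sudo_refresh_load_done] (0x0400): Received 4 rules
[sssd[be[example.com]]] [sysdb_save_sudorule] (0x0400): Adding sudo rule demo-name
[sdap_sudo_refresh_load_done] (0x0400): Sudoers is successfully stored in cache
EOF
}
sample_sudo_responder_log() {
cat <<'EOF'
[sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=user)(sudoUser=#10001)(sudoUser=%group-1)(sudoUser=+*)))]
[sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 4 rules for [user@idm.example.com]
EOF
}

# /var/log/sudo_debug.log: the "sudoers:" sources sudo read from /etc/nsswitch.conf.
sudoers_sources() { sed -n 's/.*sudo_parseln.*:= sudoers: *//p' "$1" | tail -n 1; }
# /var/log/sudo_debug.log: rules the sss plug-in handed to sudo (0 when none).
sudo_rules_received() { n=$(sed -n 's/.*Received \([0-9][0-9]*\) rule(s).*/\1/p' "$1" | tail -n 1); echo "${n:-0}"; }
# /var/log/sudo_debug.log: exit 0 if any rule matched the user and host.
sudo_rule_matched() { grep -q 'MATCH!' "$1"; }
# Domain log: rules the last LDAP refresh returned, the filter it used, and
# whether the result was written to the cache.
sssd_rules_from_ldap() { n=$(sed -n 's/.*\[sdap_sudo_refresh_load_done\].*Received \([0-9][0-9]*\) rules.*/\1/p' "$1" | tail -n 1); echo "${n:-0}"; }
sssd_ldap_filter() { sed -n 's/.*calling ldap_search_ext with \[\(.*\)\]\[.*/\1/p' "$1" | tail -n 1; }
sssd_rules_cached() { grep -q 'Sudoers is successfully stored in cache' "$1"; }
# Responder log: rules returned from the cache to the sudo client.
sssd_rules_from_cache() { n=$(sed -n 's/.*\[sudosrv_get_sudorules_from_cache\].*Returning \([0-9][0-9]*\) rules for.*/\1/p' "$1" | tail -n 1); echo "${n:-0}"; }

# Walk the stages in order and print the first one that failed, or "match".
sudo_sssd_diagnose() {
    sudo_log=$1 domain_log=$2 responder_log=$3
    case " $(sudoers_sources "$sudo_log") " in
        *" sss "*) ;;
        *) echo "sss-not-in-nsswitch-sudoers"; return ;;
    esac
    if [ "$(sssd_rules_from_ldap "$domain_log")" -eq 0 ]; then
        echo "no-rules-from-ldap: check sudoHost values against filter $(sssd_ldap_filter "$domain_log")"
        return
    fi
    sssd_rules_cached "$domain_log" || { echo "rules-not-stored-in-cache"; return; }
    [ "$(sssd_rules_from_cache "$responder_log")" -gt 0 ] || { echo "no-rules-from-cache: check sudoUser values"; return; }
    [ "$(sudo_rules_received "$sudo_log")" -gt 0 ] || { echo "no-rules-reached-sudo"; return; }
    sudo_rule_matched "$sudo_log" && echo "match" || echo "rules-received-no-match"
}
```

Point the functions at the real files (/var/log/sudo_debug.log, /var/log/sssd/sssd_domain_name.log and /var/log/sssd/sssd_sudo.log) after reproducing the sudo call; each log is consulted only for the questions the page lists for it, and the verdict tells you whether to look at nsswitch.conf, the sudoHost filter on the server, the cache, or the rule matching in sudo itself.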
© 2024 Red Hat, Inc.