Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

A.2. Troubleshooting sudo with SSSD and sudo Debugging Logs

A.2.1. SSSD and sudo Debug Logging
Copia collegamento

The debug logging feature enables you to log additional information about SSSD and sudo.

The sudo Debug Log File

To enable sudo debugging:
  1. Add the following lines to /etc/sudo.conf: 
    Debug sudo /var/log/sudo_debug.log all@debug
Debug sudoers.so /var/log/sudo_debug.log all@debug
    Copy to Clipboard Toggle word wrap
  2. Run the sudo command as the user you want to debug.
The /var/log/sudo_debug.log file is created automatically and provides detailed information to answer questions like:
  • What information is available about the user and the environment when running the sudo command? 
    sudo[22259] settings: debug_flags=all@debug
sudo[22259] settings: run_shell=true
sudo[22259] settings: progname=sudo
sudo[22259] settings: network_addrs=192.0.2.1/255.255.255.0 fe80::250:56ff:feb9:7d6/ffff:ffff:ffff:ffff::
sudo[22259] user_info: user=user_name
sudo[22259] user_info: pid=22259
sudo[22259] user_info: ppid=22172
sudo[22259] user_info: pgid=22259
sudo[22259] user_info: tcpgid=22259
sudo[22259] user_info: sid=22172
sudo[22259] user_info: uid=10000
sudo[22259] user_info: euid=0
sudo[22259] user_info: gid=554801393
sudo[22259] user_info: egid=554801393
sudo[22259] user_info: groups=498,6004,6005,7001,106501,554800513,554801107,554801108,554801393,554801503,554802131,554802244,554807670
sudo[22259] user_info: cwd=/
sudo[22259] user_info: tty=/dev/pts/1
sudo[22259] user_info: host=client
sudo[22259] user_info: lines=31
sudo[22259] user_info: cols=237
    Copy to Clipboard Toggle word wrap
  • What data sources are used to fetch sudo rules? 
    sudo[22259] <- sudo_parseln @ ./fileops.c:178 := sudoers: files sss
    Copy to Clipboard Toggle word wrap
  • SSSD plug-in starts with this line: 
    sudo[22259] <- sudo_sss_open @ ./sssd.c:305 := 0
    Copy to Clipboard Toggle word wrap
  • How many rules did SSSD return? 
    sudo[22259] Received 3 rule(s)
    Copy to Clipboard Toggle word wrap
  • Does a rule match or not? 
    sudo[22259] sssd/ldap sudoHost 'ALL' ... MATCH!
sudo[22259] <- user_in_group @ ./pwutil.c:1010 := false
    Copy to Clipboard Toggle word wrap

The SSSD Debug Log Files

To enable SSSD debugging:
  1. Add the debug_level option to the [sudo] and [domain/domain_name] sections of your /etc/sssd/sssd.conf file: 
    [domain/domain_name]
debug_level = 0x3ff0
...
[sudo]
debug_level = 0x3ff0
    Copy to Clipboard Toggle word wrap
  2. Restart SSSD: 
    # systemctl restart sssd
    Copy to Clipboard Toggle word wrap
  3. Run the sudo command to write the debug information to the log files.
The following log files are created:
The domain log file: /var/log/sssd/sssd_domain_name.log
This log file helps you to answer questions like:
  • How many rules did SSSD return? 
    [sdap_sudo_refresh_load_done] (0x0400): Received 4-rules rules
    Copy to Clipboard Toggle word wrap
  • What sudo rules did SSSD download from the server? 
    [sssd[be[LDAP.PB]]] [sysdb_save_sudorule] (0x0400): Adding sudo rule demo-name
    Copy to Clipboard Toggle word wrap
  • Are the matching rules stored in the cache? 
    [sdap_sudo_refresh_load_done] (0x0400): Sudoers is successfully stored in cache
    Copy to Clipboard Toggle word wrap
  • What filter was used to download the rules from the server? 
    [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=client.example.com)(sudoHost=client)(sudoHost=192.0.2.1)(sudoHost=192.0.2.0/24)(sudoHost=2620:52:0:224e:21a:4aff:fe23:1394)(sudoHost=2620:52:0:224e::/64)(sudoHost=fe80::21a:4aff:fe23:1394)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\2A*)(sudoHost=*[*]*))))][dc=example,dc=com]
    Copy to Clipboard Toggle word wrap
    Use this filter to look up the rules in the IdM database: 
    # ldapsearch -x -D "cn=Directory Manager" -W -H ldap://server.example.com -b dc=example,dc=com '(&(objectClass=sudoRole)...)'
    Copy to Clipboard Toggle word wrap
The sudo responder log file: /var/log/sssd/sssd_sudo.log
This log file helps you to answer questions like:
  • How many rules did SSSD return? 
    [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 4-rules rules for [user@idm.example.com]
    Copy to Clipboard Toggle word wrap
  • What filter was applied for searching the cache of SSSD? 
    [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=user)(sudoUser=#10001)(sudoUser=%group-1)(sudoUser=%user)(sudoUser=+*)))]
    Copy to Clipboard Toggle word wrap
  • How do I look up the rules returned from the SSSD cache? Use the following filter to look up the rules: 
    # ldbsearch -H /var/lib/sss/db/cache_domain_name.ldb -b cn=sysdb '(&(objectClass=sudoRule)...)'
    Copy to Clipboard Toggle word wrap

    Note

    The ldbsearch utility is included in the ldb-tools package.
Torna in cima
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2025 Red Hat