Show Table of Contents
The
A.2. Troubleshooting sudo with SSSD and sudo Debugging Logs
A.2.1. SSSD and sudo Debug Logging
The debug logging feature enables you to log additional information about SSSD and sudo.
The sudo Debug Log File
To enable sudo debugging:
- Add the following lines to
/etc/sudo.conf:Debug sudo /var/log/sudo_debug.log all@debug Debug sudoers.so /var/log/sudo_debug.log all@debug
- Run the
sudocommand as the user you want to debug.
The
/var/log/sudo_debug.log file is created automatically and provides detailed information to answer questions like:
- What information is available about the user and the environment when running the
sudocommand?sudo[22259] settings: debug_flags=all@debug sudo[22259] settings: run_shell=true sudo[22259] settings: progname=sudo sudo[22259] settings: network_addrs=192.0.2.1/255.255.255.0 fe80::250:56ff:feb9:7d6/ffff:ffff:ffff:ffff:: sudo[22259] user_info: user=user_name sudo[22259] user_info: pid=22259 sudo[22259] user_info: ppid=22172 sudo[22259] user_info: pgid=22259 sudo[22259] user_info: tcpgid=22259 sudo[22259] user_info: sid=22172 sudo[22259] user_info: uid=10000 sudo[22259] user_info: euid=0 sudo[22259] user_info: gid=554801393 sudo[22259] user_info: egid=554801393 sudo[22259] user_info: groups=498,6004,6005,7001,106501,554800513,554801107,554801108,554801393,554801503,554802131,554802244,554807670 sudo[22259] user_info: cwd=/ sudo[22259] user_info: tty=/dev/pts/1 sudo[22259] user_info: host=client sudo[22259] user_info: lines=31 sudo[22259] user_info: cols=237
- What data sources are used to fetch sudo rules?
sudo[22259] <- sudo_parseln @ ./fileops.c:178 := sudoers: files sss
- SSSD plug-in starts with this line:
sudo[22259] <- sudo_sss_open @ ./sssd.c:305 := 0
- How many rules did SSSD return?
sudo[22259] Received 3 rule(s)
- Does a rule match or not?
sudo[22259] sssd/ldap sudoHost 'ALL' ... MATCH! sudo[22259] <- user_in_group @ ./pwutil.c:1010 := false
The SSSD Debug Log Files
To enable SSSD debugging:
- Add the
debug_leveloption to the[sudo]and[domain/domain_name]sections of your/etc/sssd/sssd.conffile:[domain/domain_name] debug_level = 0x3ff0 ... [sudo] debug_level = 0x3ff0
- Restart SSSD:
# systemctl restart sssd
- Run the
sudocommand to write the debug information to the log files.
The following log files are created:
- The domain log file:
/var/log/sssd/sssd_domain_name.log - This log file helps you to answer questions like:
- How many rules did SSSD return?
[sdap_sudo_refresh_load_done] (0x0400): Received 4-rules rules
- What sudo rules did SSSD download from the server?
[sssd[be[LDAP.PB]]] [sysdb_save_sudorule] (0x0400): Adding sudo rule demo-name
- Are the matching rules stored in the cache?
[sdap_sudo_refresh_load_done] (0x0400): Sudoers is successfully stored in cache
- What filter was used to download the rules from the server?
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=client.example.com)(sudoHost=client)(sudoHost=192.0.2.1)(sudoHost=192.0.2.0/24)(sudoHost=2620:52:0:224e:21a:4aff:fe23:1394)(sudoHost=2620:52:0:224e::/64)(sudoHost=fe80::21a:4aff:fe23:1394)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\2A*)(sudoHost=*[*]*))))][dc=example,dc=com]
Use this filter to look up the rules in the IdM database:# ldapsearch -x -D "cn=Directory Manager" -W -H ldap://server.example.com -b dc=example,dc=com '(&(objectClass=sudoRole)...)'
- The sudo responder log file:
/var/log/sssd/sssd_sudo.log - This log file helps you to answer questions like:
- How many rules did SSSD return?
[sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 4-rules rules for [user@idm.example.com]
- What filter was applied for searching the cache of SSSD?
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=user)(sudoUser=#10001)(sudoUser=%group-1)(sudoUser=%user)(sudoUser=+*)))]
- How do I look up the rules returned from the SSSD cache? Use the following filter to look up the rules:
# ldbsearch -H /var/lib/sss/db/cache_domain_name.ldb -b cn=sysdb '(&(objectClass=sudoRule)...)'
Note
Theldbsearchutility is included in the ldb-tools package.
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.