sudo_provider = none doesn't disable all sudo related requests #7624

Open
BlackLotus opened this issue Sep 27, 2024 · 0 comments
We set sudo_provider = none in our sssd.conf, but there are still requests being made after all.
Here is an example after a sudo -i:

(2024-09-27 12:41:03): [be[default]] [sdap_get_generic_ext_step] (0x0400): [RID#3] calling ldap_search_ext with [(objectclass=*)][].
(2024-09-27 12:41:03): [be[default]] [sdap_get_generic_ext_step] (0x2000): [RID#3] ldap_search_ext called, msgid = 1
(2024-09-27 12:41:03): [be[default]] [sdap_get_generic_ext_step] (0x0400): [RID#3] calling ldap_search_ext with [(&(uidNumber=27399)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][ou=users,dc=example,dc=de].
(2024-09-27 12:41:03): [be[default]] [sdap_get_generic_ext_step] (0x2000): [RID#3] ldap_search_ext called, msgid = 3
(2024-09-27 12:41:05): [be[default]] [sdap_get_generic_ext_step] (0x0400): [RID#4] calling ldap_search_ext with [(&(uid=pam_usertype_non_existent:)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][ou=users,dc=example,dc=de].
(2024-09-27 12:41:05): [be[default]] [sdap_get_generic_ext_step] (0x2000): [RID#4] ldap_search_ext called, msgid = 4
(2024-09-27 12:41:05): [be[default]] [sdap_get_generic_ext_step] (0x0400): [RID#5] calling ldap_search_ext with [(&(uid=foobar)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][ou=users,dc=example,dc=de].
(2024-09-27 12:41:05): [be[default]] [sdap_get_generic_ext_step] (0x2000): [RID#5] ldap_search_ext called, msgid = 5
(2024-09-27 12:41:05): [be[default]] [sdap_get_generic_ext_step] (0x0400): [RID#5] calling ldap_search_ext with [(&(memberuid=foobar)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][ou=users,dc=example,dc=de].
(2024-09-27 12:41:05): [be[default]] [sdap_get_generic_ext_step] (0x2000): [RID#5] ldap_search_ext called, msgid = 6
(2024-09-27 12:41:05): [be[default]] [sdap_get_generic_ext_step] (0x0400): [RID#5] calling ldap_search_ext with [(&(gidNumber=15300)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][ou=users,dc=example,dc=de].
(2024-09-27 12:41:05): [be[default]] [sdap_get_generic_ext_step] (0x2000): [RID#5] ldap_search_ext called, msgid = 7
(2024-09-27 12:41:26): [be[default]] [sdap_get_generic_ext_step] (0x0400): [RID#7] calling ldap_search_ext with [(&(uid=admin)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][ou=users,dc=example,dc=de].
(2024-09-27 12:41:26): [be[default]] [sdap_get_generic_ext_step] (0x2000): [RID#7] ldap_search_ext called, msgid = 8
(2024-09-27 12:42:27): [be[default]] [sdap_get_generic_ext_step] (0x0400): [RID#8] calling ldap_search_ext with [(objectclass=*)][].
(2024-09-27 12:42:27): [be[default]] [sdap_get_generic_ext_step] (0x2000): [RID#8] ldap_search_ext called, msgid = 1
(2024-09-27 12:42:27): [be[default]] [sdap_get_generic_ext_step] (0x0400): [RID#9] calling ldap_search_ext with [(&(uid=pam_usertype_non_existent:)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][ou=users,dc=example,dc=de].
(2024-09-27 12:42:27): [be[default]] [sdap_get_generic_ext_step] (0x2000): [RID#9] ldap_search_ext called, msgid = 9
(2024-09-27 12:42:32): [be[default]] [sdap_get_generic_ext_step] (0x0400): [RID#12] calling ldap_search_ext with [(objectclass=*)][].
(2024-09-27 12:42:32): [be[default]] [sdap_get_generic_ext_step] (0x2000): [RID#12] ldap_search_ext called, msgid = 1

Note: I didn't check if the requests are actually made since I don't have administrative access to the ldap host and am going 100% off of the logs.

Here is the config of the host

[sssd]
config_file_version = 2
services = nss, pam
domains = default

[domain/default]
cache_credentials = true
debug_level = 9
enumerate = false

id_provider = ldap
auth_provider = ldap
host_provider = none
sudo_provider = none
ldap_page_size = 500

ldap_uri = ldaps://openldap.example.de
ldap_search_base = ou=users,dc=example,dc=de
ldap_default_bind_dn = cn=hpc-bind,ou=security,dc=example,dc=de
ldap_default_authtok_type = password
ldap_default_authtok = supersecretpassword

override_shell = /bin/bash
override_gid = 100000

I hope I'm not overlooking something obvious.
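
One way to triage a log excerpt like the one in this issue, as an added example (not part of the original post and not SSSD's own code): parse each `calling ldap_search_ext` line and bucket the search by the object class named in its filter. The `sudoRole` match assumes the default sudo rule object class, the function names are hypothetical, and the last sample line is constructed for illustration.

```python
import re
from collections import Counter

# Matches the "calling ldap_search_ext with [filter][base]." lines from the backend log.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[be\[(?P<domain>[^\]]+)\]\] \[sdap_get_generic_ext_step\] "
    r"\(0x[0-9a-f]+\): \[RID#(?P<rid>\d+)\] calling ldap_search_ext with "
    r"\[(?P<filter>.*)\]\[(?P<base>[^\]]*)\]\.$"
)

# First three lines are copied from the issue; the RID#99 line is CONSTRUCTED.
SAMPLE = """
(2024-09-27 12:41:03): [be[default]] [sdap_get_generic_ext_step] (0x0400): [RID#3] calling ldap_search_ext with [(objectclass=*)][].
(2024-09-27 12:41:03): [be[default]] [sdap_get_generic_ext_step] (0x2000): [RID#3] ldap_search_ext called, msgid = 1
(2024-09-27 12:41:05): [be[default]] [sdap_get_generic_ext_step] (0x0400): [RID#5] calling ldap_search_ext with [(&(uid=foobar)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][ou=users,dc=example,dc=de].
(2024-09-27 12:41:05): [be[default]] [sdap_get_generic_ext_step] (0x0400): [RID#5] calling ldap_search_ext with [(&(memberuid=foobar)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][ou=users,dc=example,dc=de].
(2024-09-27 12:41:06): [be[default]] [sdap_get_generic_ext_step] (0x0400): [RID#99] calling ldap_search_ext with [(&(objectClass=sudoRole)(sudoUser=foobar))][ou=sudoers,dc=example,dc=de].
"""

def classify(ldap_filter, base):
    """Bucket a search by the object class in its filter (case-insensitive)."""
    f = ldap_filter.lower()
    if base == "" and f == "(objectclass=*)":
        return "rootdse"          # empty base + match-all filter
    if "(objectclass=sudorole)" in f:
        return "sudo"             # assumption: default sudo rule object class
    if "(objectclass=posixaccount)" in f:
        return "user"
    if "(objectclass=posixgroup)" in f:
        return "group"
    return "other"

def parse_searches(text):
    """Return one dict per search request; 'ldap_search_ext called' lines are skipped."""
    searches = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["rid"] = int(rec["rid"])
            rec["category"] = classify(rec["filter"], rec["base"])
            searches.append(rec)
    return searches

def summarize(searches):
    """Count searches per category."""
    return Counter(s["category"] for s in searches)

if __name__ == "__main__":
    for s in parse_searches(SAMPLE):
        print(f"RID#{s['rid']:<3} {s['category']:<8} base={s['base'] or '<empty>'}")
    print(dict(summarize(parse_searches(SAMPLE))))
```

Feeding the full domain log through `parse_searches` gives a per-RID view of which searches are user, group, rootDSE or sudo rule lookups.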
