
Users can login to a server with their LDAP credentials, but running commands with sudo fails on Oracle Linux 7 with SSSD (Doc ID 2505124.1)

Last updated on JUNE 02, 2020

Applies to:

Linux OS - Version Oracle Linux 4.4 and later
Linux x86-64

Symptoms

Users on a server running Oracle Linux 7 (OL 7) that uses LDAP and sssd for authentication can log in to the server, but they cannot elevate privileges with sudo: every command run under sudo fails.

The server has been configured with sudo rules defined locally in /etc/sudoers, not on the LDAP server. The customer has successfully configured Solaris clients to authenticate users against the same LDAP server while using local sudo rules on the Solaris client, which points to an issue with the configuration on the OL 7 system.

The customer had followed the documentation below on configuring LDAP and sssd on Oracle Linux 7, but this did not resolve the issue.

Enabling the LDAP client on Oracle Linux 7: https://docs.oracle.com/cd/E52668_01/E54669/html/ol7-enblcli-ldap.html
Configuring LDAP with sssd on Oracle Linux 7: https://docs.oracle.com/cd/E52668_01/E54669/html/ol7-sssd-ldap.html

The customer also checked and configured sssd to provide the nss, pam and sudo services, and configured nsswitch.conf, as in the examples below:

Example /etc/sssd/sssd.conf:

[sssd]
services = nss,pam,sudo

[sudo]

[domain/LDAP]
id_provider = ldap
sudo_provider = ldap
# add the LDAP server (domain name) here
ldap_uri = ldap://<DOMAINNAME>
# add the search base under which the LDAP server holds the sudo rules
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com

Example /etc/nsswitch.conf:

# check local files first, then sssd, for sudo rules
sudoers: files sss

Note: sssd needs to be restarted for the above to take effect on the system.
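The following checker is an added example, not part of this document or of the sssd project, and reproduces the checks an administrator would run against the two files above before restarting sssd: that the [sssd] services list includes sudo, that a [sudo] responder section and a [domain/...] section exist, that the domain sets the four keys the document's example uses, and that no value carries a trailing comment (sssd treats only whole lines beginning with # or ; as comments, so a trailing comment becomes part of the value). For nsswitch.conf it verifies that the sudoers database lists sss; glibc does cut nsswitch.conf lines at #, so a trailing comment is harmless there. The config snippets are constructed for the example, and ldap.example.com is a stand-in for the document's <DOMAINNAME> placeholder.

```python
import configparser

# Constructed sssd.conf snippets modelled on the document's example.
# The first keeps trailing comments on value lines on purpose so the checker
# can flag them: sssd reads the whole remainder of the line as the value.
SSSD_CONF_AS_SHOWN = """\
[sssd]
services = nss,pam,sudo
[sudo]
[domain/LDAP]
id_provider = ldap
sudo_provider = ldap
ldap_uri = ldap://ldap.example.com  #add the ldap domain name here
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com  #add the ldap search details
"""

SSSD_CONF_CLEAN = """\
[sssd]
services = nss,pam,sudo
[sudo]
[domain/LDAP]
id_provider = ldap
sudo_provider = ldap
# the LDAP server to use
ldap_uri = ldap://ldap.example.com
# where the sudo rules live in the directory
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
"""

# Constructed nsswitch.conf snippets.
NSSWITCH_OK = "passwd:  files sss\nsudoers: files sss   #local files first, then sssd\n"
NSSWITCH_NO_SSS = "passwd:  files sss\nsudoers: files\n"

# Keys the document's [domain/LDAP] example sets.
DOMAIN_KEYS = ("id_provider", "sudo_provider", "ldap_uri", "ldap_sudo_search_base")


def check_sssd_conf(text):
    """Return a list of findings; an empty list means the snippet matches the setup described."""
    # Default configparser keeps '#...' inside a value, which mirrors sssd's behaviour.
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string(text)
    findings = []

    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    for svc in ("nss", "pam", "sudo"):
        if svc not in services:
            findings.append(f"[sssd] services does not list '{svc}'")

    if not cp.has_section("sudo"):
        findings.append("no [sudo] responder section")

    domains = [s for s in cp.sections() if s.startswith("domain/")]
    if not domains:
        findings.append("no [domain/...] section")

    for dom in domains:
        for key in DOMAIN_KEYS:
            val = cp.get(dom, key, fallback=None)
            if val is None:
                findings.append(f"[{dom}] {key} is not set")
            elif "#" in val or ";" in val:
                findings.append(f"[{dom}] {key} has a trailing comment in its value: {val!r}")
    return findings


def check_nsswitch(text):
    """Check that the sudoers database consults sss. glibc cuts each line at '#'."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, sources = line.partition(":")
        if db.strip() == "sudoers":
            if "sss" in sources.split():
                return []
            return ["sudoers line does not list 'sss'"]
    return ["no sudoers line in nsswitch.conf"]


if __name__ == "__main__":
    for name, text in (("as shown", SSSD_CONF_AS_SHOWN), ("clean", SSSD_CONF_CLEAN)):
        print(f"sssd.conf ({name}):", check_sssd_conf(text) or "OK")
    for name, text in (("ok", NSSWITCH_OK), ("no sss", NSSWITCH_NO_SSS)):
        print(f"nsswitch.conf ({name}):", check_nsswitch(text) or "OK")
```

Run it against the real files with `check_sssd_conf(open("/etc/sssd/sssd.conf").read())`; the trailing-comment finding is the one most often missed, because the file still parses and sssd simply tries to reach a server whose name ends in the comment text.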

When an LDAP user tries to run commands with sudo on the system, errors of the following kinds are logged to /var/log/messages and sssd_pam.log as the sudo command fails:

=== messages log ===

Nov 19 09:53:10 <HOSTNAME> sssd[sudo][20062]: Starting up
Nov 19 09:53:10 <HOSTNAME> sssd[pam][20060]: Starting up
Nov 19 09:53:10 <HOSTNAME> sssd[be[default]][20058]: Could not start TLS encryption. error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Nov 19 09:54:31 <HOSTNAME> sssd[be[default]][20058]: Could not start TLS encryption. error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Nov 19 09:54:31 <HOSTNAME> sssd[be[default]][20058]: Backend is offline
Nov 19 09:55:59 <HOSTNAME> sssd[be[default]][20058]: Could not start TLS encryption. error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Nov 19 09:58:24 <HOSTNAME> sssd[be[default]][20058]: Could not start TLS encryption. error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Nov 19 10:02:35 <HOSTNAME> sssd[be[default]][20058]: Could not start TLS encryption. error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
and:

=== sssd_pam.log ===
(Mon Nov 19 09:55:01 2018) [sssd[pam]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Mon Nov 19 09:55:01 2018) [sssd[pam]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Mon Nov 19 09:58:01 2018) [sssd[pam]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Mon Nov 19 09:58:02 2018) [sssd[pam]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]

The id command also fails to resolve the LDAP user, e.g.:

[root@<HOSTNAME>]# id <USERNAME>
id: <USERNAME>: no such user
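The two logs and the failing id command above are the evidence an administrator has to work from. The script below is an added triage example, not part of this document; it parses lines in the formats shown (syslog lines from /var/log/messages and sssd debug lines from sssd_pam.log), counts the failed TLS starts and their OpenSSL error codes, notes when the backend declared itself offline, and counts the PAM replies carrying DataProvider.Offline. The sample log text is constructed from the lines quoted in the document, with the <HOSTNAME> placeholder kept as-is.

```python
import re
from collections import Counter

# Constructed sample, modelled on the /var/log/messages lines quoted above.
MESSAGES_SAMPLE = """\
Nov 19 09:53:10 <HOSTNAME> sssd[sudo][20062]: Starting up
Nov 19 09:53:10 <HOSTNAME> sssd[pam][20060]: Starting up
Nov 19 09:53:10 <HOSTNAME> sssd[be[default]][20058]: Could not start TLS encryption. error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Nov 19 09:54:31 <HOSTNAME> sssd[be[default]][20058]: Could not start TLS encryption. error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Nov 19 09:54:31 <HOSTNAME> sssd[be[default]][20058]: Backend is offline
Nov 19 09:55:59 <HOSTNAME> sssd[be[default]][20058]: Could not start TLS encryption. error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Nov 19 09:58:24 <HOSTNAME> sssd[be[default]][20058]: Could not start TLS encryption. error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Nov 19 10:02:35 <HOSTNAME> sssd[be[default]][20058]: Could not start TLS encryption. error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
"""

# Constructed sample, modelled on the sssd_pam.log lines quoted above.
SSSD_PAM_SAMPLE = """\
(Mon Nov 19 09:55:01 2018) [sssd[pam]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Mon Nov 19 09:55:01 2018) [sssd[pam]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Mon Nov 19 09:58:01 2018) [sssd[pam]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Mon Nov 19 09:58:02 2018) [sssd[pam]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
"""

# syslog line: "<Mon DD HH:MM:SS> <host> sssd[<component>][<pid>]: <msg>"
MESSAGES_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sssd\[(?P<component>.+?)\]\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# OpenSSL error string embedded in the backend's TLS failure message
TLS_RE = re.compile(
    r"Could not start TLS encryption\. error:(?P<code>[0-9A-F]+):"
    r"SSL routines:(?P<func>\w+):(?P<reason>.*)$")
# sssd debug line: "(<timestamp>) [sssd[<component>]] [<function>] (<level>): <msg>"
PAM_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<component>\w+)\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
OFFLINE_ERR = "org.freedesktop.sssd.Error.DataProvider.Offline"


def parse_messages(text):
    """Return the sssd syslog lines as dicts; non-matching lines are skipped."""
    return [m.groupdict() for m in map(MESSAGES_RE.match, text.splitlines()) if m]


def assess(s):
    """Turn the counters into findings an administrator can act on."""
    findings = []
    if s["tls_failures"]:
        codes = ", ".join(f"{c} ({f}: {r})" for (c, f, r) in s["tls_errors"])
        findings.append(f"{s['tls_failures']} failed TLS starts to the LDAP server: {codes}")
    if s["backend_offline"]:
        findings.append("backend declared itself offline; LDAP users not already in the "
                        "sssd cache will not resolve (matches 'id: ...: no such user')")
    if s["pam_offline_replies"]:
        findings.append(f"{s['pam_offline_replies']} PAM requests answered with DataProvider.Offline")
    return findings


def triage(messages_text, pam_text):
    """Summarise sssd backend health from /var/log/messages and sssd_pam.log text."""
    s = {"tls_failures": 0, "tls_errors": Counter(), "backend_offline": 0,
         "pam_offline_replies": 0, "components_started": []}
    for rec in parse_messages(messages_text):
        msg = rec["msg"]
        if msg == "Starting up":
            s["components_started"].append(rec["component"])
        elif msg == "Backend is offline":
            s["backend_offline"] += 1
        else:
            t = TLS_RE.search(msg)
            if t:
                s["tls_failures"] += 1
                s["tls_errors"][(t["code"], t["func"], t["reason"])] += 1
    for line in pam_text.splitlines():
        m = PAM_RE.match(line)
        if m and OFFLINE_ERR in m["msg"]:
            s["pam_offline_replies"] += 1
    s["findings"] = assess(s)
    return s


if __name__ == "__main__":
    for finding in triage(MESSAGES_SAMPLE, SSSD_PAM_SAMPLE)["findings"]:
        print("-", finding)
```

Point it at the live files with `triage(open("/var/log/messages").read(), open("/var/log/sssd/sssd_pam.log").read())`. The value of separating the TLS failures from the offline state is that the sudo failure is a downstream symptom: while the backend is offline, PAM and NSS cannot reach the directory, so the TLS handshake with the LDAP server is what to look at first.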

Cause
