Back to bug 1321884
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Jakub Hrozek | 2016-03-29 10:15:48 UTC | Status | NEW | POST |
| Jakub Hrozek | 2016-03-29 10:20:18 UTC | Doc Text | Cause: In RHEL-6.8 we rebased to a version of SSSD that evaluates SUDO rules from an IPA server (when sudo_provider is set to 'ipa' or left undefined) to a version that connects to the IPA LDAP tree as opposed to the compat LDAP tree. That RFE is tracked in https://bugzilla.redhat.com/show_bug.cgi?id=1244957 Consequence: Since this implementation is completely different, there are differences. One of them is that the 6.8 version lacks support for the externalUser attribute of SUDO rules. The SSSD project upstream already fixed the issue, however, the fix didn't make the RHEL deadlines. Workaround (if any): Revert to using sudo_provider=ldap pointed to the compat tree. Result: Installations that wish to use the externalUser attribute must use a fallback configuration until the bug is fixed in RHEL. Please note that this bug DOES NOT affect users from a trusted AD domain, only users that are completely out of reach of SSSD, such as users from /etc/passwd. | |
| | | Doc Type | Bug Fix | Known Issue |
| Lenka Špačková | 2016-03-30 15:10:51 UTC | Docs Contact | apetrova | |
| Aneta Šteflová Petrová | 2016-04-04 12:17:27 UTC | Docs Contact | apetrova | mmuehlfe |
| Aneta Šteflová Petrová | 2016-04-04 12:24:20 UTC | CC | apetrova | |
| Aneta Šteflová Petrová | 2016-04-06 11:34:34 UTC | Doc Text | Cause: In RHEL-6.8 we rebased to a version of SSSD that evaluates SUDO rules from an IPA server (when sudo_provider is set to 'ipa' or left undefined) to a version that connects to the IPA LDAP tree as opposed to the compat LDAP tree. That RFE is tracked in https://bugzilla.redhat.com/show_bug.cgi?id=1244957 Consequence: Since this implementation is completely different, there are differences. One of them is that the 6.8 version lacks support for the externalUser attribute of SUDO rules. The SSSD project upstream already fixed the issue, however, the fix didn't make the RHEL deadlines. Workaround (if any): Revert to using sudo_provider=ldap pointed to the compat tree. Result: Installations that wish to use the externalUser attribute must use a fallback configuration until the bug is fixed in RHEL. Please note that this bug DOES NOT affect users from a trusted AD domain, only users that are completely out of reach of SSSD, such as users from /etc/passwd. | SSSD does not support the LDAP externalUser attribute The System Security Services Daemon (SSSD) service misses support for the Lightweight Directory Access Protocol (LDAP) *externalUser* attribute. In consequence, the assignment of sudo rules to local accounts, such as by using the */etc/passwd* file, fails. The problem affects only accounts outside of the Identity Management (IdM) domains or Active Directory (AD) trusted domains. To work around this problem, set the *sudo_provider=ldap* option instead of the *sudo_provider=ipa* option in the */etc/sssd/sssd.conf* file. The usage of *sudo_provider=ldap* requires a configured LDAP provider in the */etc/sssd/sssd.conf* file, for example: [domain/EXAMPLE] id_provider = ipa ipa_domain = example.com ipa_server = ipa.example.com ldap_tls_cacert = /etc/ipa/ca.crt sudo_provider = ldap ldap_uri = ldap://ipa.example.com ldap_sudo_search_base = ou=sudoers,dc=example,dc=com ldap_sasl_mech = GSSAPI ldap_sasl_authid = host/hostname.example.com ldap_sasl_realm = EXAMPLE.COM krb5_server = ipa.example.com Using *sudo_provider=ldap* as described enables SSSD to resolve users defined in *externalUser*. |
| Aneta Šteflová Petrová | 2016-04-07 07:11:49 UTC | Doc Text | SSSD does not support the LDAP externalUser attribute The System Security Services Daemon (SSSD) service misses support for the Lightweight Directory Access Protocol (LDAP) *externalUser* attribute. In consequence, the assignment of sudo rules to local accounts, such as by using the */etc/passwd* file, fails. The problem affects only accounts outside of the Identity Management (IdM) domains or Active Directory (AD) trusted domains. To work around this problem, set the *sudo_provider=ldap* option instead of the *sudo_provider=ipa* option in the */etc/sssd/sssd.conf* file. The usage of *sudo_provider=ldap* requires a configured LDAP provider in the */etc/sssd/sssd.conf* file, for example: [domain/EXAMPLE] id_provider = ipa ipa_domain = example.com ipa_server = ipa.example.com ldap_tls_cacert = /etc/ipa/ca.crt sudo_provider = ldap ldap_uri = ldap://ipa.example.com ldap_sudo_search_base = ou=sudoers,dc=example,dc=com ldap_sasl_mech = GSSAPI ldap_sasl_authid = host/hostname.example.com ldap_sasl_realm = EXAMPLE.COM krb5_server = ipa.example.com Using *sudo_provider=ldap* as described enables SSSD to resolve users defined in *externalUser*. | SSSD does not support the LDAP externalUser attribute The System Security Services Daemon (SSSD) service misses support for the Lightweight Directory Access Protocol (LDAP) *externalUser* attribute. In consequence, the assignment of sudo rules to local accounts, such as by using the `/etc/passwd` file, fails. The problem affects only accounts outside of the Identity Management (IdM) domains or Active Directory (AD) trusted domains. To work around this problem, set the *sudo_provider=ldap* option instead of the *sudo_provider=ipa* option in the `/etc/sssd/sssd.conf` file. The usage of *sudo_provider=ldap* requires a configured LDAP provider in the `/etc/sssd/sssd.conf` file, for example: [domain/EXAMPLE] id_provider = ipa ipa_domain = example.com ipa_server = ipa.example.com ldap_tls_cacert = /etc/ipa/ca.crt sudo_provider = ldap ldap_uri = ldap://ipa.example.com ldap_sudo_search_base = ou=sudoers,dc=example,dc=com ldap_sasl_mech = GSSAPI ldap_sasl_authid = host/hostname.example.com ldap_sasl_realm = EXAMPLE.COM krb5_server = ipa.example.com Using *sudo_provider=ldap* as described enables SSSD to resolve users defined in *externalUser*. |
| Aneta Šteflová Petrová | 2016-04-08 10:43:35 UTC | Doc Text | SSSD does not support the LDAP externalUser attribute The System Security Services Daemon (SSSD) service misses support for the Lightweight Directory Access Protocol (LDAP) *externalUser* attribute. In consequence, the assignment of sudo rules to local accounts, such as by using the `/etc/passwd` file, fails. The problem affects only accounts outside of the Identity Management (IdM) domains or Active Directory (AD) trusted domains. To work around this problem, set the *sudo_provider=ldap* option instead of the *sudo_provider=ipa* option in the `/etc/sssd/sssd.conf` file. The usage of *sudo_provider=ldap* requires a configured LDAP provider in the `/etc/sssd/sssd.conf` file, for example: [domain/EXAMPLE] id_provider = ipa ipa_domain = example.com ipa_server = ipa.example.com ldap_tls_cacert = /etc/ipa/ca.crt sudo_provider = ldap ldap_uri = ldap://ipa.example.com ldap_sudo_search_base = ou=sudoers,dc=example,dc=com ldap_sasl_mech = GSSAPI ldap_sasl_authid = host/hostname.example.com ldap_sasl_realm = EXAMPLE.COM krb5_server = ipa.example.com Using *sudo_provider=ldap* as described enables SSSD to resolve users defined in *externalUser*. | SSSD does not support the LDAP externalUser attribute The System Security Services Daemon (SSSD) service misses support for the *externalUser* Lightweight Directory Access Protocol (LDAP) attribute of the Identity Management (IdM) schema. In consequence, the assignment of sudo rules to local accounts, such as by using the `/etc/passwd` file, fails. The problem affects only accounts outside of the IdM domains or Active Directory (AD) trusted domains. To work around this problem, set the LDAP sudo search base as follows in the [domain] section of the `/etc/sssd/sssd.conf` file: ldap_sudo_search_base = ou=sudoers,dc=example,dc=com This enables SSSD to resolve users defined in *externalUser*. |
| Aneta Šteflová Petrová | 2016-04-08 12:35:28 UTC | Doc Text | SSSD does not support the LDAP externalUser attribute The System Security Services Daemon (SSSD) service misses support for the *externalUser* Lightweight Directory Access Protocol (LDAP) attribute of the Identity Management (IdM) schema. In consequence, the assignment of sudo rules to local accounts, such as by using the `/etc/passwd` file, fails. The problem affects only accounts outside of the IdM domains or Active Directory (AD) trusted domains. To work around this problem, set the LDAP sudo search base as follows in the [domain] section of the `/etc/sssd/sssd.conf` file: ldap_sudo_search_base = ou=sudoers,dc=example,dc=com This enables SSSD to resolve users defined in *externalUser*. | SSSD does not support the LDAP externalUser attribute The System Security Services Daemon (SSSD) service misses support for the *externalUser* LDAP attribute of the Identity Management (IdM) schema. In consequence, the assignment of *sudo* rules to local accounts, such as by using the `/etc/passwd` file, fails. The problem affects only accounts outside of the IdM domains and Active Directory (AD) trusted domains. To work around this problem, set the LDAP *sudo* search base as follows in the `[domain]` section of the `/etc/sssd/sssd.conf` file: ldap_sudo_search_base = ou=sudoers,dc=example,dc=com This enables SSSD to resolve users defined in *externalUser*. |
| Marek Czernek | 2016-05-09 10:29:36 UTC | CC | mczernek | |
| | | Doc Text | SSSD does not support the LDAP externalUser attribute The System Security Services Daemon (SSSD) service misses support for the *externalUser* LDAP attribute of the Identity Management (IdM) schema. In consequence, the assignment of *sudo* rules to local accounts, such as by using the `/etc/passwd` file, fails. The problem affects only accounts outside of the IdM domains and Active Directory (AD) trusted domains. To work around this problem, set the LDAP *sudo* search base as follows in the `[domain]` section of the `/etc/sssd/sssd.conf` file: ldap_sudo_search_base = ou=sudoers,dc=example,dc=com This enables SSSD to resolve users defined in *externalUser*. | SSSD does not support the LDAP externalUser attribute The System Security Services Daemon (SSSD) service is missing support for the *externalUser* LDAP attribute of the Identity Management (IdM) schema. In consequence, the assignment of *sudo* rules to local accounts, such as by using the `/etc/passwd` file, fails. The problem affects only accounts outside of the IdM domains and Active Directory (AD) trusted domains. To work around this problem, set the LDAP *sudo* search base as follows in the `[domain]` section of the `/etc/sssd/sssd.conf` file: ldap_sudo_search_base = ou=sudoers,dc=example,dc=com This enables SSSD to resolve users defined in *externalUser*. |
| John Skeoch | 2016-06-01 01:28:02 UTC | CC | preichl | |
| Jakub Hrozek | 2016-10-05 19:05:43 UTC | CC | ksiddiqu | |
| | | Flags | needinfo?(ksiddiqu) | |
| Kaleem | 2016-10-17 10:55:37 UTC | Flags | needinfo?(ksiddiqu) | needinfo?(jhrozek) |
| Jakub Hrozek | 2016-10-17 11:54:16 UTC | Flags | needinfo?(jhrozek) | |
| Jakub Hrozek | 2016-10-24 09:29:17 UTC | Status | POST | MODIFIED |
| | | Fixed In Version | sssd-1.13.3-42.el6 | |
| errata-xmlrpc | 2016-10-24 09:40:50 UTC | Status | MODIFIED | ON_QA |
| Xiyang Dong | 2016-11-28 14:30:38 UTC | CC | xdong | |
| Lukas Slebodnik | 2016-11-28 14:43:03 UTC | Flags | needinfo?(xdong) | |
| Xiyang Dong | 2016-11-28 18:56:38 UTC | Flags | needinfo?(xdong) | |
| Xiyang Dong | 2016-11-28 18:57:17 UTC | Status | ON_QA | ASSIGNED |
| | | CC | pvoborni, rcritten | |
| | | Component | sssd | ipa |
| | | Docs Contact | mmuehlfe | |
| | | Assignee | sssd-maint | ipa-maint |
| | | QA Contact | sgoveas | ksiddiqu |
| Jakub Hrozek | 2016-11-28 21:23:21 UTC | Component | ipa | sssd |
| | | Assignee | ipa-maint | sssd-maint |
| | | QA Contact | ksiddiqu | sgoveas |
| Xiyang Dong | 2016-11-29 15:34:25 UTC | Flags | needinfo?(jhrozek) | |
| Jakub Hrozek | 2016-11-29 15:48:28 UTC | Flags | needinfo?(jhrozek) | needinfo?(pbrezina) |
| Pavel Březina | 2016-11-30 09:31:27 UTC | Flags | needinfo?(pbrezina) | needinfo?(pvoborni) |
| Petr Vobornik | 2016-11-30 14:25:30 UTC | Flags | needinfo?(pvoborni) | |
| Jakub Hrozek | 2016-12-06 10:02:57 UTC | Flags | needinfo?(xdong) | |
| Xiyang Dong | 2016-12-06 14:20:55 UTC | Flags | needinfo?(xdong) | |
| Xiyang Dong | 2016-12-06 16:28:35 UTC | Status | ASSIGNED | VERIFIED |
| Lenka Špačková | 2016-12-12 13:36:53 UTC | Docs Contact | apetrova | |
| Aneta Šteflová Petrová | 2016-12-13 08:25:11 UTC | Doc Text | SSSD does not support the LDAP externalUser attribute The System Security Services Daemon (SSSD) service is missing support for the *externalUser* LDAP attribute of the Identity Management (IdM) schema. In consequence, the assignment of *sudo* rules to local accounts, such as by using the `/etc/passwd` file, fails. The problem affects only accounts outside of the IdM domains and Active Directory (AD) trusted domains. To work around this problem, set the LDAP *sudo* search base as follows in the `[domain]` section of the `/etc/sssd/sssd.conf` file: ldap_sudo_search_base = ou=sudoers,dc=example,dc=com This enables SSSD to resolve users defined in *externalUser*. | SSSD now resolves users with *externalUser* correctly Support for the *externalUser* LDAP attribute was removed from the System Security Services Daemon (SSSD) in Red Hat Enterprise Linux 6.8. In consequence, the assignment of *sudo* rules to local accounts, such as by using the `/etc/passwd` file, failed. The problem affected only accounts outside of the Identity Management (IdM) domains and Active Directory (AD) trusted domains. This update ensures that SSSD correctly resolves users with *externalUser* defined. As a result, assigning *sudo* rules to local accounts works as expected in the described situation. |
| | | Doc Type | Known Issue | Bug Fix |
| | | Flags | needinfo?(jhrozek) | |
| Jakub Hrozek | 2016-12-13 09:49:07 UTC | Flags | needinfo?(jhrozek) | |
| Aneta Šteflová Petrová | 2016-12-13 10:13:22 UTC | Doc Text | SSSD now resolves users with *externalUser* correctly Support for the *externalUser* LDAP attribute was removed from the System Security Services Daemon (SSSD) in Red Hat Enterprise Linux 6.8. In consequence, the assignment of *sudo* rules to local accounts, such as by using the `/etc/passwd` file, failed. The problem affected only accounts outside of the Identity Management (IdM) domains and Active Directory (AD) trusted domains. This update ensures that SSSD correctly resolves users with *externalUser* defined. As a result, assigning *sudo* rules to local accounts works as expected in the described situation. | SSSD now resolves users with *externalUser* correctly Support for the *externalUser* LDAP attribute was removed from the System Security Services Daemon (SSSD) in Red Hat Enterprise Linux 6.8. In consequence, the assignment of *sudo* rules to local accounts, such as by using the `/etc/passwd` file, failed. The problem affected only accounts outside of Identity Management (IdM) domains and Active Directory (AD) trusted domains. This update ensures that SSSD correctly resolves users with the *externalUser* attribute defined. As a result, assigning *sudo* rules works as expected in the described situation. |
| errata-xmlrpc | 2017-03-21 00:45:22 UTC | Status | VERIFIED | RELEASE_PENDING |
| errata-xmlrpc | 2017-03-21 09:55:15 UTC | Status | RELEASE_PENDING | CLOSED |
| | | Resolution | --- | ERRATA |
| | | Last Closed | 2017-03-21 05:55:15 UTC | |
| Pavel Březina | 2020-05-02 18:20:06 UTC | Link ID | Github SSSD/sssd/issues/4013 | |