Bug 1188338

Summary: ldap_sudo_hostnames not working
Product: Red Hat Enterprise Linux 6
Reporter: Marco Passerini <marco.passerini>
Component: sssd
Assignee: Pavel Březina <pbrezina>
Status: CLOSED NOTABUG
QA Contact: Kaushik Banerjee <kbanerje>
Severity: low
Priority: unspecified
Version: 6.6
CC: grajaiya, jgalipea, jhrozek, lslebodn, marco.passerini, mkosek, mzidek, pbrezina, preichl
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-02-09 10:43:07 UTC
Type: Bug

Description Marco Passerini 2015-02-02 16:00:25 UTC
Description of problem:

I'm configuring a server with SSSD/LDAP for SUDO authentication. The server hostname is "server1.mydomain.com", and it can't be changed. In LDAP, the host is listed as "sudoHost: my-server1.mydomain.com", and it can't be changed either. So I read the manual and configured the following in sssd.conf:
ldap_sudo_hostnames = my-server1.mydomain.com
I have "sudoers:    files sss" in /etc/nsswitch.conf, and /etc/sssd/sssd.conf is properly configured.
After restarting sssd and logging into the server, I was not able to run sudo with my user account.
I solved the problem by adding the following line to sssd.conf:
ipa_hostname = my-server1.mydomain.com
I think this should not be necessary, as the field ldap_sudo_hostnames should take care of this. Am I correct? Is this a bug?
Version-Release number of selected component (if applicable):
sssd-1.11.6-30.el6_6.3.x86_64
sssd-common-pac-1.11.6-30.el6_6.3.x86_64
sssd-ldap-1.11.6-30.el6_6.3.x86_64
sssd-client-1.11.6-30.el6_6.3.x86_64
sssd-krb5-1.11.6-30.el6_6.3.x86_64
sssd-krb5-common-1.11.6-30.el6_6.3.x86_64
sssd-common-1.11.6-30.el6_6.3.x86_64
sssd-ipa-1.11.6-30.el6_6.3.x86_64
python-sssdconfig-1.11.6-30.el6_6.3.noarch
sssd-ad-1.11.6-30.el6_6.3.x86_64
sssd-proxy-1.11.6-30.el6_6.3.x86_64

Comment 2 Jakub Hrozek 2015-02-03 08:22:57 UTC
Can you provide your whole sssd.conf?

Comment 3 Marco Passerini 2015-02-03 09:24:57 UTC
This is it. I replaced the field names, but here's the server name mapping:

generic_server1.mydomain.com is a hostname which provides a lot of users, all of which are supposed to be able to authenticate in this machine

server1 is the real hostname of this server

my-server1 is how the hostname is listed in the SUDOHost field in LDAP

I know it's a bit messy, but this is the case, and with the current configuration it works. If I don't enter ipa_hostname it does not let me do sudo.

[domain/LDAP]

ldap_id_use_start_tls = True
cache_credentials = true
ldap_search_base = dc=mydomain,dc=com
ldap_user_search_base = ou=People,dc=mydomain,dc=com?subtree?(host=generic_server1.mydomain.com)
ldap_group_search_base = ou=Groups,dc=mydomain,dc=com
ldap_default_bind_dn = uid=mybind,ou=Special Users,dc=mydomain,dc=com
ldap_default_authtok = ********
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap1.mydomain.com/, ldaps://ldap2.mydomain.com/
ldap_backup_uri = ldaps://ldap3.mydomain.com
ldap_tls_cacertdir = /etc/openldap/certs
debug_level = 2
enumerate = true
sudo_provider = ldap
ldap_sudo_search_base = OU=Staff,OU=SUDOers,ou=idm,dc=mydomain,dc=com
ldap_sudo_hostnames = my-server1.mydomain.com
ipa_hostname = my-server1.mydomain.com
access_provider = permit

[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = LDAP

[nss]
filter_users = root,named,avahi,haldaemon,dbus,radiusd,news,nscd

[pam]

[sudo]

[autofs]

[ssh]

[pac]

Comment 4 Jakub Hrozek 2015-02-09 09:20:14 UTC
Our team's sudo expert will take a look.

I don't think ipa_hostname is supposed to help, though, your config is a pure LDAP one.

Comment 5 Pavel Březina 2015-02-09 10:16:22 UTC
Hi,
the thing is that sudo does not allow you to specify the hostname that is supposed to match the sudoHost attribute. It parses sssd.conf to find ipa_hostname and uses its value, or else uses the hostname of the machine.

The option ldap_sudo_hostnames may be used to change what rules are cached, but it's useless without changing the system hostname at the moment, so it is more for testing purposes. There is currently no sudo RFE to support changing the hostname, AFAIK.
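
The two-stage behaviour described in this comment, as an added illustration that is not part of the bug report and not sudo's or SSSD's own code: ldap_sudo_hostnames only decides which rules SSSD caches, while the sudo sss plugin matches sudoHost against ipa_hostname from sssd.conf or, failing that, the machine hostname. The sssd.conf fragments, cached rules and the simplified sudoHost matching (ALL, FQDN, short name) are constructed for the example.

```python
import configparser
import socket

# Constructed sssd.conf fragments modelled on the reporter's config (not a real file).
SSSD_CONF_WITHOUT = """
[sssd]
services = nss, pam, sudo
domains = LDAP

[domain/LDAP]
sudo_provider = ldap
ldap_sudo_hostnames = my-server1.mydomain.com
"""
SSSD_CONF_WITH = SSSD_CONF_WITHOUT + "ipa_hostname = my-server1.mydomain.com\n"

# Constructed rules as SSSD would cache them: rule name -> sudoHost values.
CACHED_RULES = {
    "admins_rule": ["my-server1.mydomain.com"],
    "everyone_rule": ["ALL"],
}


def effective_sudo_hostname(conf_text: str, system_hostname: str) -> str:
    """Hostname the sudo sss plugin matches against, per the comment above:
    ipa_hostname from a [domain/...] section if present, else the machine name."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    for section in cp.sections():
        if section.startswith("domain/") and cp.has_option(section, "ipa_hostname"):
            return cp.get(section, "ipa_hostname").strip()
    return system_hostname


def host_matches(sudo_host: str, hostname: str) -> bool:
    """Simplified sudoHost match: ALL, exact FQDN, or short host name."""
    if sudo_host == "ALL":
        return True
    return sudo_host == hostname or sudo_host == hostname.split(".")[0]


def matching_rules(conf_text: str, system_hostname: str, rules=CACHED_RULES):
    """Names of cached rules whose sudoHost applies on this machine."""
    hostname = effective_sudo_hostname(conf_text, system_hostname)
    return sorted(name for name, hosts in rules.items()
                  if any(host_matches(h, hostname) for h in hosts))


if __name__ == "__main__":
    # On a real host, show what the plugin would compare against sudoHost.
    for label, conf in (("without ipa_hostname", SSSD_CONF_WITHOUT),
                        ("with ipa_hostname", SSSD_CONF_WITH)):
        print(label, "->", effective_sudo_hostname(conf, socket.getfqdn()))
```

With the reporter's real hostname server1.mydomain.com, only the ALL rule matches until ipa_hostname is set, which is exactly the symptom in the report.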

Comment 6 Jakub Hrozek 2015-02-09 10:43:07 UTC
Thank you, not our bug, then.