Bug 1258421

Summary: freeipa sudo rules do not work out of the box, add a warning to ipa-client-install to enable compat tree and fix documentation
Product: [Fedora] Fedora Reporter: Alexander Bokovoy <abokovoy>
Component: freeipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 22CC: abokovoy, dennis, extras-qa, ipa-maint, jhrozek, lslebodn, mkosek, pbrezina, preichl, pviktori, pvoborni, rcritten, sbose, sgallagh, ssorce
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1256849 Environment:
Last Closed: 2016-01-29 14:08:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1256849    
Bug Blocks:    

Description Alexander Bokovoy 2015-08-31 11:03:04 UTC 
+++ This bug was initially created as a clone of Bug #1256849 +++

Description of problem:
sssd tries to use compat mode for sudo rules by default, freeipa by default has compat mode turned off. 

in order to have working sudo working with sssd you need to manually enable compat mode on the server which has a performance cost, additionally it is not at all clear why sudo is failing, it took a significant amount of effort to debug what was going on.

In order for sssd to just work it needs to be able to natively pull the sudo rules from the ipa server.

--- Additional comment from Jakub Hrozek on 2015-08-31 11:29:31 EEST ---

Sorry for the late reply. I was on vacation last week.

(In reply to Dennis Gilmore from comment #0)
> Description of problem:
> sssd tries to use compat mode for sudo rules by default,

This is expected, we don't support the native sudo rules yet (although we do have a first, unreviewed patch).

>  freeipa by default
> has compat mode turned off. 

However, this is not expected at all. How did you test the compat tree is disabled? Did enabling it help?

Alexander, are you aware of any issue in this area?

> 
> in order to have working sudo working with sssd you need to manually enable
> compat mode on the server which has a performance cost, additionally it is
> not at all clear why sudo is failing, it took a significant amount of effort
> to debug what was going on.
> 
> In order for sssd to just work it needs to be able to natively pull the sudo
> rules from the ipa server.

--- Additional comment from Alexander Bokovoy on 2015-08-31 11:42:23 EEST ---

Yes, compat tree is not enabled by default.

Somehow, the fact that one needs to enable compat tree with 'ipa-compat-manage enable' is missing in https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/sudo.html

So at the very least there is a documentation bug.

--- Additional comment from Lukas Slebodnik on 2015-08-31 13:40:49 EEST ---

(In reply to Alexander Bokovoy from comment #2)
> Yes, compat tree is not enabled by default.
> 
> Somehow, the fact that one needs to enable compat tree with
> 'ipa-compat-manage enable' is missing in
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/
> html/Linux_Domain_Identity_Authentication_and_Policy_Guide/sudo.html
> 
> So at the very least there is a documentation bug.

The simplest and the fast solution would be to write warning in ipa-client install if sudo-support is enabled and compat tree is disabled.

Or simplified version write a message about enabling compat tree
if sudo-support is enabled.

The long term solution will be increase priority of ticket with ipa native sudo rules in sssd.

--- Additional comment from Alexander Bokovoy on 2015-08-31 14:01:49 EEST ---

Agreed. So, for FreeIPA part we need to modify ipa-client-install script and also fix documentation.

SSSD side needs to raise priority of implementing native IPA schema support for sudo.

I'll clone the ticket to IPA side too.
Comment 1 Alexander Bokovoy 2015-08-31 13:00:39 UTC 
Rob noted that we always enable compat plugin unconditionally in IPA installations so the question is why it was disabled in the original bug report.

here is a common setup part that unconditionally enables compat tree:
    def __common_post_setup(self):
        self.step("initializing group membership", self.init_memberof)
        self.step("adding master entry", self.__add_master_entry)
        self.step("initializing domain level", self.__set_domain_level)
        self.step("configuring Posix uid/gid generation",
                  self.__config_uidgid_gen)
        self.step("adding replication acis", self.__add_replication_acis)
        self.step("enabling compatibility plugin",
                  self.__enable_compat_plugin)
        self.step("activating sidgen plugin", self._add_sidgen_plugin)
        self.step("activating extdom plugin", self._add_extdom_plugin)
        self.step("tuning directory server", self.__tuning)

        self.step("configuring directory to start on boot", self.__enable)

We still think it makes sense to add warning to ipa-client-install and also to ipa-manage-compat about sudo behavior if compat tree is disabled. And documentation needs to include clarifications of the compat tree affecting sudo.
Comment 2 Petr Vobornik 2015-08-31 17:17:31 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5276
Comment 3 Lukas Slebodnik 2016-01-25 08:46:08 UTC 
I thought that it would be super EASY to add warning to freeipa and it would took
much more time to implement native IPA sudo provider in sssd. However it looks like I was wrong.

Do we still need this BZ?
Comment 4 Martin Kosek 2016-01-25 15:23:50 UTC 
This was rather low priority for FreeIPA project, which is why it took so long (updating Bug sev/prio, I do not know why it was set that high).

But Lukas has a point, I would vote for closing it, given that current SSSD releases (even in RHEL-6.x) are about to get native SUDO support.
Comment 5 Petr Vobornik 2016-01-29 14:08:13 UTC 
As Lukas pointed in comment 3, SSSD will receive a native IPA sudo provider and therefore fixing this bug is no longer required.