Bug 1380436
Summary: | sudo: ignore case on case insensitive domains | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Jakub Hrozek <jhrozek> | |
Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> | |
Status: | CLOSED ERRATA | QA Contact: | Amith <apeetham> | |
Severity: | unspecified | Docs Contact: | Marc Muehlfeld <mmuehlfe> | |
Priority: | high | |||
Version: | 7.3 | CC: | afarley, enewland, grajaiya, jhrozek, john, lslebodn, mkolaja, mkosek, mupadhye, mzidek, pbrezina, pjagrut, sgoveas, tscherf | |
Target Milestone: | rc | Keywords: | ZStream | |
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | sssd-1.15.0-1.el7 | Doc Type: | Known Issue | |
Doc Text: |
SSSD only applies values in `sudoUser` attributes from AD in lower case
Previously, when the System Security Services Daemon (SSSD) fetched "sudo" rules from Active Directory (AD), the `sudoUser` attribute must have match the exact case of the `samAccountName` attribute of the user the rule was assigned to. Due to a regression in Red Hat Enterprise Linux 7.3, the `sudoUser` attribute now only matches lower case values. To work around this problem, rename `sudoUser` attribute values to lower case. With the workaround, "sudo" rules are applied correctly.
|
Story Points: | --- | |
Clone Of: | ||||
: | 1382395 1392946 (view as bug list) | Environment: | ||
Last Closed: | 2017-08-01 09:00:03 UTC | Type: | --- | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1382395, 1392946 |
Description
Jakub Hrozek
2016-09-29 15:00:54 UTC
Steps to reproduce: - prepare an AD server - extend its schema to contain the sudoers attributes - prepare an AD user or a group on the AD server side - add a sudo rule that allows the user to run a command. In the sudo rule, try adding the user or a group name in different cases. Especially the exact case should be tested (because that's what used to work in 1.13) and the lowercase should be tested (because that's what admins might intuitively use since the AD domain is case-insensitive). - without the patch in 7.2, only the exact case would work. In 7.3.0, without the patch, only the lower case would work - with the patch, all cases should work. master: f4a1046bb88d7a0ab3617e49ae94bfa849d10645 23637e2fd2b1fe42bdd2335893a11ac8016f56bc sssd-1-14: 143b1dcbbe865a139616a22b139e19bd772e46f0 88239b7f17f599aefa88a8a31c2d0ea44b766c87 Upstream ticket: https://fedorahosted.org/sssd/ticket/3241 Additional patches: master: 7e23edbaa7a6bbd0b461d5792535896b6a77928b sssd-1-14: 54f176066dafafdc12f6e0dd112ff6339308aa7c Verified the bug on SSSD Version: sssd-1.15.2-29.el7.x86_64 Steps followed during verification: 1. Add sudo rules in AD, allowing users to run commands. Also, assign the sudoUser attribute values in Upper case and lower case. For example: dn: CN=rule1,OU=Sudoers,DC=sssdad,DC=com objectClass: top objectClass: sudoRole cn: rule1 . . sudoUser: sudo_aduser1 sudoHost: ALL sudoCommand: /usr/bin/less dn: CN=rule2,OU=Sudoers,DC=sssdad,DC=com objectClass: top objectClass: sudoRole . . sudoUser: SUDO_ADUSER2 sudoHost: ALL sudoCommand: /usr/bin/more dn: CN=rule3,OU=Sudoers,DC=sssdad,DC=com objectClass: top objectClass: sudoRole . . sudoUser: sudo_aduser3 sudoHost: ALL sudoCommand: /usr/bin/less 2. Setup sssd client and execute sudo cmds as users in exact case names, lower case names and upper case names. Sample sssd.conf: [sssd] domains = sssdad.com config_file_version = 2 services = nss, pam, sudo [domain/sssdad.com] ad_domain = sssdad.com krb5_realm = SSSDAD.COM realmd_tags = manages-system joined-with-samba cache_credentials = True id_provider = ad krb5_store_password_if_offline = True default_shell = /bin/bash ldap_id_mapping = True #use_fully_qualified_names = True fallback_homedir = /home/%u@%d access_provider = ad sudo_provider = ad [pam] [root@mudflap sssd]# sudo -l -U sudo_aduser1 Matching Defaults entries for sudo_aduser1 on mudflap: !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", ..... User sudo_aduser1 may run the following commands on mudflap: (root) /usr/bin/less [root@mudflap sssd]# sudo -l -U SUDO_ADUSER1 Matching Defaults entries for sudo_aduser1 on mudflap: !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", ...... User sudo_aduser1 may run the following commands on mudflap: (root) /usr/bin/less [root@mudflap sssd]# sudo -l -U sudo_aduser2 Matching Defaults entries for sudo_aduser2 on mudflap: !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", .............. User sudo_aduser2 may run the following commands on mudflap: (root) /usr/bin/more [root@mudflap sssd]# sudo -l -U sudo_aduser3 Matching Defaults entries for sudo_aduser3 on mudflap: !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", ........ User sudo_aduser3 may run the following commands on mudflap: (root) /usr/bin/less [root@mudflap sssd]# sudo -l -U sudo_aduser3 Matching Defaults entries for sudo_aduser3 on mudflap: !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", ........... User sudo_aduser3 may run the following commands on mudflap: (root) /usr/bin/less [root@mudflap sssd]# sudo -l -U SUDO_ADUSER3 Matching Defaults entries for sudo_aduser3 on mudflap: !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", .............. User sudo_aduser3 may run the following commands on mudflap: (root) /usr/bin/less With the latest sssd build, issue seems to be resolved. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:2294 |