Bug 1392946

Summary: sudo: ignore case on case insensitive domains
Product: Red Hat Enterprise Linux 7
Reporter: Marcel Kolaja <mkolaja>
Component: sssd
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA
QA Contact: Steeve Goveas <sgoveas>
Severity: unspecified
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: high
Version: 7.3
CC: afarley, apeetham, enewland, grajaiya, jhrozek, john, lslebodn, mkolaja, mkosek, mzidek, pbrezina, sgoveas, sssd-maint, tscherf
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: sssd-1.14.0-43.el7_3.8
Doc Type: Bug Fix
Doc Text:
Due to an update in Red Hat Enterprise Linux 7.3, in a case-insensitive domain the sudoUser attribute matched only the lowercase version of the LDAP user or group name. As a consequence, configurations whose sudoUser attribute values relied on case-insensitive matching failed. This update re-enables SSSD to match the sudoUser attribute regardless of case, so both lowercase and mixed-case values can now be configured.
Story Points: ---
Clone Of: 1380436
Environment:
Last Closed: 2017-01-17 18:09:45 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1380436
Bug Blocks:

Description Marcel Kolaja 2016-11-08 14:08:16 UTC
This bug has been copied from bug #1380436 and has been proposed
to be backported to 7.3 z-stream (EUS).

Comment 4 Amith 2016-11-14 16:09:06 UTC
I tested this bz on RHEL-7.3 and got the following results:

With the older build, sssd-1.14.0-43.el7.x86_64:

1) Add a sudo rule with a user in "small case" letters.
Result - User is able to run sudo commands.

# sudo -l -U student2
.
.
User student2 may run the following commands on this host:
    (root) /usr/bin/less
    (root) /usr/bin/more

2) Add a sudo rule with a user in "Upper case" letters.
Result - User is unable to run sudo commands.

# sudo -l -U STUDENT3
User student3 is not allowed to run sudo on vm-idm-005.


3) Upgrade the sssd build to sssd-1.14.0-43.el7_3.3.x86_64 and verify the existing rule where the user is in "small case" letters.
Result - User is able to run sudo commands.

# sudo -l -U student6
.
.
User student6 may run the following commands on this host:
    (root) ALL


4) Verify the existing sudo rule with a user in "Upper case" letters.
Result - User is unable to run sudo commands.

# sudo -l -U STUDENT4
User student4 is not allowed to run sudo on vm-idm-005.

5) Add a new sudo rule with a user in "small case" letters.
Result - User is unable to run sudo commands.

# sudo -l -U student5
User student5 is not allowed to run sudo on vm-idm-005.

With the patched sssd build, both the upper and lower case user names should work; however, in this case only the existing rules are working, and only the lower case ones.

Comment 5 Jakub Hrozek 2016-11-14 22:29:32 UTC
The patch introduced a new bug tracked as https://fedorahosted.org/sssd/ticket/3241

Thank you for your testing.

Comment 7 Jakub Hrozek 2016-11-23 10:28:31 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/3241

Comment 8 Jakub Hrozek 2016-11-23 10:36:43 UTC
Additional patches:
    master: 7e23edbaa7a6bbd0b461d5792535896b6a77928b
    sssd-1-14: 54f176066dafafdc12f6e0dd112ff6339308aa7c

Comment 10 Amith 2017-01-08 17:24:17 UTC
Verified the bug on SSSD Version: sssd-1.14.0-43.el7_3.11.x86_64

Steps followed during verification:
1. Add sudo rules in AD allowing users to run commands, and assign the sudoUser attribute values in upper case and lower case. For example:

dn: CN=rule2,OU=sudoers,DC=black,DC=com
objectClass: top
objectClass: sudoRole
.
.
sudoCommand: /usr/bin/more
sudoUser: STUDENT3
sudoHost: ALL
.
.
sudoUser: student2
sudoHost: /usr/bin/more
.
.
sudoUser: STUDENT7
sudoHost: ALL

2. Set up the sssd client and execute sudo commands as users with exact case names, lower case names and upper case names.

Sample sssd.conf:

[sssd]
domains = black.com
config_file_version = 2
services = nss, pam, sudo

[domain/black.com]
ad_domain = black.com
krb5_realm = BLACK.COM
realmd_tags = manages-system joined-with-samba 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

[root@qe-blade-04 sssd]# sudo -l -U student2
Matching Defaults entries for student2 on this host:
    !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR 
.
.
User student2 may run the following commands on this host:
    (root) /usr/bin/less
    (root) /usr/bin/more
    (root) /usr/bin/less

[root@qe-blade-04 sssd]# sudo -l -U STUDENT7
.
.
User student7 may run the following commands on this host:
    (root) ALL

[root@qe-blade-04 sssd]# sudo -l -U student7
Matching Defaults entries for student7 on this host:
.
.
User student7 may run the following commands on this host:
    (root) ALL
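
As an added example (not code from this bug, from SSSD or from the reporter), here is a Python model of the sudoUser matching that the tests in comments 4 and 10 exercise: it parses sudoRole entries like the ones quoted above, evaluates them under the fixed case-insensitive comparison and under a simplified model of the regression (the requesting name lowercased and compared verbatim, as the Doc Text describes), and lists the sudoUser values an affected build would silently stop matching. The LDIF sample, the "lowercase_only" model and all function names are constructed assumptions for illustration.

```python
# Constructed sample modelled on the AD sudoRole entries quoted in comment 10;
# names are invented and not taken from any real directory.
SAMPLE_LDIF = """\
dn: CN=rule2,OU=sudoers,DC=black,DC=com
objectClass: sudoRole
sudoUser: STUDENT3
sudoHost: ALL
sudoCommand: /usr/bin/more

dn: CN=rule3,OU=sudoers,DC=black,DC=com
objectClass: sudoRole
sudoUser: student2
sudoUser: %Helpdesk
sudoHost: ALL
sudoCommand: /usr/bin/less
"""

def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attribute: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def value_matches(value, user, groups, mode):
    """Match one sudoUser value. 'fixed' compares case-insensitively (the
    erratum behaviour); 'lowercase_only' is a simplified model of the
    regression: the requesting name is lowercased and compared verbatim."""
    if value == "ALL":
        return True
    user, groups = user.lower(), [g.lower() for g in groups]
    if mode == "fixed":
        value = value.lower()
    if value.startswith("%"):
        return value[1:] in groups
    return value == user

def applicable_rules(entries, user, groups=(), mode="fixed"):
    """DNs of sudoRole entries whose sudoUser grants `user` under `mode`."""
    return [e["dn"][0] for e in entries if "sudoRole" in e.get("objectClass", [])
            and any(value_matches(v, user, groups, mode) for v in e.get("sudoUser", []))]

def non_lowercase_values(entries):
    """Audit: (dn, sudoUser) pairs that the affected build would silently ignore."""
    return [(e["dn"][0], v) for e in entries for v in e.get("sudoUser", [])
            if v != "ALL" and v != v.lower()]
```

Running non_lowercase_values over an LDIF export of the sudoers OU before updating a client shows which rules stop applying on the regressed build; rules that only vanish are a loss of intended authorization rather than an escalation, but they are still worth knowing about before users report failures.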

Comment 12 errata-xmlrpc 2017-01-17 18:09:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0078.html