Bug 1418728
| Summary: | IPA - sudo does not handle associated conflict entries | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jakub Hrozek <jhrozek> |
| Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Xiyang Dong <xdong> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.3 | CC: | grajaiya, jhrozek, ksiddiqu, lslebodn, mkosek, mzidek, pbrezina, pkulkarn, sgoveas |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | sssd-1.15.2-1.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-08-01 09:02:33 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1420851 | ||
|
Description
Jakub Hrozek
2017-02-02 15:13:53 UTC
master: * 1404f3aa541849d880cce591584ba1580014cb50 * d0aae3c1e87e2e51ab178b7b343261443094a974 sssd-1-14: * db0c5135add7c93638794abd8c7f04a1c5d74186 * c4c47ca961029dbbccf7aab0794c31ab97bc10e0 Verified on sssd-1.15.2-24.el7:
# ipa host-add --force conflicthost.tesrelm.test
--------------------------------------
Added host "conflicthost.tesrelm.test"
--------------------------------------
Host name: conflicthost.tesrelm.test
Principal name: host/conflicthost.tesrelm.test
Principal alias: host/conflicthost.tesrelm.test
Password: False
Keytab: False
Managed by: conflicthost.tesrelm.test
# ipa sudorule-add testrule
--------------------------
Added Sudo Rule "testrule"
--------------------------
Rule name: testrule
Enabled: TRUE
# cat > addmemberhost.ldif << addmemberhost.ldif_EOF
> dn: ipaUniqueID=854eecd0-4d38-11e7-80de-525400bd3099,cn=sudorules,cn=sudo,dc=testrelm,dc=test
> changetype: modify
> add: memberhost
> memberhost: fqdn=conflicthost.tesrelm.test,cn=computers,cn=accounts,dc=testrelm,dc=test
> addmemberhost.ldif_EOF
# ldapmodify -x -D "cn=Directory Manager" -w Secret123 -f addmemberhost.ldif
modifying entry "ipaUniqueID=854eecd0-4d38-11e7-80de-525400bd3099,cn=sudorules,cn=sudo,dc=testrelm,dc=test"
# ipa sudorule-find --all --raw 'testrule'
-------------------
1 Sudo Rule matched
-------------------
dn: ipaUniqueID=854eecd0-4d38-11e7-80de-525400bd3099,cn=sudorules,cn=sudo,dc=testrelm,dc=test
cn: testrule
ipaenabledflag: TRUE
memberhost: fqdn=conflicthost.tesrelm.test,cn=computers,cn=accounts,dc=testrelm,dc=test
ipaUniqueID: 854eecd0-4d38-11e7-80de-525400bd3099
objectClass: ipaassociation
objectClass: ipasudorule
----------------------------
Number of entries returned 1
----------------------------
# cat /etc/sssd/sssd.conf
[domain/testrelm.test]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = testrelm.test
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = hp-xw6600-02.testrelm.test
chpass_provider = ipa
ipa_server = _srv_, bkr-hv03-guest06.testrelm.test
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 9
[sssd]
services = nss, sudo, pam, ssh
domains = testrelm.test
debug_level = 9
[nss]
homedir_substring = /home
[pam]
[sudo]
debug_level = 9
[autofs]
[ssh]
[pac]
[ifp]
[secrets]
# service sssd restart
Redirecting to /bin/systemctl restart sssd.service
# cd /var/log/sssd/
# cat sssd* | grep "Unexpected DN"
# cat sssd* | grep "Unable to convert"
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:2294 *** Bug 1323967 has been marked as a duplicate of this bug. *** |