Bug 1767514
| Summary: | sssd requires timed sudoers ldap entries to be specified up to the seconds | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Dalibor Pospíšil <dapospis> |
| Component: | sssd | Assignee: | Paweł Poławski <ppolawsk> |
| Status: | CLOSED ERRATA | QA Contact: | sssd-qe <sssd-qe> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.0 | CC: | grajaiya, jhrozek, lslebodn, mzidek, pbrezina, rsroka, sgadekar, sgoveas, tscherf |
| Target Milestone: | rc | | |
| Target Release: | 8.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | sync-to-jira | | |
| Fixed In Version: | sssd-2.2.3-14.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-04-28 16:56:29 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Dalibor Pospíšil
2019-10-31 15:54:38 UTC
Upstream ticket: https://pagure.io/SSSD/sssd/issue/4118

* `master`
    * 58a67cd38b8be9bef45ce70588763d851840dd65 - sysdb_sudo: Enable LDAP time format compatibility

Sorry, moving back to POST, did not notice that this bug still needs ACKs. Adding devel ack.

Tested with the following data:

```
~]# rpm -q sssd
sssd-2.2.3-17.el8.x86_64
~]# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = LDAP
services = nss, pam, sudo
debug_level = 0xFFFF

[nss]
filter_groups = root
filter_users = root

[pam]

[sudo]
debug_level = 0xFFFF
sudo_timed = true

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
debug_level = 0xFFFF
ldap_uri = ldaps://ipaqavma.idmqe.lab.eng.bos.redhat.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
ldap_search_base = dc=example,dc=com
entry_cache_nowait_percentage = 0
entry_cache_timeout = 0
ldap_sudo_smart_refresh_interval = 1
```

```
[root@kvm-02-guest13 ~]# ldapsearch -x -h ipaqavma.idmqe.lab.eng.bos.redhat.com -b 'ou=sudoers,dc=example,dc=com' -D 'cn=Manager,dc=example,dc=com' -w 'Secret123'
# extended LDIF
#
# LDAPv3
# base <ou=sudoers,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Sudoers, example.com
dn: ou=Sudoers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Sudoers

# defaults, Sudoers, example.com
dn: cn=defaults,ou=Sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
sudoOption: !authenticate
cn: defaults

# test, Sudoers, example.com
dn: cn=test,ou=Sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoUser: ALL
cn: test
sudoRunAsUser: ALL
sudoNotBefore: 2020030509Z

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
```

```
~]# systemctl stop sssd ; rm -rf /var/lib/sss/db/* ; rm -rf /var/log/sssd/* ; systemctl start sssd
[root@kvm-02-guest13 ~]# sudo -l -U user1
User user1 may run the following commands on kvm-02-guest13:
    (ALL) NOTBEFORE=20200305090000Z ALL
[root@kvm-02-guest13 ~]# ssh user1@localhost
user1@localhost's password:
** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **
This System is part of the Red Hat Test System.
Please do not use this system for individual unit testing.

RHTS Test information:
    HOSTNAME=kvm-02-guest13.hv2.lab.eng.bos.redhat.com
    JOBID=4112847
    RECIPEID=7982488
    LAB_SERVER=
    RESULT_SERVER=LEGACY
    DISTRO=RHEL-8.2.0-20200227.0
** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **
Last login: Thu Mar  5 09:15:19 2020 from ::1
Could not chdir to home directory /home/user1: No such file or directory
[user1@kvm-02-guest13 /]$ sudo -l
Matching Defaults entries for user1 on kvm-02-guest13:
    !authenticate

User user1 may run the following commands on kvm-02-guest13:
    (ALL) NOTBEFORE=20200305090000Z ALL
[user1@kvm-02-guest13 /]$ sudo -l
Matching Defaults entries for user1 on kvm-02-guest13:
    !authenticate

User user1 may run the following commands on kvm-02-guest13:
    (ALL) NOTBEFORE=20200305090000Z ALL
[user1@kvm-02-guest13 /]$ sudo less /var/log/secure
[user1@kvm-02-guest13 /]$ touch /etc/sssd/sssd.conf
touch: cannot touch '/etc/sssd/sssd.conf': Permission denied
[user1@kvm-02-guest13 /]$ sudo touch /etc/sssd/sssd.conf
[user1@kvm-02-guest13 /]$ sudo True
sudo: True: command not found
[user1@kvm-02-guest13 /]$ sudo true
[user1@kvm-02-guest13 /]$ logout
Connection to localhost closed.
[root@kvm-02-guest13 ~]# date +%Y%m%d%H%M%S
20200305095639
```

Marking verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1863
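The value at the centre of this bug is `sudoNotBefore: 2020030509Z`: an LDAP GeneralizedTime given to the hour only, which RFC 4517 permits but which a parser that insists on the full 14-digit `YYYYMMDDHHMMSSZ` form rejects. After the fix, `sudo -l` above prints the same value canonicalised as `NOTBEFORE=20200305090000Z`. The following is an added example, not code from the bug report or from sssd: it implements the RFC 4517 GeneralizedTime grammar (hour, optional minutes and seconds, optional fraction, `Z` or a `+HH[MM]`/`-HH[MM]` offset), canonicalises to the 14-digit UTC form, and applies the time window that `sudo_timed = true` asks sssd to enforce. `parse_strict` models the pre-fix behaviour as an assumption about what the old code did; the inclusive window boundaries in `rule_is_active` and the sample timestamps are likewise assumptions of this example, and the `now` value is constructed from the `date` output in the verification, treated as UTC.

```python
"""LDAP GeneralizedTime handling for sudoNotBefore / sudoNotAfter.

Added example (not sssd or sudo code).  Grammar taken from RFC 4517
section 3.3.13; everything about how sssd itself parses is an assumption.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional, Union

# RFC 4517 GeneralizedTime:
#   YYYYMMDD HH [MM [SS]] [ ('.' | ',') fraction ] ( 'Z' | ('+'|'-') HH [MM] )
_GENERALIZED_TIME = re.compile(
    r"^(?P<date>\d{8})(?P<hour>\d{2})(?P<minute>\d{2})?(?P<second>\d{2})?"
    r"(?:[.,](?P<fraction>\d+))?"
    r"(?P<tz>Z|[+-]\d{2}(?:\d{2})?)$"
)


def parse_strict(value: str) -> datetime:
    """Assumed pre-fix behaviour: only the full YYYYMMDDHHMMSSZ form parses."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_generalized_time(value: str) -> datetime:
    """Accept every RFC 4517 form and return an aware UTC datetime."""
    m = _GENERALIZED_TIME.match(value)
    if not m:
        raise ValueError(f"not an RFC 4517 GeneralizedTime: {value!r}")
    d = m.group("date")
    hour = int(m.group("hour"))
    minute = int(m.group("minute") or 0)
    second = int(m.group("second") or 0)
    extra = timedelta(0)
    if second == 60:  # RFC 4517 leap second: carry into the next minute
        second, extra = 59, timedelta(seconds=1)
    # The fraction refines the smallest field that was actually present,
    # so "2020030509.5Z" means 09:30, not 09:00:00.5.
    if m.group("fraction"):
        unit = 1 if m.group("second") else 60 if m.group("minute") else 3600
        extra += timedelta(seconds=float("0." + m.group("fraction")) * unit)
    # datetime() itself rejects impossible dates such as 20200230.
    local = datetime(int(d[:4]), int(d[4:6]), int(d[6:8]), hour, minute, second)
    tz = m.group("tz")
    if tz == "Z":
        offset = timedelta(0)
    else:
        sign = 1 if tz[0] == "+" else -1
        offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5] or 0))
    # Local time minus its UTC offset is UTC.
    return (local - offset + extra).replace(tzinfo=timezone.utc)


def canonical(value: str) -> str:
    """The 14-digit UTC form sudo -l prints, e.g. NOTBEFORE=20200305090000Z."""
    return parse_generalized_time(value).strftime("%Y%m%d%H%M%SZ")


def accepts(parser: Callable[[str], datetime], value: str) -> bool:
    """True when parser(value) does not raise ValueError."""
    try:
        parser(value)
        return True
    except ValueError:
        return False


def rule_is_active(now: Union[str, datetime],
                   not_before: Optional[str] = None,
                   not_after: Optional[str] = None) -> bool:
    """Window check implied by sudo_timed = true: the rule applies only
    between sudoNotBefore and sudoNotAfter.  Both ends are treated as
    inclusive here, an assumption of this example, not sssd's documented rule."""
    if isinstance(now, str):
        now = parse_generalized_time(now)
    if not_before and now < parse_generalized_time(not_before):
        return False
    if not_after and now > parse_generalized_time(not_after):
        return False
    return True


if __name__ == "__main__":
    for v in ("2020030509Z", "202003050930Z", "20200305090000Z", "2020030509+0100"):
        print(f"{v:>18} -> {canonical(v)}")
    print("strict parser accepts hours-only form:", accepts(parse_strict, "2020030509Z"))
    # "now" constructed from the `date +%Y%m%d%H%M%S` output above, taken as UTC.
    print("rule active at 20200305095639Z:",
          rule_is_active("20200305095639Z", not_before="2020030509Z"))
```

Run it on the entry from the verification and the hours-only value canonicalises to `20200305090000Z`, exactly what `sudo -l` printed once the fix was in; the strict parser raises on the same input, which is the failure mode the bug title describes. When checking a directory for entries that will trip an older sssd, the values to look for are `sudoNotBefore`/`sudoNotAfter` strings shorter than 15 characters or carrying a fraction or a numeric offset instead of `Z`.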