Bug 2121399

Summary: GID in SudoUser entry does not work via SSSD provider

| Field | Value | Field | Value |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | nbubakov |
| Component: | sudo | Assignee: | Radovan Sroka <rsroka> |
| Status: | CLOSED MIGRATED | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 9.0 | CC: | dapospis |
| Target Milestone: | rc | Keywords: | MigratedToJIRA, Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 2121402 (view as bug list) | Environment: | |
| Last Closed: | 2023-08-01 11:36:58 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description of problem:
Sudo rule option SudoUser with group ID does not work via SSSD provider. But it works via LDAP.

Version-Release number of selected component (if applicable):
tested and failed on all RHEL8 and RHEL9

How reproducible:
Every time

Steps to Reproduce:
1. setup sudo to use sssd, using this ldap data:

```ldif
# my-domain.com
dn: dc=my-domain,dc=com
objectClass: dcObject
objectClass: organization
dc: my-domain
o: Test server

# Groups, my-domain.com
dn: ou=Groups,dc=my-domain,dc=com
objectClass: top
objectClass: organizationalunit
ou: Groups

# People, my-domain.com
dn: ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: organizationalunit
ou: People

# admin, People, my-domain.com
dn: cn=admin,ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
cn: admin
uidNumber: 11001
gidNumber: 21001
homeDirectory: /home/admin
loginShell: /bin/bash
uid: admin
userPassword:: eA==

# admin, Groups, my-domain.com
dn: cn=admin,ou=Groups,dc=my-domain,dc=com
gidNumber: 21001
objectClass: top
objectClass: posixGroup
cn: 21001
cn: admin

# userallowed, People, my-domain.com
dn: cn=userallowed,ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
cn: userallowed
uidNumber: 10001
gidNumber: 20001
homeDirectory: /home/userallowed
loginShell: /bin/bash
uid: userallowed
userPassword:: eA==

# groupallowed, Groups, my-domain.com
dn: cn=groupallowed,ou=Groups,dc=my-domain,dc=com
gidNumber: 20001
objectClass: top
objectClass: posixGroup
cn: groupallowed

# usernotallowed, People, my-domain.com
dn: cn=usernotallowed,ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
cn: usernotallowed
uidNumber: 10002
gidNumber: 20002
homeDirectory: /home/usernotallowed
loginShell: /bin/bash
uid: usernotallowed
userPassword:: eA==

# groupnotallowed, Groups, my-domain.com
dn: cn=groupnotallowed,ou=Groups,dc=my-domain,dc=com
gidNumber: 20002
objectClass: top
objectClass: posixGroup
cn: groupnotallowed

# Sudoers, my-domain.com
dn: ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Sudoers

# defaults, Sudoers, my-domain.com
dn: cn=defaults,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: !authenticate
sudoOption: !requiretty

# rule1, Sudoers, my-domain.com
dn: cn=rule1,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: rule1
sudoHost: ALL
sudoCommand: ALL
sudoUser: %#20001
```

2. check it with following command:

```console
$ su - userallowed -c 'sudo true'
```

Actual results:
Gets generic error - exit status 1

Expected results:
userallowed is in the sudoers file - exit status 0

Additional info:
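An added example, not code from the bug report, sudo or SSSD: a minimal LDIF reader plus the sudoUser forms documented in sudoers(5) (user name, #uid, %group, %#gid, ALL), evaluated against the accounts from the report's LDIF. It gives the reference result the step-2 check should reproduce: only userallowed, whose primary GID is 20001, matches `%#20001`. The function names parse_ldif, sudo_user_matches and users_matching are assumptions of this example.

```python
# Added example, not from the bug report, sudo or SSSD: a minimal LDIF reader
# and the sudoUser forms in sudoers(5), checked against the report's accounts.
LDIF = """\
uid: userallowed
uidNumber: 10001
gidNumber: 20001

uid: usernotallowed
uidNumber: 10002
gidNumber: 20002

cn: groupallowed
gidNumber: 20001
"""  # constructed subset of the reporter's LDIF (dn lines omitted)

def parse_ldif(text):
    """Entries as dicts of attribute -> list of values; blank line separates."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def sudo_user_matches(spec, name, uid, gids, groups):
    """One sudoUser value: ALL, %#gid, %group, #uid or a plain user name."""
    if spec == "ALL":
        return True
    if spec.startswith("%#"):        # numeric group ID (the form in rule1)
        return int(spec[2:]) in gids
    if spec.startswith("%"):         # group name
        return spec[1:] in groups
    if spec.startswith("#"):         # numeric user ID
        return int(spec[1:]) == uid
    return spec == name

def users_matching(entries, spec):
    """uid values of the accounts that one sudoUser value matches."""
    gid_to_name = {int(e["gidNumber"][0]): e["cn"][0]
                   for e in entries if "gidNumber" in e and "uid" not in e}
    matched = set()
    for e in (e for e in entries if "uid" in e):
        name, uid, gid = e["uid"][0], int(e["uidNumber"][0]), int(e["gidNumber"][0])
        groups = {gid_to_name[gid]} if gid in gid_to_name else set()
        if sudo_user_matches(spec, name, uid, {gid}, groups):
            matched.add(name)
    return matched
```

Only primary GIDs are considered here; sudo also honours supplementary group membership, which this subset of the LDIF does not define.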