Bug 720711

Summary: Users are not matched from sudo client.
Product: Red Hat Enterprise Linux 6
Reporter: Gowrishankar Rajaiyan <grajaiya>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: unspecified
Priority: unspecified
Version: 6.2
CC: benl, jgalipea, mkosek, shaines
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-2.1.0-1.el6
Doc Type: Bug Fix
Doc Text: Do not document
Last Closed: 2011-12-06 18:41:14 UTC

Description Gowrishankar Rajaiyan 2011-07-12 15:06:15 UTC
Description of problem:


Version-Release number of selected component (if applicable):
ipa-server-2.0.99-3.20110712T0529zgit3229eee.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. # ipa-nis-manage enable
[root@qe-blade-04 ~]# hostname 
qe-blade-04.testrelm
[root@qe-blade-04 ~]# nisdomainname 
testrelm

2. [root@qe-blade-04 ~]# ipa user-add user1
First name: user
Last name: 1
------------------
Added user "user1"
------------------
  User login: user1
  First name: user
  Last name: 1
  Full name: user 1
  Display name: user 1
  Initials: u1
  Home directory: /home/user1
  GECOS field: user 1
  Login shell: /bin/sh
  Kerberos principal: user1@TESTRELM
  UID: 742600006
  GID: 742600006
[root@qe-blade-04 ~]# ipa passwd user1
Password: 
Enter Password again to verify: 
-------------------------------------
Changed password for "user1@TESTRELM"
-------------------------------------

3. [root@qe-blade-04 ~]# ipa sudorule-add 
Rule name: testrule1
---------------------------
Added sudo rule "testrule1"
---------------------------
  Rule name: testrule1
  Enabled: TRUE
[root@qe-blade-04 ~]# ipa sudorule-add-user
Rule name: testrule1
[member user]: user1
[member group]: user1
  Rule name: testrule1
  Enabled: TRUE
  Users: user1
  Groups: user1
-------------------------
Number of members added 2
-------------------------
[root@qe-blade-04 ~]# 

4. [root@qe-blade-04 ~]# ipa sudorule-find testrule1 --all --raw
-------------------
1 sudo rule matched
-------------------
  dn: ipauniqueid=85dc8ce2-ac95-11e0-9702-00215e202e2e,cn=sudorules,cn=sudo,dc=testrelm
  cn: testrule1
  ipaenabledflag: TRUE
  memberuser: cn=user1,cn=groups,cn=accounts,dc=testrelm
  memberuser: uid=user1,cn=users,cn=accounts,dc=testrelm
  ipauniqueid: 85dc8ce2-ac95-11e0-9702-00215e202e2e
  objectclass: ipaassociation
  objectclass: ipasudorule
----------------------------
Number of entries returned 1
----------------------------
[root@qe-blade-04 ~]# 

5. [root@qe-blade-04 ~]# cat /etc/nss_ldap.conf 
bind_policy soft
sudoers_base ou=SUDOers,dc=testrelm
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=testrelm
bindpw bind123
ssl no

tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
sudoers_debug 5
BASE dc=testrelm
TLS_CACERTDIR /etc/ipa
uri ldap://qe-blade-04.testrelm

6. [root@qe-blade-04 ~]# ssh -l user1 localhost
user1@localhost's password: 
Last login: Tue Jul 12 10:47:52 2011 from localhost
-sh-4.1$ sudo -l
Actual results:
-sh-4.1$ sudo -l
LDAP Config Summary
===================
uri              ldap://qe-blade-04.testrelm
ldap_version     3
sudoers_base     ou=SUDOers,dc=testrelm
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=testrelm
bindpw           bind123
bind_timelimit   5000
timelimit        15
ssl              no
tls_checkpeer    (yes)
tls_cacertfile   /etc/ipa/ca.crt
tls_cacertdir    /etc/ipa
===================
sudo: ldap_initialize(ld, ldap://qe-blade-04.testrelm)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacertdir -> /etc/ipa
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=testrelm
sudo: user_matches=0    <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
sudo: host_matches=0
sudo: sudo_ldap_lookup(52)=0xe0
[sudo] password for user1: 
user1 is not in the sudoers file.  This incident will be reported.
-sh-4.1$ 
Expected results:
user1 should match from sudo client.

Additional info:
This worked for me in ipa-server-2.0.0-25.el6.x86_64

-sh-4.1$ sudo -l
LDAP Config Summary
===================
uri              ldap://bumblebee.lab.eng.pnq.redhat.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
bindpw           bind123
bind_timelimit   5000
timelimit        15
ssl              no
tls_checkpeer    (yes)
tls_cacertfile   /etc/ipa/ca.crt
tls_cacertdir    /etc/ipa
===================
sudo: ldap_initialize(ld, ldap://bumblebee.lab.eng.pnq.redhat.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacertdir -> /etc/ipa
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
sudo: user_matches=1 <<<<<<<<<<<<<<<<<<<<<<<<<
sudo: host_matches=0
sudo: sudo_ldap_lookup(52)=0xc0

Comment 2 Gowrishankar Rajaiyan 2011-07-13 12:26:46 UTC
Note: In this case ipa server was installed with --setup-dns option. 

ipa-server-install --setup-dns --forwarder=$DNSFORWARD --hostname=$hostname_s.$DOMAIN -r $RELM -n $DOMAIN -p $ADMINPW -P $ADMINPW -a $ADMINPW -U

I installed ipa-server without this option and sudo seems to work as expected.

Comment 3 Rob Crittenden 2011-07-13 12:31:35 UTC
https://fedorahosted.org/freeipa/ticket/1472

Comment 7 Rob Crittenden 2011-10-31 20:55:19 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Do not document

Comment 8 Gowrishankar Rajaiyan 2011-11-02 05:35:53 UTC
-sh-4.1$ sudo -l > /tmp/sudo_list.out 2>&1 
[sudo] password for user1: 
-sh-4.1$ LDAP Config Summary
===================
uri              ldap://qe-blade-12.testrelm
ldap_version     3
sudoers_base     ou=SUDOers,dc=testrelm
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=testrelm
bindpw           bind123
bind_timelimit   5000
timelimit        15
ssl              no
tls_checkpeer    (yes)
tls_cacertfile   /etc/ipa/ca.crt
tls_cacertdir    /etc/ipa
===================
sudo: ldap_initialize(ld, ldap://qe-blade-12.testrelm)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacertdir -> /etc/ipa
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=testrelm
sudo: ldap sudoHost 'qe-blade-12.testrelm' ... MATCH!
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(52)=0x02

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%ipausers)(sudoUser=ALL))'
sudo: ldap sudoHost 'qe-blade-12.testrelm' ... MATCH!
sudo: ldap search 'sudoUser=+*'
User user1 may run the following commands on this host:
    (root) /bin/mkdir
:: [   PASS   ] :: Running 'sudo_list user1'
:: [   PASS   ] :: File '/tmp/sudo_list.out' should contain 'sudo: user_matches=1'
:: [   PASS   ] :: File '/tmp/sudo_list.out' should contain 'sudo: host_matches=1'
:: [   PASS   ] :: File '/tmp/sudo_list.out' should contain 'sudo: ldap sudoHost 'qe-blade-12.testrelm' ... MATCH'
:: [   PASS   ] :: File '/tmp/sudo_list.out' should contain 'User user1 may run the following commands on this host:'
:: [   PASS   ] :: File '/tmp/sudo_list.out' should contain '(root) /bin/mkdir'
Verified.
Version: ipa-server-2.1.3-7.el6.x86_64
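
The sudoUser search filter and the user_matches/host_matches counters seen in the debug output above, modelled as an added Python example (not sudo's or IPA's own code): it builds the filter in the form sudo logs it and evaluates the sudoUser and sudoHost values of constructed sudoRole-style entries the way the counters report them. Netgroup ('+name') values, RunAs matching and command-argument matching are left out as assumptions of this model.

```python
import fnmatch

# Constructed sudoRole-style entries (attribute names from sudo's LDAP schema; values made up).
SAMPLE_ENTRIES = [
    {"cn": ["testrule1"], "sudoUser": ["user1"], "sudoHost": ["qe-blade-12.testrelm"],
     "sudoRunAsUser": ["root"], "sudoCommand": ["/bin/mkdir"]},
    {"cn": ["wheel-all"], "sudoUser": ["%wheel"], "sudoHost": ["ALL"],
     "sudoRunAsUser": ["root"], "sudoCommand": ["ALL"]},
]

def sudo_user_filter(user, groups):
    """Build the filter sudo logs as "ldap search '(|(sudoUser=...)...)'":
    the login name, each group prefixed with '%', then ALL."""
    terms = [f"(sudoUser={user})"] + [f"(sudoUser=%{g})" for g in groups]
    return "(|" + "".join(terms) + "(sudoUser=ALL))"

def user_matches(entry, user, groups):
    """True if a sudoUser value is the user, one of its groups ('%name'), or ALL.
    '+netgroup' values need a netgroup lookup and stay unmatched in this model."""
    for value in entry.get("sudoUser", []):
        if value == "ALL" or value == user:
            return True
        if value.startswith("%") and value[1:] in groups:
            return True
    return False

def host_matches(entry, hostname, fqdn):
    """True if a sudoHost value is ALL, the short or full host name, or a glob on the FQDN."""
    for value in entry.get("sudoHost", []):
        if value == "ALL" or value in (hostname, fqdn) or fnmatch.fnmatchcase(fqdn, value):
            return True
    return False

def lookup(entries, user, groups, hostname, fqdn):
    """Return (user_matches, host_matches, allowed) the way sudo's debug counters report them.
    allowed holds "(runas) command" lines for entries that pass both checks."""
    user_hit = host_hit = 0
    allowed = []
    for entry in entries:
        if not user_matches(entry, user, groups):
            continue
        user_hit = 1
        if not host_matches(entry, hostname, fqdn):
            continue
        host_hit = 1
        runas = ",".join(entry.get("sudoRunAsUser", ["root"]))
        allowed += [f"({runas}) {cmd}" for cmd in entry.get("sudoCommand", [])]
    return user_hit, host_hit, allowed
```

Calling lookup(SAMPLE_ENTRIES, "user1", ["user1", "ipausers"], "qe-blade-12", "qe-blade-12.testrelm") yields (1, 1, ["(root) /bin/mkdir"]), the verified state; a user named in no sudoUser value yields (0, 0, []), the counters of the original failure.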

Comment 9 errata-xmlrpc 2011-12-06 18:41:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html