Bug 869013

Summary: Sudo smart refresh doesn't occur on time
Product: Red Hat Enterprise Linux 6
Reporter: Nikolai Kondrashov <nikolai.kondrashov>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Kaushik Banerjee <kbanerje>
Severity: medium
Docs Contact:
Priority: medium
Version: 6.4
CC: dpal, grajaiya, jgalipea, pbrezina
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: sssd-1.9.2-5.el6
Doc Type: Bug Fix
Doc Text:
Cause: SUDO smart refresh was not performed if the LDAP server did not contain any rule when SSSD started. Consequence: Newly created rules were found after a longer period of time than the ldap_sudo_smart_refresh_interval option says. Fix: SUDO smart refresh is performed. Result: Newly created rules are found within the ldap_sudo_smart_refresh_interval time span.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-21 09:37:51 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments: Base ldif, sssd.conf and logs from the reproduction script (flags: none)

Description Nikolai Kondrashov 2012-10-22 18:34:55 UTC
Created attachment 631670 [details]
Base ldif, sssd.conf and logs from the reproduction script

Description of problem:
A sudo rule node newly added to the LDAP server doesn't get noticed by sssd within smart refresh interval, only within full refresh interval.

Version-Release number of selected component (if applicable):
libsss_autofs-1.9.2-3.el6.x86_64
libsss_idmap-1.9.2-3.el6.x86_64
libsss_sudo-1.9.2-3.el6.x86_64
sssd-client-1.9.2-3.el6.x86_64
sssd-1.9.2-3.el6.x86_64

How reproducible:
Always.

Steps to Reproduce:
#
# Setup
#
service sssd stop
# Short intervals so the refresh behaviour is observable within a minute
echo "ldap_sudo_smart_refresh_interval = 10" >> /etc/sssd/sssd.conf
echo "ldap_sudo_full_refresh_interval = 30" >> /etc/sssd/sssd.conf
# Start from an empty cache; the LDAP server holds no sudo rule yet
rm /var/lib/sss/db/*.ldb
service sssd start
# Wait for the service to really come up,
# see https://fedorahosted.org/sssd/ticket/1357
# Without this delay the bug won't reproduce
sleep 3
# Prints ALLOWED if user1 may run a command as user2 via sudo, DENIED otherwise
check_sudo() { su user1 -c 'sudo -u user2 true' 2>/dev/null && echo ALLOWED || echo DENIED; }
#
# Test
#
check_sudo
# Add a rule permitting everything (no authentication) while sssd is running
ldapmodify -x -h server -D 'cn=Directory Manager' -w Secret123 -a <<EOF
dn: cn=test,ou=Sudoers,dc=example,dc=com
cn: test
objectClass: top
objectClass: sudoRole
sudoOption: !authenticate
sudoUser: ALL
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL
EOF
# Checks at roughly 3 s, 15 s, 25 s and 35 s after sssd start: the smart
# refresh (every 10 s) should pick the rule up by the check after the first
# sleep; the full refresh (every 30 s) only by the last check
check_sudo; sleep 12; check_sudo; sleep 10; check_sudo; sleep 10; check_sudo
#
# Teardown
#
unset check_sudo
service sssd stop
# Remove the temporary interval settings and the test rule again
grep -v 'ldap_sudo_\(smart\|full\)_refresh_interval' /etc/sssd/sssd.conf > /etc/sssd/sssd.conf.new
mv /etc/sssd/sssd.conf{.new,}
chmod 0600 /etc/sssd/sssd.conf
ldapdelete -x -h server -D 'cn=Directory Manager' -w Secret123 cn=test,ou=Sudoers,dc=example,dc=com
rm /var/lib/sss/db/*.ldb
service sssd start

Actual results:
DENIED
DENIED
DENIED
DENIED
ALLOWED

Expected results:
DENIED
DENIED
ALLOWED
ALLOWED
ALLOWED
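As an added illustration that is not part of the report or of SSSD's own code: a small Python model of the refresh schedule, using the intervals the script sets (smart 10 s, full 30 s) and the script's check times. The `buggy` flag is an assumed simplification of the cause stated in the Doc Text (no smart refresh is armed after a startup full refresh that found no rules); replaying the timeline with it on and off yields the "Actual results" and "Expected results" columns above, which shows why a rule added right after startup stays invisible until the full refresh.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Intervals as set by the reproduction script (seconds).
SMART_INTERVAL = 10   # ldap_sudo_smart_refresh_interval
FULL_INTERVAL = 30    # ldap_sudo_full_refresh_interval


@dataclass
class SudoRuleCache:
    """Toy model of the sudo rule cache (assumption, not SSSD's implementation)."""
    server: Set[str]                    # rule names present on the simulated LDAP server
    buggy: bool                         # True: reproduce the reported behaviour
    rules: Set[str] = field(default_factory=set)
    next_full: Optional[int] = 0        # a full refresh runs at startup (t = 0)
    next_smart: Optional[int] = None

    def full_refresh(self, now: int) -> None:
        self.rules = set(self.server)
        self.next_full = now + FULL_INTERVAL
        # Modelled cause: when the full refresh found no rules, the buggy
        # version never arms the smart refresh timer.
        self.next_smart = None if (self.buggy and not self.rules) else now + SMART_INTERVAL

    def smart_refresh(self, now: int) -> None:
        self.rules |= self.server       # picks up rules added since the last refresh
        self.next_smart = now + SMART_INTERVAL

    def advance_to(self, t: int) -> None:
        """Run every refresh that is due at or before time t, in time order."""
        while True:
            due = [(w, k) for w, k in ((self.next_full, "full"), (self.next_smart, "smart"))
                   if w is not None and w <= t]
            if not due:
                return
            when, kind = min(due)
            (self.full_refresh if kind == "full" else self.smart_refresh)(when)

    def check(self, t: int) -> str:
        """check_sudo at time t: the cn=test rule grants the request once cached."""
        self.advance_to(t)
        return "ALLOWED" if "test" in self.rules else "DENIED"


def replay(buggy: bool) -> List[str]:
    """Replay the script: sleep 3, check, add the rule, then checks at +12, +10, +10 s."""
    cache = SudoRuleCache(server=set(), buggy=buggy)
    out = [cache.check(3)]              # first check_sudo, before ldapmodify
    cache.server.add("test")            # ldapmodify adds cn=test at about t = 3
    for t in (3, 15, 25, 35):
        out.append(cache.check(t))
    return out
```

`replay(True)` gives the reported DENIED, DENIED, DENIED, DENIED, ALLOWED sequence and `replay(False)` the expected DENIED, DENIED, ALLOWED, ALLOWED, ALLOWED.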

Comment 2 Jakub Hrozek 2012-10-23 10:05:46 UTC
Pavel, can you check out the test and work with Nikolai on fixing this? Thanks!

Comment 3 Jakub Hrozek 2012-10-23 12:31:20 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1596

Comment 5 Jakub Hrozek 2012-10-24 16:26:20 UTC
Fixed upstream.

Comment 7 Nikolai Kondrashov 2012-12-14 16:56:19 UTC
Verified fixed in following packages:

sssd-client-1.9.2-41.el6.x86_64
libsss_idmap-1.9.2-41.el6.x86_64
libsss_sudo-1.9.2-41.el6.x86_64
sudo-1.8.6p3-6.el6.x86_64
sssd-1.9.2-41.el6.x86_64

Relevant sudo suite output:

:: [   PASS   ] :: refresh_add_rule_before_smart
:: [   PASS   ] :: refresh_add_rule_after_smart
:: [   PASS   ] :: refresh_mod_rule_user_to_mismatch
:: [   PASS   ] :: refresh_mod_rule_user_to_match_before_smart
:: [   PASS   ] :: refresh_mod_rule_user_to_match_after_smart
:: [   PASS   ] :: refresh_mod_rule_command_to_mismatch
:: [   PASS   ] :: refresh_mod_rule_command_to_match
:: [   PASS   ] :: refresh_mod_rule_runasuser_to_mismatch
:: [   PASS   ] :: refresh_mod_rule_runasuser_to_match
:: [   PASS   ] :: refresh_mod_rule_runasgroup_to_mismatch
:: [   PASS   ] :: refresh_mod_rule_runasgroup_to_match
:: [   PASS   ] :: refresh_mod_rule_sudooption_to_require_auth
:: [   PASS   ] :: refresh_mod_rule_sudooption_to_not_require_auth

Comment 8 errata-xmlrpc 2013-02-21 09:37:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html