Bug 871208

Summary:	ipa sudorule-add-user should accept external users
Product:	Red Hat Enterprise Linux 8	Reporter:	Scott Poore <spoore>
Component:	ipa	Assignee:	IPA Maintainers <ipa-maint>
Status:	CLOSED ERRATA	QA Contact:	IDM QE LIST <seceng-idm-qe-list>
Severity:	unspecified	Docs Contact:
Priority:	medium
Version:	8.0	CC:	abokovoy, blc, dpal, ipa-maint, jgalipea, ksiddiqu, ldelouw, mkosek, mpolovka, mvarun, ndehadra, pasik, pcech, pvoborni, rcritten, ssidhaye, tscherf, twoerner, wefleury
Target Milestone:	rc	Keywords:	Triaged
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	ipa-4.9.1-1	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2021-05-18 15:47:45 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Scott Poore 2012-10-29 22:33:01 UTC

Description of problem:

ipa sudorule-add-user restricts users names to a limited variety of characters.  At the very least @ and \ should be included to cover username conventions used for AD trusted users.  When I try now, I see this:

[root@rhel6-1 failure1]#  ipa sudorule-add-user testrule --users=adtestuser1
ipa: ERROR: invalid 'user': may only include letters, numbers, _, -, . and $

In addition Simo mentioned in an email:

We should allow any character in this case.
These are external user/group names, we do not have any control on them.

If I want to add the user ätest@foo^^bar in /etc/passwd then I should be
allowed to use it in a sudo rule

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-106.20121026T1837zgitf14dd98.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1.  Setup IPA Master
2.  ipa sudorule-add testrule
3.  ipa sudorule-add-user --users=test
  
Actual results:
error listed above

Expected results:
success

Additional info:

Comment 2 Dmitri Pal 2012-10-29 23:27:36 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3226

Comment 3 Scott Poore 2012-10-30 14:53:10 UTC

After Sumit brought up a good point, I'm modifying this request.

Instead of modifying --users option functionality, I'd like to request a new --external (or similar) option.  This will allow a distinction between adding IPA users and External ones coming from other sources like AD.

I'd think we'd keep the option similar to the group-add one used when adding AD groups/users to a group in IPA.

Comment 7 Petr Vobornik 2017-02-23 15:12:45 UTC

The bugzilla doesn't have high enough priority in comparison to other bugs/RFEs for 7.4. Moving to next release. Without sufficient justification it can be moved again later.

Comment 20 Rob Crittenden 2021-01-26 18:07:14 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/afcb06006c46073838ca196ac6d235854c91b854
https://pagure.io/freeipa/c/172e4b977048af7cdb244b52aec08a024749962e
https://pagure.io/freeipa/c/5fae809d921c58b6450d4d10f46b9013e1e31da1
https://pagure.io/freeipa/c/0ffdfc70f26e6f863c69c2ff03219e96dd5fd618
https://pagure.io/freeipa/c/a37db297f036390c6b75eca77fa88422df4f51a0
https://pagure.io/freeipa/c/349322e3fb6da88a964d53e6f157743b29e40d30
https://pagure.io/freeipa/c/09e06e05641be5e71d5a1a6a273cb0c3c0c4531b
https://pagure.io/freeipa/c/642b81e99f6f267c2c24a47816a2f9ae7464a858
https://pagure.io/freeipa/c/c91a1a078aea9996d30854ede1ce266f74a6176f
https://pagure.io/freeipa/c/08d720982876926ba555b94fdde6c84469b20868

Comment 21 Rob Crittenden 2021-01-26 21:32:34 UTC

Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/16b30cbe5e4f1fd8965ed27ba2ca9b4b7b295e9c
https://pagure.io/freeipa/c/132d7fb0ed21e2e7cc69366e2141ae69e7864afb
https://pagure.io/freeipa/c/ffc2edf61efccbcbd4294fbc8a8613decea299a3
https://pagure.io/freeipa/c/a3563d1c35fbe9e6e96199ead211ec3b4ff1d2d2
https://pagure.io/freeipa/c/054a068f4705cd715789ceda75fa709404d5f884
https://pagure.io/freeipa/c/78043bfb5e2a3b1fc0fae6d55ba605ba469ce5ae
https://pagure.io/freeipa/c/f4d3c91e7f80659268e006dffa5f064b29b45c98
https://pagure.io/freeipa/c/a7c56fde7727bfad3f885cf50e21182cdc46024e
https://pagure.io/freeipa/c/64b70be65698b12927795a7a8b79ef7aada010b8
https://pagure.io/freeipa/c/51ca38772f41d3a26a4253a732338d09a69f9647

Comment 22 Alexander Bokovoy 2021-01-27 09:44:22 UTC

Upstream design document: https://freeipa.readthedocs.io/en/latest/designs/adtrust/sudorules-with-ad-objects.html

Comment 28 Michal Polovka 2021-02-02 11:25:10 UTC

Verified using ipa-server-4.9.1-1.module+el8.4.0+9665+c9815399.x86_64 and ipa-server-trust-ad-4.9.1-1.module+el8.4.0+9665+c9815399.x86_64 in RHEL8.4 nightly build.

Passed 	test_integration/test_trust.py::TestTrust::()::test_sudorules_ad_users
Passed 	test_integration/test_trust.py::TestTrust::()::test_sudorules_ad_groups	
Passed 	test_integration/test_trust.py::TestTrust::()::test_sudorules_ad_runasuser
Passed 	test_integration/test_trust.py::TestTrust::()::test_sudorules_ad_runasuser_group
Passed 	test_integration/test_trust.py::TestTrust::()::test_sudorules_ad_runasgroup

Full test log is available as an attachment of this BZ.

Comment 31 errata-xmlrpc 2021-05-18 15:47:45 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1846