Bug 987479

Summary: libsss_sudo should depend on sudo package with sssd support
Product: Red Hat Enterprise Linux 6
Reporter: Eduardo Minguez <eminguez>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified
Priority: unspecified
Version: 6.4
CC: dpal, grajaiya, jgalipea, lslebodn, mkosek, pbrezina, rcritten
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.9.2-95.el6
Doc Type: Bug Fix
Doc Text:
Cause: libsss_sudo package didn't require sudo built with SSSD support.
Consequence: libsss_sudo package could be installed with sudo version that doesn't work with SSSD.
Fix: libsss_sudo package now requires sudo >= 1.8.6p3-6.
Result: libsss_sudo can be only installed with sudo that is built with SSSD support.
Last Closed: 2013-11-21 22:21:24 UTC
Type: Bug
Attachments: specfile patch (flags: none)

Description Eduardo Minguez 2013-07-23 13:05:43 UTC
Description of problem:
RHEL6.0 with RHEL6.4 ipa packages installed (libsss_sudo included), and sudo-1.7.2p2-9.el6.x86_64

Configuring /etc/sssd/sssd.conf to use it for sudo rules doesn't work

$ sudo /usr/bin/less
[sudo] password for testuser: 
testuser is not in the sudoers file.  This incident will be reported.

Version-Release number of selected component (if applicable):
sudo-1.7.2p2-9.el6.x86_64
libsss_sudo-1.9.2-82.7.el6_4.x86_64

How reproducible:
Fresh RHEL6.0 + ipa-client (and dependencies) from RHEL6.4 + libsss_sudo from RHEL6.4
Configure sssd for sudo rules against IdM

Steps to Reproduce:
1. Run sudo command allowed

Actual results:
$ sudo /usr/bin/less
[sudo] password for testuser: 
testuser is not in the sudoers file.  This incident will be reported.

Expected results:
$ sudo /usr/bin/less
[sudo] password for testuser: 
Missing filename ("less --help" for help)

Additional info:

Upgrading sudo package to sudo-1.8.6p3-7.el6.x86_64 works fine (I don't know if an older version works too)

/var/sssd/sssd.log with debug_level = 6 (I think the section attached is full, but I'm not sure 100%):

(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [be_get_account_info] (0x0100): Got request for [3][1][name=testuser]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=idm,dc=lvtc,dc=gsnet,dc=corp]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=testuser)(objectclass=posixAccount))][cn=accounts,dc=idm,dc=lvtc,dc=gsnet,dc=corp].
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_save_user] (0x0400): Storing info for user testuser
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lvtc,dc=gsnet,dc=corp].
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_initgr_nested_search] (0x0040): Search for group cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lvtc,dc=gsnet,dc=corp, returned 0 results. Skipping
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][ipauniqueid=9a41b00e-e960-11e2-b437-005056886a0a,cn=hbac,dc=idm,dc=lvtc,dc=gsnet,dc=corp].
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_initgr_nested_search] (0x0040): Search for group ipauniqueid=9a41b00e-e960-11e2-b437-005056886a0a,cn=hbac,dc=idm,dc=lvtc,dc=gsnet,dc=corp, returned 0 results. Skipping
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): domain: idm.lvtc.gsnet.corp
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): user: testuser
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): service: sudo
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): ruser: testuser
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): rhost: vmlbcipacl60.lvtc.gsnet.corp
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): authtok type: 1
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): authtok size: 12
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): newauthtok size: 0
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): priv: 0
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): cli_pid: 15562
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [check_for_valid_tgt] (0x0080): TGT is valid.
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [be_resolve_server_process] (0x0200): Found address for server vmlbcipal02.idm.lvtc.gsnet.corp: [180.133.135.32] TTL 1200
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [krb5_find_ccache_step] (0x0080): Saved ccache FILE:/tmp/krb5cc_56800003_mbQQFU if of different type than ccache in configuration file, reusing the old ccache
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [write_pipe_handler] (0x0400): All data has been sent!
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'vmlbcipal02.idm.lvtc.gsnet.corp' as 'working'
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [set_server_common_status] (0x0100): Marking server 'vmlbcipal02.idm.lvtc.gsnet.corp' as 'working'
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [safe_remove_old_ccache_file] (0x0400): New and old ccache file are the same, no one will be deleted.
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [be_pam_handler_callback] (0x0100): Sending result [0][idm.lvtc.gsnet.corp]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [be_pam_handler_callback] (0x0100): Sent result [0][idm.lvtc.gsnet.corp]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [child_sig_handler] (0x0100): child [15565] finished successfully.
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): domain: idm.lvtc.gsnet.corp
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): user: testuser
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): service: sudo
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): ruser: testuser
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): rhost: vmlbcipacl60.lvtc.gsnet.corp
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): authtok type: 0
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): authtok size: 0
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): newauthtok size: 0
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): priv: 0
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): cli_pid: 15562
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_access_send] (0x0400): Performing access check for user [testuser]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [testuser]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=vmlbcipacl60.lvtc.gsnet.corp))][cn=accounts,dc=idm,dc=lvtc,dc=gsnet,dc=corp].
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=vmlbcipacl60.lvtc.gsnet.corp,cn=computers,cn=accounts,dc=idm,dc=lvtc,dc=gsnet,dc=corp] using OpenLDAP deref
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=vmlbcipacl60.lvtc.gsnet.corp,cn=computers,cn=accounts,dc=idm,dc=lvtc,dc=gsnet,dc=corp].
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [ipa_hbac_service_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=idm,dc=lvtc,dc=gsnet,dc=corp][2][(objectClass=ipaHBACService)]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=idm,dc=lvtc,dc=gsnet,dc=corp].
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=idm,dc=lvtc,dc=gsnet,dc=corp][2][(objectClass=ipaHBACServiceGroup)]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=idm,dc=lvtc,dc=gsnet,dc=corp].
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=idm,dc=lvtc,dc=gsnet,dc=corp][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=vmlbcipacl60.lvtc.gsnet.corp,cn=computers,cn=accounts,dc=idm,dc=lvtc,dc=gsnet,dc=corp)))]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=vmlbcipacl60.lvtc.gsnet.corp,cn=computers,cn=accounts,dc=idm,dc=lvtc,dc=gsnet,dc=corp)))][cn=hbac,dc=idm,dc=lvtc,dc=gsnet,dc=corp].
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [hbac_get_category] (0x0200): Category is set to 'all'.
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [hbac_get_category] (0x0200): Category is set to 'all'.
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [prueba]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [hbac_get_category] (0x0200): Category is set to 'all'.
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [hbac_get_category] (0x0200): Category is set to 'all'.
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [hbac_get_category] (0x0200): Category is set to 'all'.
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [allow_all]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [prueba]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=idm,dc=lvtc,dc=gsnet,dc=corp].
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [ipa_selinux_get_maps_next] (0x0400): Trying to fetch SELinux maps with following parameters: [2][(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=idm,dc=lvtc,dc=gsnet,dc=corp]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=idm,dc=lvtc,dc=gsnet,dc=corp].
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [be_pam_handler_callback] (0x0100): Sending result [0][idm.lvtc.gsnet.corp]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [be_pam_handler_callback] (0x0100): Sent result [0][idm.lvtc.gsnet.corp]

Comment 2 Jakub Hrozek 2013-07-23 19:02:22 UTC
I'm not entirely sure about the supportability of running the 6.4 SSSD stack on 6.3 RHEL (or with 6.3 sudo), but from a purely technical standpoint I agree we should do our best to warn the user.

Because sudo is the initiator of the communication and libsss_sudo is simply dlopen()-ed, not linked against, the SSSD has no other way of enforcing the version than explicit Requires.

Comment 5 Jakub Hrozek 2013-07-24 07:11:33 UTC
Created attachment 777605 [details]
specfile patch

Attached is a candidate patch. I think Requires makes more sense here than Conflicts because when the user installs libsss_sudo, he really needs sudo support, so it makes no sense to avoid configuration with libsss_sudo but without sudo.

The version that the patch Requires was shipped in 6.4 and fixed a number of sssd-related bugs.
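As an added illustration (not part of this bug, the attached patch or the sssd spec file), the following Python re-implements RPM's version comparison in simplified form (no `~`/`^` handling) and uses it to check whether the sudo builds named in this bug satisfy the new `Requires: sudo >= 1.8.6p3-6`:

```python
import re

# Added example, not from the bug or from rpm itself: a simplified copy of
# rpmvercmp() and EVR comparison, enough to evaluate "sudo >= 1.8.6p3-6".
# Simplification: the '~' and '^' ordering rules of newer rpm are not handled.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version string a is older, equal or newer than b."""
    if a == b:
        return 0
    seg_a = _SEGMENT.findall(a)
    seg_b = _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            # a numeric segment always sorts after an alphabetic one
            return 1 if x_num else -1
        if x_num:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x != y:
            return 1 if x > y else -1
    # common prefix is equal: the string with segments left over is newer
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1

def split_evr(evr: str):
    """Split '[epoch:]version[-release]' into (epoch, version, release)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release

def evrcmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    rc = rpmvercmp(va, vb)
    if rc != 0 or not ra or not rb:
        # like rpm, ignore the release when either side does not carry one
        return rc
    return rpmvercmp(ra, rb)

def satisfies(installed_evr: str, required_evr: str) -> bool:
    """True when the installed package meets a '>= required_evr' dependency."""
    return evrcmp(installed_evr, required_evr) >= 0
```

With the versions from this bug, `satisfies("1.7.2p2-9.el6", "1.8.6p3-6")` is False (the broken combination), while `1.8.6p3-7.el6` and the `1.8.6p3-12.el6` that yum pulled in during verification both pass.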

Comment 7 Kaushik Banerjee 2013-10-21 06:17:47 UTC
Verified in version 1.9.2-128.el6

Snippet of result from "yum install libsss_sudo"

<snip>

---> Package libsss_sudo.x86_64 0:1.9.2-128.el6 will be installed
--> Processing Dependency: sudo >= 1.8.6p3-6 for package: libsss_sudo-1.9.2-128.el6.x86_64
--> Running transaction check
---> Package sudo.x86_64 0:1.8.6p3-12.el6 will be installed
--> Finished Dependency Resolution

</snip>

Comment 8 errata-xmlrpc 2013-11-21 22:21:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1680.html