Bug 1138576 - sudo with sssd doesn't work correctly with sudoOrder option
Summary: sudo with sssd doesn't work correctly with sudoOrder option
Status: CLOSED DUPLICATE of bug 1232950
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sudo
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Daniel Kopeček
QA Contact: Dalibor Pospíšil
Depends On:
Blocks: 1138581
TreeView+ depends on / blocked
Reported: 2014-09-05 08:42 UTC by David Spurek
Modified: 2015-06-18 08:12 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1138581 (view as bug list)
Last Closed: 2015-06-18 08:12:43 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description David Spurek 2014-09-05 08:42:16 UTC
Description of problem:
sudo with sssd doesn't  work correctly with sudoOrder option. rule with the highest value in sudoOrder parameter should be used.

dn: cn=rule_allow,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: rule_allow
sudoHost: ALL
sudoUser: userallowed
sudoCommand: /usr/bin/true
sudoOrder: 2

dn: cn=rule_deny,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: rule_deny
sudoHost: ALL
sudoUser: userallowed
sudoCommand: !/usr/bin/true
sudoCommand: ALL
sudoOrder: 1

[test]su - userallowed -c 'sudo true'su: warning: cannot change directory to /home/userallowed: No such file or directory
Sorry, user userallowed is not allowed to execute '/bin/true' as root on rhel7.example.com. 

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:

Expected results:

Additional info:

Comment 4 Hiran Arias 2015-06-11 15:43:46 UTC
I'm having the same problem, has anyone seen this before, sudoOrder is inverted for sssd which conflict with other non-RHEL server configured with sudo-ldap.

Comment 5 Hiran Arias 2015-06-11 18:53:50 UTC
As a workaround we solve to change sudoers in nsswitch.conf file from sss to ldap and to configure the /etc/sudo-ldap.conf file and sudoOrder works as expected.

The downside is that there is no offline cache, it requires maintenance of the sudo-ldap.conf file in case of changes and it expose the use of secret user/password for the sudo schema in the ldap server for anyone who has root access.

Comment 6 Jakub Hrozek 2015-06-18 08:12:43 UTC
Pavel says the bug is in sssd.

*** This bug has been marked as a duplicate of bug 1232950 ***

Note You need to log in before you can comment on or make changes to this bug.