RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1188338 - ldap_sudo_hostnames not working
Summary: ldap_sudo_hostnames not working
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.6
Hardware: x86_64
OS: Linux
unspecified
low
Target Milestone: rc
: ---
Assignee: Pavel Březina
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-02-02 16:00 UTC by Marco Passerini
Modified: 2015-02-09 10:43 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-09 10:43:07 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Marco Passerini 2015-02-02 16:00:25 UTC 
Description of problem:

I'm configuring a server with SSSD/LDAP for SUDO authentication. The server hostname is "server1.mydomain.com", and it can't be changed. In LDAP, the host is listed as: "sudoHost: my-server1.mydomain.com" and it can't be changed either. So what I read the manual and I configured the following in sssd.conf:
ldap_sudo_hostnames = my-server1.mydomain.com
I have "sudoers:    files sss" in /etc/nsswitch.conf, and /etc/sssd/sssd.conf is properly configured.
After restarting sssd and logging into the server, I was not able to run sudo with my user account.
I solved the problem by adding the following line to sssd.conf
ipa_hostname = my-server1.mydomain.com
I think this should not be necessary as the field ldap_sudo_hostnames should take care of this. Am I correct, is this a bug?


Version-Release number of selected component (if applicable):
sssd-1.11.6-30.el6_6.3.x86_64
sssd-common-pac-1.11.6-30.el6_6.3.x86_64
sssd-ldap-1.11.6-30.el6_6.3.x86_64
sssd-client-1.11.6-30.el6_6.3.x86_64
sssd-krb5-1.11.6-30.el6_6.3.x86_64
sssd-krb5-common-1.11.6-30.el6_6.3.x86_64
sssd-common-1.11.6-30.el6_6.3.x86_64
sssd-ipa-1.11.6-30.el6_6.3.x86_64
python-sssdconfig-1.11.6-30.el6_6.3.noarch
sssd-ad-1.11.6-30.el6_6.3.x86_64
sssd-proxy-1.11.6-30.el6_6.3.x86_64
Comment 2 Jakub Hrozek 2015-02-03 08:22:57 UTC 
Can you provide your whole sssd.conf ?
Comment 3 Marco Passerini 2015-02-03 09:24:57 UTC 
This is it.. I replaced the field names, but here's the server name mapping:

generic_server1.mydomain.com is a hostname which provides a lot of users, all of which are supposed to be able to authenticate in this machine

server1 is the real hostname of this server

my-server1 is how the hostname is listed in the SUDOHost field in LDAP

I know it's a bit messy but this is the case, and with the current configuration it works. If I don't enter ipa_hostname it does not let me do sudo.





[domain/LDAP]

ldap_id_use_start_tls = True
cache_credentials = true
ldap_search_base = dc=mydomain,dc=com
ldap_user_search_base = ou=People,dc=mydomain,dc=com?subtree?(host=generic_server1.mydomain.com)
ldap_group_search_base = ou=Groups,dc=mydomain,dc=com
ldap_default_bind_dn = uid=mybind,ou=Special Users,dc=mydomain,dc=com
ldap_default_authtok = ********
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap1.mydomain.com/, ldaps://ldap2.mydomain.com/
ldap_backup_uri = ldaps://ldap3.mydomain.com
ldap_tls_cacertdir = /etc/openldap/certs
debug_level = 2
enumerate = true
sudo_provider = ldap
ldap_sudo_search_base = OU=Staff,OU=SUDOers,ou=idm,dc=mydomain,dc=com
ldap_sudo_hostnames = my-server1.mydomain.com
ipa_hostname = my-server1.mydomain.com
access_provider = permit

[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = LDAP

[nss]
filter_users = root,named,avahi,haldaemon,dbus,radiusd,news,nscd

[pam]

[sudo]

[autofs]

[ssh]

[pac]
Comment 4 Jakub Hrozek 2015-02-09 09:20:14 UTC 
Our team's sudo expert will take a look.

I don't think ipa_hostname is supposed to help, though, your config is a pure LDAP one.
Comment 5 Pavel Březina 2015-02-09 10:16:22 UTC 
Hi,
the thing is that sudo does not allow to specify hostname that is supposed to match sudoHost attribute. It parses sssd.conf to find ipa_hostname and use its value or use hostname of the machine.

The option ldap_sudo_hostname may be used to change what rules are cached but its useless without changing the system hostname at this moment, so it is more for testing purpose. There is currently no sudo RFE to support changing the hostname AFAIK.
Comment 6 Jakub Hrozek 2015-02-09 10:43:07 UTC 
Thank you, not our bug, then.
Note You need to log in before you can comment on or make changes to this bug.