Bug 1188338 - ldap_sudo_hostnames not working
Summary: ldap_sudo_hostnames not working
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.6
Hardware: x86_64
OS: Linux
unspecified
low
Target Milestone: rc
: ---
Assignee: Pavel Březina
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-02-02 16:00 UTC by Marco Passerini
Modified: 2015-02-09 10:43 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-09 10:43:07 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Marco Passerini 2015-02-02 16:00:25 UTC
Description of problem:

I'm configuring a server with SSSD/LDAP for SUDO authentication. The server hostname is "server1.mydomain.com", and it can't be changed. In LDAP, the host is listed as: "sudoHost: my-server1.mydomain.com" and it can't be changed either. So what I read the manual and I configured the following in sssd.conf:
ldap_sudo_hostnames = my-server1.mydomain.com
I have "sudoers:    files sss" in /etc/nsswitch.conf, and /etc/sssd/sssd.conf is properly configured.
After restarting sssd and logging into the server, I was not able to run sudo with my user account.
I solved the problem by adding the following line to sssd.conf
ipa_hostname = my-server1.mydomain.com
I think this should not be necessary as the field ldap_sudo_hostnames should take care of this. Am I correct, is this a bug?


Version-Release number of selected component (if applicable):
sssd-1.11.6-30.el6_6.3.x86_64
sssd-common-pac-1.11.6-30.el6_6.3.x86_64
sssd-ldap-1.11.6-30.el6_6.3.x86_64
sssd-client-1.11.6-30.el6_6.3.x86_64
sssd-krb5-1.11.6-30.el6_6.3.x86_64
sssd-krb5-common-1.11.6-30.el6_6.3.x86_64
sssd-common-1.11.6-30.el6_6.3.x86_64
sssd-ipa-1.11.6-30.el6_6.3.x86_64
python-sssdconfig-1.11.6-30.el6_6.3.noarch
sssd-ad-1.11.6-30.el6_6.3.x86_64
sssd-proxy-1.11.6-30.el6_6.3.x86_64

Comment 2 Jakub Hrozek 2015-02-03 08:22:57 UTC
Can you provide your whole sssd.conf ?

Comment 3 Marco Passerini 2015-02-03 09:24:57 UTC
This is it.. I replaced the field names, but here's the server name mapping:

generic_server1.mydomain.com is a hostname which provides a lot of users, all of which are supposed to be able to authenticate in this machine

server1 is the real hostname of this server

my-server1 is how the hostname is listed in the SUDOHost field in LDAP

I know it's a bit messy but this is the case, and with the current configuration it works. If I don't enter ipa_hostname it does not let me do sudo.





[domain/LDAP]

ldap_id_use_start_tls = True
cache_credentials = true
ldap_search_base = dc=mydomain,dc=com
ldap_user_search_base = ou=People,dc=mydomain,dc=com?subtree?(host=generic_server1.mydomain.com)
ldap_group_search_base = ou=Groups,dc=mydomain,dc=com
ldap_default_bind_dn = uid=mybind,ou=Special Users,dc=mydomain,dc=com
ldap_default_authtok = ********
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap1.mydomain.com/, ldaps://ldap2.mydomain.com/
ldap_backup_uri = ldaps://ldap3.mydomain.com
ldap_tls_cacertdir = /etc/openldap/certs
debug_level = 2
enumerate = true
sudo_provider = ldap
ldap_sudo_search_base = OU=Staff,OU=SUDOers,ou=idm,dc=mydomain,dc=com
ldap_sudo_hostnames = my-server1.mydomain.com
ipa_hostname = my-server1.mydomain.com
access_provider = permit

[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = LDAP

[nss]
filter_users = root,named,avahi,haldaemon,dbus,radiusd,news,nscd

[pam]

[sudo]

[autofs]

[ssh]

[pac]

Comment 4 Jakub Hrozek 2015-02-09 09:20:14 UTC
Our team's sudo expert will take a look.

I don't think ipa_hostname is supposed to help, though, your config is a pure LDAP one.

Comment 5 Pavel Březina 2015-02-09 10:16:22 UTC
Hi,
the thing is that sudo does not allow to specify hostname that is supposed to match sudoHost attribute. It parses sssd.conf to find ipa_hostname and use its value or use hostname of the machine.

The option ldap_sudo_hostname may be used to change what rules are cached but its useless without changing the system hostname at this moment, so it is more for testing purpose. There is currently no sudo RFE to support changing the hostname AFAIK.

Comment 6 Jakub Hrozek 2015-02-09 10:43:07 UTC
Thank you, not our bug, then.


Note You need to log in before you can comment on or make changes to this bug.