Bug 1226843 - sudo should not test for user match with SSSD

Summary: sudo should not test for user match with SSSD
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sudo
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Pavel Březina
QA Contact: Stefan Kremen
URL:
Whiteboard:
Depends On:
Blocks: 1203710 1296594 1313485

Reported: 2015-06-01 09:31 UTC by Pavel Březina
Modified: 2019-12-16 04:49 UTC (History)
CC: 16 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-07 10:47:09 UTC
Target Upstream Version:
Embargoed:


Description Pavel Březina 2015-06-01 09:31:04 UTC
Description of problem:
When SSSD is configured to use fully qualified domain names with an IPA server, a user is unable to use sudo because the rules won't match.

How reproducible:
Always.

Steps to Reproduce:
1. Configure SSSD with an IPA domain (for example with realmd)
2. Set use_fully_qualified_names to true in /etc/sssd/sssd.conf
3. Create a sudo rule for a user, e.g. 'admin'
4. Configure sudo to use SSSD
5. Log in as admin@domain
6. Run sudo

Actual results:
The rule will not match, because the sudoUser attribute contains 'admin' but sudo expects 'admin@domain'.

Expected results:
The rule is supposed to match.

Additional info:
When sudo is configured with the SSSD backend, it should only test sudoUser values that contain netgroups. Everything else is checked inside SSSD.

Comment 2 Martin Kosek 2015-06-01 15:27:06 UTC
I am marking it with High severity, given it is blocking FreeIPA+realmd+sudo integration (realmd by default sets use_fully_qualified_names to True).

Comment 4 Daniel Kopeček 2015-07-06 11:07:06 UTC
(In reply to Pavel Březina from comment #0)
> Additional info:
> When sudo is configured with SSSD backend, it should only tests sudoUser
> values that contains netgroups. Everything else is checked inside SSSD.

Is this documented somewhere? What about the case with mixed sudoUser values? It looks like that such a case is possible when reading the sudoUser value handling in sudo's plugins/sudoers/sssd.c. Or is it guaranteed that there will be only one or more netgroup values if a netgroup check is required?

Comment 5 Pavel Březina 2015-07-13 10:02:10 UTC
Hi, sudoUser may contain mixed values, you are correct here. That is problematic... we will have to figure something out. The last resort may be extending the protocol, but I'd like to avoid that. Do you have any ideas?

Comment 6 Daniel Kopeček 2015-07-13 10:23:40 UTC
(In reply to Pavel Březina from comment #5)
> Hi, sudoUser may contain mixed values, you are correct here. That is
> problematic... we will have to figure something out. The last resort may be
> extending the protocol, but I'd like to avoid that. Do you have any ideas?

Well, if we don't want to implement yet another hack on the sudo side, then extending the protocol seems to be the only option. Because of these exceptions in what is handled in sssd and what in sudo, the code is full of hacks.

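To make concrete both the failing case in the description (a rule whose sudoUser is 'admin' versus a user logged in as 'admin@domain') and the mixed-value problem raised in comments 4 to 6, here is an added toy model of the two-stage matching. It is not sudo's or SSSD's own code: the rules, the group and netgroup tables, the domain name and the SSSD-side selection logic are all constructed assumptions for the example. It runs the same set of rules through three sudo-side policies: sudo's literal comparison, the "only test netgroup values" proposal from the description, and the naive alternative of trusting everything SSSD returns.

```python
DOMAIN = "ipa.example.com"  # constructed domain name for the example

# Constructed sudo rules, in the shape SSSD hands them to sudo.  sudoUser may
# mix kinds: "admin" plain user, "%wheel" group, "+ops_ng" netgroup, "ALL".
RULES = [
    {"cn": "admin_systemctl", "sudoUser": ["admin"]},
    {"cn": "ops_mixed", "sudoUser": ["admin", "+ops_ng"]},
    {"cn": "ng_only", "sudoUser": ["+ops_ng"]},
    {"cn": "wheel_only", "sudoUser": ["%wheel"]},
]

# Constructed membership tables, keyed by short (unqualified) names as they
# are stored in the directory.
GROUPS = {"wheel": {"alice"}}
NETGROUPS = {"ops_ng": {"bob"}}


def short_name(user):
    """'admin@ipa.example.com' -> 'admin'; an unqualified name passes through."""
    return user.split("@", 1)[0]


def in_group(user, group):
    return short_name(user) in GROUPS.get(group, set())


def in_netgroup(user, netgroup):
    return short_name(user) in NETGROUPS.get(netgroup, set())


def sssd_select_rules(user, rules=RULES):
    """Assumed model of the SSSD side: hand sudo every rule whose sudoUser
    names the user, one of the user's groups or ALL, plus every rule that
    carries a netgroup entry, because netgroup evaluation is left to sudo.
    sudo cannot later tell which of these reasons selected a given rule."""
    name = short_name(user)
    selected = []
    for rule in rules:
        for value in rule["sudoUser"]:
            if (value == "ALL" or value == name or value.startswith("+")
                    or (value.startswith("%") and in_group(user, value[1:]))):
                selected.append(rule)
                break
    return selected


def sudo_rule_matches(rule, user, policy):
    """Model of the sudo side under three policies:
      'strict'        - check every sudoUser value against the name sudo was
                        given; the plain-user comparison is literal, which is
                        what fails for 'admin@<domain>' vs 'admin' (this bug);
      'netgroup_only' - trust SSSD for users/groups, evaluate only '+netgroup'
                        values (the proposal in the description);
      'trust_sssd'    - accept everything SSSD returned without any check."""
    if policy == "trust_sssd":
        return True
    values = rule["sudoUser"]
    if policy == "netgroup_only":
        netgroups = [v[1:] for v in values if v.startswith("+")]
        if not netgroups:
            return True                        # SSSD already matched the user
        return any(in_netgroup(user, ng) for ng in netgroups)
    if policy == "strict":
        for value in values:
            if value == "ALL":
                return True
            if value.startswith("%"):
                if in_group(user, value[1:]):  # NSS resolves qualified names
                    return True
            elif value.startswith("+"):
                if in_netgroup(user, value[1:]):
                    return True
            elif value == user:                # literal: 'admin' != 'admin@domain'
                return True
        return False
    raise ValueError("unknown policy: %s" % policy)


def allowed_rules(user, policy):
    """cn of every rule that survives both the SSSD filter and sudo's check."""
    return [r["cn"] for r in sssd_select_rules(user)
            if sudo_rule_matches(r, user, policy)]


if __name__ == "__main__":
    fq_admin = "admin@" + DOMAIN
    for policy in ("strict", "netgroup_only", "trust_sssd"):
        print(policy, fq_admin, allowed_rules(fq_admin, policy))
```

With unqualified names the literal policy works (admin gets admin_systemctl and ops_mixed). With use_fully_qualified_names it grants nothing, which is the reported bug. The netgroup-only proposal repairs admin_systemctl but silently drops ops_mixed, because sudo cannot know whether SSSD selected that rule for 'admin' or for '+ops_ng'; that is the mixed-value problem and the reason Pavel mentioned extending the protocol. Trusting SSSD outright is worse than either: ng_only is granted to a user who is in no netgroup at all, so the safe place to resolve the name form is before the rules leave SSSD.
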
Comment 8 Daniel Kopeček 2015-07-21 06:56:29 UTC
Hi Pavel, since there's still no resolution to the technical problem around mixed sudoUser entries, can we move this to 7.3?

Comment 9 Pavel Březina 2015-07-27 07:51:21 UTC
Yes, I agree.

Comment 10 Daniel Kopeček 2016-01-14 12:50:33 UTC
(In reply to Pavel Březina from comment #9)
> Yes, I agree.

Any news regarding this issue? i.e. are there any changes on the sssd side that could help to resolve this BZ? If not, we have to move this again to a later release.

Comment 11 Pavel Březina 2016-01-14 13:27:16 UTC
We are just going to triage the ticket on the SSSD side today, we want to meet 7.3.

Comment 13 Daniel Kopeček 2016-05-03 12:17:00 UTC
(In reply to Pavel Březina from comment #5)
> Hi, sudoUser may contain mixed values, you are correct here. That is
> problematic... we will have to figure something out. The last resort may be
> extending the protocol, but I'd like to avoid that. Do you have any ideas?

I still don't know what to do here. I'm thinking about moving this to 7.4.

Comment 18 Josh Baird 2016-06-01 21:22:35 UTC
Is this going to be pushed to 7.4? I would really appreciate some resolution to this problem by 7.3 if possible because we are hitting this bug at a fairly large implementation.

Comment 19 Pavel Březina 2016-06-02 09:00:54 UTC
Hi Josh, I have a sssd patch waiting for review on sssd-devel list. I can prepare a test build for you if you would be willing to test it.

Comment 21 Josh Baird 2016-06-06 13:35:05 UTC
Hi Pavel - I would be happy to test the patch/build for you.

Comment 26 Lukas Slebodnik 2016-07-07 12:16:33 UTC
This was fixed in sssd itself, see BZ #1300663.
