Bug 1256849 - SUDO: Support the IPA schema
SUDO: Support the IPA schema
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: sssd (Show other bugs)
22
All Linux
urgent Severity urgent
: ---
: ---
Assigned To: Jakub Hrozek
Fedora Extras Quality Assurance
:
Depends On:
Blocks: 1258421
  Show dependency treegraph
 
Reported: 2015-08-25 11:14 EDT by Dennis Gilmore
Modified: 2017-01-05 09:33 EST (History)
9 users (show)

See Also:
Fixed In Version: sssd-1.13.3-3.fc23 sssd-1.13.3-3.fc22
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1258421 (view as bug list)
Environment:
Last Closed: 2016-01-24 21:21:02 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Dennis Gilmore 2015-08-25 11:14:59 EDT
Description of problem:
sssd tries to use compat mode for sudo rules by default, freeipa by default has compat mode turned off. 

in order to have working sudo working with sssd you need to manually enable compat mode on the server which has a performance cost, additionally it is not at all clear why sudo is failing, it took a significant amount of effort to debug what was going on.

In order for sssd to just work it needs to be able to natively pull the sudo rules from the ipa server.
Comment 1 Jakub Hrozek 2015-08-31 04:29:31 EDT
Sorry for the late reply. I was on vacation last week.

(In reply to Dennis Gilmore from comment #0)
> Description of problem:
> sssd tries to use compat mode for sudo rules by default,

This is expected, we don't support the native sudo rules yet (although we do have a first, unreviewed patch).

>  freeipa by default
> has compat mode turned off. 

However, this is not expected at all. How did you test the compat tree is disabled? Did enabling it help?

Alexander, are you aware of any issue in this area?

> 
> in order to have working sudo working with sssd you need to manually enable
> compat mode on the server which has a performance cost, additionally it is
> not at all clear why sudo is failing, it took a significant amount of effort
> to debug what was going on.
> 
> In order for sssd to just work it needs to be able to natively pull the sudo
> rules from the ipa server.
Comment 2 Alexander Bokovoy 2015-08-31 04:42:23 EDT
Yes, compat tree is not enabled by default.

Somehow, the fact that one needs to enable compat tree with 'ipa-compat-manage enable' is missing in https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/sudo.html

So at the very least there is a documentation bug.
Comment 3 Lukas Slebodnik 2015-08-31 06:40:49 EDT
(In reply to Alexander Bokovoy from comment #2)
> Yes, compat tree is not enabled by default.
> 
> Somehow, the fact that one needs to enable compat tree with
> 'ipa-compat-manage enable' is missing in
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/
> html/Linux_Domain_Identity_Authentication_and_Policy_Guide/sudo.html
> 
> So at the very least there is a documentation bug.

The simplest and the fast solution would be to write warning in ipa-client install if sudo-support is enabled and compat tree is disabled.

Or simplified version write a message about enabling compat tree
if sudo-support is enabled.

The long term solution will be increase priority of ticket with ipa native sudo rules in sssd.
Comment 4 Alexander Bokovoy 2015-08-31 07:01:49 EDT
Agreed. So, for FreeIPA part we need to modify ipa-client-install script and also fix documentation.

SSSD side needs to raise priority of implementing native IPA schema support for sudo.

I'll clone the ticket to IPA side too.
Comment 5 Jakub Hrozek 2015-08-31 07:16:20 EDT
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1108
Comment 6 Lukas Slebodnik 2015-08-31 07:26:06 EDT
Moving to fedora rawhide. Because it's not clear when the upstream ticket will be finished.
Comment 7 Jakub Hrozek 2015-08-31 07:42:50 EDT
Correct, I don't think it will be sooner than F-24, maybe we'll also backport to F-23..
Comment 8 Lukas Slebodnik 2016-01-15 13:22:25 EST
Patches are almost ready.
Comment 9 Jakub Hrozek 2016-01-19 11:44:16 EST
    master:
        a7d2b4f157194c14bc4a40c74f6416b82befa460
        1476d5348fcf387e7481d833becbd993d91f8019
        f58ffb26aeaae0642a149643672fa59ec01a3a36
        8da71a9d5eebe7690b66fde8bfad195d5e3cc629
        8bd44a13de231d025882810c720dd07ca4ee564d
        43bbf5b158ec3152806791ca49ae224ee978de24
        3ff3bb43ae6509905bbf7fa6540c44cdbbd0f738
        cc7f9b639144183eb4f8bd86e5bed077da7d4e35
        ad5a48c4947183fda49308259e3411d17a8b0a13
        d06cc0974e59cd6cf1da45cc8c60d6e822b731c2
        9630a4614ba4d5f68e967d4e108893550a996f30
        a641a13889d617aca6bd998025e9087e822ff7f0
        4ddd5591c50e27dffa55f03fbce0dcc85cd50a8b
        cc7766c8456653ab5d7dedbf432cb1711a905804
        ed8650be18af26b7bf389e1246f7e8cdb363f829
        a2057618f30a3c64bdffb35a2ef3c2ba148c8a03
        0f04241fc90f134af0272eb0999e75fb6749b595
        a6dd4a6c55773e81490dcafd61d4b9782705e9bf
        b407fe0474a674bb42f0f42ab47c7f530a07a367
        cad751beaa12e34e15565bc413442b1e80ac0c29
        e085a79acfcd5331b6f99748e21765579a9a99f2
        85feb8d77a2c832787880944e02104846c4d5376
        68abbe716bed7c8d6790d9bec168ef44469306a1
        e9ae5cd285dcc8fa232e16f9c7a29f18537272f2
        1d3f5fc2802c218916e6d6bc98eeaed79c66bafe
        92ec40e6aa25f75903ffdb166a8ec56b67bfd77d
        d0599eaa9369fd867953e3c58b8d7bb445525ff5 
    sssd-1-13:
        4af65fad63a70de5515080b77bd965646e1e3fc9
        7315eed1adc4e83675b3f72a5c3fa014374bbc6d
        f58ab319363e128f817d90eb7c160e7dc9abee6c
        3d0883f56ed78b9299a3c1e21a7b16e7279ae20c
        f485bbc2c1e28f51b35f546e160a6174e6644d3a
        fe7349304170b827ddef2bdb8f858c828ddb48c7
        cab3b09bf6d9108d8498ca94c19844fa001fb827
        eac510ccc86d1d45b2cc1f0b3f9554b0a9717b78
        1dbb036f0dbe65ceba2f9eae0a1e56848149263e
        6fc3ee299f2d7103aa7357f4a91973883c487888
        2d4bc2fabba94291745112f3c9d4143d893362fb
        43f4ecef75752cc531697a4e215903657c64ca97
        599e8862a0bdd53db5dea0940ca8ae374d167846
        e1b288a9b0c40b299455ca81d0eabe1d73b31ae3
        33d4b29fd45c8f2e138121c472c541a089816d7c
        6494d7a987d895744b3ef8839866e1891df17659
        01db59be8c1175503bec23b480799f9375903884
        b6c32aeed9e02017142a88499955e6a72b103acf
        530e6e0fb086235658bd6387d83e5eddd393ef77
        04e2ea460daa6edc0b6f6ff67d14a1fd3d03e235
        4f833dc1f280f861343b022b703470a5bdddaba6
        216b846cb1acae47b80fd61fc9474b08eabe13b3
        bdfe78351ae09790205deac09027a511d4ee03cb
        c548a507e68cfe1c2ebb98e98d59101d4c4513de
        339dcc48e57d4c38fb4bc5be73cf15cf9dd46908
        f5520fc2c5e8c6a2bc5d0e73900d734e6d862545
        3063486d01c0be2ef64b884a20bfbc7f8cfd7105
        1227cd003e434ba974b6b08280f635047263a450
        69be1acf52839a8b32763397f9531f8fc4f60569
Comment 10 Fedora Update System 2016-01-19 13:58:42 EST
sssd-1.13.3-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-61146827f2
Comment 11 Fedora Update System 2016-01-19 13:59:25 EST
sssd-1.13.3-2.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-dca09ef2d7
Comment 12 Fedora Update System 2016-01-20 13:22:21 EST
sssd-1.13.3-3.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-61146827f2
Comment 13 Fedora Update System 2016-01-20 14:51:12 EST
sssd-1.13.3-3.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-dca09ef2d7
Comment 14 Fedora Update System 2016-01-21 23:59:28 EST
sssd-1.13.3-3.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-61146827f2
Comment 15 Fedora Update System 2016-01-23 16:31:00 EST
sssd-1.13.3-3.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-dca09ef2d7
Comment 16 Fedora Update System 2016-01-24 21:20:51 EST
sssd-1.13.3-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2016-02-01 19:54:15 EST
sssd-1.13.3-3.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 18 bugsredhat 2017-01-04 13:47:58 EST
This fix doesn't seem to work in latest CentOS 7.3.1611 with all updates applied.


Problem:
hostgroups aren't recognized anymore!

Single hosts in the IPA Sudo-Rule are recognized but hostgroups aren't.

Running latest IPA server and SSSD.
IPA: 4.4.0-14.el7.centos.1.1
SSSD: 1.14.0-43.el7_3.4

Everything worked before with CentOS 7.2 and older IPA.
And yes, I'm running IPA in compat-mode.

Here are some Logs

Sudo Log:
Jan  3 11:51:26 sudo[13561] val[0]=+vboxhosts
Jan  3 11:51:26 sudo[13561] -> addr_matches @ ./match_addr.c:190
Jan  3 11:51:26 sudo[13561] -> addr_matches_if @ ./match_addr.c:62
Jan  3 11:51:26 sudo[13561] <- addr_matches_if @ ./match_addr.c:100 := false
Jan  3 11:51:26 sudo[13561] <- addr_matches @ ./match_addr.c:200 := false
Jan  3 11:51:26 sudo[13561] -> sudo_sss_ipa_hostname_matches @ ./sssd.c:561
Jan  3 11:51:26 sudo[13561] -> hostname_matches @ ./match.c:749
Jan  3 11:51:26 sudo[13561] <- hostname_matches @ ./match.c:760 := false
Jan  3 11:51:26 sudo[13561] -> netgr_matches @ ./match.c:865
Jan  3 11:51:26 sudo[13561] (wolkenstein.ind.rwth-aachen.de, *, ind.rwth-aachen.de) NOT found in netgroup vboxhosts
Jan  3 11:51:26 sudo[13561] (wolkenstein.ind.rwth-aachen.de, *, ind.rwth-aachen.de) NOT found in netgroup vboxhosts
Jan  3 11:51:26 sudo[13561] <- netgr_matches @ ./match.c:918 := false
Jan  3 11:51:26 sudo[13561] IPA hostname (wolkenstein.ind.rwth-aachen.de) matches +vboxhosts => false
Jan  3 11:51:26 sudo[13561] <- sudo_sss_ipa_hostname_matches @ ./sssd.c:572 := false
Jan  3 11:51:26 sudo[13561] -> netgr_matches @ ./match.c:865
Jan  3 11:51:26 sudo[13561] (wolkenstein, *, ind.rwth-aachen.de) NOT found in netgroup vboxhosts
Jan  3 11:51:26 sudo[13561] (wolkenstein.ind.rwth-aachen.de, *, ind.rwth-aachen.de) NOT found in netgroup vboxhosts
Jan  3 11:51:26 sudo[13561] <- netgr_matches @ ./match.c:918 := false
Jan  3 11:51:26 sudo[13561] -> hostname_matches @ ./match.c:749
Jan  3 11:51:26 sudo[13561] <- hostname_matches @ ./match.c:760 := false
Jan  3 11:51:26 sudo[13561] sssd/ldap sudoHost '+vboxhosts' ... not
....


SSSD-Logs:
...
sssd_ind.rwth-aachen.de.log:(Tue Jan  3 11:19:03 2017) [sssd[be[ind.rwth-aachen.de]]] [ipa_hostgroup_info_done] (0x0200): Dereferenced host group: vboxhosts
sssd_ind.rwth-aachen.de.log:(Tue Jan  3 11:29:36 2017) [sssd[be[ind.rwth-aachen.de]]] [ipa_hostgroup_info_done] (0x0200): Dereferenced host group: vboxhosts
sssd_ind.rwth-aachen.de.log:(Tue Jan  3 11:30:38 2017) [sssd[be[ind.rwth-aachen.de]]] [dp_get_account_info_handler] (0x0200): Got request for [0x4][BE_REQ_NETGROUP][1][name=vboxhosts]
sssd_ind.rwth-aachen.de.log:(Tue Jan  3 11:32:59 2017) [sssd[be[ind.rwth-aachen.de]]] [ipa_hostgroup_info_done] (0x0200): Dereferenced host group: vboxhosts 
...

sssd_nss.log:(Tue Jan  3 11:30:38 2017) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'vboxhosts' matched without domain, user is vboxhosts
sssd_nss.log:(Tue Jan  3 11:30:38 2017) [sssd[nss]] [lookup_netgr_step] (0x0040): No results for netgroup vboxhosts (domain ind.rwth-aachen.de)
sssd_nss.log:(Tue Jan  3 11:30:38 2017) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'vboxhosts' matched without domain, user is vboxhosts
sssd_nss.log:(Tue Jan  3 11:30:38 2017) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'vboxhosts' matched without domain, user is vboxhosts
Comment 19 Lukas Slebodnik 2017-01-04 13:53:49 EST
(In reply to bugsredhat from comment #18)
> This fix doesn't seem to work in latest CentOS 7.3.1611 with all updates
> applied.
> 
> 
> Problem:
> hostgroups aren't recognized anymore!
> 
> Single hosts in the IPA Sudo-Rule are recognized but hostgroups aren't.
> 
> Running latest IPA server and SSSD.
> IPA: 4.4.0-14.el7.centos.1.1
> SSSD: 1.14.0-43.el7_3.4
> 
A) This BZ is for fedora
B) you should firstly test whether you can resolve hostgroups with "getent netgroup" sudo use netgroups
C) You might write a mail to sssd-users mailing list
Comment 20 bugsredhat 2017-01-05 09:19:43 EST
A.) Thx, I thought because of its address bugzilla.redhat... it's for all kind of redhat/centos and fedora
B.) This can't work because hostgroups in IPA aren't netgroups! If I understand it right it is the job of SSSD-SUDO (IPA-Provider?) to build netgroups from user- and hostgroups in IPA
C.) Thx

BUT, this bug isn't related to Centos/Redhat. I can reproduce it in latest Fedora 25.

Maybe it's best to open a ticket in the Bugzilla for the SSSD. I think this bug was introduced with SSSD 1.40.x and the support for the IPA-SUDO schema.
Comment 21 Jakub Hrozek 2017-01-05 09:33:49 EST
(In reply to bugsredhat from comment #20)
> A.) Thx, I thought because of its address bugzilla.redhat... it's for all
> kind of redhat/centos and fedora
> B.) This can't work because hostgroups in IPA aren't netgroups! If I
> understand it right it is the job of SSSD-SUDO (IPA-Provider?) to build
> netgroups from user- and hostgroups in IPA

I think all rules related to the host are downloaded, so sssd should download all the rules for the current host and all its host groups.

> C.) Thx
> 
> BUT, this bug isn't related to Centos/Redhat. I can reproduce it in latest
> Fedora 25.
> 
> Maybe it's best to open a ticket in the Bugzilla for the SSSD. I think this
> bug was introduced with SSSD 1.40.x and the support for the IPA-SUDO schema.

Yes, I would recommend to file a new bug.

Note You need to log in before you can comment on or make changes to this bug.