Description of problem: sssd tries to use compat mode for sudo rules by default, freeipa by default has compat mode turned off. in order to have working sudo working with sssd you need to manually enable compat mode on the server which has a performance cost, additionally it is not at all clear why sudo is failing, it took a significant amount of effort to debug what was going on. In order for sssd to just work it needs to be able to natively pull the sudo rules from the ipa server.
Sorry for the late reply. I was on vacation last week. (In reply to Dennis Gilmore from comment #0) > Description of problem: > sssd tries to use compat mode for sudo rules by default, This is expected, we don't support the native sudo rules yet (although we do have a first, unreviewed patch). > freeipa by default > has compat mode turned off. However, this is not expected at all. How did you test the compat tree is disabled? Did enabling it help? Alexander, are you aware of any issue in this area? > > in order to have working sudo working with sssd you need to manually enable > compat mode on the server which has a performance cost, additionally it is > not at all clear why sudo is failing, it took a significant amount of effort > to debug what was going on. > > In order for sssd to just work it needs to be able to natively pull the sudo > rules from the ipa server.
Yes, compat tree is not enabled by default. Somehow, the fact that one needs to enable compat tree with 'ipa-compat-manage enable' is missing in https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/sudo.html So at the very least there is a documentation bug.
(In reply to Alexander Bokovoy from comment #2) > Yes, compat tree is not enabled by default. > > Somehow, the fact that one needs to enable compat tree with > 'ipa-compat-manage enable' is missing in > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/ > html/Linux_Domain_Identity_Authentication_and_Policy_Guide/sudo.html > > So at the very least there is a documentation bug. The simplest and the fast solution would be to write warning in ipa-client install if sudo-support is enabled and compat tree is disabled. Or simplified version write a message about enabling compat tree if sudo-support is enabled. The long term solution will be increase priority of ticket with ipa native sudo rules in sssd.
Agreed. So, for FreeIPA part we need to modify ipa-client-install script and also fix documentation. SSSD side needs to raise priority of implementing native IPA schema support for sudo. I'll clone the ticket to IPA side too.
Upstream ticket: https://fedorahosted.org/sssd/ticket/1108
Moving to fedora rawhide. Because it's not clear when the upstream ticket will be finished.
Correct, I don't think it will be sooner than F-24, maybe we'll also backport to F-23..
Patches are almost ready.
master: a7d2b4f157194c14bc4a40c74f6416b82befa460 1476d5348fcf387e7481d833becbd993d91f8019 f58ffb26aeaae0642a149643672fa59ec01a3a36 8da71a9d5eebe7690b66fde8bfad195d5e3cc629 8bd44a13de231d025882810c720dd07ca4ee564d 43bbf5b158ec3152806791ca49ae224ee978de24 3ff3bb43ae6509905bbf7fa6540c44cdbbd0f738 cc7f9b639144183eb4f8bd86e5bed077da7d4e35 ad5a48c4947183fda49308259e3411d17a8b0a13 d06cc0974e59cd6cf1da45cc8c60d6e822b731c2 9630a4614ba4d5f68e967d4e108893550a996f30 a641a13889d617aca6bd998025e9087e822ff7f0 4ddd5591c50e27dffa55f03fbce0dcc85cd50a8b cc7766c8456653ab5d7dedbf432cb1711a905804 ed8650be18af26b7bf389e1246f7e8cdb363f829 a2057618f30a3c64bdffb35a2ef3c2ba148c8a03 0f04241fc90f134af0272eb0999e75fb6749b595 a6dd4a6c55773e81490dcafd61d4b9782705e9bf b407fe0474a674bb42f0f42ab47c7f530a07a367 cad751beaa12e34e15565bc413442b1e80ac0c29 e085a79acfcd5331b6f99748e21765579a9a99f2 85feb8d77a2c832787880944e02104846c4d5376 68abbe716bed7c8d6790d9bec168ef44469306a1 e9ae5cd285dcc8fa232e16f9c7a29f18537272f2 1d3f5fc2802c218916e6d6bc98eeaed79c66bafe 92ec40e6aa25f75903ffdb166a8ec56b67bfd77d d0599eaa9369fd867953e3c58b8d7bb445525ff5 sssd-1-13: 4af65fad63a70de5515080b77bd965646e1e3fc9 7315eed1adc4e83675b3f72a5c3fa014374bbc6d f58ab319363e128f817d90eb7c160e7dc9abee6c 3d0883f56ed78b9299a3c1e21a7b16e7279ae20c f485bbc2c1e28f51b35f546e160a6174e6644d3a fe7349304170b827ddef2bdb8f858c828ddb48c7 cab3b09bf6d9108d8498ca94c19844fa001fb827 eac510ccc86d1d45b2cc1f0b3f9554b0a9717b78 1dbb036f0dbe65ceba2f9eae0a1e56848149263e 6fc3ee299f2d7103aa7357f4a91973883c487888 2d4bc2fabba94291745112f3c9d4143d893362fb 43f4ecef75752cc531697a4e215903657c64ca97 599e8862a0bdd53db5dea0940ca8ae374d167846 e1b288a9b0c40b299455ca81d0eabe1d73b31ae3 33d4b29fd45c8f2e138121c472c541a089816d7c 6494d7a987d895744b3ef8839866e1891df17659 01db59be8c1175503bec23b480799f9375903884 b6c32aeed9e02017142a88499955e6a72b103acf 530e6e0fb086235658bd6387d83e5eddd393ef77 04e2ea460daa6edc0b6f6ff67d14a1fd3d03e235 4f833dc1f280f861343b022b703470a5bdddaba6 216b846cb1acae47b80fd61fc9474b08eabe13b3 bdfe78351ae09790205deac09027a511d4ee03cb c548a507e68cfe1c2ebb98e98d59101d4c4513de 339dcc48e57d4c38fb4bc5be73cf15cf9dd46908 f5520fc2c5e8c6a2bc5d0e73900d734e6d862545 3063486d01c0be2ef64b884a20bfbc7f8cfd7105 1227cd003e434ba974b6b08280f635047263a450 69be1acf52839a8b32763397f9531f8fc4f60569
sssd-1.13.3-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-61146827f2
sssd-1.13.3-2.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-dca09ef2d7
sssd-1.13.3-3.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-61146827f2
sssd-1.13.3-3.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-dca09ef2d7
sssd-1.13.3-3.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-61146827f2
sssd-1.13.3-3.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-dca09ef2d7
sssd-1.13.3-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
sssd-1.13.3-3.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
This fix doesn't seem to work in latest CentOS 7.3.1611 with all updates applied. Problem: hostgroups aren't recognized anymore! Single hosts in the IPA Sudo-Rule are recognized but hostgroups aren't. Running latest IPA server and SSSD. IPA: 4.4.0-14.el7.centos.1.1 SSSD: 1.14.0-43.el7_3.4 Everything worked before with CentOS 7.2 and older IPA. And yes, I'm running IPA in compat-mode. Here are some Logs Sudo Log: Jan 3 11:51:26 sudo[13561] val[0]=+vboxhosts Jan 3 11:51:26 sudo[13561] -> addr_matches @ ./match_addr.c:190 Jan 3 11:51:26 sudo[13561] -> addr_matches_if @ ./match_addr.c:62 Jan 3 11:51:26 sudo[13561] <- addr_matches_if @ ./match_addr.c:100 := false Jan 3 11:51:26 sudo[13561] <- addr_matches @ ./match_addr.c:200 := false Jan 3 11:51:26 sudo[13561] -> sudo_sss_ipa_hostname_matches @ ./sssd.c:561 Jan 3 11:51:26 sudo[13561] -> hostname_matches @ ./match.c:749 Jan 3 11:51:26 sudo[13561] <- hostname_matches @ ./match.c:760 := false Jan 3 11:51:26 sudo[13561] -> netgr_matches @ ./match.c:865 Jan 3 11:51:26 sudo[13561] (wolkenstein.ind.rwth-aachen.de, *, ind.rwth-aachen.de) NOT found in netgroup vboxhosts Jan 3 11:51:26 sudo[13561] (wolkenstein.ind.rwth-aachen.de, *, ind.rwth-aachen.de) NOT found in netgroup vboxhosts Jan 3 11:51:26 sudo[13561] <- netgr_matches @ ./match.c:918 := false Jan 3 11:51:26 sudo[13561] IPA hostname (wolkenstein.ind.rwth-aachen.de) matches +vboxhosts => false Jan 3 11:51:26 sudo[13561] <- sudo_sss_ipa_hostname_matches @ ./sssd.c:572 := false Jan 3 11:51:26 sudo[13561] -> netgr_matches @ ./match.c:865 Jan 3 11:51:26 sudo[13561] (wolkenstein, *, ind.rwth-aachen.de) NOT found in netgroup vboxhosts Jan 3 11:51:26 sudo[13561] (wolkenstein.ind.rwth-aachen.de, *, ind.rwth-aachen.de) NOT found in netgroup vboxhosts Jan 3 11:51:26 sudo[13561] <- netgr_matches @ ./match.c:918 := false Jan 3 11:51:26 sudo[13561] -> hostname_matches @ ./match.c:749 Jan 3 11:51:26 sudo[13561] <- hostname_matches @ ./match.c:760 := false Jan 3 11:51:26 sudo[13561] sssd/ldap sudoHost '+vboxhosts' ... not .... SSSD-Logs: ... sssd_ind.rwth-aachen.de.log:(Tue Jan 3 11:19:03 2017) [sssd[be[ind.rwth-aachen.de]]] [ipa_hostgroup_info_done] (0x0200): Dereferenced host group: vboxhosts sssd_ind.rwth-aachen.de.log:(Tue Jan 3 11:29:36 2017) [sssd[be[ind.rwth-aachen.de]]] [ipa_hostgroup_info_done] (0x0200): Dereferenced host group: vboxhosts sssd_ind.rwth-aachen.de.log:(Tue Jan 3 11:30:38 2017) [sssd[be[ind.rwth-aachen.de]]] [dp_get_account_info_handler] (0x0200): Got request for [0x4][BE_REQ_NETGROUP][1][name=vboxhosts] sssd_ind.rwth-aachen.de.log:(Tue Jan 3 11:32:59 2017) [sssd[be[ind.rwth-aachen.de]]] [ipa_hostgroup_info_done] (0x0200): Dereferenced host group: vboxhosts ... sssd_nss.log:(Tue Jan 3 11:30:38 2017) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'vboxhosts' matched without domain, user is vboxhosts sssd_nss.log:(Tue Jan 3 11:30:38 2017) [sssd[nss]] [lookup_netgr_step] (0x0040): No results for netgroup vboxhosts (domain ind.rwth-aachen.de) sssd_nss.log:(Tue Jan 3 11:30:38 2017) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'vboxhosts' matched without domain, user is vboxhosts sssd_nss.log:(Tue Jan 3 11:30:38 2017) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'vboxhosts' matched without domain, user is vboxhosts
(In reply to bugsredhat from comment #18) > This fix doesn't seem to work in latest CentOS 7.3.1611 with all updates > applied. > > > Problem: > hostgroups aren't recognized anymore! > > Single hosts in the IPA Sudo-Rule are recognized but hostgroups aren't. > > Running latest IPA server and SSSD. > IPA: 4.4.0-14.el7.centos.1.1 > SSSD: 1.14.0-43.el7_3.4 > A) This BZ is for fedora B) you should firstly test whether you can resolve hostgroups with "getent netgroup" sudo use netgroups C) You might write a mail to sssd-users mailing list
A.) Thx, I thought because of its address bugzilla.redhat... it's for all kind of redhat/centos and fedora B.) This can't work because hostgroups in IPA aren't netgroups! If I understand it right it is the job of SSSD-SUDO (IPA-Provider?) to build netgroups from user- and hostgroups in IPA C.) Thx BUT, this bug isn't related to Centos/Redhat. I can reproduce it in latest Fedora 25. Maybe it's best to open a ticket in the Bugzilla for the SSSD. I think this bug was introduced with SSSD 1.40.x and the support for the IPA-SUDO schema.
(In reply to bugsredhat from comment #20) > A.) Thx, I thought because of its address bugzilla.redhat... it's for all > kind of redhat/centos and fedora > B.) This can't work because hostgroups in IPA aren't netgroups! If I > understand it right it is the job of SSSD-SUDO (IPA-Provider?) to build > netgroups from user- and hostgroups in IPA I think all rules related to the host are downloaded, so sssd should download all the rules for the current host and all its host groups. > C.) Thx > > BUT, this bug isn't related to Centos/Redhat. I can reproduce it in latest > Fedora 25. > > Maybe it's best to open a ticket in the Bugzilla for the SSSD. I think this > bug was introduced with SSSD 1.40.x and the support for the IPA-SUDO schema. Yes, I would recommend to file a new bug.