Red Hat Bugzilla – Bug 1258421
freeipa sudo rules do not work out of the box, add a warning to ipa-client-install to enable compat tree and fix documentation
Last modified: 2016-01-29 09:08:13 EST
+++ This bug was initially created as a clone of Bug #1256849 +++
Description of problem:
sssd tries to use compat mode for sudo rules by default, freeipa by default has compat mode turned off.
In order to have sudo working with sssd you need to manually enable compat mode on the server, which has a performance cost; additionally it is not at all clear why sudo is failing, and it took a significant amount of effort to debug what was going on.
In order for sssd to just work it needs to be able to natively pull the sudo rules from the ipa server.
--- Additional comment from Jakub Hrozek on 2015-08-31 11:29:31 EEST ---
Sorry for the late reply. I was on vacation last week.
(In reply to Dennis Gilmore from comment #0)
> Description of problem:
> sssd tries to use compat mode for sudo rules by default,
This is expected, we don't support the native sudo rules yet (although we do have a first, unreviewed patch).
> freeipa by default
> has compat mode turned off.
However, this is not expected at all. How did you test the compat tree is disabled? Did enabling it help?
Alexander, are you aware of any issue in this area?
> in order to have working sudo working with sssd you need to manually enable
> compat mode on the server which has a performance cost, additionally it is
> not at all clear why sudo is failing, it took a significant amount of effort
> to debug what was going on.
> In order for sssd to just work it needs to be able to natively pull the sudo
> rules from the ipa server.
--- Additional comment from Alexander Bokovoy on 2015-08-31 11:42:23 EEST ---
Yes, compat tree is not enabled by default.
Somehow, the fact that one needs to enable compat tree with 'ipa-compat-manage enable' is missing in https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/sudo.html
So at the very least there is a documentation bug.
--- Additional comment from Lukas Slebodnik on 2015-08-31 13:40:49 EEST ---
(In reply to Alexander Bokovoy from comment #2)
> Yes, compat tree is not enabled by default.
> Somehow, the fact that one needs to enable compat tree with
> 'ipa-compat-manage enable' is missing in
> So at the very least there is a documentation bug.
The simplest and fastest solution would be to write a warning in ipa-client-install if sudo support is enabled and the compat tree is disabled.
Or, a simplified version: write a message about enabling the compat tree
if sudo support is enabled.
The long-term solution will be to increase the priority of the ticket for IPA native sudo rules in sssd.
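The check proposed in the comment above, written out as an added example (this is not FreeIPA or SSSD code). SSSD's IPA provider at the time read sudo rules from ou=sudoers,$SUFFIX, a subtree served by the 389-ds "Schema Compatibility" plugin; that plugin's state is the nsslapd-pluginEnabled attribute of cn=Schema Compatibility,cn=plugins,cn=config, which is what 'ipa-compat-manage enable' and 'disable' flip. The example reads an sssd.conf, decides whether sudo will be served through the IPA provider, and combines that with the plugin entry to produce the warning. The sssd.conf, the LDIF fragments, the domain name and the function names are all constructed for the example.

```python
import configparser

# Entry whose nsslapd-pluginEnabled attribute 'ipa-compat-manage enable' sets
# to "on"; the sudo compat subtree ou=sudoers,$SUFFIX only exists while it is on.
COMPAT_PLUGIN_DN = "cn=Schema Compatibility,cn=plugins,cn=config"

# Constructed sample sssd.conf for an IPA client with the sudo responder
# enabled (domain and server names are made up).
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, ssh, sudo
domains = example.test

[domain/example.test]
id_provider = ipa
ipa_server = ipa.example.test
ipa_domain = example.test
"""

# Constructed samples of what a base-scope search of the plugin entry returns
# with the compat tree disabled and enabled.
SAMPLE_PLUGIN_LDIF_OFF = """\
dn: cn=Schema Compatibility,cn=plugins,cn=config
nsslapd-pluginEnabled: off
"""
SAMPLE_PLUGIN_LDIF_ON = """\
dn: cn=Schema Compatibility,cn=plugins,cn=config
nsslapd-pluginEnabled: on
"""


def ldif_attr(ldif, attr):
    """First value of `attr` in a single-entry LDIF fragment, or None.
    Attribute names are matched case-insensitively, as LDAP does."""
    key = attr.lower() + ":"
    for raw in ldif.splitlines():
        if raw.lower().startswith(key):
            return raw.split(":", 1)[1].strip()
    return None


def sssd_sudo_domains(sssd_conf_text):
    """Domains this sssd.conf would serve sudo rules for via the IPA provider.

    sudo is served when the 'sudo' responder is listed in [sssd] services and
    the domain's sudo_provider is 'ipa'; sudo_provider defaults to the value of
    id_provider when it is not set (see sssd.conf(5))."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf_text)
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        return []
    domains = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        id_provider = cp.get(section, "id_provider", fallback="none")
        if cp.get(section, "sudo_provider", fallback=id_provider) == "ipa":
            domains.append(section[len("domain/"):])
    return domains


def compat_tree_enabled(plugin_ldif):
    """True/False from the plugin entry, or None when the entry could not be
    read; an unreadable state must not be mistaken for 'enabled'."""
    if ldif_attr(plugin_ldif, "dn") != COMPAT_PLUGIN_DN:
        return None
    value = ldif_attr(plugin_ldif, "nsslapd-pluginEnabled")
    if value is None:
        return None
    return value.lower() == "on"


def sudo_compat_warning(sssd_conf_text, plugin_ldif):
    """The warning ipa-client-install could print, or None if there is nothing
    to warn about (sudo not enabled, or the compat tree is on)."""
    domains = sssd_sudo_domains(sssd_conf_text)
    if not domains:
        return None
    state = compat_tree_enabled(plugin_ldif)
    if state is True:
        return None
    reason = ("the compat tree is disabled" if state is False
              else "the compat plugin state could not be read")
    return ("WARNING: sudo is enabled in sssd.conf for %s, but %s on the IPA "
            "server. SSSD reads sudo rules from ou=sudoers,$SUFFIX, which only "
            "exists while the compat tree is on: run 'ipa-compat-manage enable' "
            "on the server (it takes effect after a directory server restart), "
            "or no sudo rules will reach this client."
            % (", ".join(domains), reason))


if __name__ == "__main__":
    print(sudo_compat_warning(SAMPLE_SSSD_CONF, SAMPLE_PLUGIN_LDIF_OFF))
```

On a real client the plugin LDIF comes from a base-scope ldapsearch of cn=Schema Compatibility,cn=plugins,cn=config on the server (cn=config is readable to Directory Manager, which is why ipa-compat-manage asks for that password), or simply from running ipa-compat-manage status on the server; the first line of that search result and the sssd.conf the installer wrote are the two inputs the example takes.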
--- Additional comment from Alexander Bokovoy on 2015-08-31 14:01:49 EEST ---
Agreed. So, for FreeIPA part we need to modify ipa-client-install script and also fix documentation.
SSSD side needs to raise priority of implementing native IPA schema support for sudo.
I'll clone the ticket to IPA side too.
Rob noted that we always enable compat plugin unconditionally in IPA installations so the question is why it was disabled in the original bug report.
here is a common setup part that unconditionally enables compat tree:
        # excerpt from the directory server instance setup steps in
        # ipaserver/install/dsinstance.py; the compat plugin step is not conditional
        self.step("initializing group membership", self.init_memberof)
        self.step("adding master entry", self.__add_master_entry)
        self.step("initializing domain level", self.__set_domain_level)
        self.step("configuring Posix uid/gid generation",
                  self.__config_uidgid_gen)
        self.step("adding replication acis", self.__add_replication_acis)
        self.step("enabling compatibility plugin",
                  self.__enable_compat_plugin)
        self.step("activating sidgen plugin", self._add_sidgen_plugin)
        self.step("activating extdom plugin", self._add_extdom_plugin)
        self.step("tuning directory server", self.__tuning)
        self.step("configuring directory to start on boot", self.__enable)
We still think it makes sense to add a warning to ipa-client-install and also to ipa-compat-manage about sudo behavior if the compat tree is disabled. And the documentation needs to include clarifications on the compat tree affecting sudo.
I thought that it would be super EASY to add a warning to freeipa and it would take
much more time to implement a native IPA sudo provider in sssd. However, it looks like I was wrong.
Do we still need this BZ?
This was rather low priority for FreeIPA project, which is why it took so long (updating Bug sev/prio, I do not know why it was set that high).
But Lukas has a point, I would vote for closing it, given that current SSSD releases (even in RHEL-6.x) are about to get native SUDO support.
As Lukas pointed in comment 3, SSSD will receive a native IPA sudo provider and therefore fixing this bug is no longer required.