This bug is created as a clone of upstream ticket: https://fedorahosted.org/sssd/ticket/2919
One BZ showed that the current sudo protocol we use does not provide enough information to sudo to process rules that do not contain fully qualified names when the login does. We should improve the protocol and logic so it is clearer what sssd does and what sudo does.
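The mismatch the ticket describes, as an added illustration that is not SSSD's or sudo's own code: a rule whose sudoUser holds the short name "user-1" is compared against a login that arrives fully qualified as "user-1@LDAP" once default_domain_suffix is set. A plain string comparison rejects it; a domain-aware comparison that applies the default domain to whichever side lacks one accepts it, while still refusing a user from a different domain so the fix does not widen the rule. Names, the domain "LDAP", and the helper functions are constructed for this example.

```python
# Hypothetical model of matching a sudoers-style sudoUser value against a
# login name, with and without awareness of default_domain_suffix.
# Constructed for illustration; not the SSSD/sudo implementation.

DEFAULT_DOMAIN_SUFFIX = "LDAP"  # constructed, mirrors the steps in this thread


def split_name(name: str, default_domain: str) -> tuple[str, str]:
    """Return (user, domain); an unqualified name gets the default domain."""
    if "@" in name:
        user, domain = name.rsplit("@", 1)
        return user, domain
    return name, default_domain


def rule_matches_naive(rule_user: str, login: str) -> bool:
    """Plain string comparison: 'user-1' never equals 'user-1@LDAP'."""
    if rule_user == "ALL":
        return True
    return rule_user == login


def rule_matches_domain_aware(rule_user: str, login: str,
                              default_domain: str = DEFAULT_DOMAIN_SUFFIX) -> bool:
    """Qualify both sides with the default domain, then compare user and domain.

    Group rules ("%group") are out of scope here and are rejected, so the
    function never over-matches on a form it does not understand.
    """
    if rule_user == "ALL":
        return True
    if rule_user.startswith("%"):
        return False
    rule_u, rule_d = split_name(rule_user, default_domain)
    login_u, login_d = split_name(login, default_domain)
    # Domain names are case-insensitive; user names are compared exactly.
    return rule_u == login_u and rule_d.lower() == login_d.lower()


def evaluate(rule_user: str, login: str) -> dict:
    """Convenience wrapper returning both outcomes for one rule/login pair."""
    return {
        "naive": rule_matches_naive(rule_user, login),
        "domain_aware": rule_matches_domain_aware(rule_user, login),
    }


if __name__ == "__main__":
    for rule, login in [("user-1", "user-1"),
                        ("user-1", "user-1@LDAP"),
                        ("user-1", "user-1@OTHER"),
                        ("ALL", "user-1@LDAP")]:
        print(f"rule={rule!r:12} login={login!r:16} {evaluate(rule, login)}")
```

The third pair is the check worth keeping: a login from another domain must still be refused, otherwise "making unqualified rules work" would silently turn into "a short-name rule matches every domain".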
*** Bug 1331174 has been marked as a duplicate of this bug. ***
* master: 61913b8f0d1ba54d82640500d7486fac5f72b030
Jakub, ack, clear. Resetting it here, and yes, it is indeed for 01599086.
Could you please provide steps to verify?
Create user, say user-1, in domain LDAP.
Create rule with sudoUser: user-1.
su user-1
sudo -l -- works
Set default_domain_suffix = LDAP
su user-1
sudo -l -- won't work without this fix
Verified on sssd-1.14.0-43.el7:

[root@vm-idm-002 ~]# su tuser
sh-4.2$ sudo -l
[sudo] password for tuser:
Sorry, user tuser may not run sudo on vm-idm-002.

[root@vm-idm-002 ~]# ipa sudorule-add trule --usercat=all --hostcat=all --cmdcat=all
-----------------------
Added Sudo Rule "trule"
-----------------------
  Rule name: trule
  Enabled: TRUE
  User category: all
  Host category: all
  Command category: all

[root@vm-idm-002 ~]# service sssd restart
Redirecting to /bin/systemctl restart sssd.service

[root@vm-idm-002 ~]# su tuser
sh-4.2$ sudo -l
Matching Defaults entries for tuser on this host:
    !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User tu

[root@vm-idm-002 ~]# cat /etc/sssd/sssd.conf | grep "default_domain_suffix"
default_domain_suffix = testrelm.test

[root@vm-idm-002 ~]# service sssd restart
Redirecting to /bin/systemctl restart sssd.service

[root@vm-idm-002 ~]# su tuser
sh-4.2$ sudo -l
Matching Defaults entries for tuser on this host:
    !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User tuser may run the following commands on this host:
    (root) ALL
Looks good to me.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-2476.html