Bug 1313940 - sudorule not working with ipa sudo_provider
sudorule not working with ipa sudo_provider
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd (Show other bugs)
Unspecified Unspecified
unspecified Severity high
: rc
: ---
Assigned To: Pavel Březina
Steeve Goveas
Aneta Šteflová Petrová
: Regression, TestBlocker
Depends On:
Blocks: 1310769
  Show dependency treegraph
Reported: 2016-03-02 11:21 EST by Kaleem
Modified: 2016-05-10 16:26 EDT (History)
10 users (show)

See Also:
Fixed In Version: sssd-1.13.3-21.el6
Doc Type: Bug Fix
Doc Text:
SSSD stores sudo rules correctly when `id_provider = ipa` is set Identity Management version 3.0 and previous use different format for the `ipasudocmd` distinguished name (DN). Consequently, the System Security Services Daemon (SSSD) service was unable to store *sudo* rules correctly when the `id_provider` option was set to `ipa` in the `/etc/sssd/sssd.conf` file. This update fixes the problem, and *sudo* rules now work as expected in the described situation.
Story Points: ---
Clone Of:
Last Closed: 2016-05-10 16:26:51 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
console output with steps (6.35 KB, text/plain)
2016-03-23 04:52 EDT, Kaleem
no flags Details

  None (edit)
Description Kaleem 2016-03-02 11:21:29 EST
Description of problem:

Sudo not working for IPA sudo_provider.

Version-Release number of selected component (if applicable):

[root@auto-hv-02-guest05 ~]# rpm -q ipa-server sssd
[root@auto-hv-02-guest05 ~]# 

How reproducible:

Steps to Reproduce:

On IPA Master: 

(1) Added sudorule for IPA client machine for user "testuser1" for command "mkdir"

[root@auto-hv-02-guest05 ~]# ipa sudorule-show sudorule2
  Rule name: sudorule2
  Enabled: TRUE
  Users: testuser1
  Hosts: ipaqa64vml.testrelm.test
  Sudo Allow Commands: /bin/mkdir
[root@auto-hv-02-guest05 ~]# echo xxxxxxxx|kinit testuser1
Password for testuser1@TESTRELM.TEST: 

On IPA Client:

(2)Add sudo_provider with ipa in sssd.conf

On IPA Master: 

(3)Do ssh with user testuser1 to IPA client machine . Now Try 'sudo -l' on IPA client machine

Saw following on console.

"User testuser1 is not allowed to run sudo on ipaqa64vml."

But instead it it should have shown that user can run 'mkdir' command on this host.

[root@auto-hv-02-guest05 ~]#
[root@auto-hv-02-guest05 ~]# ssh -o StrictHostKeyChecking=no -l testuser1 ipaqa64vml.testrelm.test
Last login: Wed Mar  2 07:33:28 2016 from auto-hv-02-guest05.testrelm.test
Could not chdir to home directory /home/testuser1: No such file or directory
-sh-4.1$ sudo -l
[sudo] password for testuser1: 
User testuser1 is not allowed to run sudo on ipaqa64vml.
-sh-4.1$ logout
Connection to ipaqa64vml.testrelm.test closed.
[root@auto-hv-02-guest05 ~]# 

On IPA Client:

(4) following shown in sssd_sudo.log

(Wed Mar  2 10:06:33 2016) [sssd[sudo]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Wed Mar  2 10:06:34 2016) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x10b0a70
(Wed Mar  2 10:06:34 2016) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 0x10ae830
(Wed Mar  2 10:06:34 2016) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Mar  2 10:06:34 2016) [sssd[sudo]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 5 error message: Internal Error
(Wed Mar  2 10:06:34 2016) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x10b31b0

(Wed Mar  2 10:06:34 2016) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x10b32d0

Actual results:
sudo command to be executed not shown with 'sudo -l'

Expected results:
sudo command to be executed should be shown with 'sudo -l'

Additional info:
(1)When sudo_provider changed to ldap provider, 'sudo -l' gives correct output. Thanks to Jakub for this.
Comment 3 Lukas Slebodnik 2016-03-02 11:45:46 EST
Assigning to author sudo related changes in sssd-1.13
Comment 7 Pavel Březina 2016-03-04 04:44:30 EST
Upstream ticket:
Comment 10 Pavel Březina 2016-03-04 05:43:50 EST
Sounds good. Ack.
Comment 11 Jakub Hrozek 2016-03-08 10:36:10 EST
Upstream ticket:
Comment 12 Jakub Hrozek 2016-03-09 04:34:49 EST
Patch is on review, devel acking.
Comment 14 Jakub Hrozek 2016-03-14 13:08:28 EDT
Comment 16 Kaleem 2016-03-16 03:59:58 EDT
Tried with latest build sssd-1.13.3-19.el6.x86_64 but bug still there

[root@ibm-x3250m4-04 ~]# rpm -q ipa-client sssd
[root@ibm-x3250m4-04 ~]# 

snip from sssd.<domain>.log

(Wed Mar 16 03:50:13 2016) [sssd[be[testrelm.test]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Wed Mar 16 03:50:13 2016) [sssd[be[testrelm.test]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Mar 16 03:50:13 2016) [sssd[be[testrelm.test]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
(Wed Mar 16 03:50:13 2016) [sssd[be[testrelm.test]]] [sdap_op_destructor] (0x2000): Operation 11 finished
(Wed Mar 16 03:50:13 2016) [sssd[be[testrelm.test]]] [sdap_search_bases_done] (0x0400): Receiving data from base [cn=sudo,dc=testrelm,dc=test]
(Wed Mar 16 03:50:13 2016) [sssd[be[testrelm.test]]] [ipa_sudo_fetch_rules_done] (0x0040): Received 1 sudo rules
(Wed Mar 16 03:50:13 2016) [sssd[be[testrelm.test]]] [process_rulemember] (0x0080): Invalid member DN sudocmd=/bin/mkdir,cn=sudocmds,cn=sudo,dc=testrelm,dc=test, skipping...
(Wed Mar 16 03:50:13 2016) [sssd[be[testrelm.test]]] [ipa_sudo_fetch_cmdgroups] (0x0400): About to fetch sudo command groups
(Wed Mar 16 03:50:13 2016) [sssd[be[testrelm.test]]] [ipa_sudo_fetch_cmdgroups] (0x0400): No command groups needs to be downloaded
(Wed Mar 16 03:50:13 2016) [sssd[be[testrelm.test]]] [ipa_sudo_fetch_cmds] (0x0400): About to fetch sudo commands
(Wed Mar 16 03:50:13 2016) [sssd[be[testrelm.test]]] [ipa_sudo_fetch_cmds] (0x0400): No commands needs to be downloaded
(Wed Mar 16 03:50:13 2016) [sssd[be[testrelm.test]]] [ipa_sudo_fetch_done] (0x0400): About to convert rules
(Wed Mar 16 03:50:13 2016) [sssd[be[testrelm.test]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Wed Mar 16 03:50:13 2016) [sssd[be[testrelm.test]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Wed Mar 16 03:50:13 2016) [sssd[be[testrelm.test]]] [ldb] (0x4000): start ldb transaction (nesting: 1)
(Wed Mar 16 03:50:13 2016) [sssd[be[testrelm.test]]] [sysdb_sudo_purge_all] (0x0400): Deleting all cached sudo rules
Comment 20 Jakub Hrozek 2016-03-16 06:10:47 EDT
I'm sorry about that, I built a new package where the patches are actually applied
Comment 21 Martin Kosek 2016-03-17 08:40:19 EDT
Fixed in sssd-1.13.3-21.el6.
Comment 23 Kaleem 2016-03-23 04:50:56 EDT
I have two observations with latest build sssd-1.13.3-22.el6.x86_64

(1)sudo run on client vm still fails in first attempt and after waiting 5 minutes second attempt is successful . Please find the attached file with console output for this.

(2)First sudo run attempt is also successful but when sssd cache removed on client vm before running sudo command on it.

is this a separate issue or part of this bug which needs to be fixed?
Comment 24 Kaleem 2016-03-23 04:52 EDT
Created attachment 1139405 [details]
console output with steps
Comment 26 Pavel Březina 2016-03-24 09:15:52 EDT
Ok, so I can confirm that the issue *is* fixed. If you add a sudo rule you need to wait some time till SSSD downloads it through either smart or full refresh (please refer to sssd-sudo man page).

Ad 1) The first attempt is not successful because the rule was not yet downloaded. During the five minutes delay a smart refresh occurred and downloaded newly added rule. Therefore second attempt is successful.

Ad 2) If you restart SSSD with a clear cache, full refresh that downloads all rules happens immediately (and with 10 seconds delay if the cache is not clear). Therefore the rules is there immediately.

If you are not testing specific sudo refresh type, it is good to remove cache and restart sssd so the changes take effect immediately. If you are testing refresh types you can decrease the period with ldap_sudo_*_refresh_interval.
Comment 27 Kaleem 2016-03-29 08:24:45 EDT
Verified as per #c26

IPA/sssd version:

snip from automation log:
:: [  BEGIN   ] :: Running 'ipa sudorule-add-allow-command --sudocmds=/bin/mkdir sudorule1'
  Rule name: sudorule1
  Enabled: TRUE
  Users: user1
  Hosts: ibm-x3250m4-02.testrelm.test
  Sudo Allow Commands: /bin/mkdir
Number of members added 1
:: [   PASS   ] :: Command 'ipa sudorule-add-allow-command --sudocmds=/bin/mkdir sudorule1' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'sssd_cache_cleanup'
Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]
:: [   PASS   ] :: Command 'sssd_cache_cleanup' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'sudo_list user1'
#!/usr/bin/expect -f

set timeout 30
set send_slow {1 .1}
match_max 100000

spawn ssh -o StrictHostKeyChecking=no -l user1 ibm-x3250m4-02.testrelm.test
expect "*: "
send -s "xxxxxxxx\r"
expect "*$ "
send -s "sudo -l > /tmp/sudo_list_client_25647.out 2>&1 \r"
expect "user1: "
send -s "xxxxxxxx\r"
expect eof
spawn ssh -o StrictHostKeyChecking=no -l user1 ibm-x3250m4-02.testrelm.test
user1@ibm-x3250m4-02.testrelm.test's password: 
Last login: Tue Mar 29 01:38:14 2016 from ibm-x3250m4-02.testrelm.test

**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
Could not chdir to home directory /home/user1: No such file or directory
MARK-LWD-LOOP -- 2016-03-29 01:39:53 --
sudo -l > /tmp/sudo_list_client_25647.out 2>&1 
[sudo] password for user1: 
-sh-4.1$ ibm-x3250m4-02.testrelm.test
Connecting to ibm-x3250m4-02.testrelm.test...
Fetching /tmp/sudo_list_client_25647.out to /tmp/sudo_list.out
Matching Defaults entries for user1 on this host:
    !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User user1 may run the following commands on this host:
    (root) /bin/mkdir
:: [   PASS   ] :: Command 'sudo_list user1' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/sudo_list.out' should contain 'User user1 may run the following commands on this host:' 
:: [   PASS   ] :: File '/tmp/sudo_list.out' should contain '(root) /bin/mkdir'
Comment 32 errata-xmlrpc 2016-05-10 16:26:51 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.