Red Hat Bugzilla – Bug 1321884
IPA sudo: support the externalUser attribute
Last modified: 2017-03-21 05:55:15 EDT
This bug is created as a clone of upstream ticket: https://fedorahosted.org/sssd/ticket/2972

The LDAP sudo provider supported the externalUser, the IPA one should too.

* master: 991c9f47fcb24704b880f60ab8ee77cfda056e2c
* sssd-1-13: d4d2ffa6cf967231ae725973ee2665dbd0e2391b
Ack to the doc text.
Failed to add sudorule with --externaluser option:

[root@vm-idm-030 ~]# rpm -q sssd ipa-server
sssd-1.14.0-43.el7.x86_64
ipa-server-4.4.0-12.el7.x86_64

[root@vm-idm-030 ~]# ipa sudorule-add --help|grep externaluser
  --externaluser=STR      External User the rule applies to (sudorule-find only)
  --runasexternaluser=STR
[root@vm-idm-030 ~]# ipa sudorule-add testrule --externaluser=test@domain.com
ipa: ERROR: invalid 'externaluser': this option has been deprecated.
[root@vm-idm-030 ~]# ipa sudorule-add testrule --runasexternaluser=test@domain.com
ipa: ERROR: invalid 'runasexternaluser': this option has been deprecated.

(In reply to Xiyang Dong from comment #9)
> Failed to add sudorule with --externaluser option:
> [root@vm-idm-030 ~]# rpm -q sssd ipa-server
> sssd-1.14.0-43.el7.x86_64
> ipa-server-4.4.0-12.el7.x86_64
>
> [root@vm-idm-030 ~]# ipa sudorule-add --help|grep externaluser
>   --externaluser=STR      External User the rule applies to (sudorule-find only)
>   --runasexternaluser=STR
> [root@vm-idm-030 ~]# ipa sudorule-add testrule --externaluser=test@domain.com
> ipa: ERROR: invalid 'externaluser': this option has been deprecated.
> [root@vm-idm-030 ~]# ipa sudorule-add testrule --runasexternaluser=test@domain.com
> ipa: ERROR: invalid 'runasexternaluser': this option has been deprecated.

Just for your information: these steps do not test sssd, and this bug is about sssd. May I know why the state is "FailedQA"?
Hi Lukas, as in the bug description, "The LDAP sudo provider supported the externalUser, the IPA one should too", I agree with you that the component should be changed to ipa.

(In reply to Xiyang Dong from comment #9)
> Failed to add sudorule with --externaluser option:
> [root@vm-idm-030 ~]# rpm -q sssd ipa-server
> sssd-1.14.0-43.el7.x86_64
> ipa-server-4.4.0-12.el7.x86_64
>
> [root@vm-idm-030 ~]# ipa sudorule-add --help|grep externaluser
>   --externaluser=STR      External User the rule applies to (sudorule-find only)
>   --runasexternaluser=STR
> [root@vm-idm-030 ~]# ipa sudorule-add testrule --externaluser=test@domain.com
> ipa: ERROR: invalid 'externaluser': this option has been deprecated.
> [root@vm-idm-030 ~]# ipa sudorule-add testrule --runasexternaluser=test@domain.com
> ipa: ERROR: invalid 'runasexternaluser': this option has been deprecated.

Well, this is not really relevant, because customers might have this option set from a previous version. That's why the fix is in SSSD. The change we did in 6.8 to support the native LDAP IPA tree removed the support for the externalUser; this change is adding the support back.
btw if you'd like to set the attribute with a recent IPA version, you can use --setattr or --addattr
Jakub, how exactly can I verify this bugzilla?
Redirecting to Pavel, but I think the crux is to set the externalUser attribute with --setattr, thus simulating the old version where externalUser was still present.
I tried but it still says the same thing:

[root@vm-idm-004 ~]# rpm -q sssd ipa-client
sssd-1.13.3-45.el6.x86_64
ipa-client-3.0.0-51.el6.x86_64
[root@vm-idm-004 ~]# ipa sudorule-add testrule --setattr externaluser=test@domain.com
ipa: ERROR: invalid 'externaluser': this option has been deprecated.
It may be not reproducible with recent IPA versions. I'm CCing Petr Vobornik from IPA to get the answer. Petr, how does one set the externalUser attribute on sudo object?
Just an idea: does the externalUser attribute on the sudo object work with IPA on RHEL 6?

On RHEL 7: in short, use the same command as for an IPA user:

$ ipa sudorule-show dsfdsf
  Rule name: dsfdsf
  Enabled: TRUE
  External User: aa, bb
$ ipa sudorule-mod dsfdsf --externaluser=cc
ipa: ERROR: invalid 'externaluser': this option has been deprecated.
$ ipa sudorule-add-user dsfdsf --users=cc
  Rule name: dsfdsf
  Enabled: TRUE
  External User: aa, bb, cc
-------------------------
Number of members added 1
-------------------------
Hi Xiyang, please let us know if Petr's comment helped.
Hi Jakub, what Petr mentioned works on RHEL 6.9, so this is the way we support external users for now, and I should verify the bug like this? I mean, this --externaluser attr is deprecated. It's a little confusing to me.

(In reply to Xiyang Dong from comment #23)
> Hi Jakub, what Petr mentioned works on RHEL 6.9, so this is the way we
> support external users for now, and I should verify the bug like this?
> I mean, this --externaluser attr is deprecated. It's a little confusing to me.

That's a decision the IPA UI developers took. The intent of this bug is to bring back the support in SSSD for configurations set up this way.
Thanks. Verified on sssd-1.13.3-48.el6:

[root@nightcrawler ~]# cat /etc/sssd/sssd.conf | grep sudo_provider
sudo_provider = ipa
[root@nightcrawler ~]# service sssd restart
Stopping sssd:                                             [  OK  ]
Starting sssd:                                             [  OK  ]
[root@nightcrawler ~]# ipa user-add testuser
First name: testuser
Last name: testuser
---------------------
Added user "testuser"
---------------------
  User login: testuser
  First name: testuser
  Last name: testuser
  Full name: testuser testuser
  Display name: testuser testuser
  Initials: tt
  Home directory: /home/testuser
  GECOS field: testuser testuser
  Login shell: /bin/sh
  Kerberos principal: testuser@TESTRELM.TEST
  Email address: testuser@testrelm.test
  UID: 955600001
  GID: 955600001
  Password: False
  Kerberos keys available: False
[root@nightcrawler ~]# ipa user-find aa
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
[root@nightcrawler ~]# ipa sudorule-add test
----------------------
Added Sudo Rule "test"
----------------------
  Rule name: test
[root@nightcrawler ~]# ipa sudorule-add-user test --users=testuser,aa
  Rule name: test
  Enabled: TRUE
  Users: testuser
  External User: aa
-------------------------
Number of members added 2
-------------------------
  Enabled: TRUE
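As an added illustration (not code from this thread or from SSSD itself), this models the mapping the IPA sudo provider performs for a rule like the one verified above: memberUser DNs for IPA users and groups are resolved to names, while externalUser values, which name no IPA object, are passed through verbatim, which is the behaviour this fix restores. The rule entry and DNs below are constructed.

```python
"""Constructed model of how an IPA sudo rule that carries both IPA members and
externalUser values becomes the sudoers-style sudoUser list handed to sudo.
The rule mirrors the verification in the thread (member testuser, external
user aa). Written for this example; it is not SSSD's own conversion code."""

# Constructed LDAP entry of the IPA sudo rule "test" (attribute -> values).
IPA_RULE = {
    "cn": ["test"],
    "ipaEnabledFlag": ["TRUE"],
    "memberUser": [
        "uid=testuser,cn=users,cn=accounts,dc=testrelm,dc=test",
        "cn=admins,cn=groups,cn=accounts,dc=testrelm,dc=test",
    ],
    "externalUser": ["aa"],
}


def _rdn_value(dn):
    """Return the value of the first RDN of a DN, e.g. 'testuser'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1]


def ipa_rule_to_sudo_users(rule):
    """Return the sudoUser values for one IPA sudo rule.

    - memberUser DNs under cn=users become plain user names
    - memberUser DNs under cn=groups become %group names
    - externalUser values are copied verbatim; they are not looked up in
      IPA, which is why a missing IPA user (aa above) still ends up in the
      rule.  A disabled rule yields no sudoUser at all.
    """
    if rule.get("ipaEnabledFlag", ["FALSE"])[0].upper() != "TRUE":
        return []
    users = []
    for dn in rule.get("memberUser", []):
        if ",cn=users," in dn:
            users.append(_rdn_value(dn))
        elif ",cn=groups," in dn:
            users.append("%" + _rdn_value(dn))
    users.extend(rule.get("externalUser", []))
    return users


if __name__ == "__main__":
    print("sudoUser:", ipa_rule_to_sudo_users(IPA_RULE))
```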
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0632.html