Bug 1321884 - IPA sudo: support the externalUser attribute
Summary: IPA sudo: support the externalUser attribute
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: SSSD Maintainers
QA Contact: Steeve Goveas
Aneta Šteflová Petrová
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-03-29 10:10 UTC by Jakub Hrozek
Modified: 2017-03-21 09:55 UTC (History)

Fixed In Version: sssd-1.13.3-42.el6
Doc Type: Bug Fix
Doc Text:
SSSD now resolves users with *externalUser* correctly

Support for the *externalUser* LDAP attribute was removed from the System Security Services Daemon (SSSD) in Red Hat Enterprise Linux 6.8. As a consequence, the assignment of *sudo* rules to local accounts, such as those defined in the `/etc/passwd` file, failed. The problem affected only accounts outside of Identity Management (IdM) domains and Active Directory (AD) trusted domains. This update ensures that SSSD correctly resolves users with the *externalUser* attribute defined. As a result, assigning *sudo* rules works as expected in the described situation.
Clone Of:
Environment:
Last Closed: 2017-03-21 09:55:15 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:0632 normal SHIPPED_LIVE sssd bug fix and enhancement update 2017-03-21 12:30:13 UTC

Description Jakub Hrozek 2016-03-29 10:10:54 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2972

The LDAP sudo provider supported the externalUser, the IPA one should too

Comment 1 Jakub Hrozek 2016-03-29 10:15:48 UTC
* master: 991c9f47fcb24704b880f60ab8ee77cfda056e2c
* sssd-1-13: d4d2ffa6cf967231ae725973ee2665dbd0e2391b

Comment 2 Pavel Březina 2016-04-08 11:01:06 UTC
Ack to the doc text.

Comment 9 Xiyang Dong 2016-11-28 14:30:38 UTC
Failed to add sudorule with --externaluser option:
[root@vm-idm-030 ~]# rpm -q sssd ipa-server
sssd-1.14.0-43.el7.x86_64
ipa-server-4.4.0-12.el7.x86_64

[root@vm-idm-030 ~]# ipa sudorule-add --help|grep externaluser
  --externaluser=STR    External User the rule applies to (sudorule-find only)
  --runasexternaluser=STR
[root@vm-idm-030 ~]# ipa sudorule-add testrule --externaluser=test@domain.com
ipa: ERROR: invalid 'externaluser': this option has been deprecated.
[root@vm-idm-030 ~]# ipa sudorule-add testrule --runasexternaluser=test@domain.com
ipa: ERROR: invalid 'runasexternaluser': this option has been deprecated.

Comment 10 Lukas Slebodnik 2016-11-28 14:42:39 UTC
(In reply to Xiyang Dong from comment #9)
> Failed to add sudorule with --externaluser option:
> [root@vm-idm-030 ~]# rpm -q sssd ipa-server
> sssd-1.14.0-43.el7.x86_64
> ipa-server-4.4.0-12.el7.x86_64
> 
> [root@vm-idm-030 ~]# ipa sudorule-add --help|grep externaluser
>   --externaluser=STR    External User the rule applies to (sudorule-find
> only)
>   --runasexternaluser=STR
> [root@vm-idm-030 ~]# ipa sudorule-add testrule --externaluser=test@domain.com
> ipa: ERROR: invalid 'externaluser': this option has been deprecated.
> [root@vm-idm-030 ~]# ipa sudorule-add testrule
> --runasexternaluser=test@domain.com
> ipa: ERROR: invalid 'runasexternaluser': this option has been deprecated.

Just for your information: these steps do not test sssd,
and this bug is about sssd. May I know why the state is "FailedQA"?

Comment 11 Xiyang Dong 2016-11-28 18:56:38 UTC
Hi Lukas, as stated in the bug description, "The LDAP sudo provider supported the externalUser, the IPA one should too".
I agree with you that the component should be changed to ipa.

Comment 13 Jakub Hrozek 2016-11-28 21:23:21 UTC
(In reply to Xiyang Dong from comment #9)
> Failed to add sudorule with --externaluser option:
> [root@vm-idm-030 ~]# rpm -q sssd ipa-server
> sssd-1.14.0-43.el7.x86_64
> ipa-server-4.4.0-12.el7.x86_64
> 
> [root@vm-idm-030 ~]# ipa sudorule-add --help|grep externaluser
>   --externaluser=STR    External User the rule applies to (sudorule-find
> only)
>   --runasexternaluser=STR
> [root@vm-idm-030 ~]# ipa sudorule-add testrule --externaluser=test@domain.com
> ipa: ERROR: invalid 'externaluser': this option has been deprecated.
> [root@vm-idm-030 ~]# ipa sudorule-add testrule
> --runasexternaluser=test@domain.com
> ipa: ERROR: invalid 'runasexternaluser': this option has been deprecated.

Well, this is not really relevant because customers might have this option set from a previous version. That's why the fix is in SSSD. The change we did in 6.8 to support the native LDAP IPA tree removed the support for the externalUser; this change is adding the support back.

Comment 14 Jakub Hrozek 2016-11-28 21:23:56 UTC
btw if you'd like to set the attribute with a recent IPA version, you can use --setattr or --addattr

Comment 16 Xiyang Dong 2016-11-29 15:34:25 UTC
Jakub, how exactly can I verify this bugzilla?

Comment 17 Jakub Hrozek 2016-11-29 15:48:28 UTC
Redirecting to Pavel, but I think the crux is to set the externalUser attribute with --setattr, thus simulating the old version where externalUser was still present.

Comment 18 Xiyang Dong 2016-11-29 19:01:38 UTC
I tried but it still says the same thing:

[root@vm-idm-004 ~]# rpm -q sssd ipa-client
sssd-1.13.3-45.el6.x86_64
ipa-client-3.0.0-51.el6.x86_64

[root@vm-idm-004 ~]# ipa sudorule-add testrule --setattr externaluser=test@domain.com
ipa: ERROR: invalid 'externaluser': this option has been deprecated.

Comment 19 Pavel Březina 2016-11-30 09:31:27 UTC
It may be not reproducible with recent IPA versions. I'm CCing Petr Vobornik from IPA to get the answer. Petr, how does one set the externalUser attribute on sudo object?

Comment 20 Lukas Slebodnik 2016-11-30 10:48:53 UTC
Just an idea: does the externalUser attribute on a sudo object work with IPA on RHEL 6?

Comment 21 Petr Vobornik 2016-11-30 14:25:30 UTC
On RHEL 7:

In short, use the same command as for IPA user: 

$ ipa sudorule-show dsfdsf
  Rule name: dsfdsf
  Enabled: TRUE
  External User: aa, bb

$ ipa sudorule-mod dsfdsf --externaluser=cc
ipa: ERROR: invalid 'externaluser': this option has been deprecated.

$ ipa sudorule-add-user dsfdsf --users=cc
  Rule name: dsfdsf
  Enabled: TRUE
  External User: aa, bb, cc
-------------------------
Number of members added 1
-------------------------

Comment 22 Jakub Hrozek 2016-12-06 10:02:57 UTC
Hi Xiyang, please let us know if Petr's comment helped.

Comment 23 Xiyang Dong 2016-12-06 14:20:55 UTC
Hi Jakub, what Petr mentioned works on RHEL 6.9, so this is the way we support external users for now, and I should verify the bug like this?
I mean this --externaluser attr is deprecated. It's a little confusing to me.

Comment 24 Jakub Hrozek 2016-12-06 14:24:12 UTC
(In reply to Xiyang Dong from comment #23)
> Hi Jakub , what Petr mentioned works on RHEL6.9, so this is the way we
> support external users for now and I should verify the bug like this ?
> I mean this --externaluser attr is deprecated.It's a little confusing to me.

That's a decision the IPA UI developers took. The intent of this bug is to bring back the support for configurations set up this way by SSSD.

Comment 25 Xiyang Dong 2016-12-06 16:28:35 UTC
Thanks.
Verified on sssd-1.13.3-48.el6:

[root@nightcrawler ~]# cat /etc/sssd/sssd.conf | grep sudo_provider
sudo_provider = ipa
[root@nightcrawler ~]# service sssd restart
Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]
[root@nightcrawler ~]# ipa user-add testuser 
First name: testuser
Last name: testuser
---------------------
Added user "testuser"
---------------------
  User login: testuser
  First name: testuser
  Last name: testuser
  Full name: testuser testuser
  Display name: testuser testuser
  Initials: tt
  Home directory: /home/testuser
  GECOS field: testuser testuser
  Login shell: /bin/sh
  Kerberos principal: testuser@TESTRELM.TEST
  Email address: testuser@testrelm.test
  UID: 955600001
  GID: 955600001
  Password: False
  Kerberos keys available: False
[root@nightcrawler ~]# ipa user-find aa
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
[root@nightcrawler ~]# ipa sudorule-add test
----------------------
Added Sudo Rule "test"
----------------------
  Rule name: test
[root@nightcrawler ~]# ipa sudorule-add-user test --users=testuser,aa
  Rule name: test
  Enabled: TRUE
  Users: testuser
  External User: aa
-------------------------
Number of members added 2
-------------------------
  Enabled: TRUE
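Once SSSD honours externalUser again, every IdM sudo rule that names an external account grants sudo to a user the central directory does not manage (a local `/etc/passwd` account on the client, per the Doc Text above). An administrator verifying this fix, or auditing after the update, will want a list of exactly those rules. The script below is an added example, not code from the Bugzilla report, SSSD or FreeIPA: it parses the plain-text `ipa sudorule-show` / `ipa sudorule-find` output format shown in comments 21 and 25 (two-space-indented `Key: value` lines, comma-separated multi-valued fields) and reports rules whose "External User" field is non-empty. The sample output is constructed, the rule and account names are made up, and the "RunAs External User" label is an assumption about how the CLI renders `--runasexternaluser` values.

```python
"""Audit IdM sudo rules for members that are external (non-IdM) accounts.

Added example; not part of the bug report, SSSD or FreeIPA. It works on the
text printed by `ipa sudorule-find --all` / `ipa sudorule-show`, so it can be
run on a saved capture without contacting the IdM server.
"""
import re
import sys
from typing import Dict, List

# Constructed sample of `ipa sudorule-find --all` output (not captured from a
# real server; rule names, accounts and hosts are made up).
SAMPLE_OUTPUT = """\
---------------------
3 Sudo Rules matched
---------------------
  Rule name: test
  Enabled: TRUE
  Users: testuser
  External User: aa

  Rule name: admins-all
  Enabled: TRUE
  User Groups: admins
  Hosts: ipa.example.test

  Rule name: legacy-local
  Enabled: FALSE
  External User: backup, oper
  RunAs External User: root
----------------------------
Number of entries returned 3
----------------------------
"""

# Fields the CLI prints as comma-separated lists. "RunAs External User" is an
# assumed label for the --runasexternaluser value; "External User" is the
# label shown in the report itself.
MULTI_VALUED = {"Users", "User Groups", "Hosts", "Host Groups",
                "External User", "RunAs External User"}

# One record per "Rule name"; every other indented "Key: value" line until the
# next "Rule name" belongs to that record.
_FIELD = re.compile(r"^ {2}(\S[^:]*): (.*)$")


def parse_rules(text: str) -> List[Dict[str, List[str]]]:
    """Turn sudorule-find/show output into a list of {field: [values]} dicts."""
    rules: List[Dict[str, List[str]]] = []
    current = None
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue  # separators, counts and blank lines carry no fields
        key, value = m.group(1), m.group(2).strip()
        if key == "Rule name":
            current = {"Rule name": [value]}
            rules.append(current)
            continue
        if current is None:
            continue  # field before any rule header: ignore defensively
        if key in MULTI_VALUED:
            current[key] = [v.strip() for v in value.split(",") if v.strip()]
        else:
            current[key] = [value]
    return rules


def external_grants(rules: List[Dict[str, List[str]]]) -> List[Dict]:
    """Rules that grant sudo to, or run as, accounts outside IdM/AD."""
    findings = []
    for r in rules:
        ext = r.get("External User", [])
        runas = r.get("RunAs External User", [])
        if ext or runas:
            findings.append({
                "rule": r["Rule name"][0],
                "enabled": r.get("Enabled", ["FALSE"])[0] == "TRUE",
                "external_users": ext,
                "runas_external": runas,
            })
    return findings


if __name__ == "__main__":
    # Usage: ipa sudorule-find --all | python audit_external_sudo.py
    # With no piped input the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for f in external_grants(parse_rules(text)):
        state = "enabled" if f["enabled"] else "DISABLED"
        print(f"{f['rule']} ({state}): external users={f['external_users']} "
              f"runas external={f['runas_external']}")
```

Disabled rules are reported too: on this page the rule stays in LDAP regardless of its "Enabled" flag, and a rule that is merely disabled can be switched on later without any member change, so it belongs in the audit trail.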

Comment 29 errata-xmlrpc 2017-03-21 09:55:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0632.html

