I think this bug was caused by this upstream change: https://bugzilla.sudo.ws/show_bug.cgi?id=717

So, I have a FreeIPA setup with sudo rules enabled. I have a rule configured in FreeIPA which says 'allow the user adamw to sudo on any machine in the group adam-machines'. If I try to sudo on a machine in that group with sudo 1.8.15, it works. If I try on a machine with sudo 1.8.16, it fails. Here is the difference in the logs:

1.8.15:

Jun 21 10:34:31 sudo[3297] val[0]=+adam-machines
Jun 21 10:34:31 sudo[3297] -> addr_matches @ ./match_addr.c:195
Jun 21 10:34:31 sudo[3297] -> addr_matches_if @ ./match_addr.c:56
Jun 21 10:34:31 sudo[3297] <- addr_matches_if @ ./match_addr.c:66 := false
Jun 21 10:34:31 sudo[3297] IP address +adam-machines matches local host: false @ addr_matches() ./match_addr.c:206
Jun 21 10:34:31 sudo[3297] <- addr_matches @ ./match_addr.c:207 := false
Jun 21 10:34:31 sudo[3297] -> netgr_matches @ ./match.c:972
Jun 21 10:34:31 sudo[3297] -> sudo_getdomainname @ ./match.c:910
Jun 21 10:34:31 sudo[3297] <- sudo_getdomainname @ ./match.c:949 := (null)
Jun 21 10:34:31 sudo[3297] netgroup adam-machines matches (xps13.happyassassin.net|xps13, , ): true @ netgr_matches() ./match.c:998
Jun 21 10:34:31 sudo[3297] <- netgr_matches @ ./match.c:1001 := true

1.8.16:

Jun 21 10:26:17 sudo[2935] val[0]=+adam-machines
Jun 21 10:26:17 sudo[2935] -> addr_matches @ ./match_addr.c:195
Jun 21 10:26:17 sudo[2935] -> addr_matches_if @ ./match_addr.c:56
Jun 21 10:26:17 sudo[2935] <- addr_matches_if @ ./match_addr.c:66 := false
Jun 21 10:26:17 sudo[2935] IP address +adam-machines matches local host: false @ addr_matches() ./match_addr.c:206
Jun 21 10:26:17 sudo[2935] <- addr_matches @ ./match_addr.c:207 := false
Jun 21 10:26:17 sudo[2935] -> netgr_matches @ ./match.c:1015
Jun 21 10:26:17 sudo[2935] -> sudo_getdomainname @ ./match.c:953
Jun 21 10:26:17 sudo[2935] <- sudo_getdomainname @ ./match.c:992 := (null)
Jun 21 10:26:17 sudo[2935] netgroup adam-machines matches (xps13.happyassassin.net|xps13, adamw, ): false @ netgr_matches() ./match.c:1041
Jun 21 10:26:17 sudo[2935] <- netgr_matches @ ./match.c:1044 := false

Note the difference in the triplet that's checked. For 1.8.15 it's "(xps13.happyassassin.net|xps13, , )". For 1.8.16 it's "(xps13.happyassassin.net|xps13, adamw, )".

If I add a test FreeIPA rule allowing access directly to the specific host (rather than using a FreeIPA host group), sudo works. So this is definitely to do with the host group.
It seems like sudo 1.8.17 fixes this. I did a test build of it and sudo works again. Log looks like this:

Jun 21 11:10:38 sudo[3834] val[0]=+adam-machines
Jun 21 11:10:38 sudo[3834] -> addr_matches @ ./match_addr.c:195
Jun 21 11:10:38 sudo[3834] -> addr_matches_if @ ./match_addr.c:56
Jun 21 11:10:38 sudo[3834] <- addr_matches_if @ ./match_addr.c:66 := false
Jun 21 11:10:38 sudo[3834] IP address +adam-machines matches local host: false @ addr_matches() ./match_addr.c:206
Jun 21 11:10:38 sudo[3834] <- addr_matches @ ./match_addr.c:207 := false
Jun 21 11:10:38 sudo[3834] -> netgr_matches @ ./match.c:1039
Jun 21 11:10:38 sudo[3834] -> sudo_getdomainname @ ./match.c:977
Jun 21 11:10:38 sudo[3834] <- sudo_getdomainname @ ./match.c:1016 := (null)
Jun 21 11:10:38 sudo[3834] netgroup adam-machines matches (xps13.happyassassin.net|xps13, , ): true @ netgr_matches() ./match.c:1065
Jun 21 11:10:38 sudo[3834] <- netgr_matches @ ./match.c:1068 := true

So it's gone back to checking just the hostname (the user no longer appears in the triplet). I do see some relevant-looking changes in plugins/sudoers/sssd.c and plugins/sudoers/match.c upstream, so it makes sense.
Aha. The specific upstream fix is this commit: https://github.com/millert/sudo/commit/ccf88d3bb22fbb9804fd66bd4fb4ab6c168b10f4

Before that commit, sudo_sss_check_host was unconditionally throwing the username into the netgr_matches call (which is incorrect); after the commit, it only includes it if netgroup_tuple is enabled (which by default it is not). The netgroup_tuple thing was the feature added to address bug #717 in 1.8.16. It looks like in the initial commit to add that feature: https://github.com/millert/sudo/commit/5a77989a33ee8f27349aec831603fcd55cce159c most calls to netgr_matches were changed to use a ternary to specify username if def_netgroup_tuple is true, but the netgr_matches call in sudo_sss_check_host was just changed to specify username unconditionally, and ccf88d3 fixes that.
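The following is an added illustration written for this page, not sudo's own source, of why forcing the invoking user into the netgroup tuple can flip the host-group match from true to false. It models netgr_matches() with innetgr(3)-style field semantics (a NULL query field means "don't care", an empty triple field is a wildcard, "-" matches nothing) and a toy sss_check_host() that either always passes the user (the 1.8.16 behaviour described above) or passes it only when netgroup_tuple is enabled (the ccf88d3 behaviour). The netgroup content is constructed: it assumes that a FreeIPA host group exported as a netgroup carries the hostname with "-" in the user field, which the thread itself does not state; only the hostname and the (null) domain come from the logs above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* One netgroup triple. In netgroup syntax an empty field is a wildcard
 * and "-" means "no value" (matches nothing). */
struct triple {
    const char *host;
    const char *user;
    const char *domain;
};

/* Constructed sample: the FreeIPA host group "adam-machines" as it is
 * ASSUMED to look when exported as a netgroup, one triple per host with
 * "-" in the user field. Only the hostname is taken from the log above;
 * the triple layout is an assumption of this example. */
static const struct triple adam_machines[] = {
    { "xps13.happyassassin.net", "-", "" },
    { NULL, NULL, NULL }            /* terminator */
};

/* innetgr(3)-style comparison of one field: a NULL query means the caller
 * does not constrain this field, "" in the triple matches anything,
 * "-" never matches, otherwise exact match. */
static bool field_matches(const char *field, const char *query)
{
    if (query == NULL)
        return true;
    if (field[0] == '\0')
        return true;
    if (strcmp(field, "-") == 0)
        return false;
    return strcmp(field, query) == 0;
}

/* Toy stand-in for sudo's netgr_matches(): does any triple in the
 * netgroup match (host, user, domain)? */
bool netgr_matches(const struct triple *ng, const char *host,
                   const char *user, const char *domain)
{
    for (; ng->host != NULL; ng++) {
        if (field_matches(ng->host, host) &&
            field_matches(ng->user, user) &&
            field_matches(ng->domain, domain))
            return true;
    }
    return false;
}

/* Models the two versions of the SSSD host check described in the
 * comment above (hypothetical helper, not sudo's function):
 *   pre_fix = true  : 1.8.16, the user is always placed in the tuple
 *   pre_fix = false : post-ccf88d3, the user is placed in the tuple only
 *                     when netgroup_tuple is enabled (default off)
 * The domain is NULL because sudo_getdomainname() returned (null) in the
 * logs above. */
bool sss_check_host(bool pre_fix, bool netgroup_tuple,
                    const char *host, const char *user)
{
    const char *u = (pre_fix || netgroup_tuple) ? user : NULL;
    return netgr_matches(adam_machines, host, u, NULL);
}

int main(void)
{
    const char *host = "xps13.happyassassin.net";
    printf("1.8.16 (user forced into tuple):      %s\n",
           sss_check_host(true, false, host, "adamw") ? "match" : "no match");
    printf("1.8.17, netgroup_tuple off (default): %s\n",
           sss_check_host(false, false, host, "adamw") ? "match" : "no match");
    printf("1.8.17, netgroup_tuple on:            %s\n",
           sss_check_host(false, true, host, "adamw") ? "match" : "no match");
    return 0;
}
```

Under these assumptions the host-only query matches and any query that carries "adamw" does not, including the post-fix case with netgroup_tuple turned on; that is why the default-off setting restores the 1.8.15 result, and why enabling netgroup_tuple against host-group netgroups that have no user field would be expected to fail the same way.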
(In reply to Adam Williamson from comment #1)
> It seems like sudo 1.8.17 fixes this. I did a test build of it and sudo
> works again. Log looks like this:

Great, thanks for the triage. I'm preparing an update to 1.8.17. Once I have a patch for #1348533, I'll push the update.
Can you please fix F24 as well? It has 1.8.16 as well.
sudo-1.8.17p1-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-c102e92ca1
sudo-1.8.17p1-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.

See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-c102e92ca1
sudo-1.8.17p1-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.