Red Hat Bugzilla – Bug 1380436
sudo: ignore case on case insensitive domains
Last modified: 2017-08-01 05:00:03 EDT
This bug is created as a clone of upstream ticket: https://fedorahosted.org/sssd/ticket/3203

The sudo responder searches rules only by user name, which may fail on case-insensitive domains. We should also search by alias on such configurations.
Steps to reproduce:
- prepare an AD server
- extend its schema to contain the sudoers attributes
- prepare an AD user or a group on the AD server side
- add a sudo rule that allows the user to run a command. In the sudo rule, try adding the user or a group name in different cases. Especially the exact case should be tested (because that's what used to work in 1.13) and the lowercase should be tested (because that's what admins might intuitively use since the AD domain is case-insensitive).
- without the patch in 7.2, only the exact case would work. In 7.3.0, without the patch, only the lower case would work
- with the patch, all cases should work.
master:
    f4a1046bb88d7a0ab3617e49ae94bfa849d10645
    23637e2fd2b1fe42bdd2335893a11ac8016f56bc
sssd-1-14:
    143b1dcbbe865a139616a22b139e19bd772e46f0
    88239b7f17f599aefa88a8a31c2d0ea44b766c87
Upstream ticket: https://fedorahosted.org/sssd/ticket/3241
Additional patches:
master:
    7e23edbaa7a6bbd0b461d5792535896b6a77928b
sssd-1-14:
    54f176066dafafdc12f6e0dd112ff6339308aa7c
Verified the bug on SSSD Version: sssd-1.15.2-29.el7.x86_64

Steps followed during verification:

1. Add sudo rules in AD, allowing users to run commands. Also, assign the sudoUser attribute values in upper case and lower case. For example:

dn: CN=rule1,OU=Sudoers,DC=sssdad,DC=com
objectClass: top
objectClass: sudoRole
cn: rule1
.
.
sudoUser: sudo_aduser1
sudoHost: ALL
sudoCommand: /usr/bin/less

dn: CN=rule2,OU=Sudoers,DC=sssdad,DC=com
objectClass: top
objectClass: sudoRole
.
.
sudoUser: SUDO_ADUSER2
sudoHost: ALL
sudoCommand: /usr/bin/more

dn: CN=rule3,OU=Sudoers,DC=sssdad,DC=com
objectClass: top
objectClass: sudoRole
.
.
sudoUser: sudo_aduser3@SSSDAD.COM
sudoHost: ALL
sudoCommand: /usr/bin/less

2. Set up the sssd client and execute sudo commands as users in exact-case names, lower-case names and upper-case names.

Sample sssd.conf:

[sssd]
domains = sssdad.com
config_file_version = 2
services = nss, pam, sudo

[domain/sssdad.com]
ad_domain = sssdad.com
krb5_realm = SSSDAD.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
#use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
sudo_provider = ad

[pam]

[root@mudflap sssd]# sudo -l -U sudo_aduser1
Matching Defaults entries for sudo_aduser1 on mudflap:
    !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", .....

User sudo_aduser1 may run the following commands on mudflap:
    (root) /usr/bin/less

[root@mudflap sssd]# sudo -l -U SUDO_ADUSER1
Matching Defaults entries for sudo_aduser1 on mudflap:
    !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", ......

User sudo_aduser1 may run the following commands on mudflap:
    (root) /usr/bin/less

[root@mudflap sssd]# sudo -l -U sudo_aduser2
Matching Defaults entries for sudo_aduser2 on mudflap:
    !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", ..............

User sudo_aduser2 may run the following commands on mudflap:
    (root) /usr/bin/more

[root@mudflap sssd]# sudo -l -U sudo_aduser3@SSSDAD.COM
Matching Defaults entries for sudo_aduser3 on mudflap:
    !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", ........

User sudo_aduser3 may run the following commands on mudflap:
    (root) /usr/bin/less

[root@mudflap sssd]# sudo -l -U sudo_aduser3
Matching Defaults entries for sudo_aduser3 on mudflap:
    !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", ...........

User sudo_aduser3 may run the following commands on mudflap:
    (root) /usr/bin/less

[root@mudflap sssd]# sudo -l -U SUDO_ADUSER3
Matching Defaults entries for sudo_aduser3 on mudflap:
    !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", ..............

User sudo_aduser3 may run the following commands on mudflap:
    (root) /usr/bin/less

With the latest sssd build, the issue seems to be resolved.
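As an added example (not SSSD's own code and not part of the bug report), a small Python model of the three behaviours the report lists, run over rules mirroring rule1..rule3 from the verification comment; the domain name, the rule dictionary and the three mode labels are assumptions made for illustration, and the consistency check at the end automates the acceptance criterion that every spelling of a name must yield the same rules.

```python
DOMAIN = "sssdad.com"  # assumed domain, taken from the sample sssd.conf

# Constructed rules mirroring rule1..rule3 from the verification LDIF:
# sudoUser values in lower case, upper case and fully-qualified form.
SUDO_RULES = {
    "rule1": ["sudo_aduser1"],
    "rule2": ["SUDO_ADUSER2"],
    "rule3": ["sudo_aduser3@SSSDAD.COM"],
}


def short_name(name, domain=DOMAIN):
    """Drop an '@REALM' suffix when the realm is our own (case-insensitive) domain."""
    if "@" in name:
        user, realm = name.rsplit("@", 1)
        if realm.lower() == domain.lower():
            return user
    return name


def matching_rules(requested, mode, rules=SUDO_RULES):
    """Return the rules whose sudoUser matches the requested user name.
    mode models the observable behaviours listed in the report (a model, not SSSD's logic):
      'exact'       - 7.2: only the exact-case spelling matches
      'lower'       - 7.3.0 without the patch: the name is lowercased before the
                      lookup, so only lower-case sudoUser values match
      'insensitive' - with the patch: name and alias are searched, any case works"""
    wanted = short_name(requested)
    matched = []
    for rule, users in rules.items():
        for value in users:
            candidate = short_name(value)
            if mode == "exact":
                hit = candidate == wanted
            elif mode == "lower":
                hit = candidate == wanted.lower()
            elif mode == "insensitive":
                hit = candidate.casefold() == wanted.casefold()
            else:
                raise ValueError("unknown mode: %s" % mode)
            if hit:
                matched.append(rule)
                break
    return matched


def case_variants_consistent(name, mode):
    """Verification check: exact, lower, upper and fully-qualified spellings must
    all resolve to the same, non-empty rule set."""
    variants = [name, name.lower(), name.upper(), name + "@" + DOMAIN.upper()]
    results = [matching_rules(v, mode) for v in variants]
    return bool(results[0]) and all(r == results[0] for r in results)
```

In 'lower' mode rule2 (sudoUser in upper case) is never found, which is the 7.3.0 failure the report describes; in 'insensitive' mode every variant resolves to the same rule.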
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:2294