This bug has been copied from bug #1380436 and has been proposed to be backported to 7.3 z-stream (EUS).
I tested this bz on RHEL-7.3 and got the following results:

With the older build, sssd-1.14.0-43.el7.x86_64,

1) Add a sudo rule with a user in "small case" letters.
Result - User is able to run sudo commands.

# sudo -l -U student2
.
.
User student2 may run the following commands on this host:
    (root) /usr/bin/less
    (root) /usr/bin/more

2) Add a sudo rule with a user in "Upper case" letters.
Result - User unable to run sudo commands.

# sudo -l -U STUDENT3
User student3 is not allowed to run sudo on vm-idm-005.

3) Upgrade the sssd build to sssd-1.14.0-43.el7_3.3.x86_64 and verify the existing rule where the user is in "small case" letters.
Result - User is able to run sudo commands.

# sudo -l -U student6
.
.
User student6 may run the following commands on this host:
    (root) ALL

4) Verify the existing sudo rule with a user in "Upper case" letters.
Result - User unable to run sudo commands.

# sudo -l -U STUDENT4
User student4 is not allowed to run sudo on vm-idm-005.

5) Add a new sudo rule with a user in "small case" letters.
Result - User unable to run sudo commands.

# sudo -l -U student5
User student5 is not allowed to run sudo on vm-idm-005.

With the patched sssd build, both the upper and lower case user names should work; however, in this case only the existing rules are working, and that too only the lower case ones.
The patch introduced a new bug tracked as https://fedorahosted.org/sssd/ticket/3241

Thank you for your testing.
Upstream ticket: https://fedorahosted.org/sssd/ticket/3241
Additional patches:
master: 7e23edbaa7a6bbd0b461d5792535896b6a77928b
sssd-1-14: 54f176066dafafdc12f6e0dd112ff6339308aa7c
Verified the bug on SSSD Version: sssd-1.14.0-43.el7_3.11.x86_64

Steps followed during verification:

1. Add sudo rules in AD, allowing users to run commands. Also, assign the sudoUser attribute values in Upper case and lower case. For example:

dn: CN=rule2,OU=sudoers,DC=black,DC=com
objectClass: top
objectClass: sudoRole
.
.
sudoCommand: /usr/bin/more
sudoUser: STUDENT3
sudoHost: ALL
.
.
sudoUser: student2
sudoHost: /usr/bin/more
.
.
sudoUser: STUDENT7
sudoHost: ALL

2. Setup sssd client and execute sudo cmds as users in exact case names, lower case names and upper case names.

Sample sssd.conf:

[sssd]
domains = black.com
config_file_version = 2
services = nss, pam, sudo

[domain/black.com]
ad_domain = black.com
krb5_realm = BLACK.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

[root@qe-blade-04 sssd]# sudo -l -U student2
Matching Defaults entries for student2 on this host:
    !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
.
.
User student2 may run the following commands on this host:
    (root) /usr/bin/less
    (root) /usr/bin/more
    (root) /usr/bin/less

[root@qe-blade-04 sssd]# sudo -l -U STUDENT7
.
.
User student7 may run the following commands on this host:
    (root) ALL

[root@qe-blade-04 sssd]# sudo -l -U student7
Matching Defaults entries for student7 on this host:
.
.
User student7 may run the following commands on this host:
    (root) ALL
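Added example, not part of the bug report and not SSSD code: a small Python audit that reads an LDIF export of sudoRole entries and lists sudoUser values containing upper-case letters, the kind of rule the tests above showed not matching on the unpatched build. The function names and the sample LDIF are constructed for illustration, and the check assumes only plain user names are of interest (ALL, %group, +netgroup and #uid values are skipped).

```python
import base64

# Constructed sample LDIF modelled on the rule quoted above (not a real export).
SAMPLE_LDIF = """\
dn: CN=rule2,OU=sudoers,DC=black,DC=com
objectClass: sudoRole
sudoUser: STUDENT3
sudoUser: student2

dn: CN=rule3,OU=sudoers,DC=black,DC=com
objectClass: sudoRole
sudoUser:: U1RVREVOVDc=
sudoUser: ALL
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; handles folded lines and base64 values."""
    entries = []
    for block in text.replace("\r\n", "\n").split("\n\n"):
        lines = []
        for raw in block.split("\n"):
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]            # RFC 2849 continuation line
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        attrs = {}
        for line in lines:
            name, _, value = line.partition(":")
            if value.startswith(":"):            # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            attrs.setdefault(name.lower(), []).append(value.strip())
        if "dn" in attrs:
            entries.append((attrs["dn"][0], attrs))
    return entries

def mixed_case_sudo_users(text):
    """List (dn, sudoUser) pairs whose plain user name contains upper-case letters."""
    findings = []
    for dn, attrs in parse_ldif(text):
        if "sudorole" not in (v.lower() for v in attrs.get("objectclass", [])):
            continue
        for user in attrs.get("sudouser", []):
            name = user.lstrip("!")
            # Assumption: skip ALL, %group, +netgroup and #uid; only user names are audited.
            if name != "ALL" and name[:1] not in ("%", "+", "#") and name != name.lower():
                findings.append((dn, user))
    return findings

for dn, user in mixed_case_sudo_users(SAMPLE_LDIF):
    print(f"{dn}: sudoUser {user!r} is not lower case")
```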
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0078.html