Description of problem:
Apparently sssd prevents sudo from getting some options from LDAP, at least 'defaults !requiretty'.
This is a regression, as it worked with sssd-1.13.0-40.el7.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. use linked test
phase dedicated to sssd fails
whole test passes
Pavel should take a look
BTW, I would bet it's a timing issue.
Could you provide log files with debug_level=9 in the domain and sudo sections?
Created attachment 1225842
here are debug logs I got during the test
Created attachment 1225844
You are hitting:
sssd version on the test machine is sssd-1.13.3-48.el6.x86_64 and this version is missing patch for the above bug.
(In reply to Pavel Březina from comment #6)
> You are hitting:
> - https://bugzilla.redhat.com/show_bug.cgi?id=1312062
> - https://fedorahosted.org/sssd/ticket/2970
> sssd version on the test machine is sssd-1.13.3-48.el6.x86_64 and this
> version is missing patch for the above bug.
Well, this is a RHEL-7 bug and the sssd version the bug is filed against is 1.14. Did we regress?
It was introduced as one of the changes for supporting IPA schema, which made it to 6.8. Yes, this is a regression.
Maybe I do not understand something correctly.
* native ipa sudo schema was introduced in 1.13.2
* upstream bug https://fedorahosted.org/sssd/ticket/2970 was fixed in 1.13.4 + master(1.13.90)
This bug is about sssd-1.14.0-43.el7
When did we regress?
Ok, so the cause is still the same, that openldap can't handle modifyTimestamp>=number, it needs datetime format.
The patch that fixed #2970 is not complete and does not handle the case when ldap doesn't contain any sudorule during the initial full refresh -- usn is then set to 1 instead of remaining unset and we are trying to search modifyTimestamp>=1 during smart refresh which doesn't return any result.
I will prepare a patch.
This is a regression caused by IPA schema patches which was supposed to be fixed by 2970, but the fix was apparently not complete.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
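The root cause described in the thread (an empty initial full refresh leaving the stored value at 1, so the later smart refresh searches modifyTimestamp>=1 and gets nothing), as an added example that is not part of the bug report and not sssd's code. It is a simplified model: all function names, the sample entry and the toy server check are assumptions made for illustration.

```python
import re

# Whole-second GeneralizedTime as used for modifyTimestamp, e.g. 20161130093012Z
GENERALIZED_TIME = re.compile(r"^\d{14}Z$")
BASE = "(objectClass=sudoRole)"

# Constructed sample: a rule added to LDAP after the empty full refresh.
LATE_RULE = {"cn": "defaults", "sudoOption": "!requiretty",
             "modifyTimestamp": "20161130093012Z"}

def highest_usn_buggy(rules):
    """Behaviour described in the thread: no rules found, value becomes "1"."""
    stamps = [r["modifyTimestamp"] for r in rules]
    return max(stamps) if stamps else "1"

def highest_usn_fixed(rules):
    """Leave the value unset (None) when the full refresh returned no rules."""
    stamps = [r["modifyTimestamp"] for r in rules]
    return max(stamps) if stamps else None

def naive_filter(usn):
    """Interpolates whatever was stored, valid timestamp or not."""
    return f"(&{BASE}(modifyTimestamp>={usn}))"

def smart_refresh_filter(usn):
    """Only add the timestamp clause when the stored value is a real timestamp."""
    if usn is None or not GENERALIZED_TIME.match(usn):
        return BASE  # hypothetical fallback: fetch all sudo rules
    return f"(&{BASE}(modifyTimestamp>={usn}))"

def server_matches(flt, entry):
    """Toy stand-in for the directory: a non-timestamp value matches nothing."""
    m = re.search(r"modifyTimestamp>=([^)]*)", flt)
    if m is None:
        return True
    if not GENERALIZED_TIME.match(m.group(1)):
        return False
    # Same-length digit strings compare correctly as text.
    return entry["modifyTimestamp"] >= m.group(1)

if __name__ == "__main__":
    empty_directory = []  # initial full refresh finds no sudo rules
    bad = naive_filter(highest_usn_buggy(empty_directory))
    good = smart_refresh_filter(highest_usn_fixed(empty_directory))
    print(bad, "->", server_matches(bad, LATE_RULE))
    print(good, "->", server_matches(good, LATE_RULE))
```
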