Description of problem:
Apparently sssd prevents sudo from getting some options from LDAP, at least 'defaults !requiretty'. This is a regression, as it worked with sssd-1.13.0-40.el7.

Version-Release number of selected component (if applicable):
sssd-1.14.0-43.el7

How reproducible:
100%

Steps to Reproduce:
1. use linked test
2.
3.

Actual results:
phase dedicated to sssd fail

Expected results:
whole test passes
Pavel should take a look
BTW, I would bet it's a timing issue. Could you provide log files with debug_level=9 in the domain and sudo sections?
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
Created attachment 1225842
sssd.logs.bz2

here are debug logs I got during the test

Created attachment 1225844
sssd.logs.tar.bz2
You are hitting:
- https://bugzilla.redhat.com/show_bug.cgi?id=1312062
- https://fedorahosted.org/sssd/ticket/2970

sssd version on the test machine is sssd-1.13.3-48.el6.x86_64 and this version is missing patch for the above bug.

(In reply to Pavel Březina from comment #6)
> You are hitting:
> - https://bugzilla.redhat.com/show_bug.cgi?id=1312062
> - https://fedorahosted.org/sssd/ticket/2970
>
> sssd version on the test machine is sssd-1.13.3-48.el6.x86_64 and this
> version is missing patch for the above bug.

Well, this is a RHEL-7 bug and the sssd version the bug is filed against is 1.14. Did we regress?
It was introduced as one of the changes for supporting IPA schema, which made it to 6.8. Yes, this is a regression.
Maybe I do not understand something correctly.
* native ipa sudo schema was introduced in 1.13.2
* upstream bug https://fedorahosted.org/sssd/ticket/2970 was fixed in 1.13.4 + master(1.13.90)
  https://git.fedorahosted.org/cgit/sssd.git/commit/?id=ef5e33f7db1e314226b0077596e38ef16305cba5

This bug is about sssd-1.14.0-43.el7

When did we regress?
Ok, so the cause is still the same, that openldap can't handle modifyTimestamp>=number, it needs datetime format. The patch that fixed #2970 is not complete and does not handle the case when ldap doesn't contain any sudorule during the initial full refresh -- usn is then set to 1 instead of remaining unset and we are trying to search modifyTimestamp>=1 during smart refresh which doesn't return any result. I will prepare a patch.

This is a regression caused by IPA schema patches which was supposed to be fixed by 2970, but the fix was apparently not complete.
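The failure mode described in the comment above, as an added example that is not part of the original thread and is not SSSD's code: a simplified model in which an empty full refresh either stores `1` or leaves the value unset, plus a check that rejects any stored value that is not in the datetime format the server compares. All function names, the `sudoRole` filter layout and the "unset means fetch every rule" fallback are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* OpenLDAP stores modifyTimestamp as GeneralizedTime: YYYYMMDDHHMMSSZ. */
static int is_generalized_time(const char *v)
{
    if (v == NULL || strlen(v) != 15 || v[14] != 'Z') return 0;
    for (int i = 0; i < 14; i++)
        if (!isdigit((unsigned char)v[i])) return 0;
    return 1;
}

/* Highest timestamp among the fetched rules, NULL if none were fetched.
 * Fixed-width GeneralizedTime strings order chronologically under strcmp. */
static const char *highest_usn(const char **stamps, size_t n)
{
    const char *max = NULL;
    for (size_t i = 0; i < n; i++)
        if (is_generalized_time(stamps[i]) &&
            (max == NULL || strcmp(stamps[i], max) > 0))
            max = stamps[i];
    return max;
}

/* Behaviour described in the comment: an empty full refresh stores 1. */
const char *usn_after_refresh_buggy(const char **stamps, size_t n)
{
    const char *max = highest_usn(stamps, n);
    return max ? max : "1";
}

/* Corrected model: no rules found leaves the value unset (NULL). */
const char *usn_after_refresh_fixed(const char **stamps, size_t n)
{
    return highest_usn(stamps, n);
}

/* Build the smart refresh filter. Returns 0 on success, -1 when the stored
 * value is not a timestamp the server can compare (do a full refresh). */
int smart_refresh_filter(const char *usn, char *out, size_t len)
{
    if (usn == NULL)  /* unset: ask for every rule (assumed fallback) */
        return snprintf(out, len, "(objectClass=sudoRole)") < (int)len ? 0 : -1;
    if (!is_generalized_time(usn)) return -1;
    int w = snprintf(out, len,
                     "(&(objectClass=sudoRole)(modifyTimestamp>=%s))", usn);
    return (w > 0 && w < (int)len) ? 0 : -1;
}
```

With the stored value left unset, a rule such as 'defaults !requiretty' that is added to the directory after an empty initial refresh is still picked up by the next smart refresh instead of being filtered out.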
Upstream ticket: https://fedorahosted.org/sssd/ticket/3257
Pull request: https://github.com/SSSD/sssd/pull/103
master: 46703740e83a66909974a5ee8d47df6a6e5076e7
sssd-1-14: 76e97affaa05ce45709efd59d120595c5992aa21
sssd-1-13: 4e25db79aa514e044449c8ad4482c45b24e7a3d4
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:2294