Bug 1399589 - sssd prevents sudo from getting data from LDAP
Summary: sssd prevents sudo from getting data from LDAP
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Pavel Březina
QA Contact: Dalibor Pospíšil
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-11-29 10:54 UTC by Dalibor Pospíšil
Modified: 2020-05-02 18:34 UTC (History)

Fixed In Version: sssd-1.15.0-2.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1400643 (view as bug list)
Environment:
Last Closed: 2017-08-01 09:02:33 UTC
Target Upstream Version:
Embargoed:


Attachments
sssd.logs.bz2 (29.12 KB, application/x-bzip), 2016-11-29 13:41 UTC, Dalibor Pospíšil
sssd.logs.tar.bz2 (29.12 KB, application/x-bzip), 2016-11-29 13:44 UTC, Dalibor Pospíšil


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 4290 0 None None None 2020-05-02 18:34:32 UTC
Red Hat Product Errata RHEA-2017:2294 0 normal SHIPPED_LIVE sssd bug fix and enhancement update 2017-08-01 12:39:55 UTC

Description Dalibor Pospíšil 2016-11-29 10:54:23 UTC
Description of problem:
Apparently sssd prevents sudo from getting some options from LDAP, at least 'defaults !requiretty'.
This is a regression, as it worked with sssd-1.13.0-40.el7

Version-Release number of selected component (if applicable):
sssd-1.14.0-43.el7

How reproducible:
100%

Steps to Reproduce:
1. use linked test
2.
3.

Actual results:
phase dedicated to sssd fails

Expected results:
whole test passes

Comment 2 Jakub Hrozek 2016-11-29 11:12:35 UTC
Pavel should take a look

Comment 3 Lukas Slebodnik 2016-11-29 12:03:28 UTC
BTW, I would bet it's a timing issue.

Could you provide log files with debug_level=9 in the domain and sudo sections?
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

Comment 4 Dalibor Pospíšil 2016-11-29 13:41:49 UTC
Created attachment 1225842 [details]
sssd.logs.bz2

here are debug logs I got during the test

Comment 5 Dalibor Pospíšil 2016-11-29 13:44:06 UTC
Created attachment 1225844 [details]
sssd.logs.tar.bz2

Comment 6 Pavel Březina 2016-12-02 13:06:33 UTC
You are hitting:
- https://bugzilla.redhat.com/show_bug.cgi?id=1312062 
- https://fedorahosted.org/sssd/ticket/2970

sssd version on the test machine is sssd-1.13.3-48.el6.x86_64 and this version is missing patch for the above bug.

Comment 7 Jakub Hrozek 2016-12-02 14:03:52 UTC
(In reply to Pavel Březina from comment #6)
> You are hitting:
> - https://bugzilla.redhat.com/show_bug.cgi?id=1312062 
> - https://fedorahosted.org/sssd/ticket/2970
> 
> sssd version on the test machine is sssd-1.13.3-48.el6.x86_64 and this
> version is missing patch for the above bug.

Well, this is a RHEL-7 bug and the sssd version the bug is filed against is 1.14. Did we regress?

Comment 8 Pavel Březina 2016-12-05 08:35:56 UTC
It was introduced as one of the changes for supporting IPA schema, which made it to 6.8. Yes, this is a regression.

Comment 9 Lukas Slebodnik 2016-12-05 11:53:52 UTC
Maybe I do not understand something correctly.
* native ipa sudo schema was introduced in 1.13.2
* upstream bug https://fedorahosted.org/sssd/ticket/2970 was fixed in 1.13.4 + master(1.13.90)
  https://git.fedorahosted.org/cgit/sssd.git/commit/?id=ef5e33f7db1e314226b0077596e38ef16305cba5

This bug is about sssd-1.14.0-43.el7

When did we regress?

Comment 10 Pavel Březina 2016-12-05 12:25:42 UTC
Ok, so the cause is still the same, that openldap can't handle modifyTimestamp>=number, it needs datetime format.

The patch that fixed #2970 is not complete and does not handle the case when ldap doesn't contain any sudorule during the initial full refresh -- usn is then set to 1 instead of remaining unset and we are trying to search modifyTimestamp>=1 during smart refresh which doesn't return any result.

I will prepare a patch.

This is a regression caused by IPA schema patches which was supposed to be fixed by 2970, but the fix was apparently not complete.
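
The failure mode described in comment 10, as an added C illustration (not SSSD source code and not the patch from the pull request): a remembered USN of "1" is rejected for modifyTimestamp and the caller falls back to a full refresh instead of sending a filter that matches nothing. The names plan_sudo_refresh and refresh_plan, the simplified filter shape, and the use of entryUSN as an example of a numeric counter attribute are assumptions made for this example.

```c
/* Added illustration of the failure mode in comment 10; not SSSD source code. */
#include <stdio.h>
#include <string.h>

enum refresh_plan { PLAN_SMART, PLAN_FULL };

/* YYYYMMDDHHMMSSZ, the form OpenLDAP stores in modifyTimestamp */
static int is_generalized_time(const char *s)
{
    return strspn(s, "0123456789") == 14 && strcmp(s + 14, "Z") == 0;
}

static int is_counter(const char *s)
{
    size_t n = strspn(s, "0123456789");
    return n > 0 && s[n] == '\0';
}

/* highest_usn is the value remembered from the last refresh, NULL if unset.
 * Writes a simplified smart-refresh filter, or returns PLAN_FULL when the
 * remembered value cannot be compared against usn_attr on the server. */
enum refresh_plan plan_sudo_refresh(const char *usn_attr, const char *highest_usn,
                                    char *filter, size_t len)
{
    int n, ok = 0;
    if (highest_usn != NULL)
        ok = strcmp(usn_attr, "modifyTimestamp") == 0
                 ? is_generalized_time(highest_usn) : is_counter(highest_usn);
    if (ok) {
        n = snprintf(filter, len, "(&(objectClass=sudoRole)(%s>=%s))", usn_attr, highest_usn);
        if (n > 0 && (size_t)n < len) return PLAN_SMART;
    }
    filter[0] = '\0';
    return PLAN_FULL;
}

int main(void)
{
    char f[128];
    /* Constructed inputs: the "1" left behind by an empty initial full refresh */
    printf("%d %s\n", plan_sudo_refresh("modifyTimestamp", "1", f, sizeof f), f);
    printf("%d %s\n", plan_sudo_refresh("modifyTimestamp", "20161205122542Z", f, sizeof f), f);
    return 0;
}
```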

Comment 11 Pavel Březina 2016-12-05 13:41:20 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/3257

Pull request:
https://github.com/SSSD/sssd/pull/103

Comment 12 Jakub Hrozek 2016-12-05 14:19:56 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/3257

Comment 13 Jakub Hrozek 2016-12-08 16:03:41 UTC
    master: 46703740e83a66909974a5ee8d47df6a6e5076e7
    sssd-1-14: 76e97affaa05ce45709efd59d120595c5992aa21
    sssd-1-13: 4e25db79aa514e044449c8ad4482c45b24e7a3d4

Comment 16 errata-xmlrpc 2017-08-01 09:02:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294

