Bug 1399589 - sssd prevents sudo from getting data from LDAP
Summary: sssd prevents sudo from getting data from LDAP
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Pavel Březina
QA Contact: Dalibor Pospíšil
Depends On:
Reported: 2016-11-29 10:54 UTC by Dalibor Pospíšil
Modified: 2020-05-02 18:34 UTC

Fixed In Version: sssd-1.15.0-2.el7
Doc Text:
Clone Of:
: 1400643 (view as bug list)
Last Closed: 2017-08-01 09:02:33 UTC
Target Upstream Version:

Attachments
sssd.logs.bz2 (29.12 KB, application/x-bzip)
2016-11-29 13:41 UTC, Dalibor Pospíšil
sssd.logs.tar.bz2 (29.12 KB, application/x-bzip)
2016-11-29 13:44 UTC, Dalibor Pospíšil

System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 4290 0 None None None 2020-05-02 18:34:32 UTC
Red Hat Product Errata RHEA-2017:2294 0 normal SHIPPED_LIVE sssd bug fix and enhancement update 2017-08-01 12:39:55 UTC

Description Dalibor Pospíšil 2016-11-29 10:54:23 UTC
Description of problem:
Apparently sssd prevents sudo from getting some options from LDAP, at least 'defaults !requiretty'.
This is a regression, as it worked with sssd-1.13.0-40.el7

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. use linked test

Actual results:
phase dedicated to sssd fails

Expected results:
whole test passes

Comment 2 Jakub Hrozek 2016-11-29 11:12:35 UTC
Pavel should take a look

Comment 3 Lukas Slebodnik 2016-11-29 12:03:28 UTC
BTW, I would bet it's a timing issue.

Could you provide log files with debug_level=9 in the domain and sudo sections?

Comment 4 Dalibor Pospíšil 2016-11-29 13:41:49 UTC
Created attachment 1225842

Here are the debug logs I got during the test

Comment 5 Dalibor Pospíšil 2016-11-29 13:44:06 UTC
Created attachment 1225844

Comment 6 Pavel Březina 2016-12-02 13:06:33 UTC
You are hitting:
- https://bugzilla.redhat.com/show_bug.cgi?id=1312062 
- https://fedorahosted.org/sssd/ticket/2970

sssd version on the test machine is sssd-1.13.3-48.el6.x86_64 and this version is missing patch for the above bug.

Comment 7 Jakub Hrozek 2016-12-02 14:03:52 UTC
(In reply to Pavel Březina from comment #6)
> You are hitting:
> - https://bugzilla.redhat.com/show_bug.cgi?id=1312062 
> - https://fedorahosted.org/sssd/ticket/2970
> sssd version on the test machine is sssd-1.13.3-48.el6.x86_64 and this
> version is missing patch for the above bug.

Well, this is a RHEL-7 bug and the sssd version the bug is filed against is 1.14. Did we regress?

Comment 8 Pavel Březina 2016-12-05 08:35:56 UTC
It was introduced as one of the changes for supporting IPA schema, which made it to 6.8. Yes, this is a regression.

Comment 9 Lukas Slebodnik 2016-12-05 11:53:52 UTC
Maybe I do not understand something correctly.
* native ipa sudo schema was introduced in 1.13.2
* upstream bug https://fedorahosted.org/sssd/ticket/2970 was fixed in 1.13.4 + master(1.13.90)

This bug is about sssd-1.14.0-43.el7

When did we regress?

Comment 10 Pavel Březina 2016-12-05 12:25:42 UTC
Ok, so the cause is still the same, that openldap can't handle modifyTimestamp>=number, it needs datetime format.

The patch that fixed #2970 is not complete and does not handle the case when ldap doesn't contain any sudorule during the initial full refresh -- usn is then set to 1 instead of remaining unset and we are trying to search modifyTimestamp>=1 during smart refresh which doesn't return any result.

I will prepare a patch.

This is a regression caused by IPA schema patches which was supposed to be fixed by 2970, but the fix was apparently not complete.
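
The failure mode described in comment 10, as an added example that is not part of the original thread and is not sssd code: a small model of why a smart refresh filtered on `modifyTimestamp>=1` returns no sudo rules. The function names, the sample timestamps, and the behaviour for an unset USN (no timestamp restriction) are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Simplified GeneralizedTime check: YYYYMMDDHHMMSSZ, the form used for
 * modifyTimestamp. Fractions and time zone offsets are not handled. */
static int is_generalized_time(const char *v)
{
    if (v == NULL || strlen(v) != 15 || v[14] != 'Z') return 0;
    for (int i = 0; i < 14; i++)
        if (!isdigit((unsigned char)v[i])) return 0;
    return 1;
}

/* Model of the server evaluating (modifyTimestamp>=assertion): an
 * assertion that is not a datetime cannot be compared, so nothing matches. */
static int matches_ge(const char *entry_ts, const char *assertion)
{
    if (!is_generalized_time(assertion)) return 0;
    return strcmp(entry_ts, assertion) >= 0; /* fixed-width UTC sorts lexically */
}

/* Count the rules a smart refresh would fetch (hypothetical helper).
 * usn == NULL models "unset"; assumed here to mean no timestamp filter. */
static int smart_refresh_hits(const char *const *rules, int n, const char *usn)
{
    int hits = 0;
    for (int i = 0; i < n; i++)
        if (usn == NULL || matches_ge(rules[i], usn)) hits++;
    return hits;
}

/* Constructed modifyTimestamp values for sudo rules that were added to
 * LDAP after an initial full refresh that found no rules. */
static const char *const SAMPLE_RULES[] = { "20161129105423Z", "20161205122542Z" };

int main(void)
{
    /* Buggy state: usn was set to "1" after the empty full refresh. */
    printf("usn=\"1\":   %d rules\n", smart_refresh_hits(SAMPLE_RULES, 2, "1"));
    /* Intended state: usn stays unset until a real value is seen. */
    printf("usn unset: %d rules\n", smart_refresh_hits(SAMPLE_RULES, 2, NULL));
    /* Normal case: usn holds a datetime learned from earlier entries. */
    printf("usn=time:  %d rules\n",
           smart_refresh_hits(SAMPLE_RULES, 2, "20161201000000Z"));
    return 0;
}
```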

Comment 11 Pavel Březina 2016-12-05 13:41:20 UTC
Upstream ticket:

Pull request:

Comment 12 Jakub Hrozek 2016-12-05 14:19:56 UTC
Upstream ticket:

Comment 13 Jakub Hrozek 2016-12-08 16:03:41 UTC
    master: 46703740e83a66909974a5ee8d47df6a6e5076e7
    sssd-1-14: 76e97affaa05ce45709efd59d120595c5992aa21
    sssd-1-13: 4e25db79aa514e044449c8ad4482c45b24e7a3d4

Comment 16 errata-xmlrpc 2017-08-01 09:02:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

