1399589 – sssd prevents sudo from getting data from LDAP

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1399589 - sssd prevents sudo from getting data from LDAP

Summary: sssd prevents sudo from getting data from LDAP

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	7.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Pavel Březina
QA Contact:	Dalibor Pospíšil
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-11-29 10:54 UTC by Dalibor Pospíšil
Modified:	2020-05-02 18:34 UTC (History)
CC List:	8 users (show)
Fixed In Version:	sssd-1.15.0-2.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1400643 (view as bug list)
Environment:
Last Closed:	2017-08-01 09:02:33 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
sssd.logs.bz2 (29.12 KB, application/x-bzip) 2016-11-29 13:41 UTC, Dalibor Pospíšil	no flags	Details
sssd.logs.tar.bz2 (29.12 KB, application/x-bzip) 2016-11-29 13:44 UTC, Dalibor Pospíšil	no flags	Details
Show Obsolete (1) View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 4290	0	None	None	None	2020-05-02 18:34:32 UTC
Red Hat Product Errata	RHEA-2017:2294	0	normal	SHIPPED_LIVE	sssd bug fix and enhancement update	2017-08-01 12:39:55 UTC

Description Dalibor Pospíšil 2016-11-29 10:54:23 UTC

Description of problem:
Apparently sssd prevents sudo from getting some options from LDAP, at least 'defaults !requiretty'.
This is regression as it worked with sssd-1.13.0-40.el7

Version-Release number of selected component (if applicable):
sssd-1.14.0-43.el7

How reproducible:
100%

Steps to Reproduce:
1. use linked test
2.
3.

Actual results:
phase dedicated to sssd fail

Expected results:
whole test passes

Comment 2 Jakub Hrozek 2016-11-29 11:12:35 UTC

Pavel should take a look

Comment 3 Lukas Slebodnik 2016-11-29 12:03:28 UTC

BTW, I would bet it's a timing issue.

Could you provide log files with debug_level=9 in domain and sudo section.
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

Comment 4 Dalibor Pospíšil 2016-11-29 13:41:49 UTC

Created attachment 1225842 [details]
sssd.logs.bz2

here are debug logs I got during the test

Comment 5 Dalibor Pospíšil 2016-11-29 13:44:06 UTC

Created attachment 1225844 [details]
sssd.logs.tar.bz2

Comment 6 Pavel Březina 2016-12-02 13:06:33 UTC

You are hitting:
- https://bugzilla.redhat.com/show_bug.cgi?id=1312062 
- https://fedorahosted.org/sssd/ticket/2970

sssd version on the test machine is sssd-1.13.3-48.el6.x86_64 and this version is missing patch for the above bug.

Comment 7 Jakub Hrozek 2016-12-02 14:03:52 UTC

(In reply to Pavel Březina from comment #6)
> You are hitting:
> - https://bugzilla.redhat.com/show_bug.cgi?id=1312062 
> - https://fedorahosted.org/sssd/ticket/2970
> 
> sssd version on the test machine is sssd-1.13.3-48.el6.x86_64 and this
> version is missing patch for the above bug.

Well, this is a RHEL-7 bug and the sssd version the bug is filed against is 1.14. Did we regress?

Comment 8 Pavel Březina 2016-12-05 08:35:56 UTC

It was introduced with as one of the changes for supporting IPA schema, which made it to 6.8. Yes, this is a regression.

Comment 9 Lukas Slebodnik 2016-12-05 11:53:52 UTC

Maybe I do not understand something correctly.
* native ipa sudo schema was introduced in 1.13.2
* upstream bug https://fedorahosted.org/sssd/ticket/2970 was fixed in 1.13.4 + master(1.13.90)
  https://git.fedorahosted.org/cgit/sssd.git/commit/?id=ef5e33f7db1e314226b0077596e38ef16305cba5

This bug is about sssd-1.14.0-43.el7

When did we regress?

Comment 10 Pavel Březina 2016-12-05 12:25:42 UTC

Ok, so the cause is still the same, that openldap can't handle modifyTimestamp>=number, it needs datetime format.

The patch that fixed #2970 is not complete and does not handle the case when ldap doesn't contain any sudorule during the initial full refresh -- usn is then set to 1 instead of remaining unset and we are trying to search modifyTimestamp>=1 during smart refresh which doesn't return any result.

I will prepare a patch.

This is a regression caused by IPA schema patches which was supposed to be fixed by 2970, but the fix was apparentely not complete.

Comment 11 Pavel Březina 2016-12-05 13:41:20 UTC

Upstream ticket:
https://fedorahosted.org/sssd/ticket/3257

Pull request:
https://github.com/SSSD/sssd/pull/103

Comment 12 Jakub Hrozek 2016-12-05 14:19:56 UTC

Upstream ticket:
https://fedorahosted.org/sssd/ticket/3257

Comment 13 Jakub Hrozek 2016-12-08 16:03:41 UTC

    master: 46703740e83a66909974a5ee8d47df6a6e5076e7
    sssd-1-14: 76e97affaa05ce45709efd59d120595c5992aa21
    sssd-1-13: 4e25db79aa514e044449c8ad4482c45b24e7a3d4

Comment 16 errata-xmlrpc 2017-08-01 09:02:33 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294

Note You need to log in before you can comment on or make changes to this bug.