Bug 1418728 - IPA - sudo does not handle associated conflict entries
Summary: IPA - sudo does not handle associated conflict entries
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: SSSD Maintainers
QA Contact: Xiyang Dong
Duplicates: 1323967 (view as bug list)
Depends On:
Blocks: 1420851
Reported: 2017-02-02 15:13 UTC by Jakub Hrozek
Modified: 2020-05-02 18:36 UTC
CC: 9 users

Fixed In Version: sssd-1.15.2-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-08-01 09:02:33 UTC
Target Upstream Version:


System ID Priority Status Summary Last Updated
Github SSSD sssd issues 4321 None None None 2020-05-02 18:36:13 UTC
Red Hat Product Errata RHEA-2017:2294 normal SHIPPED_LIVE sssd bug fix and enhancement update 2017-08-01 12:39:55 UTC

Description Jakub Hrozek 2017-02-02 15:13:53 UTC
This bug is created as a clone of upstream ticket:

Sudo attempts will fail in IDM environments when LDAP entries exist associated with the sudo rule. In the SSSD log we see:

(Wed Jan 25 17:08:13 2017) [sssd[be[jstephen.local]]] [sdap_search_bases_ex_done] (0x0400): Receiving data from base [cn=sudo,dc=jstephen,dc=local]
(Wed Jan 25 17:08:13 2017) [sssd[be[jstephen.local]]] [ipa_sudo_fetch_cmds_done] (0x0040): Received 2 sudo commands
(Wed Jan 25 17:08:13 2017) [sssd[be[jstephen.local]]] [ipa_sudo_fetch_done] (0x0400): About to convert rules
(Wed Jan 25 17:08:13 2017) [sssd[be[jstephen.local]]] [convert_host] (0x0020): Unexpected DN fqdn=conflicthost.jstephen.local+nsuniqueid=9b1e3301-c32611e6-bdcae37a-ef905e7c,cn=computers,cn=accounts,dc=jstephen,dc=local
(Wed Jan 25 17:08:13 2017) [sssd[be[jstephen.local]]] [rules_iterator] (0x0040): Unable to convert attributes [12]: Cannot allocate memory
(Wed Jan 25 17:08:13 2017) [sssd[be[jstephen.local]]] [ipa_sudo_conv_result] (0x0020): Unable to convert rules [12]: Cannot allocate memory
(Wed Jan 25 17:08:13 2017) [sssd[be[jstephen.local]]] [ipa_sudo_fetch_done] (0x0020): Unable to convert rules [12]: Cannot allocate memory
(Wed Jan 25 17:08:13 2017) [sssd[be[jstephen.local]]] [sdap_id_op_done] (0x4000): releasing operation connection

This is caused by the memberHost attribute containing conflict entries.
[root@ipa-server-f24 ~]# ipa sudorule-find --all --raw 'testrule'
1 Sudo Rule matched
  dn: ipaUniqueID=e9025c46-ddab-11e6-9096-525400af7498,cn=sudorules,cn=sudo,dc=jstephen,dc=local
  cn: testrule
  ipaenabledflag: TRUE
  ipasudorunasusercategory: all
  ipasudorunasgroupcategory: all
  memberhost: fqdn=ipa-client-f25.jstephen.local,cn=computers,cn=accounts,dc=jstephen,dc=local
  memberhost: fqdn=ipa-replica-f25.jstephen.local,cn=computers,cn=accounts,dc=jstephen,dc=local
  memberhost: fqdn=ipa-server-f24.jstephen.local,cn=computers,cn=accounts,dc=jstephen,dc=local
  memberhost: fqdn=conflicthost.jstephen.local+nsuniqueid=9b1e3301-c32611e6-bdcae37a-ef905e7c,cn=computers,cn=accounts,dc=jstephen,dc=local
  memberhost: fqdn=testhost.jstephen.local+nsuniqueid=cb3d7383-ddb511e6-8c9996c1-71a1e36a,cn=computers,cn=accounts,dc=jstephen,dc=local
  memberuser: uid=testuser,cn=users,cn=accounts,dc=jstephen,dc=local
  ipaUniqueID: e9025c46-ddab-11e6-9096-525400af7498
  memberallowcmd: cn=mycmdgroup,cn=sudocmdgroups,cn=sudo,dc=jstephen,dc=local
  objectClass: ipasudorule
  objectClass: ipaassociation
Number of entries returned 1
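What the "Unexpected DN" line in the log is choking on is a multi-valued RDN. When 389 Directory Server resolves a replication conflict, the losing entry is renamed to `<original rdn>+nsuniqueid=<id>`, so the rule's `memberhost` value no longer starts with the single `fqdn=...` RDN the converter expects, and the whole rule conversion fails. The following Python is an added example, not SSSD's or FreeIPA's code, showing one way to split such DNs and separate conflict entries from usable hosts and hostgroups. The sample `memberhost` values are the ones from the rule above; the function names and the decision to skip conflict entries rather than fail the rule are my own choices for illustration.

```python
"""Classify IPA sudo-rule memberHost DNs, recognising 389-ds replication conflict entries.

Added example; not code from SSSD or FreeIPA.  The helper names are invented for
this illustration.  Conflict entries are identified by the extra "nsuniqueid"
attribute that 389-ds appends to the RDN of the entry that lost the conflict.
"""

CONFLICT_MARKER = "nsuniqueid"

# Constructed sample: the memberhost values of the rule shown in the bug description.
SAMPLE_MEMBERHOST = [
    "fqdn=ipa-client-f25.jstephen.local,cn=computers,cn=accounts,dc=jstephen,dc=local",
    "fqdn=ipa-replica-f25.jstephen.local,cn=computers,cn=accounts,dc=jstephen,dc=local",
    "fqdn=ipa-server-f24.jstephen.local,cn=computers,cn=accounts,dc=jstephen,dc=local",
    "fqdn=conflicthost.jstephen.local+nsuniqueid=9b1e3301-c32611e6-bdcae37a-ef905e7c,"
    "cn=computers,cn=accounts,dc=jstephen,dc=local",
    "fqdn=testhost.jstephen.local+nsuniqueid=cb3d7383-ddb511e6-8c9996c1-71a1e36a,"
    "cn=computers,cn=accounts,dc=jstephen,dc=local",
]


def split_unescaped(text, sep):
    """Split text on sep, honouring RFC 4514 backslash escapes (so 'a\\,b' stays whole)."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(ch)
            current.append(text[i + 1])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def parse_rdn(rdn):
    """Return {attr: value} for a possibly multi-valued RDN such as 'fqdn=h+nsuniqueid=x'."""
    avas = {}
    for ava in split_unescaped(rdn, "+"):
        attr, _, value = ava.partition("=")
        avas[attr.strip().lower()] = value.strip()
    return avas


def classify_member_host(dn):
    """Describe one memberHost DN: host or hostgroup name, and whether it is a conflict entry."""
    rdns = split_unescaped(dn, ",")
    first = parse_rdn(rdns[0])
    parent = ",".join(r.strip().lower() for r in rdns[1:])
    is_conflict = CONFLICT_MARKER in first
    if "fqdn" in first and parent.startswith("cn=computers,cn=accounts,"):
        return {"kind": "host", "name": first["fqdn"], "conflict": is_conflict}
    if "cn" in first and parent.startswith("cn=hostgroups,cn=accounts,"):
        return {"kind": "hostgroup", "name": first["cn"], "conflict": is_conflict}
    return {"kind": "unknown", "name": None, "conflict": is_conflict}


def hosts_from_rule(memberhost_values):
    """Split a rule's memberHost values into usable (kind, name) pairs and skipped DNs.

    Conflict entries and unrecognised DNs are skipped instead of aborting the whole
    rule, so the remaining hosts still get their sudo rule.
    """
    usable, skipped = [], []
    for dn in memberhost_values:
        info = classify_member_host(dn)
        if info["conflict"] or info["kind"] == "unknown":
            skipped.append(dn)
        else:
            usable.append((info["kind"], info["name"]))
    return usable, skipped


if __name__ == "__main__":
    ok, bad = hosts_from_rule(SAMPLE_MEMBERHOST)
    for kind, name in ok:
        print(f"usable {kind}: {name}")
    for dn in bad:
        print(f"skipped conflict entry: {dn}")
```

Run against the sample, the three plain `fqdn=` hosts are kept and the two `+nsuniqueid=` entries are reported as conflict entries. Whether a deployment should silently skip such members or alert on them is a policy question: a conflict entry is a sign that two replicas disagreed about that host, so the usual follow-up is to inspect and clean it up on the 389-ds side rather than leave the rule depending on it.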

Comment 1 Lukas Slebodnik 2017-02-07 16:38:44 UTC
* 1404f3aa541849d880cce591584ba1580014cb50
* d0aae3c1e87e2e51ab178b7b343261443094a974

* db0c5135add7c93638794abd8c7f04a1c5d74186
* c4c47ca961029dbbccf7aab0794c31ab97bc10e0

Comment 4 Xiyang Dong 2017-06-09 17:59:09 UTC
Verified on sssd-1.15.2-24.el7:
# ipa host-add --force conflicthost.tesrelm.test
Added host "conflicthost.tesrelm.test"
  Host name: conflicthost.tesrelm.test
  Principal name: host/conflicthost.tesrelm.test@TESTRELM.TEST
  Principal alias: host/conflicthost.tesrelm.test@TESTRELM.TEST
  Password: False
  Keytab: False
  Managed by: conflicthost.tesrelm.test
# ipa sudorule-add testrule
Added Sudo Rule "testrule"
  Rule name: testrule
  Enabled: TRUE
# cat > addmemberhost.ldif << addmemberhost.ldif_EOF
> dn: ipaUniqueID=854eecd0-4d38-11e7-80de-525400bd3099,cn=sudorules,cn=sudo,dc=testrelm,dc=test
> changetype: modify
> add: memberhost
> memberhost: fqdn=conflicthost.tesrelm.test,cn=computers,cn=accounts,dc=testrelm,dc=test
> addmemberhost.ldif_EOF
# ldapmodify -x -D "cn=Directory Manager" -w Secret123  -f addmemberhost.ldif
modifying entry "ipaUniqueID=854eecd0-4d38-11e7-80de-525400bd3099,cn=sudorules,cn=sudo,dc=testrelm,dc=test"
# ipa sudorule-find --all --raw 'testrule'
1 Sudo Rule matched
  dn: ipaUniqueID=854eecd0-4d38-11e7-80de-525400bd3099,cn=sudorules,cn=sudo,dc=testrelm,dc=test
  cn: testrule
  ipaenabledflag: TRUE
  memberhost: fqdn=conflicthost.tesrelm.test,cn=computers,cn=accounts,dc=testrelm,dc=test
  ipaUniqueID: 854eecd0-4d38-11e7-80de-525400bd3099
  objectClass: ipaassociation
  objectClass: ipasudorule
Number of entries returned 1
# cat /etc/sssd/sssd.conf
[domain/testrelm.test]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = testrelm.test
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = hp-xw6600-02.testrelm.test
chpass_provider = ipa
ipa_server = _srv_, bkr-hv03-guest06.testrelm.test
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 9

[sssd]
services = nss, sudo, pam, ssh

domains = testrelm.test
debug_level = 9

[nss]
homedir_substring = /home

debug_level = 9

# service sssd restart
Redirecting to /bin/systemctl restart sssd.service
# cd /var/log/sssd/
# cat sssd* | grep "Unexpected DN"
# cat sssd* | grep "Unable to convert"

Comment 5 errata-xmlrpc 2017-08-01 09:02:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Comment 6 Jakub Hrozek 2017-08-09 16:04:19 UTC
*** Bug 1323967 has been marked as a duplicate of this bug. ***
