Red Hat Bugzilla – Bug 1486786
sssd going in offline mode due to sudo search filter.
Last modified: 2018-04-10 13:17:28 EDT
Pavel, can you take a look at this, please?
Upstream ticket: https://pagure.io/SSSD/sssd/issue/3507
master: * bc854800cc67271205d63136daaf68d7863cea6b
IPA-VERSION: ipa-server-4.5.4-8.el7.x86_64
SSSD-VERSION: sssd-1.16.0-14.el7.x86_64

Tested the bug with the following setup and observations:

Setup:
----------
1) 100 sudo rules
2) 100 sudo command groups
3) 926 sudo commands (used commands from /usr/bin)
4) IPA-AD Trust is set up

Observations:
1. Verified that the "Connection timed out" error message is not observed
2. Verified that the sudo rule works as expected for the user defined in the sudorule (in my case it is tuser)
3. Verified that the appropriate sudo message is returned when a user with no sudo rule defined tries to access/make changes to the client (in my case the user is nonsudo)

IPA-MASTER:
-------------
[root@ndipa bz1486786]# id administrator@ipaad2016.test
uid=1577600500(administrator@ipaad2016.test) gid=1577600500(administrator@ipaad2016.test) groups=1577600500(administrator@ipaad2016.test),1577600520(group policy creator owners@ipaad2016.test),1577600519(enterprise admins@ipaad2016.test),1577600512(domain admins@ipaad2016.test),1577600518(schema admins@ipaad2016.test),1577600513(domain users@ipaad2016.test)

[root@ndipa ~]# ipa sudorule-show files-commands
  Rule name: files-commands
  Enabled: TRUE
  Users: tuser
  Hosts: auto-hv-01-guest08.testrelm.test
  Sudo Allow Commands: /usr/bin/vim
  Sudo Deny Commands: /usr/bin/alias, /usr/bin/as

[root@ndipa bz1486786]# cat /var/log/sssd/sssd.log | grep "Connection timed out"
[root@ndipa bz1486786]# grep -rn "Connection timed out" /var/log/sssd
[root@ndipa bz1486786]#

IPA-CLIENT:
-------------
tuser: sudorule:
------------------
# su tuser
sh-4.2$ cat test_file_bz.txt
test bz file
sh-4.2$ sudo /usr/bin/vim test_file_bz.txt
sh-4.2$ #confirmed sudo user rule works as expected
sh-4.2$ cat test_file_bz.txt
test bz file
tuser Added this comment
sh-4.2$ /usr/bin/sudo -l
Matching Defaults entries for tuser on auto-hv-01-guest08:
    !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User tuser may run the following commands on auto-hv-01-guest08:
    (root) /usr/bin/vim, !/usr/bin/as, !/usr/bin/alias
sh-4.2$

nonsudo: norule
----------------
# su nonsudo
sh-4.2$ /usr/bin/sudo -l
[sudo] password for nonsudo:
Sorry, user nonsudo may not run sudo on auto-hv-01-guest08.
sh-4.2$

Thus, on the basis of the above observations, marking the status of the Bugzilla to "VERIFIED".
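As an added example that is not part of the Bugzilla thread, a bash helper that reproduces the verification above: it provisions many sudo commands, command groups and rules through the ipa CLI and then checks the client's SSSD logs for the "Connection timed out" message. The object name prefix (bz1486786-*), the counts baked into the provision mode and the user/host arguments are assumptions.

```shell
# Added reproduction/verification helper, not from the Bugzilla thread. It builds
# the scale setup the verification comment describes (many IPA sudo commands,
# command groups and rules) and checks the client's SSSD logs for the
# "Connection timed out" message that marked the bug. Object names (bz1486786-*),
# counts and the user/host are assumptions; provisioning needs an admin ticket.
set -euo pipefail

# Print up to $1 executable files from $2 (default /usr/bin), one per line.
list_commands() {
    local limit=$1 dir=${2:-/usr/bin}
    find "$dir" -maxdepth 1 -type f -perm -u+x | sort | awk -v n="$limit" 'NR <= n'
}

# Create $1 sudo commands, $2 command groups and $3 rules for user $4 on host $5.
# Commands are spread round-robin over the groups; each rule allows one group.
provision_sudo_objects() {
    local ncmds=$1 ngroups=$2 nrules=$3 user=$4 host=$5 prefix=${6:-bz1486786}
    local g i=0 cmd
    for ((g = 0; g < ngroups; g++)); do
        ipa sudocmdgroup-add "$prefix-grp-$g" >/dev/null
    done
    while IFS= read -r cmd; do
        ipa sudocmd-add "$cmd" >/dev/null
        ipa sudocmdgroup-add-member "$prefix-grp-$((i % ngroups))" --sudocmds="$cmd" >/dev/null
        i=$((i + 1))
    done < <(list_commands "$ncmds")
    for ((g = 0; g < nrules; g++)); do
        ipa sudorule-add "$prefix-rule-$g" >/dev/null
        ipa sudorule-add-allow-command "$prefix-rule-$g" --sudocmdgroups="$prefix-grp-$((g % ngroups))" >/dev/null
        ipa sudorule-add-user "$prefix-rule-$g" --users="$user" >/dev/null
        ipa sudorule-add-host "$prefix-rule-$g" --hosts="$host" >/dev/null
    done
}

# Return 0 when no SSSD log under $1 (default /var/log/sssd) contains the error
# that preceded the offline transition; print the matching lines and return 1
# otherwise, 2 when the log directory does not exist.
sssd_logs_clean() {
    local logdir=${1:-/var/log/sssd}
    [ -d "$logdir" ] || return 2
    if grep -rn "Connection timed out" "$logdir"; then
        return 1
    fi
}

case "${1:-}" in
    provision) provision_sudo_objects 926 100 100 "$2" "$3" ;;
    check)     sssd_logs_clean "${2:-/var/log/sssd}" ;;
esac
```

Run `provision USER HOST` once on the IPA master with an admin ticket, then `check` on the enrolled client after the sudo rules have been refreshed.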
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2018:0929