Description of problem:
Failure to sudo after upgrading to sudo-1.8.25-1.fc29.x86_64 (from sudo-1.8.23-3.fc29.x86_64). The setup is using FreeIPA and sssd with configured sudo rules based on hostnames. The "ipa_hostname" option in sssd.conf is expected to override the machine's hostname when doing host matching.

Version-Release number of selected component (if applicable):
sudo-1.8.25-1.fc29.x86_64
sssd-2.0.0-4.fc29.x86_64

How reproducible:
always

Steps to Reproduce:
1. Add "sudoers: files sss" in /etc/nsswitch.conf
2. Add the following lines in /etc/sssd/sssd.conf:

   [domain/example.com]
   id_provider = ipa
   ipa_server = _srv_, ipaserver.example.com
   ipa_domain = example.com
   ipa_hostname = client01.example.com
   auth_provider = ipa
   chpass_provider = ipa
   access_provider = ipa
   cache_credentials = True
   ldap_tls_cacert = /etc/ipa/ca.crt
   krb5_store_password_if_offline = True
   [sssd]
   services = nss, pam, ssh, sudo
   domains = example.com
   ...

3. Configure sudo rules on ipaserver.example.com to allow sudo for user01 only on server 'client01.example.com'
4. [user01@client01]# hostname client01

Actual results:
[user01@client01]# sudo -l
Sorry, user user01 may not run sudo on client01.

Expected results:
sudo should honor the ipa_hostname value when the sss backend is used.

The following is logged when enabling sudo debug-logs:

Dec 8 17:16:47 sudo[2366] ipa_hostname client01.example.com overrides client01
Dec 8 17:16:47 sudo[2366] <- get_ipa_hostname @ ./sssd.c:158 := 1
...
Dec 8 17:16:47 sudo[2366] host client01 matches sudoers pattern client01.example.com: false @ hostname_matches() ./match.c:1013
...

Even though the ipa_hostname override is picked up by sudo, it doesn't seem to be used when matching against the host rules provided by sssd.

When downgrading to sudo-1.8.23-3.fc29.x86_64 (everything else is the same on the system), the logs instead show:

host client01.example.com matches sudoers pattern client01.example.com: true @ hostname_matches() ./match.c:997
Dec 8 20:09:42 sudo[25342] <- hostname_matches @ ./match.c:998 := true
Dec 8 20:09:42 sudo[25342] sssd/ldap sudoHost 'client01.example.com' ... MATCH!

..and the sudo is successful. Something might be incorrect with my configuration, but it seems that sudo 1.8.23 and 1.8.25 behave differently here.
Fixed in: https://www.sudo.ws/repos/sudo/rev/b4f31dbe3109
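
To check other hosts' sudo debug logs for the symptom in the report, the following added example (not part of the original report or of sudo's code) pairs each "ipa_hostname ... overrides ..." message with later host-match messages from the same sudo process and flags matches made against a different name. The helper name find_ignored_overrides is hypothetical, the line formats are assumed to be the ones quoted in the report, and the sample is partly constructed.

```python
import re

# Line shapes are the two debug messages quoted in the report above.
OVERRIDE_RE = re.compile(
    r"sudo\[(?P<pid>\d+)\] ipa_hostname (?P<ipa>\S+) overrides (?P<sys>\S+)")
MATCH_RE = re.compile(
    r"sudo\[(?P<pid>\d+)\] host (?P<host>\S+) matches sudoers pattern "
    r"(?P<pattern>\S+): (?P<result>true|false)")


def find_ignored_overrides(lines):
    """Flag host matches that used another name than the announced ipa_hostname.

    Hypothetical helper: state is tracked per sudo PID, so interleaved
    invocations in one log file do not mix.
    """
    overrides = {}  # pid -> ipa_hostname announced by that sudo process
    findings = []
    for line in lines:
        m = OVERRIDE_RE.search(line)
        if m:
            overrides[m["pid"]] = m["ipa"]
            continue
        m = MATCH_RE.search(line)
        if not m or m["pid"] not in overrides:
            continue
        expected = overrides[m["pid"]]
        if m["host"].lower() != expected.lower():  # hostnames: case-insensitive
            findings.append({"pid": m["pid"], "expected": expected,
                             "matched_host": m["host"],
                             "pattern": m["pattern"],
                             "result": m["result"]})
    return findings


# Sample input: PID 2366 lines are quoted from the report; PID 25342 lines are
# constructed (prefix and override line assumed) to model the 1.8.23 behaviour.
SAMPLE = [
    "Dec 8 17:16:47 sudo[2366] ipa_hostname client01.example.com overrides client01",
    "Dec 8 17:16:47 sudo[2366] <- get_ipa_hostname @ ./sssd.c:158 := 1",
    "Dec 8 17:16:47 sudo[2366] host client01 matches sudoers pattern "
    "client01.example.com: false @ hostname_matches() ./match.c:1013",
    "Dec 8 20:09:42 sudo[25342] ipa_hostname client01.example.com overrides client01",
    "Dec 8 20:09:42 sudo[25342] host client01.example.com matches sudoers pattern "
    "client01.example.com: true @ hostname_matches() ./match.c:997",
]

if __name__ == "__main__":
    for f in find_ignored_overrides(SAMPLE):
        print("sudo[{pid}] matched as {matched_host!r}, expected {expected!r} "
              "(pattern {pattern}: {result})".format(**f))
```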