Bug 1657496 - sudo ipa_hostname not honored
Summary: sudo ipa_hostname not honored
Alias: None
Product: Fedora
Classification: Fedora
Component: sudo
Version: 29
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Radovan Sroka
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: 1738662
Reported: 2018-12-09 15:58 UTC by Magnus W
Modified: 2019-08-16 12:12 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1738662
Last Closed: 2019-08-16 12:12:14 UTC
Type: Bug


Description Magnus W 2018-12-09 15:58:05 UTC
Description of problem:

Failure to sudo after upgrading to sudo-1.8.25-1.fc29.x86_64 (from sudo-1.8.23-3.fc29.x86_64). The setup is using
FreeIPA and sssd with configured sudo rules based on hostnames. The "ipa_hostname" option in sssd.conf is expected to override the machine's hostname when doing host matching.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:

1. Add "sudoers: files sss" in /etc/nsswitch.conf

2. Add the following lines in /etc/sssd/sssd.conf:


	id_provider = ipa
	ipa_server = _srv_, ipaserver.example.com
	ipa_domain = example.com
	ipa_hostname = client01.example.com
	auth_provider = ipa
	chpass_provider = ipa
	access_provider = ipa
	cache_credentials = True
	ldap_tls_cacert = /etc/ipa/ca.crt
	krb5_store_password_if_offline = True
	services = nss, pam, ssh, sudo
	domains = example.com

3. Configure sudo rules on ipaserver.example.com to allow sudo for user01 only on server 'client01.example.com'

4. [user01@client01]# hostname

Actual results:

   [user01@client01]# sudo -l
   Sorry, user user01 may not run sudo on client01.

Expected results:

sudo should honor the ipa_hostname value when the sss backend is used.

The following is logged when enabling sudo debug-logs:

Dec  8 17:16:47 sudo[2366] ipa_hostname client01.example.com overrides client01
Dec  8 17:16:47 sudo[2366] <- get_ipa_hostname @ ./sssd.c:158 := 1
Dec  8 17:16:47 sudo[2366] host client01 matches sudoers pattern client01.example.com: false @ hostname_matches() ./match.c:1013

Even though the ipa_hostname override is picked up by sudo, it doesn't seem to be used when matching against the host rules provided by sssd.

When downgrading to sudo-1.8.23-3.fc29.x86_64 (everything else is the same on the system), the logs instead show:

host client01.example.com matches sudoers pattern client01.example.com: true @ hostname_matches() ./match.c:997
Dec  8 20:09:42 sudo[25342] <- hostname_matches @ ./match.c:998 := true
Dec  8 20:09:42 sudo[25342] sssd/ldap sudoHost 'client01.example.com' ... MATCH!

...and the sudo is successful.

Something might be incorrect with my configuration, but it seems that sudo 1.8.23 and 1.8.25 behave differently here.
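As an added diagnostic (not part of this report or of sudo itself): a small Python check over sudo debug-log lines that extracts the ipa_hostname override and the host actually passed to hostname_matches(), and reports whether the override was honored. The sample lines are constructed from the report; the 1.8.23 sample assumes the override line is logged there as well.

```python
import re

# Constructed sample: the sudo-1.8.25 debug lines from the report (override read,
# but the short hostname is used for matching).
BUGGY_LOG = """\
Dec  8 17:16:47 sudo[2366] ipa_hostname client01.example.com overrides client01
Dec  8 17:16:47 sudo[2366] <- get_ipa_hostname @ ./sssd.c:158 := 1
Dec  8 17:16:47 sudo[2366] host client01 matches sudoers pattern client01.example.com: false @ hostname_matches() ./match.c:1013
"""

# Constructed sample modelled on the sudo-1.8.23 lines (override honored).
GOOD_LOG = """\
Dec  8 20:09:41 sudo[25342] ipa_hostname client01.example.com overrides client01
Dec  8 20:09:42 sudo[25342] host client01.example.com matches sudoers pattern client01.example.com: true @ hostname_matches() ./match.c:997
Dec  8 20:09:42 sudo[25342] <- hostname_matches @ ./match.c:998 := true
Dec  8 20:09:42 sudo[25342] sssd/ldap sudoHost 'client01.example.com' ... MATCH!
"""

# "ipa_hostname <override> overrides <real host>" as logged by sudo's sssd backend.
OVERRIDE_RE = re.compile(r"ipa_hostname (\S+) overrides (\S+)")
# "host <h> matches sudoers pattern <p>: true|false" as logged by hostname_matches().
MATCH_RE = re.compile(r"\bhost (\S+) matches sudoers pattern (\S+): (true|false)")


def check_ipa_hostname(log_text):
    """Parse sudo debug output and decide whether ipa_hostname was honored.

    Returns a dict with the override hostname, the real hostname, every
    (host_used, pattern, matched) tuple seen in hostname_matches(), and
    'honored': True if every match attempt used the override, False if any
    attempt used a different host, None if no override line was logged.
    """
    override = real_host = None
    matches = []
    for line in log_text.splitlines():
        m = OVERRIDE_RE.search(line)
        if m:
            override, real_host = m.group(1), m.group(2)
            continue
        m = MATCH_RE.search(line)
        if m:
            matches.append((m.group(1), m.group(2), m.group(3) == "true"))
    honored = None
    if override is not None:
        honored = bool(matches) and all(h == override for h, _, _ in matches)
    return {"override": override, "real_host": real_host,
            "matches": matches, "honored": honored}
```

Feeding the 1.8.25 lines returns honored=False with the host used being the short name; the 1.8.23 lines return honored=True.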

Comment 2 Radovan Sroka 2019-08-16 12:12:14 UTC
Fixed in:

