Description of problem:
LDAP specification says that minutes and seconds might be omitted and in that case these are meant to be treated as zeros [1]. When a sudo rule defines sudoNotAfter and/or sudoNotBefore options which are specified only up to hours, e.g. 2019103116Z, sssd does not match the rule and refuses to let a user run a command. If the options are padded by zeros, e.g. 20191031160000Z, it works. SSSD should behave according to the LDAP specification in these terms.

Version-Release number of selected component (if applicable):
sssd-2.2.0-19.el8.x86_64

How reproducible:
100%

Steps to Reproduce:
1. have a rule with sudoNotBefore set to the past but specified only up to hours, e.g. 2019103116Z
2. try to run a command allowed by the rule

Actual results:
sudoNotBefore=2019103015Z
$ sudo -l
Sorry, user userallowed may not run sudo on ci-vm-10-0-137-224.

sudoNotBefore=20191030150000Z
$ sudo -l
Matching Defaults entries for userallowed on ci-vm-10-0-137-224:
    !authenticate, !requiretty
User userallowed may run the following commands on ci-vm-10-0-137-224:
    (root) NOTBEFORE=20191030150000Z ALL

Expected results:
sudoNotBefore=2019103015Z
$ sudo -l
Matching Defaults entries for userallowed on ci-vm-10-0-137-224:
    !authenticate, !requiretty
User userallowed may run the following commands on ci-vm-10-0-137-224:
    (root) NOTBEFORE=20191030150000Z ALL

sudoNotBefore=20191030150000Z
$ sudo -l
Matching Defaults entries for userallowed on ci-vm-10-0-137-224:
    !authenticate, !requiretty
User userallowed may run the following commands on ci-vm-10-0-137-224:
    (root) NOTBEFORE=20191030150000Z ALL

Additional info:
[1] https://ldapwiki.com/wiki/GeneralizedTime
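As an added illustration of the parsing behaviour the report asks for (this is example code written for this page, not sssd's own code and not the upstream fix), the C program below accepts LDAP GeneralizedTime values with or without minutes and seconds, treats the omitted fields as zeros, normalizes them to the 14-digit form that sudo -l prints, and applies a sudoNotBefore/sudoNotAfter window check that fails closed on malformed input. The function and struct names (parse_generalized_time, normalize_generalized_time, sudo_rule_time_allows, gt_fields) are invented for this example; only UTC ("Z") values are handled, which is all the page's examples use, and the date arithmetic uses a portable days-from-civil routine so the code does not depend on the non-standard timegm().

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Days since 1970-01-01 for a proleptic Gregorian date (the well-known
 * days_from_civil algorithm), so we do not depend on timegm(). */
static long days_from_civil(int y, int m, int d)
{
    y -= m <= 2;
    long era = (y >= 0 ? y : y - 399) / 400;
    unsigned yoe = (unsigned)(y - era * 400);
    unsigned doy = (153u * (unsigned)(m + (m > 2 ? -3 : 9)) + 2u) / 5u + (unsigned)d - 1u;
    unsigned doe = yoe * 365u + yoe / 4u - yoe / 100u + doy;
    return era * 146097L + (long)doe - 719468L;
}

/* Convert n ASCII digits at p to an int (caller guarantees they are digits). */
static int num(const char *p, int n)
{
    int v = 0;
    while (n-- > 0) v = v * 10 + (*p++ - '0');
    return v;
}

struct gt_fields { int year, mon, day, hour, min, sec; };  /* hypothetical name */

/* Split YYYYMMDDHH[MM[SS]][.frac]Z into fields. Minutes and seconds are
 * optional and default to zero, as the bug report expects. Only "Z" (UTC)
 * is accepted. Returns 0 on success, -1 if the value is malformed. */
static int parse_fields(const char *s, struct gt_fields *f)
{
    size_t len = strlen(s), i = 0, ndigits;

    if (len < 11 || s[len - 1] != 'Z') return -1;      /* at least YYYYMMDDHHZ */
    while (i < len - 1 && isdigit((unsigned char)s[i])) i++;
    ndigits = i;
    if (i < len - 1) {                                   /* optional fraction, ignored */
        if (s[i] != '.' && s[i] != ',') return -1;
        for (i++; i < len - 1; i++)
            if (!isdigit((unsigned char)s[i])) return -1;
    }
    if (ndigits != 10 && ndigits != 12 && ndigits != 14) return -1;

    f->year = num(s, 4); f->mon = num(s + 4, 2); f->day = num(s + 6, 2);
    f->hour = num(s + 8, 2);
    f->min = ndigits >= 12 ? num(s + 10, 2) : 0;        /* omitted -> 0 */
    f->sec = ndigits == 14 ? num(s + 12, 2) : 0;        /* omitted -> 0 */
    if (f->mon < 1 || f->mon > 12 || f->day < 1 || f->day > 31 ||
        f->hour > 23 || f->min > 59 || f->sec > 60)
        return -1;
    return 0;
}

/* Epoch seconds for a GeneralizedTime value; 0 on success, -1 if malformed. */
int parse_generalized_time(const char *s, time_t *out)
{
    struct gt_fields f;
    if (parse_fields(s, &f) != 0) return -1;
    *out = (time_t)(days_from_civil(f.year, f.mon, f.day) * 86400L
                    + f.hour * 3600L + f.min * 60L + f.sec);
    return 0;
}

/* Canonical 14-digit form, e.g. 2019103015Z -> 20191030150000Z, the form
 * sudo -l displays in NOTBEFORE= on this page. */
int normalize_generalized_time(const char *s, char *out, size_t outlen)
{
    struct gt_fields f;
    if (parse_fields(s, &f) != 0) return -1;
    if (snprintf(out, outlen, "%04d%02d%02d%02d%02d%02dZ", f.year, f.mon, f.day,
                 f.hour, f.min, f.sec) >= (int)outlen) return -1;
    return 0;
}

/* Validity-window check for a sudoRole. NULL means the attribute is unset.
 * 1 = now inside the window, 0 = outside, -1 = malformed attribute (deny). */
int sudo_rule_time_allows(const char *not_before, const char *not_after, time_t now)
{
    time_t t;
    if (not_before) {
        if (parse_generalized_time(not_before, &t) != 0) return -1;
        if (now < t) return 0;
    }
    if (not_after) {
        if (parse_generalized_time(not_after, &t) != 0) return -1;
        if (now > t) return 0;
    }
    return 1;
}

int main(void)
{
    /* Sample values taken from this bug report; the first two must agree. */
    const char *forms[] = { "2019103015Z", "20191030150000Z", "2020030509Z" };
    char buf[32];
    for (size_t i = 0; i < sizeof forms / sizeof forms[0]; i++) {
        time_t t;
        if (parse_generalized_time(forms[i], &t) == 0 &&
            normalize_generalized_time(forms[i], buf, sizeof buf) == 0)
            printf("%-16s -> %s (epoch %ld)\n", forms[i], buf, (long)t);
    }
    printf("rule allows now: %d\n", sudo_rule_time_allows("2019103015Z", NULL, time(NULL)));
    return 0;
}
```

The point worth noticing is that a rule whose sudoNotBefore is written as 2019103015Z and one written as 20191030150000Z resolve to the same instant, which is what the expected results above require; a parser that insists on 14 digits silently turns a valid rule into a denial, while one that guesses at malformed values would grant access it should not, so the window check returns a distinct -1 for unparsable input and callers should treat that as a deny.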
Upstream ticket: https://pagure.io/SSSD/sssd/issue/4118
* `master`
    * 58a67cd38b8be9bef45ce70588763d851840dd65 - sysdb_sudo: Enable LDAP time format compatibility
Sorry, moving back to POST, did not notice that this bug still needs ACKs. Adding devel ack.
Tested with following data:

~]# rpm -q sssd
sssd-2.2.3-17.el8.x86_64

~]# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = LDAP
services = nss, pam, sudo
debug_level = 0xFFFF

[nss]
filter_groups = root
filter_users = root

[pam]

[sudo]
debug_level = 0xFFFF
sudo_timed = true

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
debug_level = 0xFFFF
ldap_uri = ldaps://ipaqavma.idmqe.lab.eng.bos.redhat.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
ldap_search_base = dc=example,dc=com
entry_cache_nowait_percentage = 0
entry_cache_timeout = 0
ldap_sudo_smart_refresh_interval = 1

[root@kvm-02-guest13 ~]# ldapsearch -x -h ipaqavma.idmqe.lab.eng.bos.redhat.com -b 'ou=sudoers,dc=example,dc=com' -D 'cn=Manager,dc=example,dc=com' -w 'Secret123'
# extended LDIF
#
# LDAPv3
# base <ou=sudoers,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Sudoers, example.com
dn: ou=Sudoers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Sudoers

# defaults, Sudoers, example.com
dn: cn=defaults,ou=Sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
sudoOption: !authenticate
cn: defaults

# test, Sudoers, example.com
dn: cn=test,ou=Sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoUser: ALL
cn: test
sudoRunAsUser: ALL
sudoNotBefore: 2020030509Z

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3

~]# systemctl stop sssd ; rm -rf /var/lib/sss/db/* ; rm -rf /var/log/sssd/* ; systemctl start sssd

[root@kvm-02-guest13 ~]# sudo -l -U user1
User user1 may run the following commands on kvm-02-guest13:
    (ALL) NOTBEFORE=20200305090000Z ALL

[root@kvm-02-guest13 ~]# ssh user1@localhost
user1@localhost's password:
** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **
This System is part of the Red Hat Test System.
Please do not use this system for individual unit testing.

RHTS Test information:
    HOSTNAME=kvm-02-guest13.hv2.lab.eng.bos.redhat.com
    JOBID=4112847
    RECIPEID=7982488
    LAB_SERVER=
    RESULT_SERVER=LEGACY
    DISTRO=RHEL-8.2.0-20200227.0
** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **
Last login: Thu Mar 5 09:15:19 2020 from ::1
Could not chdir to home directory /home/user1: No such file or directory
[user1@kvm-02-guest13 /]$ sudo -l
Matching Defaults entries for user1 on kvm-02-guest13:
    !authenticate
User user1 may run the following commands on kvm-02-guest13:
    (ALL) NOTBEFORE=20200305090000Z ALL
[user1@kvm-02-guest13 /]$ sudo -l
Matching Defaults entries for user1 on kvm-02-guest13:
    !authenticate
User user1 may run the following commands on kvm-02-guest13:
    (ALL) NOTBEFORE=20200305090000Z ALL
[user1@kvm-02-guest13 /]$ sudo less /var/log/secure
[user1@kvm-02-guest13 /]$ touch /etc/sssd/sssd.conf
touch: cannot touch '/etc/sssd/sssd.conf': Permission denied
[user1@kvm-02-guest13 /]$ sudo touch /etc/sssd/sssd.conf
[user1@kvm-02-guest13 /]$ sudo True
sudo: True: command not found
[user1@kvm-02-guest13 /]$ sudo true
[user1@kvm-02-guest13 /]$ logout
Connection to localhost closed.
[root@kvm-02-guest13 ~]# date +%Y%m%d%H%M%S
20200305095639

Marking verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:1863