Bug 1767514 - sssd requires timed sudoers ldap entries to be specified up to the seconds
Summary: sssd requires timed sudoers ldap entries to be specified up to the seconds
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: rc
: 8.0
Assignee: Paweł Poławski
QA Contact: sssd-qe
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks:
 
Reported: 2019-10-31 15:54 UTC by Dalibor Pospíšil
Modified: 2023-02-12 21:00 UTC (History)

Fixed In Version: sssd-2.2.3-14.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-28 16:56:29 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github SSSD sssd issues | 5079 | 0 | None | closed | sssd requires timed sudoers ldap entries to be specified up to the seconds | 2020-07-09 06:58:00 UTC
Red Hat Issue Tracker | RHELPLAN-36546 | 0 | None | None | None | 2023-02-12 20:59:57 UTC
Red Hat Issue Tracker | SSSD-1984 | 0 | None | None | None | 2023-02-12 21:00:55 UTC
Red Hat Product Errata | RHBA-2020:1863 | 0 | None | None | None | 2020-04-28 16:56:40 UTC

Description Dalibor Pospíšil 2019-10-31 15:54:38 UTC
Description of problem:
LDAP specification says that minutes and seconds might be omitted and in that case these are meant to be treated as zeros [1].

When a sudo rule defines sudoNotAfter and/or sudoNotBefore options which are specified only up to hours, e.g. 2019103116Z, sssd does not match the rule and refuses to let a user run a command. If the options are padded with zeros, e.g. 20191031160000Z, it works.

SSSD should behave according to the LDAP specification in these terms.

Version-Release number of selected component (if applicable):
sssd-2.2.0-19.el8.x86_64

How reproducible:
100%

Steps to Reproduce:
1. have a rule with sudoNotBefore set to the past but specified only up to hours, e.g. 2019103116Z
2. try to run command allowed by the rule

Actual results:
sudoNotBefore=2019103015Z
$ sudo -l
Sorry, user userallowed may not run sudo on ci-vm-10-0-137-224.

sudoNotBefore=20191030150000Z
$ sudo -l
Matching Defaults entries for userallowed on ci-vm-10-0-137-224:
    !authenticate, !requiretty

User userallowed may run the following commands on ci-vm-10-0-137-224:
    (root) NOTBEFORE=20191030150000Z ALL

Expected results:
sudoNotBefore=2019103015Z
$ sudo -l
Matching Defaults entries for userallowed on ci-vm-10-0-137-224:
    !authenticate, !requiretty

User userallowed may run the following commands on ci-vm-10-0-137-224:
    (root) NOTBEFORE=20191030150000Z ALL

sudoNotBefore=20191030150000Z
$ sudo -l
Matching Defaults entries for userallowed on ci-vm-10-0-137-224:
    !authenticate, !requiretty

User userallowed may run the following commands on ci-vm-10-0-137-224:
    (root) NOTBEFORE=20191030150000Z ALL


Additional info:
1. https://ldapwiki.com/wiki/GeneralizedTime

Comment 1 Pavel Březina 2019-11-19 12:47:41 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/4118

Comment 6 Pavel Březina 2019-12-04 11:03:13 UTC
* `master`
    * 58a67cd38b8be9bef45ce70588763d851840dd65 - sysdb_sudo: Enable LDAP time format compatibility

Comment 7 Michal Zidek 2019-12-12 11:21:39 UTC
Sorry, moving back to POST, did not notice that this bug still needs ACKs. Adding devel ack.

Comment 9 shridhar 2020-03-05 14:57:56 UTC
Tested with the following data:
~]# rpm -q sssd
sssd-2.2.3-17.el8.x86_64

 ~]# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains             = LDAP
services            = nss, pam, sudo
debug_level         = 0xFFFF

[nss]
filter_groups       = root
filter_users        = root

[pam]

[sudo]
debug_level         = 0xFFFF
sudo_timed          = true

[domain/LDAP]
id_provider         = ldap
auth_provider       = ldap
sudo_provider       = ldap
debug_level         = 0xFFFF
ldap_uri            = ldaps://ipaqavma.idmqe.lab.eng.bos.redhat.com
ldap_tls_cacert     = /etc/openldap/certs/cacert.asc
ldap_search_base    = dc=example,dc=com

entry_cache_nowait_percentage       = 0
entry_cache_timeout                 = 0
ldap_sudo_smart_refresh_interval    = 1



[root@kvm-02-guest13 ~]# ldapsearch -x -h ipaqavma.idmqe.lab.eng.bos.redhat.com -b 'ou=sudoers,dc=example,dc=com' -D 'cn=Manager,dc=example,dc=com' -w 'Secret123'
# extended LDIF
#
# LDAPv3
# base <ou=sudoers,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Sudoers, example.com
dn: ou=Sudoers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Sudoers

# defaults, Sudoers, example.com
dn: cn=defaults,ou=Sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
sudoOption: !authenticate
cn: defaults

# test, Sudoers, example.com
dn: cn=test,ou=Sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoUser: ALL
cn: test
sudoRunAsUser: ALL
sudoNotBefore: 2020030509Z

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3

~]# systemctl stop sssd ; rm -rf /var/lib/sss/db/* ; rm -rf /var/log/sssd/* ; systemctl start sssd

[root@kvm-02-guest13 ~]# sudo -l -U user1
User user1 may run the following commands on kvm-02-guest13:
    (ALL) NOTBEFORE=20200305090000Z ALL
[root@kvm-02-guest13 ~]# ssh user1@localhost
user1@localhost's password: 
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
         This System is part of the Red Hat Test System.              
                                                                      
      Please do not use this system for individual unit testing.      
                                                                      
      RHTS Test information:                                          
                         HOSTNAME=kvm-02-guest13.hv2.lab.eng.bos.redhat.com                           
                            JOBID=4112847                              
                         RECIPEID=7982488                           
                       LAB_SERVER=                         
                    RESULT_SERVER=LEGACY                      
                           DISTRO=RHEL-8.2.0-20200227.0                             
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
Last login: Thu Mar  5 09:15:19 2020 from ::1
Could not chdir to home directory /home/user1: No such file or directory
[user1@kvm-02-guest13 /]$ sudo -l
Matching Defaults entries for user1 on kvm-02-guest13:
    !authenticate

User user1 may run the following commands on kvm-02-guest13:
    (ALL) NOTBEFORE=20200305090000Z ALL
[user1@kvm-02-guest13 /]$ sudo -l
Matching Defaults entries for user1 on kvm-02-guest13:
    !authenticate

User user1 may run the following commands on kvm-02-guest13:
    (ALL) NOTBEFORE=20200305090000Z ALL
[user1@kvm-02-guest13 /]$ sudo less /var/log/secure 
[user1@kvm-02-guest13 /]$ touch /etc/sssd/sssd.conf
touch: cannot touch '/etc/sssd/sssd.conf': Permission denied
[user1@kvm-02-guest13 /]$ sudo touch /etc/sssd/sssd.conf
[user1@kvm-02-guest13 /]$ sudo True
sudo: True: command not found
[user1@kvm-02-guest13 /]$ sudo true
[user1@kvm-02-guest13 /]$ logout
Connection to localhost closed.
[root@kvm-02-guest13 [root@kvm-02-guest13 
~]# date +%Y%m%d%H%M%S
20200305095639


Marking verified.

Comment 11 errata-xmlrpc 2020-04-28 16:56:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1863

