Red Hat Bugzilla – Bug 853540
sudo with sss backend should use ipa_hostname
Last modified: 2012-09-06 05:11:21 EDT
Description of problem:
The "ipa_hostname" option in sssd.conf can be used to override the
machine's hostname, which is useful when 3rd-party applications like
SAP require a short hostname instead of the FQDN.
When sudo is used with the sss backend, it checks the sudo rules from
the IPA server against the machine's hostname, not against the value
of the ipa_hostname parameter.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Add "sudoers: files sss" in /etc/nsswitch.conf
2. Add the following lines in /etc/sssd/sssd.conf:
ipa_hostname = client01.example.com
sudo_provider = ldap
ldap_uri = ldap://idm01.example.com
ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client01.example.com
ldap_sasl_realm = EXAMPLE.COM
krb5_server = idm01.example.com
services = nss, pam, ssh, sudo
su - testuser
If the sudo rule in IPA is restricted to client01.example.com,
"sudo -l" works as long as the hostname is left at its original value.
After running "hostname client01" and clearing the sssd cache,
"sudo -l" doesn't show the sudo rules anymore.
sudo should honor the ipa_hostname value when the sss backend is used.
The IPA host name will be used only in conjunction with the upcoming native support of the IPA back end. The ipa_hostname option is only meaningful when the id_provider (and by extension sudo_provider) are set to ipa, which is not supported at the moment.
In general, the sudo support has changed substantially in the 1.9 release. SSSD 1.9 is going to support a new option ldap_sudo_hostnames that will bring exactly the functionality you are asking for.
The SSSD 1.9 will come first to the Fedora 18 and then will be backported to Fedora 17 after it bakes a little. If you are interested, you can check out the nightly builds of the SSSD from our devel repo:
Proceed with caution, though, it's really just nightly builds. I would discourage running them in anything that resembles a production environment.
In conclusion, I don't think this is a bug, but essentially a RFE that is going to be fixed in 1.9. I'm going to mark this bug as fixed in rawhide unless there's something I missed.
As discussed in comment #2 this is essentially a RFE that has been implemented in the 1.9 pre-releases in Fedora. Closing.