Bug 853540 - sudo with sss backend should use ipa_hostname
Summary: sudo with sss backend should use ipa_hostname
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: sssd
Version: 17
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Jakub Hrozek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-08-31 19:49 UTC by Carsten Clasohm
Modified: 2020-05-02 16:58 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-09-06 09:11:21 UTC
Type: Bug

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Priority Status Summary Last Updated
Github SSSD sssd issues 2547 None None None 2020-05-02 16:58:33 UTC

Description Carsten Clasohm 2012-08-31 19:49:52 UTC 
Description of problem:

The "ipa_hostname" option in sssd.conf can be used to override the
machine's hostname, which is useful when 3rd-party applications like
SAP require a short hostname instead of the FQDN.

When sudo is used with the sss backend, it checks the sudo rules from
the IPA server against the machine's hostname, not against the value
of the ipa_hostname parameter.


Version-Release number of selected component (if applicable):

sssd-1.8.4-14.fc17.x86_64
sudo-1.8.3p1-7.fc17.x86_64


How reproducible:

always


Steps to Reproduce:

1. Add "sudoers: files sss" in /etc/nsswitch.conf

2. Add the following lines in /etc/sssd/sssd.conf:

   [domain/example.com]
   ...
   ipa_hostname = client01.example.com
   sudo_provider = ldap
   ldap_uri = ldap://idm01.example.com
   ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com
   ldap_sasl_mech = GSSAPI
   ldap_sasl_authid = host/client01.example.com
   ldap_sasl_realm = EXAMPLE.COM
   krb5_server = idm01.example.com

   [sssd]
   services = nss, pam, ssh, sudo
   ...

   [sudo]

3. Run

   su - testuser
   sudo -l

  
Actual results:

If the sudo rule in IPA is restricted to client01.example.com, 
"sudo -l" works as long as the hostname is left at its original value.

After running "hostname client01" and clearing the sssd cache, 
"sudo -l" doesn't show the sudo rules anymore.


Expected results:

sudo should honor the ipa_hostname value when the sss backend is used.
Comment 1 Dmitri Pal 2012-09-04 14:58:47 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1505
Comment 2 Jakub Hrozek 2012-09-04 18:34:04 UTC 
The IPA host name will be used only in conjunction with the upcoming native support of the IPA back end. The ipa_hostname option is only meaningful when the id_provider (and by extension sudo_provider) are set to ipa, which is not supported at the moment.

In general, the sudo support has changed substantially in the 1.9 release. SSSD 1.9 is going to support a new option ldap_sudo_hostnames that will bring exactly the functionality you are asking for.

The SSSD 1.9 will come first to the Fedora 18 and then will be backported to Fedora 17 after it bakes a little. If you are interested, you can check out the nightly builds of the SSSD from our devel repo:
http://jdennis.fedorapeople.org/ipa-devel/

Proceed with caution, though, it's really just nightly builds. I would discourage running them in anything that resembles a production environment.

In conclusion, I don't think this is a bug, but essentially a RFE that is going to be fixed in 1.9. I'm going to mark this bug as fixed in rawhide unless there's something I missed.
Comment 3 Jakub Hrozek 2012-09-06 09:11:21 UTC 
As discussed in comment #2 this is essentially a RFE that has been implemented in the 1.9 pre-releases in Fedora. Closing.
Note You need to log in before you can comment on or make changes to this bug.