853540 – sudo with sss backend should use ipa_hostname

Bug 853540 - sudo with sss backend should use ipa_hostname

Summary: sudo with sss backend should use ipa_hostname

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	sssd
Sub Component:
Version:	17
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Jakub Hrozek
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-08-31 19:49 UTC by Carsten Clasohm
Modified:	2020-05-02 16:58 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2012-09-06 09:11:21 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 2547	0	None	None	None	2020-05-02 16:58:33 UTC

Description Carsten Clasohm 2012-08-31 19:49:52 UTC

Description of problem:

The "ipa_hostname" option in sssd.conf can be used to override the
machine's hostname, which is useful when 3rd-party applications like
SAP require a short hostname instead of the FQDN.

When sudo is used with the sss backend, it checks the sudo rules from
the IPA server against the machine's hostname, not against the value
of the ipa_hostname parameter.


Version-Release number of selected component (if applicable):

sssd-1.8.4-14.fc17.x86_64
sudo-1.8.3p1-7.fc17.x86_64


How reproducible:

always


Steps to Reproduce:

1. Add "sudoers: files sss" in /etc/nsswitch.conf

2. Add the following lines in /etc/sssd/sssd.conf:

   [domain/example.com]
   ...
   ipa_hostname = client01.example.com
   sudo_provider = ldap
   ldap_uri = ldap://idm01.example.com
   ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com
   ldap_sasl_mech = GSSAPI
   ldap_sasl_authid = host/client01.example.com
   ldap_sasl_realm = EXAMPLE.COM
   krb5_server = idm01.example.com

   [sssd]
   services = nss, pam, ssh, sudo
   ...

   [sudo]

3. Run

   su - testuser
   sudo -l

  
Actual results:

If the sudo rule in IPA is restricted to client01.example.com, 
"sudo -l" works as long as the hostname is left at its original value.

After running "hostname client01" and clearing the sssd cache, 
"sudo -l" doesn't show the sudo rules anymore.


Expected results:

sudo should honor the ipa_hostname value when the sss backend is used.

Comment 1 Dmitri Pal 2012-09-04 14:58:47 UTC

Upstream ticket:
https://fedorahosted.org/sssd/ticket/1505

Comment 2 Jakub Hrozek 2012-09-04 18:34:04 UTC

The IPA host name will be used only in conjunction with the upcoming native support of the IPA back end. The ipa_hostname option is only meaningful when the id_provider (and by extension sudo_provider) are set to ipa, which is not supported at the moment.

In general, the sudo support has changed substantially in the 1.9 release. SSSD 1.9 is going to support a new option ldap_sudo_hostnames that will bring exactly the functionality you are asking for.

The SSSD 1.9 will come first to the Fedora 18 and then will be backported to Fedora 17 after it bakes a little. If you are interested, you can check out the nightly builds of the SSSD from our devel repo:
http://jdennis.fedorapeople.org/ipa-devel/

Proceed with caution, though, it's really just nightly builds. I would discourage running them in anything that resembles a production environment.

In conclusion, I don't think this is a bug, but essentially a RFE that is going to be fixed in 1.9. I'm going to mark this bug as fixed in rawhide unless there's something I missed.

Comment 3 Jakub Hrozek 2012-09-06 09:11:21 UTC

As discussed in comment #2 this is essentially a RFE that has been implemented in the 1.9 pre-releases in Fedora. Closing.

Note You need to log in before you can comment on or make changes to this bug.