Bug 853540 – sudo with sss backend should use ipa_hostname

Bug 853540 - sudo with sss backend should use ipa_hostname

Summary:	sudo with sss backend should use ipa_hostname

Status:	CLOSED RAWHIDE

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	sssd (Show other bugs)
Sub Component:
Version:	17
Hardware:	x86_64 Linux

Priority	unspecified Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Jakub Hrozek
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2012-08-31 15:49 EDT by Carsten Clasohm
Modified:	2012-09-06 05:11 EDT (History)
CC List:	8 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2012-09-06 05:11:21 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Carsten Clasohm 2012-08-31 15:49:52 EDT

Description of problem:

The "ipa_hostname" option in sssd.conf can be used to override the
machine's hostname, which is useful when 3rd-party applications like
SAP require a short hostname instead of the FQDN.

When sudo is used with the sss backend, it checks the sudo rules from
the IPA server against the machine's hostname, not against the value
of the ipa_hostname parameter.


Version-Release number of selected component (if applicable):

sssd-1.8.4-14.fc17.x86_64
sudo-1.8.3p1-7.fc17.x86_64


How reproducible:

always


Steps to Reproduce:

1. Add "sudoers: files sss" in /etc/nsswitch.conf

2. Add the following lines in /etc/sssd/sssd.conf:

   [domain/example.com]
   ...
   ipa_hostname = client01.example.com
   sudo_provider = ldap
   ldap_uri = ldap://idm01.example.com
   ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com
   ldap_sasl_mech = GSSAPI
   ldap_sasl_authid = host/client01.example.com
   ldap_sasl_realm = EXAMPLE.COM
   krb5_server = idm01.example.com

   [sssd]
   services = nss, pam, ssh, sudo
   ...

   [sudo]

3. Run

   su - testuser
   sudo -l

  
Actual results:

If the sudo rule in IPA is restricted to client01.example.com, 
"sudo -l" works as long as the hostname is left at its original value.

After running "hostname client01" and clearing the sssd cache, 
"sudo -l" doesn't show the sudo rules anymore.


Expected results:

sudo should honor the ipa_hostname value when the sss backend is used.

Comment 1 Dmitri Pal 2012-09-04 10:58:47 EDT

Upstream ticket:
https://fedorahosted.org/sssd/ticket/1505

Comment 2 Jakub Hrozek 2012-09-04 14:34:04 EDT

The IPA host name will be used only in conjunction with the upcoming native support of the IPA back end. The ipa_hostname option is only meaningful when the id_provider (and by extension sudo_provider) are set to ipa, which is not supported at the moment.

In general, the sudo support has changed substantially in the 1.9 release. SSSD 1.9 is going to support a new option ldap_sudo_hostnames that will bring exactly the functionality you are asking for.

The SSSD 1.9 will come first to the Fedora 18 and then will be backported to Fedora 17 after it bakes a little. If you are interested, you can check out the nightly builds of the SSSD from our devel repo:
http://jdennis.fedorapeople.org/ipa-devel/

Proceed with caution, though, it's really just nightly builds. I would discourage running them in anything that resembles a production environment.

In conclusion, I don't think this is a bug, but essentially a RFE that is going to be fixed in 1.9. I'm going to mark this bug as fixed in rawhide unless there's something I missed.

Comment 3 Jakub Hrozek 2012-09-06 05:11:21 EDT

As discussed in comment #2 this is essentially a RFE that has been implemented in the 1.9 pre-releases in Fedora. Closing.

Note You need to log in before you can comment on or make changes to this bug.