Description of problem:
sudo access denial response is sometimes incorrect when a rule's sudoHost attribute mismatches. This happens after the relevant rule was changed from matching sudoHost to mismatching sudoHost a few times with a smart refresh in between match and nonmatch changes. After several more iterations the response seems to stabilize on being incorrect and responses are given noticeably faster.

Version-Release number of selected component (if applicable):
sssd-1.9.2-30.el6.x86_64
libsss_sudo-1.9.2-30.el6.x86_64
sudo-1.8.6p3-6.el6.x86_64
sssd-client-1.9.2-30.el6.x86_64
libsss_idmap-1.9.2-30.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Use the attached "sudo_host_refresh_test.ldif" file to fill the LDAP directory.
2. Use the attached "sssd.conf" file as the base for the SSSD configuration.
3. Execute the attached "sudo_host_refresh_test" script with the "sssd" argument.

Actual results:
---:<---
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354561769 1/1: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354561771 1/2: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354561772 1/3: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354561774 1/4: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354561775 1/5: 1
user1 is not in the sudoers file. This incident will be reported.
1354561782 2/1: 1
sudo: no tty present and no askpass program specified
1354561783 2/2: 1
sudo: no tty present and no askpass program specified
1354561785 2/3: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354561785 2/4: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354561786 2/5: 1
user1 is not in the sudoers file. This incident will be reported.
1354561793 3/1: 1
sudo: no tty present and no askpass program specified
1354561795 3/2: 1
sudo: no tty present and no askpass program specified
1354561796 3/3: 1
sudo: no tty present and no askpass program specified
1354561796 3/4: 1
sudo: no tty present and no askpass program specified
1354561797 3/5: 1
user1 is not in the sudoers file. This incident will be reported.
1354561804 4/1: 0
sudo: no tty present and no askpass program specified
1354561805 4/2: 1
sudo: no tty present and no askpass program specified
1354561805 4/3: 1
sudo: no tty present and no askpass program specified
1354561805 4/4: 1
sudo: no tty present and no askpass program specified
1354561805 4/5: 1
sudo: no tty present and no askpass program specified
1354561811 5/1: 1
sudo: no tty present and no askpass program specified
1354561811 5/2: 1
sudo: no tty present and no askpass program specified
1354561811 5/3: 1
sudo: no tty present and no askpass program specified
1354561811 5/4: 1
sudo: no tty present and no askpass program specified
1354561812 5/5: 1
--->:---

The lines after the sudo responses contain the timestamp in seconds, the match/non-match change iteration number, the sudo execution attempt number and the sudo exit status.

The "user1 is not allowed to run sudo on client-rhel6. This incident will be reported." response is correct.

The "user1 is not in the sudoers file. This incident will be reported." response is unusual and is likely incorrect, but the text itself is more-or-less suitable.

The "sudo: no tty present and no askpass program specified" response is definitely incorrect, as it goes against the "defaults" entry.

Please note the definitely incorrect exit status of 0 in the 4/1 entry. Also note how much faster the responses are given after that entry. This could signify some internal state corruption.

Expected results:
---:<---
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354562694 1/1: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354562695 1/2: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354562695 1/3: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354562695 1/4: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354562695 1/5: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354562695 2/1: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354562695 2/2: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354562696 2/3: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354562696 2/4: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354562696 2/5: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354562696 3/1: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354562696 3/2: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354562696 3/3: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354562696 3/4: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354562696 3/5: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354562696 4/1: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354562696 4/2: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354562696 4/3: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354562696 4/4: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354562696 4/5: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354562696 5/1: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354562696 5/2: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354562696 5/3: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354562696 5/4: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354562696 5/5: 1
--->:---

The output above is produced with "sudoers" set to "ldap" in /etc/nsswitch.conf and the attached "sudo_host_refresh_test" script invoked with the "ldap" argument.
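The report leaves the reader to eyeball the output for the three anomalies it describes (the "not in the sudoers file" text, the "no tty present" text and the exit status of 0, plus the faster responses after 4/1). The following is an added example, not part of the bug report or of the attached test script: it parses the "message, then `<timestamp> <iteration>/<attempt>: <exit status>`" record format the reporter describes, applies the reporter's own verdicts on the response texts, and computes the mean gap between attempts within each iteration so the speed-up is visible as a number. The `SAMPLE` is an excerpt of the report's "Actual results" reflowed to one record per two lines; the verdict table and the helper names are this example's own.

```python
# Added example (not from the bug report): parse the sudo_host_refresh_test
# output quoted above and flag the anomalies the reporter describes.
import re
from dataclasses import dataclass

# Trailer line described in the report: "<timestamp> <iteration>/<attempt>: <exit status>"
TRAILER_RE = re.compile(r"^(\d+)\s+(\d+)/(\d+):\s+(\d+)$")

# Response texts seen in the report and the reporter's verdict on each.
VERDICTS = (
    ("is not allowed to run sudo on", "correct"),
    ("is not allowed to execute", "correct"),  # the "polite" form from the later run
    ("is not in the sudoers file", "suspect"),
    ("no tty present and no askpass program specified", "incorrect"),
)

# Excerpt from the report's "Actual results", reflowed to one record per two lines.
SAMPLE = """\
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354561769 1/1: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1354561771 1/2: 1
user1 is not in the sudoers file. This incident will be reported.
1354561782 2/1: 1
sudo: no tty present and no askpass program specified
1354561783 2/2: 1
user1 is not in the sudoers file. This incident will be reported.
1354561804 4/1: 0
sudo: no tty present and no askpass program specified
1354561805 4/2: 1
sudo: no tty present and no askpass program specified
1354561805 4/3: 1
"""


@dataclass
class Record:
    message: str
    timestamp: int
    iteration: int
    attempt: int
    status: int


def parse_records(text):
    """Pair each sudo message with the trailer line that follows it."""
    records, pending = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = TRAILER_RE.match(line)
        if m:
            ts, it, at, st = (int(g) for g in m.groups())
            records.append(Record(" ".join(pending), ts, it, at, st))
            pending = []
        else:
            pending.append(line)  # a message may span several lines
    return records


def verdict(message):
    """Map a sudo response text to the reporter's verdict."""
    for needle, v in VERDICTS:
        if needle in message:
            return v
    return "unknown"


def mean_gap_by_iteration(records):
    """Mean seconds between consecutive attempts of one iteration.
    Cross-iteration gaps are skipped: they include the rule change and the refresh wait."""
    stamps = {}
    for r in records:
        stamps.setdefault(r.iteration, []).append(r.timestamp)
    return {it: sum(b - a for a, b in zip(ts, ts[1:])) / (len(ts) - 1)
            for it, ts in stamps.items() if len(ts) >= 2}


def analyze(text):
    """Summarize a run: verdict counts, zero exit statuses, per-iteration timing."""
    records = parse_records(text)
    counts = {"correct": 0, "suspect": 0, "incorrect": 0, "unknown": 0}
    problems, zero_exit = [], []
    for r in records:
        v = verdict(r.message)
        counts[v] += 1
        tag = f"{r.iteration}/{r.attempt}"
        if v != "correct":
            problems.append(f"{tag}: {v} response: {r.message}")
        if r.status == 0:  # every attempt in this test must be denied
            zero_exit.append(tag)
            problems.append(f"{tag}: exit status 0 where a non-zero denial is expected")
    return {"records": len(records), "counts": counts, "problems": problems,
            "zero_exit": zero_exit, "mean_gap": mean_gap_by_iteration(records)}


if __name__ == "__main__":
    for line in analyze(SAMPLE)["problems"]:
        print(line)
```

Run against the full "Actual results" block, the per-iteration mean gap drops from about 1.5 s in iteration 1 to 0.25 s in iterations 4 and 5, which is the speed-up the reporter points at; run against the "Expected results" block, every record is "correct", no exit status is 0 and `problems` is empty.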
Created attachment 656918 [details] sudo_host_refresh_test.ldif
Created attachment 656928 [details] sssd.conf
Created attachment 656940 [details] sudo_host_refresh_test
Created attachment 656941 [details] sssd.log
Created attachment 656942 [details] sssd_LDAP.log
Created attachment 656943 [details] sssd_sudo.log
Pavel, have you had a chance to take a look?
Upstream ticket: https://fedorahosted.org/sssd/ticket/1693
Re-ran the original test with these packages:
sssd-client-1.9.2-37.el6.x86_64
sssd-1.9.2-37.el6.x86_64
sudo-1.8.6p3-6.el6.x86_64
libsss_idmap-1.9.2-37.el6.x86_64
libsss_sudo-1.9.2-37.el6.x86_64

The sssd and sudo debug logs for the run are to be attached. The output pattern has changed a bit:
---:<---
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1355136689 1/1: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1355136691 1/2: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1355136692 1/3: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1355136694 1/4: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1355136695 1/5: 1
user1 is not in the sudoers file. This incident will be reported.
1355136702 2/1: 1
sudo: no tty present and no askpass program specified
1355136703 2/2: 1
sudo: no tty present and no askpass program specified
1355136704 2/3: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1355136705 2/4: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1355136706 2/5: 1
user1 is not in the sudoers file. This incident will be reported.
1355136713 3/1: 1
sudo: no tty present and no askpass program specified
1355136715 3/2: 1
sudo: no tty present and no askpass program specified
1355136716 3/3: 1
sudo: no tty present and no askpass program specified
1355136717 3/4: 1
sudo: no tty present and no askpass program specified
1355136717 3/5: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1355136724 4/1: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1355136726 4/2: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1355136727 4/3: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1355136728 4/4: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1355136729 4/5: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1355136736 5/1: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1355136737 5/2: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1355136738 5/3: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1355136739 5/4: 1
user1 is not allowed to run sudo on client-rhel6. This incident will be reported.
1355136740 5/5: 1
--->:---
Created attachment 660711 [details] host_refresh_logs2.tar.gz
Created attachment 660719 [details] sudo_host_refresh_default_test

Retried without setting entry_cache_timeout and the smart and full refresh intervals, with the attached modified test. This results in always the same, polite answer and a stable response time:
---:<---
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137758 1/1: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137759 1/2: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137759 1/3: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137759 1/4: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137759 1/5: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137765 2/1: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137765 2/2: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137765 2/3: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137765 2/4: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137765 2/5: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137771 3/1: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137771 3/2: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137772 3/3: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137772 3/4: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137772 3/5: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137778 4/1: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137778 4/2: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137778 4/3: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137778 4/4: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137778 4/5: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137784 5/1: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137784 5/2: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137784 5/3: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137784 5/4: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137784 5/5: 1
--->:---
The logs are to be attached.
Created attachment 660722 [details] host_refresh_logs_default.tar.gz
Where should I look for core files? I have abrtd running.
Restoring original component. Don't know the reason it changed, but I've seen this happen to another bug of mine. Could be a bug in Bugzilla.
abrt-cli list doesn't show any core files.
Created attachment 660745 [details] nsswitch.conf
Created attachment 660746 [details] sudoers
I've noticed a similar effect just adding/removing a rule with similar timing.
Please note that although the issue reproduced only with a minimal refresh interval, there is no proof that it won't reproduce with other intervals, including the default one. As evidenced by the behavior described in the bug description, some internal state corruption could be happening. As the cause is unknown and the effect is not fully studied, I would say that it is not entirely safe to release the package as is.
I was able to reproduce this issue on RHEL6.4 machine.
Please note that this bug interferes with automatic testing considerably, as it uses a low smart refresh interval while testing smart refresh and attribute value handling to speed it up. The sudo suite currently has about 20% of its tests waived because of this bug. I would prefer this bug fixed sooner.
Fixed upstream in 1.10.0
Verified as fixed with the following packages:
sssd-common-1.11.0-1.el7.x86_64
sssd-ad-1.11.0-1.el7.x86_64
sssd-ipa-1.11.0-1.el7.x86_64
libsss_idmap-1.11.0-1.el7.x86_64
sssd-client-1.11.0-1.el7.x86_64
sssd-krb5-common-1.11.0-1.el7.x86_64
sssd-ldap-1.11.0-1.el7.x86_64
sssd-proxy-1.11.0-1.el7.x86_64
python-sssdconfig-1.11.0-1.el7.noarch
sssd-krb5-1.11.0-1.el7.x86_64
sssd-1.11.0-1.el7.x86_64

Relevant sudo suite output:
:: [ PASS ] :: stress_refresh_attr_host (Expected 0, got 0)
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.