Bug 923753

Summary: IPA sudorule with hostgroup as host-member does not work.
Product: Red Hat Enterprise Linux 6
Reporter: Kaleem <ksiddiqu>
Component: sudo
Assignee: Daniel Kopeček <dkopecek>
Status: CLOSED NOTABUG
QA Contact: David Spurek <dspurek>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.4
CC: dapospis, dkopecek, dpal, dspurek, ebenes, jgalipea, jhrozek, ksiddiqu, mkosek, nikolai.kondrashov, nsoman, pbrezina, pvrabec, rcritten
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-09-17 10:25:21 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 947775

Attachments:
Description                Flags
sssd.conf                  none
sssd domain log            none
sssd sudo log              none
LDAP data export           none
SSSD configuration file    none

Description Kaleem 2013-03-20 11:51:16 UTC
Created attachment 713194 [details]
sssd.conf

Description of problem:
IPA sudorule with hostgroup as host-member does not work. This is observed when IPA is configured to use sssd to fetch the ipa sudorule.

Version-Release number of selected component (if applicable):
[root@rhel64master ~]# rpm -q sssd ipa-server sudo
sssd-1.9.2-82.el6.x86_64
ipa-server-3.0.0-28.el6.x86_64
sudo-1.8.6p3-7.el6.x86_64
[root@rhel64master ~]#

How reproducible:
Always

Steps to Reproduce:
1. Add a sudorule with a hostgroup

[root@rhel64master ~]# ipa hostgroup-show hostgrp1
  Host-group: hostgrp1
  Description: test_hostgrp
  Member hosts: rhel64master.testrelm.com
  Member of Sudo rule: sudorule1
[root@rhel64master ~]# ipa sudorule-show sudorule1
  Rule name: sudorule1
  Enabled: TRUE
  Users: tuser2
  Host Groups: hostgrp1
  Sudo Allow Commands: /bin/date
[root@rhel64master ~]# 

2. Log on to the machine with a user and run "sudo -l"
  
Actual results:
The following output is shown, and the command "/bin/date" that the user can run via sudo is not shown.

[root@rhel64master ~]# ssh -l tuser2 rhel64master.testrelm.com
tuser2.com's password: 
Your password will expire in 89 day(s).
Last login: Wed Mar 20 14:36:03 2013 from rhel64master.testrelm.com
-sh-4.1$ sudo -l
[sudo] password for tuser2: 
Your password will expire in 89 day(s).
User tuser2 is not allowed to run sudo on rhel64master.
-sh-4.1$ logout
Connection to rhel64master.testrelm.com closed.
[root@rhel64master ~]#

Expected results:
The following output should be shown.

-sh-4.1$ sudo -l
[sudo] password for tuser2: 
Your password will expire in 89 day(s).
Matching Defaults entries for tuser2 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
    USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User tuser2 may run the following commands on this host:
    (root) /bin/date
-sh-4.1$

Additional info:
The following configuration and log files have been attached for reference.
(1) sssd.conf
(2) sssd_testrelm.log
(3) sssd_sudo.log

Comment 1 Kaleem 2013-03-20 11:56:03 UTC
Created attachment 713200 [details]
sssd domain log

Comment 2 Kaleem 2013-03-20 11:56:41 UTC
Created attachment 713202 [details]
sssd sudo log

Comment 6 Rob Crittenden 2013-07-03 12:58:30 UTC
Is the netgroup visible on the client machine? I assume that nisdomainname is set?

Comment 7 Kaleem 2013-07-04 08:00:07 UTC
I am doing it on Master machine itself. I have not set nisdomainname on this machine.

Comment 8 Rob Crittenden 2013-07-05 13:20:39 UTC
hostgroups are mapped to netgroups for the purposes of sudo. Try setting nisdomainname to your domain name.

You can also try fetching the netgroup to be sure that is working:

$ getent netgroup test_hostgrp

Comment 9 David Spurek 2013-07-09 09:31:27 UTC
I can reproduce the problem too.

ipa hostgroup-show hostgrp1
  Host-group: hostgrp1
  Description: test hostgroup 1
  Member hosts: ipa1.testdomain.com
  Member of Sudo rule: sudorule1

ipa sudorule-show sudorule1
  Rule name: sudorule1
  Enabled: TRUE
  Users: tuser2
  Host Groups: hostgrp1
  Sudo Allow Commands: /bin/date

getent netgroup hostgrp1
hostgrp1              (ipa1.testdomain.com, -, testdomain.com)


su - tuser2
-sh-4.1$ whoami
tuser2
-sh-4.1$ sudo -l
[sudo] password for tuser2: 
Your password will expire in 89 day(s).
User tuser2 is not allowed to run sudo on ipa1.

Comment 10 Rob Crittenden 2013-07-09 12:24:21 UTC
What is the output of nisdomainname?

Comment 11 David Spurek 2013-07-09 12:31:33 UTC
[test]nisdomainname 
(none)

Comment 12 David Spurek 2013-07-09 12:35:43 UTC
If I set nisdomainname to my domain name as you advised in comment #8, the result is the same.

[test]nisdomainname testdomain.com
[test]nisdomainname
testdomain.com

[test]su - tuser2
su: warning: cannot change directory to /home/tuser2: No such file or directory
-sh-4.1$ sudo -l
[sudo] password for tuser2: 
Your password will expire in 89 day(s).
User tuser2 is not allowed to run sudo on ipa1.

Comment 13 Rob Crittenden 2013-07-09 18:56:30 UTC
Can I see nsswitch and sssd.conf?

Comment 14 David Spurek 2013-07-10 08:29:00 UTC
Yes you can.

[test]cat /etc/nsswitch.conf 
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#	nisplus			Use NIS+ (NIS version 3)
#	nis			Use NIS (NIS version 2), also called YP
#	dns			Use DNS (Domain Name Service)
#	files			Use the local files
#	db			Use the local database (.db) files
#	compat			Use NIS on compat mode
#	hesiod			Use Hesiod for user lookups
#	[NOTFOUND=return]	Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files sss
shadow:     files sss
group:      files sss

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files     

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files
aliases:    files nisplus

sudoers: files sss


[test]cat /etc/sssd/sssd.conf
[domain/testdomain.com]

cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = TESTREALM
ipa_domain = testdomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.testdomain.com
chpass_provider = ipa
ipa_server = ipa1.testdomain.com
ldap_tls_cacert = /etc/ipa/ca.crt
[domain/testdomain]

cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = TESTREALM
ipa_domain = testdomain
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.testdomain.com
chpass_provider = ipa
ipa_server = ipa1.testdomain.com
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2

domains = testdomain, testdomain.com
[nss]

[pam]

[sudo]

[autofs]

[ssh]

Comment 16 Daniel Kopeček 2013-08-14 08:13:09 UTC
Looks like it is working fine with the latest package even though I didn't add a patch to address this specifically. Please review my (working) configuration; I might have configured the system in a slightly different way and that's why it is working for me...

[dkopecek@ipa1 ~]$ rpmquery sudo
sudo-1.8.6p3-8.fc18.x86_64

[dkopecek@ipa1 ~]$ getent netgroup hostgrp1
hostgrp1              (ipa1.testdomain.com,,testdomain.com)

[dkopecek@ipa1 ~]$ nisdomainname 
testdomain.com

[dkopecek@ipa1 ~]$ hostname
ipa1.testdomain.com

[dkopecek@ipa1 ~]$ cat sudorule-hostgrp.ldif 
dn: cn=test,ou=Sudoers,dc=example,dc=com
cn: test
objectClass: top
objectClass: sudoRole
sudoCommand: ALL
sudoHost: +hostgrp1
sudoRunAsUser: ALL
sudoUser: +netgroup_user2

[dkopecek@ipa1 ~]$ cat /etc/nsswitch.conf | grep sss
passwd:     files sss
shadow:     files sss
group:      files sss
services:   files sss
netgroup:   files sss
sudoers: sss

-bash-4.2$ id
uid=10001(user1) gid=20001(group_user1) groups=20001(group_user1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-bash-4.2$ getent netgroup netgroup_user1
netgroup_user1        ( ,user1,)
-bash-4.2$ sudo -l
User user1 is not allowed to run sudo on ipa1.

-bash-4.2$ id
uid=10002(user2) gid=20002(group_user2) groups=20002(group_user2) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-bash-4.2$ getent netgroup netgroup_user2
netgroup_user2        ( ,user2,)
-bash-4.2$ sudo -l
Matching Defaults entries for user2 on this host:
    !authenticate, !requiretty

User user2 may run the following commands on this host:
    (ALL) ALL

Comment 17 Daniel Kopeček 2013-08-14 08:15:01 UTC
sudo debug log:

...
Aug 13 20:53:22 sudo[31375]   username=user2
Aug 13 20:53:22 sudo[31375] domainname=(null)
Aug 13 20:53:22 sudo[31375] state |= USERMATCH
Aug 13 20:53:22 sudo[31375] Received 1 rule(s)
Aug 13 20:53:22 sudo[31375] -> sudo_sss_filter_result @ ./sssd.c:180
Aug 13 20:53:22 sudo[31375] in_res=0x7fee3d6a5e60, count=1, act=INCLUDE
Aug 13 20:53:22 sudo[31375] emalloc: cnt=1
Aug 13 20:53:22 sudo[31375] -> sudo_sss_result_filterp @ ./sssd.c:646
Aug 13 20:53:22 sudo[31375] -> sudo_sss_check_host @ ./sssd.c:558
Aug 13 20:53:22 sudo[31375] val[0]=+hostgrp1
Aug 13 20:53:22 sudo[31375] -> addr_matches @ ./match_addr.c:190
Aug 13 20:53:22 sudo[31375] -> addr_matches_if @ ./match_addr.c:62
Aug 13 20:53:22 sudo[31375] <- addr_matches_if @ ./match_addr.c:100 := false
Aug 13 20:53:22 sudo[31375] <- addr_matches @ ./match_addr.c:200 := false
Aug 13 20:53:22 sudo[31375] -> netgr_matches @ ./match.c:720
Aug 13 20:53:22 sudo[31375] (ipa1, *, testdomain.com) found in netgroup hostgrp1
Aug 13 20:53:22 sudo[31375] <- netgr_matches @ ./match.c:772 := true
Aug 13 20:53:22 sudo[31375] sssd/ldap sudoHost '+hostgrp1' ... MATCH!
Aug 13 20:53:22 sudo[31375] <- sudo_sss_check_host @ ./sssd.c:593 := true
Aug 13 20:53:22 sudo[31375] -> sudo_sss_filter_user_netgroup @ ./sssd.c:609
Aug 13 20:53:22 sudo[31375] val[0]=+netgroup_user2
Aug 13 20:53:22 sudo[31375] -> netgr_matches @ ./match.c:720
Aug 13 20:53:22 sudo[31375] (*, user2, testdomain.com) found in netgroup netgroup_user2
Aug 13 20:53:22 sudo[31375] <- netgr_matches @ ./match.c:772 := true
Aug 13 20:53:22 sudo[31375] sssd/ldap sudoUser '+netgroup_user2' ... MATCH! (user2)
Aug 13 20:53:22 sudo[31375] <- sudo_sss_filter_user_netgroup @ ./sssd.c:638 := true
Aug 13 20:53:22 sudo[31375] <- sudo_sss_result_filterp @ ./sssd.c:650 := 1
Aug 13 20:53:22 sudo[31375] COPY (included): 0x7fee3d6a5e80[0] => 0x7fee3d6b4a30[0] (= 0x7fee3d6a5e80)
Aug 13 20:53:22 sudo[31375] -> sudo_sss_rulecpy @ ./sssd.c:152
Aug 13 20:53:22 sudo[31375] dst=0x7fee3d6b4a30, src=0x7fee3d6a5e80
Aug 13 20:53:22 sudo[31375] emalloc: cnt=6
Aug 13 20:53:22 sudo[31375] -> sudo_sss_attrcpy @ ./sssd.c:133
Aug 13 20:53:22 sudo[31375] dst=0x7fee3d6b4de0, src=0x7fee3d6b4ad0
Aug 13 20:53:22 sudo[31375] emalloc: cnt=1
...
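
Comment 8 says sudo resolves an IPA hostgroup through its netgroup, and the debug log above shows the resulting netgroup triple match. As an added example that is not part of this bug report, the Python below models that check over getent-style lines constructed from the output quoted in this bug; the wildcard and case-folding semantics and the full-then-short host name order are my assumptions about glibc innetgr() and sudo's matcher, not taken from their sources.

```python
import re

# Constructed sample input, modelled on the `getent netgroup` lines quoted in
# this bug (not captured from a live system). Note the two renderings of an
# empty user field: "-" in the RHEL 6 output and nothing in the Fedora output.
GETENT_LINES = [
    "hostgrp1              (ipa1.testdomain.com, -, testdomain.com)",
    "netgroup_user2        ( ,user2,)",
]

TRIPLE_RE = re.compile(r"\(([^)]*)\)")


def parse_getent_netgroup(lines):
    """Map netgroup name -> list of (host, user, domain) triples.

    An empty field becomes None. Assumption: that is how the C library
    treats an absent field, i.e. it matches anything; "-" is kept as the
    literal string it is, so it only matches when the query side is None."""
    groups = {}
    for line in lines:
        name = line.split(None, 1)[0]
        triples = []
        for m in TRIPLE_RE.finditer(line):
            fields = [f.strip() for f in m.group(1).split(",")]
            fields += [""] * (3 - len(fields))
            triples.append(tuple(f or None for f in fields[:3]))
        groups[name] = triples
    return groups


def in_netgroup(triples, host=None, user=None, domain=None):
    """innetgr()-style check (assumption about glibc semantics): None on
    either side of a field is a wildcard; host and domain compare
    case-insensitively, user compares exactly."""
    def field_ok(entry, query, fold):
        if entry is None or query is None:
            return True
        return entry.lower() == query.lower() if fold else entry == query
    return any(field_ok(h, host, True) and field_ok(u, user, False)
               and field_ok(d, domain, True) for h, u, d in triples)


def sudo_host_matches(triples, fqdn, nisdomain):
    """Mirror the sudoHost '+netgroup' check seen in the comment 17 debug log:
    the user field is left unconstrained, the NIS domain is whatever
    nisdomainname reports (None models '(none)' / 'domainname=(null)'),
    and both the full and the short host name are tried (assumption)."""
    short = fqdn.split(".", 1)[0]
    return any(in_netgroup(triples, host=h, user=None, domain=nisdomain)
               for h in (fqdn, short))


if __name__ == "__main__":
    groups = parse_getent_netgroup(GETENT_LINES)
    for dom in ("testdomain.com", None, "testdomain"):
        ok = sudo_host_matches(groups["hostgrp1"], "ipa1.testdomain.com", dom)
        print("nisdomainname=%s -> host match: %s" % (dom or "(none)", ok))
```

Under this model an unset NIS domain still matches (as in the log above), while a nisdomainname that differs from the domain stored in the netgroup triple makes the host check fail, which is the kind of mismatch comment 8 asks to rule out.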

Comment 18 Daniel Kopeček 2013-08-14 08:16:36 UTC
Created attachment 786428 [details]
LDAP data export

Comment 19 Daniel Kopeček 2013-08-14 08:17:49 UTC
Created attachment 786429 [details]
SSSD configuration file

Comment 20 Jakub Hrozek 2013-08-21 14:39:31 UTC
Nikolai (or anyone else from your team), can you please check if the setup works for you as well?

Comment 21 David Spurek 2013-08-26 12:53:46 UTC
Hi Daniel, I don't know if I have the right setup, but these are my setup steps:

1. Install ipa server
2. add user,hostgroup,sudorule via ipa commands:

ipa hostgroup-add --desc="test hostgroup 1" hostgrp1
ipa hostgroup-add-member --hosts=`hostname` hostgrp1

ipa sudorule-add sudorule1
ipa user-add --first=test --last=user2 --cn=tuser2 --email=tuser2 --random tuser2
ipa sudorule-add-user --users=tuser2 sudorule1
ipa sudorule-add-host --hostgroups=hostgrp1 sudorule1
ipa sudocmd-add "/bin/date"
ipa sudorule-add-allow-command sudorule1 --sudocmds="/bin/date"

3. su - tuser2 and sudo -l


This is my setup and it does not work for me.

Sudorule after these ipa commands looks like:

dn: cn=sudorule1,ou=sudoers,dc=testrealm
objectClass: sudoRole
sudoUser: tuser2
sudoHost: +hostgrp1
sudoCommand: /bin/date
cn: sudorule1


[test]su - tuser2
-sh-4.1$ id
uid=1288800001(tuser2) gid=1288800001(tuser2) groups=1288800001(tuser2) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-sh-4.1$ getent passwd tuser2
tuser2:*:1288800001:1288800001:test user2:/home/tuser2:/bin/sh

-sh-4.1$ nisdomainname 
testdomain.com

-sh-4.1$ hostname
rhel64.testdomain.com

-sh-4.1$ getent netgroup hostgrp1
hostgrp1              (rhel64.testdomain.com, -, testdomain.com)

-sh-4.1$ cat /etc/nsswitch.conf | grep sss
passwd:     files sss
shadow:     files sss
group:      files sss
services:   files sss
netgroup:   files sss
sudoers: files sss


-sh-4.1$ sudo -l
User tuser2 is not allowed to run sudo on rhel64.

-sh-4.1$ rpm -q sudo
sudo-1.8.6p3-10.el6.x86_64


Nikolai, can you check if this is the right setup?

Comment 22 Kaleem 2013-08-26 14:28:57 UTC
The setup seems to be the same one I used to file this bug. I also tried with sudo-1.8.6p3-10.el6.x86_64 and found that this bug still exists.

Excerpts from ipa automation log:
=================================

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: sudorule-add-hostgrp_func001: Adding hostgroup and verifying from sudo client.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

spawn /usr/bin/kinit -V admin
Using default cache: /tmp/krb5cc_0
Using principal: admin
Password for admin: 
Authenticated to Kerberos v5
Default principal: admin
:: [ 19:28:26 ] ::  kinit as admin with password ********** was successful.
:: [   PASS   ] :: Kinit as admin user (Expected 0, got 0)
--------------------------
Added hostgroup "hostgrp1"
--------------------------
  Host-group: hostgrp1
  Description: test_hostgrp
:: [   PASS   ] :: Running 'ipa hostgroup-add hostgrp1 --desc=test_hostgrp' (Expected 0, got 0)
  Rule name: sudorule1
  Enabled: TRUE
  Users: user1
  Hosts: rhel64-client.testrelm.com
  Sudo Allow Commands: /bin/mkdir
-------------------------
Number of members added 1
-------------------------
:: [   PASS   ] :: Running 'ipa sudorule-add-allow-command --sudocmds=/bin/mkdir sudorule1' (Expected 0, got 0)
  Rule name: sudorule1
  Enabled: TRUE
  Users: user1
  Sudo Allow Commands: /bin/mkdir
---------------------------
Number of members removed 1
---------------------------
:: [   PASS   ] :: Running 'ipa sudorule-remove-host sudorule1 --hosts=rhel64-client.testrelm.com' (Expected 0, got 0)
  Host-group: hostgrp1
  Description: test_hostgrp
  Member hosts: rhel64-client.testrelm.com
-------------------------
Number of members added 1
-------------------------
:: [   PASS   ] :: Running 'ipa hostgroup-add-member hostgrp1 --hosts=rhel64-client.testrelm.com' (Expected 0, got 0)
  Rule name: sudorule1
  Enabled: TRUE
  Users: user1
  Host Groups: hostgrp1
  Sudo Allow Commands: /bin/mkdir
-------------------------
Number of members added 1
-------------------------
:: [   PASS   ] :: Running 'ipa sudorule-add-host sudorule1 --hostgroup=hostgrp1' (Expected 0, got 0)
Stopping sssd: [  OK  ]
[  OK  ] sssd: [  OK  ]
#!/usr/bin/expect -f

set timeout 30
set send_slow {1 .1}
match_max 100000

spawn ssh -o StrictHostKeyChecking=no -l user1 rhel64-client.testrelm.com
expect "*: "
send -s "**********\r"
expect "*$ "
send -s "sudo -l > /tmp/sudo_list_client_31583.out 2>&1 \r"
expect "user1: "
send -s "**********\r"
expect eof
spawn ssh -o StrictHostKeyChecking=no -l user1 rhel64-client.testrelm.com
user1.com's password: 
Your password will expire in 89 day(s).
Last login: Mon Aug 26 19:27:47 2013 from rhel64-master.testrelm.com
Could not chdir to home directory /home/user1: No such file or directory
-sh-4.1$ sudo -l > /tmp/sudo_list_client_31583.out 2>&1 
[sudo] password for user1: 
-sh-4.1$ rhel64-client.testrelm.com
Connecting to rhel64-client.testrelm.com...
Fetching /tmp/sudo_list_client_31583.out to /tmp/sudo_list.out
/tmp/sudo_list_client_31583.out                                                                                            100%   96     0.1KB/s   00:00    
:: [   PASS   ] :: Running 'sudo_list user1' (Expected 0, got 0)
Your password will expire in 89 day(s).
User user1 is not allowed to run sudo on rhel64-client.
:: [   PASS   ] :: Running 'cat /tmp/sudo_list.out' (Expected 0, got 0)
:: [   FAIL   ] :: File '/tmp/sudo_list.out' should contain '(root) /bin/mkdir' 
:: [ 19:29:23 ] ::  Failing because of https://bugzilla.redhat.com/show_bug.cgi?id=923753
:: [   PASS   ] :: Running 'rm -fr /tmp/sudo_list.out' (Expected 0, got 0)

[root@rhel64-client ~]# rpm -q sudo
sudo-1.8.6p3-10.el6.x86_64
[root@rhel64-client ~]#

Comment 23 Nikolai Kondrashov 2013-08-29 15:34:48 UTC
Jakub, I've no IPA setup handy, sorry.

David, I'm sorry, I've never tested sssd with IPA and cannot say if the LDAP directory contents are correct. The sssd.conf looks good enough to me.