961356 – SUDO is not working for users from trusted AD domain

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 961356 - SUDO is not working for users from trusted AD domain

Summary: SUDO is not working for users from trusted AD domain

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	6.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Jakub Hrozek
QA Contact:	Kaushik Banerjee
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-05-09 13:16 UTC by Dmitri Pal
Modified:	2020-05-02 17:20 UTC (History)
CC List:	8 users (show)
Fixed In Version:	sssd-1.9.2-103.el6
Doc Type:	Bug Fix
Doc Text:	No documentation needed.
Clone Of:
Environment:
Last Closed:	2013-11-21 22:17:40 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 2954	0	None	None	None	2020-05-02 17:20:43 UTC
Red Hat Product Errata	RHBA-2013:1680	0	normal	SHIPPED_LIVE	sssd bug fix and enhancement update	2013-11-20 21:52:37 UTC

Description Dmitri Pal 2013-05-09 13:16:12 UTC

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1912


{{{
AD side:
User Administrator is part of 'SUDO Users' group

IPA side:
external group ad_sudo_users contains SID of 'SUDO Users'
group sudo_users contains ad_sudo_users

# ipa sudorule-show --all sudo_users_all
dn: ipaUniqueID=880ee794-b6cf-11e2-b6c0-001a4a22046a,cn=sudorules,cn=sudo,dc=ipa,dc=pb
Rule name: sudo_users_all
Enabled: TRUE
Host category: all
Command category: all
User Groups: sudo_users
ipauniqueid: 880ee794-b6cf-11e2-b6c0-001a4a22046a
objectclass: ipaassociation, ipasudorule
}}}

The rule is correctly downloaded by SSSD, after login as 'AD\Administrator' the groups are resolved correctly:


{{{
$ su 'AD\Administrator'
Password: 
Creating home directory for administrator.

$ id
uid=1751600500(administrator) gid=1751600500(administrator) groups=1751600500(administrator),1522800004(sudo_users),1751600512(domain admins),1751600513(domain users),1751600518(schema admins),1751600519(enterprise admins),1751600520(group policy creator owners),1751601106(sudo users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
}}}

SUDO responder does not return any records using this filter:

{{{
(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=administrator)(sudoUser=#1751600500)(sudoUser=%sudo_users)(sudoUser=%sudo users)(sudoUser=%schema admins)(sudoUser=%enterprise admins)(sudoUser=%group policy creator owners)(sudoUser=%domain admins)(sudoUser=%domain users)(sudoUser=+*)))
}}}

But the same filter returns correct rule via ldbsearch.


{{{
# ldbsearch -H cache_TRUST.ldb -b cn=sudorules,cn=custom,cn=TRUST,cn=sysdb "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=administrator)(sudoUser=#1751600500)(sudoUser=%sudo_users)(sudoUser=%sudo users)(sudoUser=%schema admins)(sudoUser=%enterprise admins)(sudoUser=%group policy creator owners)(sudoUser=%domain admins)(sudoUser=%domain users)(sudoUser=+*)))"

# record 1
dn: name=sudo_users_all,cn=sudorules,cn=custom,cn=TRUST,cn=sysdb
cn: sudo_users_all
dataExpireTimestamp: 1367908267
entryUSN: 1333
name: sudo_users_all
objectClass: sudoRule
originalDN: cn=sudo_users_all,ou=sudoers,dc=ipa,dc=pb
sudoCommand: ALL
sudoHost: ALL
sudoUser: %sudo_users
distinguishedName: name=sudo_users_all,cn=sudorules,cn=custom,cn=TRUST,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals
}}}

Comment 1 Jakub Hrozek 2013-05-10 15:00:25 UTC

Fixed upstream.

Comment 7 Steeve Goveas 2013-10-25 11:51:12 UTC

[root@dhcp207-85 ~]# ipa group-add --desc="ad lab.pnq.rh.qe users external map" ad_sudo_users --external
---------------------------
Added group "ad_sudo_users"
---------------------------
  Group name: ad_sudo_users
  Description: ad lab.pnq.rh.qe users external map
 
[root@dhcp207-85 ~]# ipa group-add --desc='sudo users group' sudo_users
------------------------
Added group "sudo_users"
------------------------
  Group name: sudo_users
  Description: sudo users group
  GID: 173800004

[root@dhcp207-85 ~]# ipa group-add-member ad_sudo_users --external 'LAB\aduser1'
[member user]:
[member group]:
  Group name: ad_sudo_users
  Description: ad lab.pnq.rh.qe users external map
  External member: S-1-5-21-3900144892-589318651-20988493-1105
-------------------------
Number of members added 1
-------------------------
 
[root@dhcp207-85 ~]# wbinfo -n 'LAB\aduser1'
S-1-5-21-3900144892-589318651-20988493-1105 SID_USER (1)
 
[root@dhcp207-85 ~]# ipa group-add-member sudo_users --groups ad_sudo_users
  Group name: sudo_users
  Description: sudo users group
  GID: 173800004
  Member groups: ad_sudo_users
-------------------------
Number of members added 1
-------------------------
 
[root@dhcp207-85 ~]# cat /etc/sssd/sssd.conf
[domain/testrelm.com]
 
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = testrelm.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = dhcp207-85.testrelm.com
chpass_provider = ipa
ipa_server = dhcp207-85.testrelm.com
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 10
 
sudo_provider = ldap
ldap_uri = ldap://dhcp207-85.testrelm.com
ldap_sudo_search_base = ou=sudoers,dc=testrelm,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/dhcp207-85.testrelm.com
ldap_sasl_realm = TESTRELM.COM
krb5_server = dhcp207-85.testrelm.com
 
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
 
domains = testrelm.com
[nss]
 
[pam]
 
[sudo]
 
[autofs]
 
[ssh]
 
[pac]
 
[root@dhcp207-85 ~]# service sssd restart
Stopping sssd:                                             [  OK  ]
Starting sssd:                                             [  OK  ]
 
[root@dhcp207-85 ~]# ipa sudorule-add-user sudo_users_all --groups=sudo_users
  Rule name: sudo_users_all
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: sudo_users
-------------------------
Number of members added 1
-------------------------
 
[root@dhcp207-85 ~]# ipa sudorule-show --all sudo_users_all
  dn: ipaUniqueID=b6563902-3bd3-11e3-9c23-5254000ffcff,cn=sudorules,cn=sudo,dc=testrelm,dc=com
  Rule name: sudo_users_all
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: sudo_users
  ipauniqueid: b6563902-3bd3-11e3-9c23-5254000ffcff
  objectclass: ipaassociation, ipasudorule
 
 
[root@dhcp207-85 ~]# ipa group-add-member sudo_users --user tuser
  Group name: sudo_users
  Description: sudo users group
  GID: 173800004
  Member users: tuser
  Member groups: ad_sudo_users
  Member of Sudo rule: sudo_users_all
-------------------------
Number of members added 1
-------------------------
 
[root@dhcp207-85 ~]# su - tuser
Creating home directory for tuser.
-sh-4.1$ id
uid=173800005(tuser) gid=173800005(tuser) groups=173800005(tuser),173800004(sudo_users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ sudo id
 
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
 
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
 
[sudo] password for tuser:
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ logout

[root@dhcp207-85 ~]# kinit aduser1.RH.QE
Password for aduser1.RH.QE: 
[root@dhcp207-85 ~]# ssh -K -l aduser1.rh.qe dhcp207-85.testrelm.com 
Last login: Thu Oct 24 16:44:31 2013 from dhcp207-85.testrelm.com
-sh-4.1$ id
uid=1800201105(aduser1.rh.qe) gid=1800201105(aduser1.rh.qe) groups=1800201105(aduser1.rh.qe),173800004(sudo_users),1800200513(domain users.rh.qe) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-sh-4.1$ sudo id
[sudo] password for aduser1.rh.qe: 
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-sh-4.1$ sudo -l
Matching Defaults entries for aduser1.rh.qe on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2
    QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME
    LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User aduser1.rh.qe may run the following commands on this host:
    (ALL) ALL

-sh-4.1$ logout
Connection to dhcp207-85.testrelm.com closed.

[root@dhcp207-85 ~]# ipa group-add-member ad_sudo_users --external 'LAB\administrator'
[member user]: 
[member group]: 
  Group name: ad_sudo_users
  Description: ad lab.pnq.rh.qe users external map
  External member: S-1-5-21-3900144892-589318651-20988493-1105, S-1-5-21-3900144892-589318651-20988493-500
  Member of groups: sudo_users
  Indirect Member of Sudo rule: sudo_users_all
-------------------------
Number of members added 1
-------------------------

[root@dhcp207-85 ~]# ssh -l administrator.rh.qe dhcp207-85.testrelm.com 
administrator.rh.qe.com's password: 
-sh-4.1$ id
uid=1800200500(administrator.rh.qe) gid=1800200500(administrator.rh.qe) groups=1800200500(administrator.rh.qe),173800004(sudo_users),1800200512(domain admins.rh.qe),1800200513(domain users.rh.qe),1800200518(schema admins.rh.qe),1800200519(enterprise admins.rh.qe),1800200520(group policy creator owners.rh.qe) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-sh-4.1$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for administrator.rh.qe: 
Matching Defaults entries for administrator.rh.qe on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2
    QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME
    LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User administrator.rh.qe may run the following commands on this host:
    (ALL) ALL

-sh-4.1$ sudo id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-sh-4.1$ logout

[root@dhcp207-85 ~]# cd /var/lib/sss/db/

[root@dhcp207-85 db]# ldbsearch -H cache_testrelm.com.ldb -b cn=sudorules,cn=custom,cn=testrelm.com,cn=sysdb "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=administrator.rh.qe)(sudoUser=#1800200500)(sudoUser=%sudo_users)(sudoUser=%sudo users.rh.qe)(sudoUser=%schema admins.rh.qe)(sudoUser=%enterprise admins.rh.qe)(sudoUser=%group policy creator owners.rh.qe)(sudoUser=%domain admins.rh.qe)(sudoUser=%domain users.rh.qe)(sudoUser=+*)))"
asq: Unable to register control with rootdse!
# record 1
dn: name=sudo_users_all,cn=sudorules,cn=custom,cn=testrelm.com,cn=sysdb
cn: sudo_users_all
dataExpireTimestamp: 1382698758
entryUSN: 584
name: sudo_users_all
objectClass: sudoRule
originalDN: cn=sudo_users_all,ou=sudoers,dc=testrelm,dc=com
sudoCommand: ALL
sudoHost: ALL
sudoRunAsUser: ALL
sudoUser: %sudo_users
distinguishedName: name=sudo_users_all,cn=sudorules,cn=custom,cn=testrelm.com,
 cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals

[root@dhcp207-85 db]# grep "Returning 1 rules for \[aduser1.rh.qe\]" /var/log/sssd/sssd_sudo.log -B4
(Wed Oct 23 20:49:58 2013) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=aduser1.rh.qe)(sudoUser=#1800201105)(sudoUser=%sudo_users)(sudoUser=%Domain Users.rh.qe)(sudoUser=+*))(&(dataExpireTimestamp<=1382541598)))]
(Wed Oct 23 20:49:58 2013) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Wed Oct 23 20:49:58 2013) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Wed Oct 23 20:49:58 2013) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=aduser1.rh.qe)(sudoUser=#1800201105)(sudoUser=%sudo_users)(sudoUser=%Domain Users.rh.qe)(sudoUser=+*)))]
(Wed Oct 23 20:49:58 2013) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [aduser1.rh.qe]

Comment 8 errata-xmlrpc 2013-11-21 22:17:40 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1680.html

Note You need to log in before you can comment on or make changes to this bug.