Bug 961356 - SUDO is not working for users from trusted AD domain
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Assigned To: Jakub Hrozek
QA Contact: Kaushik Banerjee
Reported: 2013-05-09 09:16 EDT by Dmitri Pal
Modified: 2013-11-21 17:17 EST (History)
Fixed In Version: sssd-1.9.2-103.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Last Closed: 2013-11-21 17:17:40 EST
Description Dmitri Pal 2013-05-09 09:16:12 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1912
{{{
AD side:
User Administrator is part of 'SUDO Users' group

IPA side:
external group ad_sudo_users contains SID of 'SUDO Users'
group sudo_users contains ad_sudo_users

# ipa sudorule-show --all sudo_users_all
dn: ipaUniqueID=880ee794-b6cf-11e2-b6c0-001a4a22046a,cn=sudorules,cn=sudo,dc=ipa,dc=pb
Rule name: sudo_users_all
Enabled: TRUE
Host category: all
Command category: all
User Groups: sudo_users
ipauniqueid: 880ee794-b6cf-11e2-b6c0-001a4a22046a
objectclass: ipaassociation, ipasudorule
}}}

The rule is correctly downloaded by SSSD, and after login as 'AD\Administrator' the groups are resolved correctly:

{{{
$ su 'AD\Administrator'
Password: 
Creating home directory for administrator@ad.pb.

$ id
uid=1751600500(administrator@ad.pb) gid=1751600500(administrator@ad.pb) groups=1751600500(administrator@ad.pb),1522800004(sudo_users),1751600512(domain admins@ad.pb),1751600513(domain users@ad.pb),1751600518(schema admins@ad.pb),1751600519(enterprise admins@ad.pb),1751600520(group policy creator owners@ad.pb),1751601106(sudo users@ad.pb) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
}}}

SUDO responder does not return any records using this filter:

{{{
(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=administrator@ad.pb)(sudoUser=#1751600500)(sudoUser=%sudo_users)(sudoUser=%sudo users@ad.pb)(sudoUser=%schema admins@ad.pb)(sudoUser=%enterprise admins@ad.pb)(sudoUser=%group policy creator owners@ad.pb)(sudoUser=%domain admins@ad.pb)(sudoUser=%domain users@ad.pb)(sudoUser=+*)))
}}}

But the same filter returns the correct rule via ldbsearch.

{{{
# ldbsearch -H cache_TRUST.ldb -b cn=sudorules,cn=custom,cn=TRUST,cn=sysdb "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=administrator@ad.pb)(sudoUser=#1751600500)(sudoUser=%sudo_users)(sudoUser=%sudo users@ad.pb)(sudoUser=%schema admins@ad.pb)(sudoUser=%enterprise admins@ad.pb)(sudoUser=%group policy creator owners@ad.pb)(sudoUser=%domain admins@ad.pb)(sudoUser=%domain users@ad.pb)(sudoUser=+*)))"

# record 1
dn: name=sudo_users_all,cn=sudorules,cn=custom,cn=TRUST,cn=sysdb
cn: sudo_users_all
dataExpireTimestamp: 1367908267
entryUSN: 1333
name: sudo_users_all
objectClass: sudoRule
originalDN: cn=sudo_users_all,ou=sudoers,dc=ipa,dc=pb
sudoCommand: ALL
sudoHost: ALL
sudoUser: %sudo_users
distinguishedName: name=sudo_users_all,cn=sudorules,cn=custom,cn=TRUST,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals
}}}
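How the sudo responder's cache query is supposed to select rules for a trusted-domain user, as an added illustration that is not SSSD's own code: it parses the `id` output quoted above, builds a sudoUser filter in the shape shown in the report, and evaluates the cached `sudo_users_all` record against it. The function names `parse_id`, `build_sudo_filter` and `matching_rules`, and the rule dictionaries, are choices made here.

```python
import re

# Constructed sample input, copied from the `id` output quoted in the bug report.
ID_OUTPUT = (
    "uid=1751600500(administrator@ad.pb) gid=1751600500(administrator@ad.pb) "
    "groups=1751600500(administrator@ad.pb),1522800004(sudo_users),"
    "1751600512(domain admins@ad.pb),1751600513(domain users@ad.pb),"
    "1751601106(sudo users@ad.pb) context=unconfined_u:unconfined_r:unconfined_t:s0"
)
# Constructed cache entry mirroring the ldbsearch record in the report.
CACHED_RULES = [{"name": "sudo_users_all", "sudoUser": ["%sudo_users"]}]

def parse_id(output):
    """Return (uid, name, [group names]) from id(1) output; the SELinux context is dropped."""
    output = output.split(" context=")[0]
    uid, name = re.search(r"uid=(\d+)\(([^)]*)\)", output).groups()
    groups_field = re.search(r"groups=(.*)$", output).group(1)
    # Group names may contain spaces ("domain admins@ad.pb"), so match up to the ')'.
    groups = [g for _, g in re.findall(r"(\d+)\(([^)]*)\)", groups_field)]
    return int(uid), name, groups

def ldap_escape(value):
    """RFC 4515 escaping so a user or group name cannot alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def build_sudo_filter(uid, name, groups):
    """Assemble the sysdb filter in the shape the sudo responder logs."""
    terms = ["(sudoUser=ALL)", "(sudoUser=%s)" % ldap_escape(name), "(sudoUser=#%d)" % uid]
    terms += ["(sudoUser=%%%s)" % ldap_escape(g) for g in groups]
    terms.append("(sudoUser=+*)")  # netgroup rules are fetched and checked afterwards
    return "(&(objectClass=sudoRule)(|%s))" % "".join(terms)

def rule_applies(rule, uid, name, groups):
    """Evaluate one cached rule's sudoUser values the way the filter would match them."""
    for spec in rule["sudoUser"]:
        if spec == "ALL" or spec == name or spec == "#%d" % uid:
            return True
        if spec.startswith("%") and spec[1:] in groups:
            return True
        # "+netgroup" needs an innetgr() lookup and is not resolved in this example.
    return False

def matching_rules(id_output, rules):
    """Names of the cached rules that apply to the user described by id_output."""
    uid, name, groups = parse_id(id_output)
    return [r["name"] for r in rules if rule_applies(r, uid, name, groups)]
```

For the trusted AD administrator the filter contains `(sudoUser=%sudo_users)`, which is exactly why the cached rule should be returned; the report shows the responder failing to do so even though ldbsearch with the same filter succeeds.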
Comment 1 Jakub Hrozek 2013-05-10 11:00:25 EDT
Fixed upstream.
Comment 7 Steeve Goveas 2013-10-25 07:51:12 EDT
[root@dhcp207-85 ~]# ipa group-add --desc="ad lab.pnq.rh.qe users external map" ad_sudo_users --external
---------------------------
Added group "ad_sudo_users"
---------------------------
  Group name: ad_sudo_users
  Description: ad lab.pnq.rh.qe users external map
 
[root@dhcp207-85 ~]# ipa group-add --desc='sudo users group' sudo_users
------------------------
Added group "sudo_users"
------------------------
  Group name: sudo_users
  Description: sudo users group
  GID: 173800004

[root@dhcp207-85 ~]# ipa group-add-member ad_sudo_users --external 'LAB\aduser1'
[member user]:
[member group]:
  Group name: ad_sudo_users
  Description: ad lab.pnq.rh.qe users external map
  External member: S-1-5-21-3900144892-589318651-20988493-1105
-------------------------
Number of members added 1
-------------------------
 
[root@dhcp207-85 ~]# wbinfo -n 'LAB\aduser1'
S-1-5-21-3900144892-589318651-20988493-1105 SID_USER (1)
 
[root@dhcp207-85 ~]# ipa group-add-member sudo_users --groups ad_sudo_users
  Group name: sudo_users
  Description: sudo users group
  GID: 173800004
  Member groups: ad_sudo_users
-------------------------
Number of members added 1
-------------------------
 
[root@dhcp207-85 ~]# cat /etc/sssd/sssd.conf
[domain/testrelm.com]
 
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = testrelm.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = dhcp207-85.testrelm.com
chpass_provider = ipa
ipa_server = dhcp207-85.testrelm.com
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 10
 
sudo_provider = ldap
ldap_uri = ldap://dhcp207-85.testrelm.com
ldap_sudo_search_base = ou=sudoers,dc=testrelm,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/dhcp207-85.testrelm.com
ldap_sasl_realm = TESTRELM.COM
krb5_server = dhcp207-85.testrelm.com
 
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
 
domains = testrelm.com
[nss]
 
[pam]
 
[sudo]
 
[autofs]
 
[ssh]
 
[pac]
 
[root@dhcp207-85 ~]# service sssd restart
Stopping sssd:                                             [  OK  ]
Starting sssd:                                             [  OK  ]
 
[root@dhcp207-85 ~]# ipa sudorule-add-user sudo_users_all --groups=sudo_users
  Rule name: sudo_users_all
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: sudo_users
-------------------------
Number of members added 1
-------------------------
 
[root@dhcp207-85 ~]# ipa sudorule-show --all sudo_users_all
  dn: ipaUniqueID=b6563902-3bd3-11e3-9c23-5254000ffcff,cn=sudorules,cn=sudo,dc=testrelm,dc=com
  Rule name: sudo_users_all
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: sudo_users
  ipauniqueid: b6563902-3bd3-11e3-9c23-5254000ffcff
  objectclass: ipaassociation, ipasudorule
 
 
[root@dhcp207-85 ~]# ipa group-add-member sudo_users --user tuser
  Group name: sudo_users
  Description: sudo users group
  GID: 173800004
  Member users: tuser
  Member groups: ad_sudo_users
  Member of Sudo rule: sudo_users_all
-------------------------
Number of members added 1
-------------------------
 
[root@dhcp207-85 ~]# su - tuser
Creating home directory for tuser.
-sh-4.1$ id
uid=173800005(tuser) gid=173800005(tuser) groups=173800005(tuser),173800004(sudo_users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ sudo id
 
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
 
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
 
[sudo] password for tuser:
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ logout

[root@dhcp207-85 ~]# kinit aduser1@LAB.PNQ.RH.QE
Password for aduser1@LAB.PNQ.RH.QE: 
[root@dhcp207-85 ~]# ssh -K -l aduser1@lab.pnq.rh.qe dhcp207-85.testrelm.com 
Last login: Thu Oct 24 16:44:31 2013 from dhcp207-85.testrelm.com
-sh-4.1$ id
uid=1800201105(aduser1@lab.pnq.rh.qe) gid=1800201105(aduser1@lab.pnq.rh.qe) groups=1800201105(aduser1@lab.pnq.rh.qe),173800004(sudo_users),1800200513(domain users@lab.pnq.rh.qe) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-sh-4.1$ sudo id
[sudo] password for aduser1@lab.pnq.rh.qe: 
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-sh-4.1$ sudo -l
Matching Defaults entries for aduser1@lab.pnq.rh.qe on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2
    QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME
    LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User aduser1@lab.pnq.rh.qe may run the following commands on this host:
    (ALL) ALL

-sh-4.1$ logout
Connection to dhcp207-85.testrelm.com closed.

[root@dhcp207-85 ~]# ipa group-add-member ad_sudo_users --external 'LAB\administrator'
[member user]: 
[member group]: 
  Group name: ad_sudo_users
  Description: ad lab.pnq.rh.qe users external map
  External member: S-1-5-21-3900144892-589318651-20988493-1105, S-1-5-21-3900144892-589318651-20988493-500
  Member of groups: sudo_users
  Indirect Member of Sudo rule: sudo_users_all
-------------------------
Number of members added 1
-------------------------

[root@dhcp207-85 ~]# ssh -l administrator@lab.pnq.rh.qe dhcp207-85.testrelm.com 
administrator@lab.pnq.rh.qe@dhcp207-85.testrelm.com's password: 
-sh-4.1$ id
uid=1800200500(administrator@lab.pnq.rh.qe) gid=1800200500(administrator@lab.pnq.rh.qe) groups=1800200500(administrator@lab.pnq.rh.qe),173800004(sudo_users),1800200512(domain admins@lab.pnq.rh.qe),1800200513(domain users@lab.pnq.rh.qe),1800200518(schema admins@lab.pnq.rh.qe),1800200519(enterprise admins@lab.pnq.rh.qe),1800200520(group policy creator owners@lab.pnq.rh.qe) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-sh-4.1$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for administrator@lab.pnq.rh.qe: 
Matching Defaults entries for administrator@lab.pnq.rh.qe on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2
    QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME
    LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User administrator@lab.pnq.rh.qe may run the following commands on this host:
    (ALL) ALL

-sh-4.1$ sudo id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-sh-4.1$ logout

[root@dhcp207-85 ~]# cd /var/lib/sss/db/

[root@dhcp207-85 db]# ldbsearch -H cache_testrelm.com.ldb -b cn=sudorules,cn=custom,cn=testrelm.com,cn=sysdb "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=administrator@lab.pnq.rh.qe)(sudoUser=#1800200500)(sudoUser=%sudo_users)(sudoUser=%sudo users@lab.pnq.rh.qe)(sudoUser=%schema admins@lab.pnq.rh.qe)(sudoUser=%enterprise admins@lab.pnq.rh.qe)(sudoUser=%group policy creator owners@lab.pnq.rh.qe)(sudoUser=%domain admins@lab.pnq.rh.qe)(sudoUser=%domain users@lab.pnq.rh.qe)(sudoUser=+*)))"
asq: Unable to register control with rootdse!
# record 1
dn: name=sudo_users_all,cn=sudorules,cn=custom,cn=testrelm.com,cn=sysdb
cn: sudo_users_all
dataExpireTimestamp: 1382698758
entryUSN: 584
name: sudo_users_all
objectClass: sudoRule
originalDN: cn=sudo_users_all,ou=sudoers,dc=testrelm,dc=com
sudoCommand: ALL
sudoHost: ALL
sudoRunAsUser: ALL
sudoUser: %sudo_users
distinguishedName: name=sudo_users_all,cn=sudorules,cn=custom,cn=testrelm.com,
 cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals

[root@dhcp207-85 db]# grep "Returning 1 rules for \[aduser1@lab.pnq.rh.qe\]" /var/log/sssd/sssd_sudo.log -B4
(Wed Oct 23 20:49:58 2013) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=aduser1@lab.pnq.rh.qe)(sudoUser=#1800201105)(sudoUser=%sudo_users)(sudoUser=%Domain Users@lab.pnq.rh.qe)(sudoUser=+*))(&(dataExpireTimestamp<=1382541598)))]
(Wed Oct 23 20:49:58 2013) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Wed Oct 23 20:49:58 2013) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Wed Oct 23 20:49:58 2013) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=aduser1@lab.pnq.rh.qe)(sudoUser=#1800201105)(sudoUser=%sudo_users)(sudoUser=%Domain Users@lab.pnq.rh.qe)(sudoUser=+*)))]
(Wed Oct 23 20:49:58 2013) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [aduser1@lab.pnq.rh.qe]
Comment 8 errata-xmlrpc 2013-11-21 17:17:40 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1680.html
