RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 987479 - libsss_sudo should depend on sudo package with sssd support
Summary: libsss_sudo should depend on sudo package with sssd support
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-07-23 13:05 UTC by Eduardo Minguez
Modified: 2013-11-21 22:21 UTC (History)
7 users (show)

Fixed In Version: sssd-1.9.2-95.el6
Doc Type: Bug Fix
Doc Text:
Cause: libsss_sudo package didn't require sudo built with SSSD support. Consequence: libsss_sudo package could be installed with sudo version that doesn't work with SSSD. Fix: libsss_sudo package now requires sudo >= 1.8.6p3-6 Result: libsss_sudo can be only installed with sudo that is built with SSSD support.
Clone Of:
Environment:
Last Closed: 2013-11-21 22:21:24 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
specfile patch (1.29 KB, patch)
2013-07-24 07:11 UTC, Jakub Hrozek 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1680 0 normal SHIPPED_LIVE sssd bug fix and enhancement update 2013-11-20 21:52:37 UTC

Description Eduardo Minguez 2013-07-23 13:05:43 UTC 
Description of problem:
RHEL6.0 with RHEL6.4 ipa packages installed (libsss_sudo included), and sudo-1.7.2p2-9.el6.x86_64

Configuring /etc/sssd/sssd.conf to use it for sudo rules doesn't work

$ sudo /usr/bin/less
[sudo] password for testuser: 
testuser is not in the sudoers file.  This incident will be reported.

Version-Release number of selected component (if applicable):
sudo-1.7.2p2-9.el6.x86_64
libsss_sudo-1.9.2-82.7.el6_4.x86_64

How reproducible:
Fresh RHEL6.0 + ipa-client (and dependencies) from RHEL6.4 + libsss_sudo from RHEL6.4
Configure sssd for sudo rules against IdM

Steps to Reproduce:
1. Run sudo command allowed

Actual results:
$ sudo /usr/bin/less
[sudo] password for testuser: 
testuser is not in the sudoers file.  This incident will be reported.

Expected results:
$ sudo /usr/bin/less
[sudo] password for testuser: 
Missing filename ("less --help" for help)

Additional info:

Upgrading sudo package to sudo-1.8.6p3-7.el6.x86_64 works fine (I don't know if an older version works too)

/var/sssd/sssd.log with debug_level = 6 (I think the section attached is full, but I'm not sure 100%):

(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [be_get_account_info] (0x0100): Got request for [3][1][name=testuser]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=idm,dc=lvtc,dc=gsnet,dc=corp]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=testuser)(objectclass=posixAccount))][cn=accounts,dc=idm,dc=lvtc,dc=gsnet,dc=corp].
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_save_user] (0x0400): Storing info for user testuser
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lvtc,dc=gsnet,dc=corp].
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_initgr_nested_search] (0x0040): Search for group cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lvtc,dc=gsnet,dc=corp, returned 0 results. Skipping
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][ipauniqueid=9a41b00e-e960-11e2-b437-005056886a0a,cn=hbac,dc=idm,dc=lvtc,dc=gsnet,dc=corp].
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_initgr_nested_search] (0x0040): Search for group ipauniqueid=9a41b00e-e960-11e2-b437-005056886a0a,cn=hbac,dc=idm,dc=lvtc,dc=gsnet,dc=corp, returned 0 results. Skipping
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): domain: idm.lvtc.gsnet.corp
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): user: testuser
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): service: sudo
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): ruser: testuser
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): rhost: vmlbcipacl60.lvtc.gsnet.corp
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): authtok type: 1
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): authtok size: 12
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): newauthtok size: 0
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): priv: 0
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): cli_pid: 15562
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [check_for_valid_tgt] (0x0080): TGT is valid.
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [be_resolve_server_process] (0x0200): Found address for server vmlbcipal02.idm.lvtc.gsnet.corp: [180.133.135.32] TTL 1200
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [krb5_find_ccache_step] (0x0080): Saved ccache FILE:/tmp/krb5cc_56800003_mbQQFU if of different type than ccache in configuration file, reusing the old ccache
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [write_pipe_handler] (0x0400): All data has been sent!
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'vmlbcipal02.idm.lvtc.gsnet.corp' as 'working'
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [set_server_common_status] (0x0100): Marking server 'vmlbcipal02.idm.lvtc.gsnet.corp' as 'working'
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [safe_remove_old_ccache_file] (0x0400): New and old ccache file are the same, no one will be deleted.
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [be_pam_handler_callback] (0x0100): Sending result [0][idm.lvtc.gsnet.corp]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [be_pam_handler_callback] (0x0100): Sent result [0][idm.lvtc.gsnet.corp]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [child_sig_handler] (0x0100): child [15565] finished successfully.
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): domain: idm.lvtc.gsnet.corp
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): user: testuser
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): service: sudo
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): ruser: testuser
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): rhost: vmlbcipacl60.lvtc.gsnet.corp
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): authtok type: 0
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): authtok size: 0
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): newauthtok size: 0
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): priv: 0
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [pam_print_data] (0x0100): cli_pid: 15562
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_access_send] (0x0400): Performing access check for user [testuser]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [testuser]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=vmlbcipacl60.lvtc.gsnet.corp))][cn=accounts,dc=idm,dc=lvtc,dc=gsnet,dc=corp].
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=vmlbcipacl60.lvtc.gsnet.corp,cn=computers,cn=accounts,dc=idm,dc=lvtc,dc=gsnet,dc=corp] using OpenLDAP deref
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=vmlbcipacl60.lvtc.gsnet.corp,cn=computers,cn=accounts,dc=idm,dc=lvtc,dc=gsnet,dc=corp].
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [ipa_hbac_service_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=idm,dc=lvtc,dc=gsnet,dc=corp][2][(objectClass=ipaHBACService)]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=idm,dc=lvtc,dc=gsnet,dc=corp].
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=idm,dc=lvtc,dc=gsnet,dc=corp][2][(objectClass=ipaHBACServiceGroup)]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=idm,dc=lvtc,dc=gsnet,dc=corp].
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=idm,dc=lvtc,dc=gsnet,dc=corp][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=vmlbcipacl60.lvtc.gsnet.corp,cn=computers,cn=accounts,dc=idm,dc=lvtc,dc=gsnet,dc=corp)))]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=vmlbcipacl60.lvtc.gsnet.corp,cn=computers,cn=accounts,dc=idm,dc=lvtc,dc=gsnet,dc=corp)))][cn=hbac,dc=idm,dc=lvtc,dc=gsnet,dc=corp].
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [hbac_get_category] (0x0200): Category is set to 'all'.
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [hbac_get_category] (0x0200): Category is set to 'all'.
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [prueba]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [hbac_get_category] (0x0200): Category is set to 'all'.
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [hbac_get_category] (0x0200): Category is set to 'all'.
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [hbac_get_category] (0x0200): Category is set to 'all'.
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [allow_all]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [prueba]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=idm,dc=lvtc,dc=gsnet,dc=corp].
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [ipa_selinux_get_maps_next] (0x0400): Trying to fetch SELinux maps with following parameters: [2][(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=idm,dc=lvtc,dc=gsnet,dc=corp]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=idm,dc=lvtc,dc=gsnet,dc=corp].
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [be_pam_handler_callback] (0x0100): Sending result [0][idm.lvtc.gsnet.corp]
(Tue Jul 23 14:47:32 2013) [sssd[be[idm.lvtc.gsnet.corp]]] [be_pam_handler_callback] (0x0100): Sent result [0][idm.lvtc.gsnet.corp]
Comment 2 Jakub Hrozek 2013-07-23 19:02:22 UTC 
I'm not entirely sure about the supportability of running 6.4 SSSD stack on 6.3 RHEL (or with 6.3 sudo), but from purely technical standpoint I agree we should do our best to warn the user.

Because sudo is the initiator of the communication and libsss_sudo is simply dlopen()-ed, not linked against, the SSSD has no other way of enforcing the version than explicit Requires.
Comment 5 Jakub Hrozek 2013-07-24 07:11:33 UTC 
Created attachment 777605 [details]
specfile patch

Attached is a candidate patch. I think Requires makes more sense here than Conflicts because when the user installs libsss_sudo, he really needs sudo support, so it makes no sense to avoid configuration with libsss_sudo but without sudo.

The version that the patch Requires was shipped in 6.4 and fixed a number of sssd-related bugs.
Comment 7 Kaushik Banerjee 2013-10-21 06:17:47 UTC 
Verified in version 1.9.2-128.el6

Snippet of result from "yum install libsss_sudo"

<snip>

---> Package libsss_sudo.x86_64 0:1.9.2-128.el6 will be installed
--> Processing Dependency: sudo >= 1.8.6p3-6 for package: libsss_sudo-1.9.2-128.el6.x86_64
--> Running transaction check
---> Package sudo.x86_64 0:1.8.6p3-12.el6 will be installed
--> Finished Dependency Resolution

</snip>
Comment 8 errata-xmlrpc 2013-11-21 22:21:24 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1680.html
Note You need to log in before you can comment on or make changes to this bug.