#1616 sudo failing for ad trusted user in IPA environment
Closed: Fixed None Opened 6 years ago by dpal.

https://bugzilla.redhat.com/show_bug.cgi?id=871160 (Red Hat Enterprise Linux 6)

Description of problem:

sudo is not working for an AD trusted user in my IPA environment.  I'm testing
on an IPA test server.

[root@rhel6-1 failure1]# cat /etc/sssd/sssd.conf
[domain/default]
debug_level = 10
cache_credentials = True

[domain/testrelm.com]
debug_level = 10
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = testrelm.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
subdomains_provider = ipa
ipa_hostname = rhel6-1.testrelm.com
chpass_provider = ipa
ipa_server = rhel6-1.testrelm.com
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_uri = ldap://rhel6-1.testrelm.com
ldap_sudo_search_base = ou=sudoers,dc=ipa,dc=testrelm,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/rhel6-1.testrelm.com
ldap_sasl_realm = TESTRELM.COM
krb5_server = rhel6-1.testrelm.com

[sssd]
debug_level = 10
services = nss, pam, ssh, pac, sudo
config_file_version = 2
domains = testrelm.com

[nss]
debug_level = 10

[pam]
debug_level = 10

[sudo]
debug_level = 10

[autofs]
debug_level = 10

[ssh]
debug_level = 10

[pac]
debug_level = 10


[root@rhel6-1 failure1]# ipa sudorule-show testrule
  Rule name: testrule
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: adtestdom_adtestgroup1

[root@rhel6-1 failure1]# ipa group-show adtestdom_adtestgroup1
  Group name: adtestdom_adtestgroup1
  Description: adtestdom.com adtestgroup1
  GID: 1277200040
  Member groups: adtestdom_adtestgroup1_external
  Member of Sudo rule: testrule

[root@rhel6-1 failure1]# ipa group-show adtestdom_adtestgroup1_external
  Group name: adtestdom_adtestgroup1_external
  Description: adtestdom.com adtestgroup1 external
  Member of groups: adtestdom_adtestgroup1
  Indirect Member of Sudo rule: testrule
  External member: S-1-5-21-1246088475-3077293710-2580964704-1135

[root@rhel6-1 failure1]# wbinfo -n "ADTESTDOM\adtestgroup1"
S-1-5-21-1246088475-3077293710-2580964704-1135 SID_DOM_GROUP (2)

In AD, user adtestuser1 is in adtestgroup1.

I added "debug_level = 10" to all sections of sssd.conf and reran the test:

[root@rhel6-1 sssd]# vi /etc/sssd/sssd.conf

[root@rhel6-1 sssd]# service sssd stop
Stopping sssd:                                             [  OK  ]

[root@rhel6-1 sssd]# ls
backup          ldap_child.log  sssd_nss.log  sssd_pam.log  sssd_sudo.log
krb5_child.log  sssd.log        sssd_pac.log  sssd_ssh.log
sssd_testrelm.com.log

[root@rhel6-1 sssd]# for file in $(ls *.log); do cat /dev/null > $file; done

[root@rhel6-1 sssd]# service sssd start
Starting sssd:                                             [  OK  ]

[root@rhel6-1 sssd]# ssh -l adtestuser1@adtestdom.com rhel6-1.testrelm.com
adtestuser1@adtestdom.com@rhel6-1.testrelm.com's password:
Last login: Sun Oct 28 22:07:06 2012 from rhel6-1.testrelm.com
id: cannot find name for group ID 1232801136

-sh-4.1$ sudo id
[sudo] password for adtestuser1@adtestdom.com:
adtestuser1@adtestdom.com is not in the sudoers file.  This incident will be
reported.

-sh-4.1$ exit
logout
Connection to rhel6-1.testrelm.com closed.

Version-Release number of selected component (if applicable):
[root@rhel6-1 failure1]# rpm -qa|egrep "sssd|sudo"|sort
libsss_sudo-1.9.90-0.20121026T1831zgitac7a7ee.el6.x86_64
libsss_sudo-devel-1.9.90-0.20121026T1831zgitac7a7ee.el6.x86_64
sssd-1.9.90-0.20121026T1831zgitac7a7ee.el6.x86_64
sssd-client-1.9.90-0.20121026T1831zgitac7a7ee.el6.x86_64
sudo-1.8.6p3-4.el6.x86_64

How reproducible:
Seems to be always.

Steps to Reproduce:
1.  Install IPA Master
2.  Install AD server
3.  Setup Cross Realm Trust to AD Domain
4.  setup sudo rules like above
5.  ssh to log in and run sudo

More information and details about some of the setup can be found here:
https://fedoraproject.org/wiki/QA:Testcase_freeipav3_sudo_sssd

Actual results:
User is denied running command.

Expected results:
User can run command.

Additional info:
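The report checks the membership chain by hand: the sudo rule names an IPA POSIX group, that group contains an `*_external` group, and the external group holds the AD group's SID. For sudo to match, the client must turn the SID from the user's PAC into the POSIX GID of the IPA group. The script below is an added example (not SSSD or FreeIPA code) that parses the `ipa sudorule-show` / `ipa group-show` output shown above and a constructed `id -G`-style group list for the user, and reports where the chain breaks. The sample texts are copied from the report; the two `id -G` strings are assumptions made up to show the failing and the working case.

```python
"""
Triage helper for "sudo denies an AD-trusted user in IPA" cases.

Added example, not code from SSSD or FreeIPA. It takes text copied from
the commands in the report (ipa sudorule-show, ipa group-show) plus the
user's numeric group list and checks the chain a rule that relies on an
IPA group with an external (AD) member needs on the client:

  AD group SID -> IPA *_external group -> IPA POSIX group (GID) -> sudo rule

It only checks group resolution; it does not look at the sudo LDAP search
or the SSSD sudo cache.
"""

# --- constructed sample input, copied from the report ----------------------
SUDORULE_SHOW = """\
  Rule name: testrule
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: adtestdom_adtestgroup1
"""

GROUP_SHOW = {
    "adtestdom_adtestgroup1": """\
  Group name: adtestdom_adtestgroup1
  Description: adtestdom.com adtestgroup1
  GID: 1277200040
  Member groups: adtestdom_adtestgroup1_external
  Member of Sudo rule: testrule
""",
    "adtestdom_adtestgroup1_external": """\
  Group name: adtestdom_adtestgroup1_external
  Description: adtestdom.com adtestgroup1 external
  Member of groups: adtestdom_adtestgroup1
  Indirect Member of Sudo rule: testrule
  External member: S-1-5-21-1246088475-3077293710-2580964704-1135
""",
}

# Assumed `id -G` output for the user. The failing case carries only the
# unnamed AD group ID from the report; the working case also carries the
# GID of the IPA group the rule names.
ID_OUTPUT_FAILING = "1232801136"
ID_OUTPUT_WORKING = "1232801136 1277200040"


def parse_ipa_show(text):
    """Parse `ipa *-show` key/value output into {key: [values]}."""
    out = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, val = line.strip().partition(":")
        out.setdefault(key.strip(), []).extend(
            v.strip() for v in val.split(",") if v.strip())
    return out


def rule_gids(rule_text, groups):
    """GIDs of the POSIX groups an enabled rule names under 'User Groups'."""
    rule = parse_ipa_show(rule_text)
    if rule.get("Enabled", ["FALSE"])[0] != "TRUE":
        return set()
    gids = set()
    for name in rule.get("User Groups", []):
        for gid in parse_ipa_show(groups[name]).get("GID", []):
            gids.add(int(gid))
    return gids


def external_sids(group_name, groups):
    """SIDs reachable from a POSIX group through its *_external member groups."""
    sids = set()
    for member in parse_ipa_show(groups[group_name]).get("Member groups", []):
        sids.update(parse_ipa_show(groups[member]).get("External member", []))
    return sids


def triage(rule_text, groups, id_output):
    """Return (verdict, detail): 'ok', 'rule' (rule cannot match anyone),
    or 'resolution' (rule is fine, client did not give the user the GID)."""
    needed = rule_gids(rule_text, groups)
    if not needed:
        return "rule", "rule is disabled or names no POSIX group"
    have = {int(x) for x in id_output.split()}
    matched = needed & have
    if matched:
        return "ok", f"user carries GID(s) {sorted(matched)}; sudo should match"
    return "resolution", (
        f"user lacks GID(s) {sorted(needed)}: the SID -> external group -> "
        f"POSIX group step did not add them on the client")


if __name__ == "__main__":
    for label, ids in (("failing", ID_OUTPUT_FAILING), ("working", ID_OUTPUT_WORKING)):
        print(label, triage(SUDORULE_SHOW, GROUP_SHOW, ids))
```

On a real client, replace the `ID_OUTPUT_*` strings with the output of `id -G adtestuser1@adtestdom.com`; a `resolution` verdict points at the client-side SID-to-group mapping (the SSSD side this ticket fixes) rather than at the rule definition on the IPA server.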


We need to fix this sooner.

milestone: SSSD 1.9.4 => SSSD 1.9.3

Fields changed

owner: somebody => pbrezina
status: new => assigned

Fields changed

patch: 0 => 1

Fixed in sssd-1-9:
- 4d2c8ac
- 3cc3ecc
- cc255b7
- d3f7600
- 894d2d5
and master:
- ee500ab
- 5a3c49e
- d38ffc9
- 7379170
- 3a97c85

resolution: => fixed
status: assigned => closed

Metadata Update from @dpal:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.9.3

2 years ago
