#1779 Rule mismatch isn't noticed before smart refresh on ppc64 and s390x
Closed: Fixed None Opened 7 years ago by pbrezina.

https://bugzilla.redhat.com/show_bug.cgi?id=902716 (Red Hat Enterprise Linux 6)

Description of problem:
SSSD doesn't notice rule becoming a mismatch immediately, but only after a
smart refresh on ppc64 and s390x with directory server running on x86_64.

Version-Release number of selected component (if applicable):
sssd-client-1.9.2-74.el6.s390x
libsss_idmap-1.9.2-74.el6.s390x
libsss_sudo-1.9.2-74.el6.s390x
sssd-1.9.2-74.el6.s390x

How reproducible:
always

Steps to Reproduce:
1. Setup LDAP directory, using the attached mismatch_refresh_test.ldif file as
reference.
2. Setup SSSD client using the attached sssd.conf as reference.
3. Execute the following, replacing the server hostname:
---:<---
service sssd restart >/dev/null
ldapmodify -h dell-pe840-01.rhts.eng.bos.redhat.com -x -D
cn=Manager,dc=example,dc=com -w Secret123 <<<"
dn: cn=test,ou=Sudoers,dc=example,dc=com
replace: sudoUser
sudoUser: user2" >/dev/null
su -c 'sudo -u user2 true' user1 && echo ALLOWED || echo DENIED
sleep 11
su -c 'sudo -u user2 true' user1 && echo ALLOWED || echo DENIED
--->:---

Actual results:
ALLOWED
user1 is not allowed to run sudo on ibm-z10-02.  This incident will be
reported.
DENIED

Expected results:
user1 is not allowed to run sudo on ibm-z10-02.  This incident will be
reported.
DENIED
user1 is not allowed to run sudo on ibm-z10-02.  This incident will be
reported.
DENIED

Additional info:
This works as documented on x86_64 and i386.

Use the following command for test teardown, replacing the server hostname:
---:<---
ldapmodify  -h dell-pe840-01.rhts.eng.bos.redhat.com -x -D
cn=Manager,dc=example,dc=com -w Secret123 <<<"
dn: cn=test,ou=Sudoers,dc=example,dc=com
replace: sudoUser
sudoUser: user1" >/dev/null
--->:---

Fields changed

blockedby: =>
blocking: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
owner: somebody => pbrezina
patch: 0 => 1
selected: =>
status: new => assigned
testsupdated: => 0

milestone: NEEDS_TRIAGE => SSSD 1.9.4
priority: major => blocker
resolution: => fixed
status: assigned => closed

Metadata Update from @pbrezina:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.9.4

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2821

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata