Learn more about these different git repos.
Other Git URLs
AD side: User Administrator is part of 'SUDO Users' group IPA side: external group ad_sudo_users contains SID of 'SUDO Users' group sudo_users contains ad_sudo_users # ipa sudorule-show --all sudo_users_all dn: ipaUniqueID=880ee794-b6cf-11e2-b6c0-001a4a22046a,cn=sudorules,cn=sudo,dc=ipa,dc=pb Rule name: sudo_users_all Enabled: TRUE Host category: all Command category: all User Groups: sudo_users ipauniqueid: 880ee794-b6cf-11e2-b6c0-001a4a22046a objectclass: ipaassociation, ipasudorule
The rule is correctly downloaded by SSSD, after login as 'AD\Administrator' the groups are resolved correctly:
$ su 'AD\Administrator' Password: Creating home directory for administrator@ad.pb. $ id uid=1751600500(administrator@ad.pb) gid=1751600500(administrator@ad.pb) groups=1751600500(administrator@ad.pb),1522800004(sudo_users),1751600512(domain admins@ad.pb),1751600513(domain users@ad.pb),1751600518(schema admins@ad.pb),1751600519(enterprise admins@ad.pb),1751600520(group policy creator owners@ad.pb),1751601106(sudo users@ad.pb) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
SUDO responder does not return any records using this filter:
(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=administrator@ad.pb)(sudoUser=#1751600500)(sudoUser=%sudo_users)(sudoUser=%sudo users@ad.pb)(sudoUser=%schema admins@ad.pb)(sudoUser=%enterprise admins@ad.pb)(sudoUser=%group policy creator owners@ad.pb)(sudoUser=%domain admins@ad.pb)(sudoUser=%domain users@ad.pb)(sudoUser=+*)))
But the same filter returns correct rule via ldbsearch.
# ldbsearch -H cache_TRUST.ldb -b cn=sudorules,cn=custom,cn=TRUST,cn=sysdb "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=administrator@ad.pb)(sudoUser=#1751600500)(sudoUser=%sudo_users)(sudoUser=%sudo users@ad.pb)(sudoUser=%schema admins@ad.pb)(sudoUser=%enterprise admins@ad.pb)(sudoUser=%group policy creator owners@ad.pb)(sudoUser=%domain admins@ad.pb)(sudoUser=%domain users@ad.pb)(sudoUser=+*)))" # record 1 dn: name=sudo_users_all,cn=sudorules,cn=custom,cn=TRUST,cn=sysdb cn: sudo_users_all dataExpireTimestamp: 1367908267 entryUSN: 1333 name: sudo_users_all objectClass: sudoRule originalDN: cn=sudo_users_all,ou=sudoers,dc=ipa,dc=pb sudoCommand: ALL sudoHost: ALL sudoUser: %sudo_users distinguishedName: name=sudo_users_all,cn=sudorules,cn=custom,cn=TRUST,cn=sysdb # returned 1 records # 1 entries # 0 referrals
The problem is different in master and 1.9.
2f5fbac breaks it in 1.9 because the name of trusted users was converted to FQDN, but sudo responder is not aware of it, thus it is unable to find the user.
bfba065 changes the problem in master. It finds the user correctly but then search the wrong ldb tree for rules - cn=ad.domain,cn=sysdb instead of cn=ipa.domain,cn=sysdb.
Fields changed
owner: somebody => pbrezina patch: 0 => 1 status: new => assigned
milestone: NEEDS_TRIAGE => SSSD 1.10.0
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=961356
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=961356 961356]
resolution: => fixed status: assigned => closed
This was actually fixed in the Beta.
milestone: SSSD 1.10.0 => SSSD 1.10 beta
changelog: => N/A, mostly a bugfix
Metadata Update from @pbrezina: - Issue assigned to pbrezina - Issue set to the milestone: SSSD 1.10 beta
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/2954
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Log in to comment on this ticket.