#1912 SUDO is not working for users from trusted AD domain
Closed: Fixed None Opened 9 years ago by pbrezina.

AD side:
User Administrator is part of 'SUDO Users' group

IPA side:
external group ad_sudo_users contains SID of 'SUDO Users'
group sudo_users contains ad_sudo_users

# ipa sudorule-show --all sudo_users_all
dn: ipaUniqueID=880ee794-b6cf-11e2-b6c0-001a4a22046a,cn=sudorules,cn=sudo,dc=ipa,dc=pb
Rule name: sudo_users_all
Enabled: TRUE
Host category: all
Command category: all
User Groups: sudo_users
ipauniqueid: 880ee794-b6cf-11e2-b6c0-001a4a22046a
objectclass: ipaassociation, ipasudorule

The rule is correctly downloaded by SSSD, after login as 'AD\Administrator' the groups are resolved correctly:

$ su 'AD\Administrator'
Creating home directory for administrator@ad.pb.

$ id
uid=1751600500(administrator@ad.pb) gid=1751600500(administrator@ad.pb) groups=1751600500(administrator@ad.pb),1522800004(sudo_users),1751600512(domain admins@ad.pb),1751600513(domain users@ad.pb),1751600518(schema admins@ad.pb),1751600519(enterprise admins@ad.pb),1751600520(group policy creator owners@ad.pb),1751601106(sudo users@ad.pb) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

SUDO responder does not return any records using this filter:

(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=administrator@ad.pb)(sudoUser=#1751600500)(sudoUser=%sudo_users)(sudoUser=%sudo users@ad.pb)(sudoUser=%schema admins@ad.pb)(sudoUser=%enterprise admins@ad.pb)(sudoUser=%group policy creator owners@ad.pb)(sudoUser=%domain admins@ad.pb)(sudoUser=%domain users@ad.pb)(sudoUser=+*)))

But the same filter returns correct rule via ldbsearch.

# ldbsearch -H cache_TRUST.ldb -b cn=sudorules,cn=custom,cn=TRUST,cn=sysdb "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=administrator@ad.pb)(sudoUser=#1751600500)(sudoUser=%sudo_users)(sudoUser=%sudo users@ad.pb)(sudoUser=%schema admins@ad.pb)(sudoUser=%enterprise admins@ad.pb)(sudoUser=%group policy creator owners@ad.pb)(sudoUser=%domain admins@ad.pb)(sudoUser=%domain users@ad.pb)(sudoUser=+*)))"

# record 1
dn: name=sudo_users_all,cn=sudorules,cn=custom,cn=TRUST,cn=sysdb
cn: sudo_users_all
dataExpireTimestamp: 1367908267
entryUSN: 1333
name: sudo_users_all
objectClass: sudoRule
originalDN: cn=sudo_users_all,ou=sudoers,dc=ipa,dc=pb
sudoCommand: ALL
sudoHost: ALL
sudoUser: %sudo_users
distinguishedName: name=sudo_users_all,cn=sudorules,cn=custom,cn=TRUST,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals

The problem is different in master and 1.9.

2f5fbac breaks it in 1.9 because the name of trusted users was converted to FQDN, but sudo responder is not aware of it, thus it is unable to find the user.

bfba065 changes the problem in master. It finds the user correctly but then search the wrong ldb tree for rules - cn=ad.domain,cn=sysdb instead of cn=ipa.domain,cn=sysdb.

Fields changed

owner: somebody => pbrezina
patch: 0 => 1
status: new => assigned

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.10.0

resolution: => fixed
status: assigned => closed

This was actually fixed in the Beta.

milestone: SSSD 1.10.0 => SSSD 1.10 beta

Fields changed

changelog: => N/A, mostly a bugfix

Metadata Update from @pbrezina:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.10 beta

5 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2954

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.