Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1313940
Description of problem:
Sudo not working for IPA sudo_provider.

Version-Release number of selected component (if applicable):
[root@auto-hv-02-guest05 ~]# rpm -q ipa-server sssd
ipa-server-3.0.0-50.el6.x86_64
sssd-1.13.3-15.el6.x86_64
[root@auto-hv-02-guest05 ~]#

How reproducible:
Always

Steps to Reproduce:

On IPA Master:
(1) Added sudorule for IPA client machine for user "testuser1" for command "mkdir"
[root@auto-hv-02-guest05 ~]# ipa sudorule-show sudorule2
  Rule name: sudorule2
  Enabled: TRUE
  Users: testuser1
  Hosts: ipaqa64vml.testrelm.test
  Sudo Allow Commands: /bin/mkdir
[root@auto-hv-02-guest05 ~]# echo xxxxxxxx|kinit testuser1
Password for testuser1@TESTRELM.TEST:

On IPA Client:
(2) Add sudo_provider with ipa in sssd.conf

On IPA Master:
(3) Do ssh with user testuser1 to IPA client machine. Now try 'sudo -l' on IPA client machine.
Saw following on console:
"User testuser1 is not allowed to run sudo on ipaqa64vml."
But instead it should have shown that user can run 'mkdir' command on this host.

[root@auto-hv-02-guest05 ~]#
[root@auto-hv-02-guest05 ~]# ssh -o StrictHostKeyChecking=no -l testuser1 ipaqa64vml.testrelm.test
Last login: Wed Mar 2 07:33:28 2016 from auto-hv-02-guest05.testrelm.test
... ....
Could not chdir to home directory /home/testuser1: No such file or directory
-sh-4.1$ sudo -l
[sudo] password for testuser1:
User testuser1 is not allowed to run sudo on ipaqa64vml.
-sh-4.1$ logout
Connection to ipaqa64vml.testrelm.test closed.
[root@auto-hv-02-guest05 ~]#

On IPA Client:
(4) following shown in sssd_sudo.log
(Wed Mar 2 10:06:33 2016) [sssd[sudo]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Wed Mar 2 10:06:34 2016) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x10b0a70
(Wed Mar 2 10:06:34 2016) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 0x10ae830
(Wed Mar 2 10:06:34 2016) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Mar 2 10:06:34 2016) [sssd[sudo]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 5 error message: Internal Error
(Wed Mar 2 10:06:34 2016) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x10b31b0
(Wed Mar 2 10:06:34 2016) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x10b32d0

Actual results:
sudo command to be executed not shown with 'sudo -l'

Expected results:
sudo command to be executed should be shown with 'sudo -l'

Additional info:
(1) When sudo_provider changed to ldap provider, 'sudo -l' gives correct output. Thanks to Jakub for this.
An older version of FreeIPA (3.0) uses a different RDN for ipasudocmd (sudoCmd instead of ipaUniqueID).
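A consumer of IPA sudo rules has to cope with both RDN forms named in the comment above, or rules for one server generation silently resolve to no commands. The following is an added example, not SSSD's code and not part of the ticket: it classifies a sudo command DN by its leading RDN. The sample DNs, the cn=sudocmds container layout and the function names are assumptions made for illustration.

```python
import re

# Constructed sample DNs: the suffix and the UUID are made up, and the
# cn=sudocmds,cn=sudo container layout is an assumption of this example.
SUFFIX = "cn=sudocmds,cn=sudo,dc=testrelm,dc=test"
OLD_STYLE = "sudoCmd=/bin/mkdir," + SUFFIX
NEW_STYLE = "ipaUniqueID=00000000-0000-0000-0000-000000000001," + SUFFIX
ESCAPED = r"sudoCmd=/bin/echo a\,b \3D c," + SUFFIX


def first_rdn(dn):
    """Return (attribute, value) of the leading RDN, decoding RFC 4514 escapes."""
    attr, sep, rest = dn.partition("=")
    if not sep or not attr.strip():
        raise ValueError("not a DN: %r" % dn)
    value = bytearray()
    i = 0
    while i < len(rest):
        ch = rest[i]
        if ch == "\\":
            pair = rest[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
                value.append(int(pair, 16))            # hex form, e.g. \2C
                i += 3
            else:
                value += rest[i + 1:i + 2].encode()    # literal form, e.g. \,
                i += 2
            continue
        if ch in ",+":                                  # unescaped separator
            break
        value += ch.encode()
        i += 1
    return attr.strip(), value.decode("utf-8")


def classify_sudocmd_dn(dn):
    """Say how the command behind a sudo command DN can be obtained."""
    attr, value = first_rdn(dn)
    name = attr.lower()                 # attribute names are case-insensitive
    if name == "sudocmd":
        return ("command-in-rdn", value)        # FreeIPA 3.0 style entry
    if name == "ipauniqueid":
        return ("lookup-required", None)        # read sudoCmd from the entry
    return ("unrecognized", None)               # do not guess: report it


if __name__ == "__main__":
    for dn in (OLD_STYLE, NEW_STYLE, ESCAPED):
        print(classify_sudocmd_dn(dn), dn)
```

Returning "unrecognized" instead of an empty command keeps an unexpected RDN visible as an error rather than as a rule that grants nothing.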
Fields changed
blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
owner: somebody => pbrezina
review: True => 0
selected: =>
status: new => assigned
testsupdated: => 0
Fields changed
patch: 0 => 1
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1313940 (Red Hat Enterprise Linux 6)
rhbz: [https://bugzilla.redhat.com/show_bug.cgi?id=1313940 1313940] => [https://bugzilla.redhat.com/show_bug.cgi?id=1313940 1313940], [https://bugzilla.redhat.com/show_bug.cgi?id=1313940 1313940]
milestone: NEEDS_TRIAGE => SSSD 1.13.4
resolution: => fixed
status: assigned => closed
Metadata Update from @pbrezina:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.13.4
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4010
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.