#2969 sudorule not working with ipa sudo_provider on older freeipa
Closed: Fixed. Opened 3 years ago by pbrezina.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1313940

Description of problem:

Sudo not working for IPA sudo_provider.

Version-Release number of selected component (if applicable):

[root@auto-hv-02-guest05 ~]# rpm -q ipa-server sssd
[root@auto-hv-02-guest05 ~]#

How reproducible:

Steps to Reproduce:

On IPA Master:

(1) Added sudorule for IPA client machine for user "testuser1" for command

[root@auto-hv-02-guest05 ~]# ipa sudorule-show sudorule2
  Rule name: sudorule2
  Enabled: TRUE
  Users: testuser1
  Hosts: ipaqa64vml.testrelm.test
  Sudo Allow Commands: /bin/mkdir
[root@auto-hv-02-guest05 ~]# echo xxxxxxxx|kinit testuser1
Password for testuser1@TESTRELM.TEST:

On IPA Client:

(2) Add sudo_provider with ipa in sssd.conf

On IPA Master:

(3) Do ssh with user testuser1 to the IPA client machine. Now try 'sudo -l' on the IPA
client machine.

Saw the following on the console.

"User testuser1 is not allowed to run sudo on ipaqa64vml."

But instead it should have shown that the user can run the 'mkdir' command on this

[root@auto-hv-02-guest05 ~]#
[root@auto-hv-02-guest05 ~]# ssh -o StrictHostKeyChecking=no -l testuser1
Last login: Wed Mar  2 07:33:28 2016 from auto-hv-02-guest05.testrelm.test
Could not chdir to home directory /home/testuser1: No such file or directory
-sh-4.1$ sudo -l
[sudo] password for testuser1:
User testuser1 is not allowed to run sudo on ipaqa64vml.
-sh-4.1$ logout
Connection to ipaqa64vml.testrelm.test closed.
[root@auto-hv-02-guest05 ~]#

On IPA Client:

(4) following shown in sssd_sudo.log

(Wed Mar  2 10:06:33 2016) [sssd[sudo]] [id_callback] (0x0100): Got id ack and
version (1) from Monitor
(Wed Mar  2 10:06:34 2016) [sssd[sudo]] [sbus_remove_timeout] (0x2000):
(Wed Mar  2 10:06:34 2016) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn:
(Wed Mar  2 10:06:34 2016) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Mar  2 10:06:34 2016) [sssd[sudo]] [sss_dp_get_reply] (0x1000): Got reply
from Data Provider - DP error code: 3 errno: 5 error message: Internal Error
(Wed Mar  2 10:06:34 2016) [sssd[sudo]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x10b31b0

(Wed Mar  2 10:06:34 2016) [sssd[sudo]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x10b32d0

Actual results:
sudo command to be executed not shown with 'sudo -l'

Expected results:
sudo command to be executed should be shown with 'sudo -l'

Additional info:
(1) When sudo_provider is changed to the ldap provider, 'sudo -l' gives correct output.
Thanks to Jakub for this.

Older version of FreeIPA (3.0) uses different rdn of ipasudocmd (sudoCmd instead of ipaUniqueID).
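The sentence above is the whole explanation of the failure: the rule references its command objects by DN, and a provider that only understands an `ipaUniqueID=...` RDN cannot resolve a FreeIPA 3.0 DN whose RDN is `sudoCmd=...`, so the rule ends up with no allowed commands and `sudo -l` reports that the user may not run sudo. The following is an added illustration written for this ticket, not SSSD or FreeIPA code: it models the command lookup in Python with a constructed in-memory directory and shows the strict (ipaUniqueID-only) resolution beside one that accepts either RDN attribute. The attribute names `memberAllowCmd`, `ipaUniqueID`, `sudoCmd` and the object class `ipasudocmd` are assumed from the FreeIPA schema; the DNs and UUID are constructed sample values.

```python
"""Resolve IPA sudo rule command references across FreeIPA schema versions.

Added example, not SSSD's or FreeIPA's code. Assumptions: a rule references
its commands through memberAllowCmd DNs, an ipasudocmd object carries
sudoCmd and (on newer servers) ipaUniqueID, and on FreeIPA 3.0 the command
RDN is sudoCmd=... instead of ipaUniqueID=... All data below is constructed.
"""
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]

CMDS_BASE = "cn=sudocmds,cn=sudo,dc=testrelm,dc=test"
UUID = "11111111-2222-3333-4444-555555555555"  # constructed, not a real ipaUniqueID

# Constructed directory: the same /bin/mkdir command object in both naming styles.
SAMPLE_DIRECTORY: Directory = {
    # Current FreeIPA style: RDN is ipaUniqueID
    f"ipaUniqueID={UUID},{CMDS_BASE}": {
        "objectClass": ["ipasudocmd"],
        "ipaUniqueID": [UUID],
        "sudoCmd": ["/bin/mkdir"],
    },
    # FreeIPA 3.0 style: RDN is sudoCmd
    f"sudoCmd=/bin/mkdir,{CMDS_BASE}": {
        "objectClass": ["ipasudocmd"],
        "sudoCmd": ["/bin/mkdir"],
    },
}

# The ticket's sudorule2, as it would reference the command on each server type.
NEW_RULE: Entry = {"cn": ["sudorule2"], "memberAllowCmd": [f"ipaUniqueID={UUID},{CMDS_BASE}"]}
OLD_RULE: Entry = {"cn": ["sudorule2"], "memberAllowCmd": [f"sudoCmd=/bin/mkdir,{CMDS_BASE}"]}


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN strings, honouring backslash-escaped commas."""
    parts: List[str] = []
    cur: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def first_rdn(dn: str) -> Tuple[str, str]:
    """Return (attribute, value) of the leftmost RDN; attribute is lower-cased."""
    attr, _, value = split_dn(dn)[0].partition("=")
    return attr.strip().lower(), value.strip()


def find_by_attr(directory: Directory, attr: str, value: str) -> Optional[Entry]:
    """Case-insensitive attribute search, like an LDAP filter (attr=value)."""
    for entry in directory.values():
        for name, values in entry.items():
            if name.lower() == attr and value in values:
                return entry
    return None


def resolve_rule_commands(rule: Entry, directory: Directory, strict_uniqueid: bool) -> List[str]:
    """Return the sudoCmd strings a rule allows.

    strict_uniqueid=True models a provider that only recognises ipaUniqueID
    RDNs: a FreeIPA 3.0 sudoCmd RDN is skipped, the rule keeps no commands,
    and 'sudo -l' reports the user may not run sudo, as in the ticket.
    """
    commands: List[str] = []
    for ref in rule.get("memberAllowCmd", []):
        attr, value = first_rdn(ref)
        if strict_uniqueid and attr != "ipauniqueid":
            continue  # old behaviour: unrecognised RDN, command silently dropped
        if attr not in ("ipauniqueid", "sudocmd"):
            continue  # neither naming style; not a command object reference
        entry = find_by_attr(directory, attr, value)
        if entry and "ipasudocmd" in (c.lower() for c in entry.get("objectClass", [])):
            commands.extend(entry.get("sudoCmd", []))
    return commands


if __name__ == "__main__":
    for label, rule in (("new-style server", NEW_RULE), ("FreeIPA 3.0 server", OLD_RULE)):
        strict = resolve_rule_commands(rule, SAMPLE_DIRECTORY, strict_uniqueid=True)
        lenient = resolve_rule_commands(rule, SAMPLE_DIRECTORY, strict_uniqueid=False)
        print(f"{label}: ipaUniqueID-only -> {strict or 'no commands'}; either RDN -> {lenient}")
```

Running it shows the new-style rule resolving to `/bin/mkdir` under both resolvers, while the 3.0-style rule resolves only when the `sudoCmd` RDN is accepted; this is also a quick way to check, given a rule's `memberAllowCmd` values from `ldapsearch`, which naming style a server uses before deciding whether an SSSD version with this fix is required.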

owner: somebody => pbrezina
status: new => assigned

Fields changed

patch: 0 => 1

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13.4

resolution: => fixed
status: assigned => closed

Metadata Update from @pbrezina:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.13.4

2 years ago
