#3288 IPA - sudo does not handle associated conflict entries
Closed: Fixed None Opened 4 years ago by jstephen.

Sudo attempts will fail in IDM environments when LDAP entries exist associated with the sudo rule, in the SSSD log we see:

(Wed Jan 25 17:08:13 2017) [sssd[be[jstephen.local]]] [sdap_search_bases_ex_done] (0x0400): Receiving data from base [cn=sudo,dc=jstephen,dc=local]
(Wed Jan 25 17:08:13 2017) [sssd[be[jstephen.local]]] [ipa_sudo_fetch_cmds_done] (0x0040): Received 2 sudo commands
(Wed Jan 25 17:08:13 2017) [sssd[be[jstephen.local]]] [ipa_sudo_fetch_done] (0x0400): About to convert rules
(Wed Jan 25 17:08:13 2017) [sssd[be[jstephen.local]]] [convert_host] (0x0020): Unexpected DN fqdn=conflicthost.jstephen.local+nsuniqueid=9b1e3301-c32611e6-bdcae37a-ef905e7c,cn=computers,cn=accounts,dc=jstephen,dc=local
(Wed Jan 25 17:08:13 2017) [sssd[be[jstephen.local]]] [rules_iterator] (0x0040): Unable to convert attributes [12]: Cannot allocate memory
(Wed Jan 25 17:08:13 2017) [sssd[be[jstephen.local]]] [ipa_sudo_conv_result] (0x0020): Unable to convert rules [12]: Cannot allocate memory
(Wed Jan 25 17:08:13 2017) [sssd[be[jstephen.local]]] [ipa_sudo_fetch_done] (0x0020): Unable to convert rules [12]: Cannot allocate memory
(Wed Jan 25 17:08:13 2017) [sssd[be[jstephen.local]]] [sdap_id_op_done] (0x4000): releasing operation connection

This is caused by the memberHost attribute containing conflict entries.

[root@ipa-server-f24 ~]# ipa sudorule-find --all --raw 'testrule'
1 Sudo Rule matched
  dn: ipaUniqueID=e9025c46-ddab-11e6-9096-525400af7498,cn=sudorules,cn=sudo,dc=jstephen,dc=local
  cn: testrule
  ipaenabledflag: TRUE
  ipasudorunasusercategory: all
  ipasudorunasgroupcategory: all
  memberhost: fqdn=ipa-client-f25.jstephen.local,cn=computers,cn=accounts,dc=jstephen,dc=local
  memberhost: fqdn=ipa-replica-f25.jstephen.local,cn=computers,cn=accounts,dc=jstephen,dc=local
  memberhost: fqdn=ipa-server-f24.jstephen.local,cn=computers,cn=accounts,dc=jstephen,dc=local
  memberhost: fqdn=conflicthost.jstephen.local+nsuniqueid=9b1e3301-c32611e6-bdcae37a-ef905e7c,cn=computers,cn=accounts,dc=jstephen,dc=local
  memberhost: fqdn=testhost.jstephen.local+nsuniqueid=cb3d7383-ddb511e6-8c9996c1-71a1e36a,cn=computers,cn=accounts,dc=jstephen,dc=local
  memberuser: uid=testuser,cn=users,cn=accounts,dc=jstephen,dc=local
  ipaUniqueID: e9025c46-ddab-11e6-9096-525400af7498
  memberallowcmd: cn=mycmdgroup,cn=sudocmdgroups,cn=sudo,dc=jstephen,dc=local
  objectClass: ipasudorule
  objectClass: ipaassociation
Number of entries returned 1
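An added check, not part of the ticket or of SSSD's own code, that scans the raw `ipa sudorule-find --all --raw` output above for memberhost DNs whose leading RDN is the multi-valued form `fqdn=...+nsuniqueid=...` that 389 Directory Server gives replication conflict entries (the shape convert_host rejects in the log). It recovers the host name and the nsuniqueid from the RDN so the affected entries can be listed and cleaned up before sudo evaluation fails; the sample output is copied from the listing above.

```python
import re

# Constructed sample: the relevant lines of the sudorule-find listing from the ticket.
SAMPLE_OUTPUT = """\
  dn: ipaUniqueID=e9025c46-ddab-11e6-9096-525400af7498,cn=sudorules,cn=sudo,dc=jstephen,dc=local
  cn: testrule
  memberhost: fqdn=ipa-client-f25.jstephen.local,cn=computers,cn=accounts,dc=jstephen,dc=local
  memberhost: fqdn=conflicthost.jstephen.local+nsuniqueid=9b1e3301-c32611e6-bdcae37a-ef905e7c,cn=computers,cn=accounts,dc=jstephen,dc=local
  memberhost: fqdn=testhost.jstephen.local+nsuniqueid=cb3d7383-ddb511e6-8c9996c1-71a1e36a,cn=computers,cn=accounts,dc=jstephen,dc=local
  memberuser: uid=testuser,cn=users,cn=accounts,dc=jstephen,dc=local
"""

def split_unescaped(text, sep):
    """Split on `sep` unless it is backslash-escaped, as LDAP DN syntax allows."""
    return re.split(r'(?<!\\)' + re.escape(sep), text)

def parse_rdn(rdn):
    """Return the attribute/value pairs of one RDN; '+' joins a multi-valued RDN."""
    pairs = {}
    for ava in split_unescaped(rdn, '+'):
        attr, _, value = ava.partition('=')
        pairs[attr.strip().lower()] = value.strip()
    return pairs

def classify_memberhost(dn):
    """Describe a memberHost DN: the host fqdn and whether it is a conflict entry."""
    first_rdn = parse_rdn(split_unescaped(dn, ',')[0])
    return {
        'dn': dn,
        'fqdn': first_rdn.get('fqdn'),
        # A conflict entry carries nsuniqueid in its RDN alongside the real naming attribute.
        'conflict': 'nsuniqueid' in first_rdn,
        'nsuniqueid': first_rdn.get('nsuniqueid'),
    }

def find_conflict_hosts(raw_output):
    """Return the conflict memberhost entries found in raw `ipa sudorule-find` output."""
    hosts = []
    for line in raw_output.splitlines():
        attr, sep, value = line.strip().partition(':')
        if sep and attr.lower() == 'memberhost':
            info = classify_memberhost(value.strip())
            if info['conflict']:
                hosts.append(info)
    return hosts

if __name__ == '__main__':
    for h in find_conflict_hosts(SAMPLE_OUTPUT):
        print(f"conflict entry for {h['fqdn']} (nsuniqueid={h['nsuniqueid']})")
```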

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.14.3

Fields changed

owner: somebody => jstephen
status: new => assigned
resolution: => fixed
status: assigned => closed

Metadata Update from @jstephen:
- Issue assigned to jstephen
- Issue set to the milestone: SSSD 1.14.3

4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4321

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
