Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1482674
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem:
sudo doesn't work for IPA users on IPA clients after applying ID Views for them in the IPA server.

Version-Release number of selected component (if applicable):
sssd-1.14.0-43.el7_3.14.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Create an IdM user named "testipauser" with /home/testipauser, UID, GID and group name "testipagroup".
2. In the IPA server (under ID Views), override the IPA username "testipauser" with some other name, for example "testuser", and apply this ID View to specific IPA clients.
3. Create a sudo rule in IPA where members of the "testipagroup" group are given full access to sudo to any command, as the root user, on the desired IPA clients.
4. Add the client to a host-group and associate the host-group with the sudo rule (or you can add host-category ALL for testing purposes).
5. On the client run: # systemctl stop sssd; sss_cache -E; systemctl start sssd
6. Attempt to sudo as the overridden user-name "testuser" on the client, and the result will be:
---
User "testuser" is not in the sudoers file, this event will be reported.
---

Actual results:
sudo doesn't work on the IPA client if it is attempted as the overridden IPA username.

Expected results:
sudo should work on the IPA client even if it is attempted as the overridden IPA username.

Additional info:
Following are the details about the setup and configuration.
* Configuration:

IPA Server:
===========
[root@rhel7-ipa-1 ~]# hostname
rhel7-ipa-1.DOMAIN

[root@rhel7-ipa-1 ~]# ipa group-add testipagroup --gid=1000
--------------------------
Added group "testipagroup"
--------------------------
  Group name: testipagroup
  GID: 1000

[root@rhel7-ipa-1 ~]# ipa user-add testipauser --uid=16500000 --gidnumber=1000 --first=testipa --last=user
------------------------
Added user "testipauser"
------------------------
  User login: testipauser
  First name: testipa
  Last name: user
  Full name: testipa user
  Display name: testipa user
  Initials: tu
  Home directory: /home/testipauser
  GECOS: testipa user
  Login shell: /bin/sh
  Kerberos principal: testipauser@DOMAIN
  Email address: testipauser@DOMAIN
  UID: 16500000
  GID: 1000
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@rhel7-ipa-1 ~]# id testipauser
uid=16500000(testipauser) gid=1000(testipagroup) groups=1000(testipagroup)

[root@rhel7-ipa-1 ~]# ipa sudorule-find
-------------------
1 Sudo Rule matched
-------------------
  Rule name: testsudorule
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  User Groups: testipagroup
  Sudo Option: !authenticate
----------------------------
Number of entries returned 1
----------------------------

[root@rhel7-ipa-1 ~]# getent group testipagroup
testipagroup:*:1000:testipauser

[root@rhel7-ipa-1 ~]# ipa hostgroup-find
-------------------
1 hostgroup matched
-------------------
  Host-group: testhostgroup
  Member hosts: rhel7u3-1.DOMAIN
----------------------------
Number of entries returned 1
----------------------------

[root@rhel7-ipa-1 ~]# ipa group-find testipagroup
---------------
1 group matched
---------------
  Group name: testipagroup
  GID: 1000
  Member users: testipauser
  Member of Sudo rule: testsudorule
----------------------------
Number of entries returned 1
----------------------------

[root@rhel7-ipa-1 ~]# ipa sudorule-find
-------------------
1 Sudo Rule matched
-------------------
  Rule name: testsudorule
  Enabled: TRUE
  Host category: all
  Command category: all
  User Groups: testipagroup
  RunAs External User: root
  Sudo Option: !authenticate
----------------------------
Number of entries returned 1
----------------------------

[root@rhel7-ipa-1 ~]# id testipauser
uid=16500000(testipauser) gid=1000(testipagroup) groups=1000(testipagroup)

[root@rhel7-ipa-1 ~]# getent passwd testipauser
testipauser:*:16500000:1000:testipa user:/home/testipauser:/bin/sh

[root@rhel7-ipa-1 ~]# sudo -ll -U testipauser
Matching Defaults entries for testipauser on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User testipauser may run the following commands on this host:

SSSD Role: testsudorule
    RunAsUsers: root
    Options: !authenticate
    Commands:
        ALL

IPA Client:
===========
[root@rhel7u3-1 ~]# hostname
rhel7u3-1.DOMAIN

1. Without ID View:
===================
On IPA client:
[root@rhel7u3-1 ~]# id testipauser
uid=16500000(testipauser) gid=1000(testipagroup) groups=1000(testipagroup)

[root@rhel7u3-1 ~]# getent passwd testipauser
testipauser:*:16500000:1000:testipa user:/home/testipauser:/bin/sh

[root@rhel7u3-1 ~]# sudo -ll -U testipauser
Matching Defaults entries for testipauser on this host:
    !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User testipauser may run the following commands on this host:

SSSD Role: testsudorule
    RunAsUsers: root
    Options: !authenticate
    Commands:
        ALL

2. With ID View:
================
On IPA server:
[root@rhel7-ipa-1 ~]# ipa idview-show testidview --all
  dn: cn=testidview,cn=views,cn=accounts,dc=DOMAIN
  ID View Name: testidview
  User object overrides: testipauser
  Hosts the view applies to: rhel7u3-1.DOMAIN
  objectclass: ipaIDView, top, nsContainer

On IPA client:
[root@rhel7u3-1 ~]# service sssd stop; rm -rf /var/lib/sss/db/* ; service sssd start
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service

[root@rhel7u3-1 ~]# id testipauser
uid=5000(testuser) gid=1000(testipagroup) groups=1000(testipagroup)

[root@rhel7u3-1 ~]# id testuser
uid=5000(testuser) gid=1000(testipagroup) groups=1000(testipagroup)

[root@rhel7u3-1 ~]# ssh testipauser@0
Password:
Last login: Wed Jul 26 03:07:10 2017 from ::1
Could not chdir to home directory /home/testuser: No such file or directory
-sh-4.2$ logout
Connection to 0 closed.

[root@rhel7u3-1 ~]# ssh testuser@0
Password:
Last login: Wed Jul 26 03:37:11 2017 from 127.0.0.1
Could not chdir to home directory /home/testuser: No such file or directory
-sh-4.2$ logout
Connection to 0 closed.

[root@rhel7u3-1 ~]# sudo -ll -U testipauser
User testuser is not allowed to run sudo on rhel7u3-1.

[root@rhel7u3-1 ~]# sudo -ll -U testuser
User testuser is not allowed to run sudo on rhel7u3-1.

Conclusion:
===========
After applying the ID View in the IPA server, sudo doesn't work on the IPA client at all, whereas login works perfectly on the client. I have already discussed this with pbrezina; as he mentioned, the sudo responder is unable to find the overridden user name and thus it is failing. We probably will have to modify the "sudoUser" attribute to contain the overridden name instead of the original one.
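The results above separate two lookups that are easy to conflate: the NSS path, where `id` and `ssh` resolve both "testipauser" and "testuser" to the same account, and the sudo responder's own user lookup, which, per the reporter's conclusion, does not find the overridden name. The following Python model is an added illustration and is not code from the original report or from SSSD. The account, ID view and sudo rule are constructed to mirror the reproduction in the ticket; the "naive" and "resolving" responder lookups are assumptions made for the illustration only and are not a description of the actual SSSD change.

```python
# Added illustration (not SSSD code): a minimal model of why an ID-view user
# name override breaks sudo rule matching while login keeps working.
# Sample account, view and rule are constructed to mirror the ticket; the
# "naive"/"resolving" responder lookups are assumptions for this illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    login: str           # original IPA login, as stored in the domain
    uid: int
    groups: frozenset    # groups the user belongs to (original group names)


@dataclass(frozen=True)
class SudoRule:
    name: str
    sudo_users: frozenset  # IPA sudoUser values: "login" or "%group"


# Constructed sample data mirroring the ticket
USERS = {"testipauser": User("testipauser", 16500000, frozenset({"testipagroup"}))}
RULES = [SudoRule("testsudorule", frozenset({"%testipagroup"}))]
NO_VIEW = {}
VIEW = {"testipauser": "testuser"}   # ID view: original login -> overridden login


def nss_lookup(name, users, view):
    """NSS-style lookup on the client: both the original and the overridden
    login resolve to the same account, which is why ssh accepts either name.
    Returns (canonical login as getpwnam would report it, account), or
    (None, None) when the name is unknown."""
    if name in users:
        acct = users[name]
        return view.get(acct.login, acct.login), acct
    for orig, overridden in view.items():
        if overridden == name and orig in users:
            return overridden, users[orig]
    return None, None


def responder_lookup_naive(name, users, view):
    """Assumed buggy behaviour: the responder only knows original logins, so
    the canonical (overridden) name that sudo hands it finds nothing.
    `view` is unused here on purpose; the signature matches the fixed variant."""
    return users.get(name)


def responder_lookup_resolving(name, users, view):
    """Assumed fix: resolve the name through the ID view, as the NSS path does."""
    return nss_lookup(name, users, view)[1]


def rule_matches(rule, acct):
    """Match IPA sudoUser values against the account's login and group names."""
    for entry in rule.sudo_users:
        if entry.startswith("%"):
            if entry[1:] in acct.groups:
                return True
        elif entry == acct.login:
            return True
    return False


def sudo_rules_for(invoked_as, users, view, rules, lookup):
    """Simulate `sudo -ll -U <invoked_as>` on the client.

    sudo canonicalises the login via NSS first, so `-U testipauser` and
    `-U testuser` both reach the responder as the overridden name.
    Returns (canonical login, [names of matching rules])."""
    canonical, _ = nss_lookup(invoked_as, users, view)
    if canonical is None:
        return None, []
    acct = lookup(canonical, users, view)
    if acct is None:
        return canonical, []   # "User <canonical> is not allowed to run sudo"
    return canonical, [r.name for r in rules if rule_matches(r, acct)]


if __name__ == "__main__":
    for label, view, lookup in (
        ("no view, naive", NO_VIEW, responder_lookup_naive),
        ("view applied, naive", VIEW, responder_lookup_naive),
        ("view applied, resolving", VIEW, responder_lookup_resolving),
    ):
        for name in ("testipauser", "testuser"):
            result = sudo_rules_for(name, USERS, view, RULES, lookup)
            print(f"{label:24} sudo -ll -U {name:12} -> {result}")
```

Run as a script it prints the simulated `sudo -ll -U` outcome for each combination. The tell-tale pattern from the ticket is reproduced by the naive lookup with the view applied: NSS canonicalises either name to "testuser", and the responder then reports that "testuser" has no rules, regardless of which name was passed to `-U`.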
Metadata Update from @jhrozek: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1482674
Metadata Update from @jhrozek: - Issue assigned to jhrozek
Picking up because there is already a WIP patch: https://github.com/jhrozek/sssd/commit/425b019d75c8ec5bf9566b984832bb5a1b06d05e
Metadata Update from @jhrozek: - Issue set to the milestone: None
PR: https://github.com/SSSD/sssd/pull/366
Metadata Update from @jhrozek: - Issue tagged with: PR
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD 1.15.4
master:
The patches do not cleanly apply to older branches due to the cache_req refactoring.
If you want to apply the patches at least to sssd-1-14, I can give you a backport, I had to create it anyway in order to create RHEL test packages.
Metadata Update from @jhrozek: - Issue priority set to: critical
The sssd-1-13 sudo responder code is quite different, because only in sssd-1-14 did we switch to cache_req at all. The difference between master and sssd-1-14 is not that big, but for sssd-1-13 I would prefer to only do the backport if someone needs it; otherwise we risk a regression.
Closing.
Metadata Update from @jhrozek: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD 1.16.0 (was: SSSD 1.15.4)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4514
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.