SSSD / sssd

Clone

#3488 SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server
Closed: Fixed 6 years ago Opened 6 years ago by jhrozek.

Closed: Fixed
Reopen Issue

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1482674

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:
SUDO doesn't work for IPA users on IPA clients after applying ID Views for them
in IPA server

Version-Release number of selected component if applicable:
sssd-1.14.0-43.el7_3.14.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Create IDM user named "testipauser" with /home/testipauser, UID, GID and
group name "testipagroup".
2. In IPA server,(under ID Views) override IPA username "testipauser" with some
other name for example "testuser" and apply this ID View to specific IPA
clients.
3. Create sudo rule in IPA where members of "testipagroup" group are given full
access to sudo to any command, as root user on IPA desired clients.
4. Add client to a host-group and associate host-group to sudo rule (Or you can
add host-category ALL for testing purpose)
5. On client run: # systemctl stop sssd; sss_cache -E; systemctl start sssd
6. Attempt to sudo as overriden user-name "testuser" on client, and the result
will be:
---
User  "testuser"  is not in the sudoers file, this event will be reported."
---

Actual results:
Sudo doesn't work on IPA client if it is attempted as overriden IPA username

Expected results:
Sudo should work on IPA client even if it is attempted as overriden IPA
username

Additional info:
Following are the details about the setup and configuration.

* Configuration:

IPA Server:
===========

[root@rhel7-ipa-1 ~]# hostname
rhel7-ipa-1.DOMAIN

[root@rhel7-ipa-1 ~]# ipa group-add testipagroup --gid=1000
--------------------------
Added group "testipagroup"
--------------------------
  Group name: testipagroup
  GID: 1000

[root@rhel7-ipa-1 ~]# ipa user-add testipauser --uid=16500000 --gidnumber=1000
--first=testipa --last=user
------------------------
Added user "testipauser"
------------------------
  User login: testipauser
  First name: testipa
  Last name: user
  Full name: testipa user
  Display name: testipa user
  Initials: tu
  Home directory: /home/testipauser
  GECOS: testipa user
  Login shell: /bin/sh
  Kerberos principal: testipauser@DOMAIN
  Email address: testipauser@DOMAIN
  UID: 16500000
  GID: 1000
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@rhel7-ipa-1 ~]# id testipauser
uid=16500000(testipauser) gid=1000(testipagroup) groups=1000(testipagroup)

[root@rhel7-ipa-1 ~]# ipa sudorule-find
-------------------
1 Sudo Rule matched
-------------------
  Rule name: testsudorule
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  User Groups: testipagroup
  Sudo Option: !authenticate
----------------------------
Number of entries returned 1
----------------------------

[root@rhel7-ipa-1 ~]# getent group testipagroup
testipagroup:*:1000:testipauser

[root@rhel7-ipa-1 ~]# ipa hostgroup-find
-------------------
1 hostgroup matched
-------------------
  Host-group: testhostgroup
  Member hosts: rhel7u3-1.DOMAIN
----------------------------
Number of entries returned 1
----------------------------

[root@rhel7-ipa-1 ~]# ipa group-find testipagroup
---------------
1 group matched
---------------
  Group name: testipagroup
  GID: 1000
  Member users: testipauser
  Member of Sudo rule: testsudorule
----------------------------
Number of entries returned 1
----------------------------

[root@rhel7-ipa-1 ~]# ipa sudorule-find
-------------------
1 Sudo Rule matched
-------------------
  Rule name: testsudorule
  Enabled: TRUE
  Host category: all
  Command category: all
  User Groups: testipagroup
  RunAs External User: root
  Sudo Option: !authenticate
----------------------------
Number of entries returned 1
----------------------------

[root@rhel7-ipa-1 ~]# id testipauser
uid=16500000(testipauser) gid=1000(testipagroup) groups=1000(testipagroup)

[root@rhel7-ipa-1 ~]# getent passwd testipauser
testipauser:*:16500000:1000:testipa user:/home/testipauser:/bin/sh

[root@rhel7-ipa-1 ~]# sudo -ll -U testipauser
Matching Defaults entries for testipauser on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2
QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User testipauser may run the following commands on this host:

SSSD Role: testsudorule
    RunAsUsers: root
    Options: !authenticate
    Commands:
        ALL

IPA Client:
===========

[root@rhel7u3-1 ~]# hostname
rhel7u3-1.DOMAIN

1. Without ID View:
===================

On IPA client:

[root@rhel7u3-1 ~]# id testipauser
uid=16500000(testipauser) gid=1000(testipagroup) groups=1000(testipagroup)

[root@rhel7u3-1 ~]# getent passwd testipauser
testipauser:*:16500000:1000:testipa user:/home/testipauser:/bin/sh

[root@rhel7u3-1 ~]# sudo -ll -U testipauser
Matching Defaults entries for testipauser on this host:
    !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG
LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE
LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User testipauser may run the following commands on this host:

SSSD Role: testsudorule
    RunAsUsers: root
    Options: !authenticate
    Commands:
        ALL


2. With ID View:
================

On IPA server:

[root@rhel7-ipa-1 ~]# ipa idview-show testidview --all
  dn: cn=testidview,cn=views,cn=accounts,dc=DOMAIN
  ID View Name: testidview
  User object overrides: testipauser
  Hosts the view applies to: rhel7u3-1.DOMAIN
  objectclass: ipaIDView, top, nsContainer

On IPA client:

[root@rhel7u3-1 ~]# service sssd stop; rm -rf /var/lib/sss/db/* ; service sssd
start
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service

[root@rhel7u3-1 ~]# id testipauser
uid=5000(testuser) gid=1000(testipagroup) groups=1000(testipagroup)

[root@rhel7u3-1 ~]# id testuser
uid=5000(testuser) gid=1000(testipagroup) groups=1000(testipagroup)

[root@rhel7u3-1 ~]# ssh testipauser@0
Password:
Last login: Wed Jul 26 03:07:10 2017 from ::1
Could not chdir to home directory /home/testuser: No such file or directory
-sh-4.2$ logout
Connection to 0 closed.

[root@rhel7u3-1 ~]# ssh testuser@0
Password:
Last login: Wed Jul 26 03:37:11 2017 from 127.0.0.1
Could not chdir to home directory /home/testuser: No such file or directory
-sh-4.2$ logout
Connection to 0 closed.

[root@rhel7u3-1 ~]# sudo -ll -U testipauser
User testuser is not allowed to run sudo on rhel7u3-1.

[root@rhel7u3-1 ~]# sudo -ll -U testuser
User testuser is not allowed to run sudo on rhel7u3-1.

Conclusion:
===========
After applying ID View in IPA server, sudo doesn't work on IPA client at all.
Whereas login works perfectly on client.

I have already discussed this with pbrezina, as he mentioned the sudo responder
is unable to find the overridden user name and thus it is failing.
And we probably will have to modify "sudoUser" attribute to contain the
overridden name instead of the original one.

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1482674
6 years ago

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1482674
6 years ago

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
6 years ago

picking up because there is already a WIP patch: I have a WIP patch: https://github.com/jhrozek/sssd/commit/425b019d75c8ec5bf9566b984832bb5a1b06d05e

Metadata Update from @jhrozek:
- Issue set to the milestone: None
6 years ago

Metadata Update from @jhrozek:
- Issue tagged with: PR
6 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.15.4
6 years ago

master:

Patches does not cleanly apply to older branches due to cache_req refactoring

If you want to apply the patches at least to sssd-1-14, I can give you a backport, I had to create it anyway in order to create RHEL test packages.

Metadata Update from @jhrozek:
- Issue priority set to: critical
6 years ago

The sssd-1-13 sudo responder code is quite different, because only in sssd-1-14 we switched to cache_req at all. The difference between master and sssd-1-14 is not that big, but for sssd-1-13 I would prefer to only do the backport if someone needs it, otherwise we risk a regression.

Closing.

Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)
6 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.0 (was: SSSD 1.15.4)
6 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4514

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata

PR

None
None
critical
None
None
None
None
None
None
https://bugzilla.redhat.com/show_bug.cgi?id=1482674
None
None
None
None
None
None
None
None
None
None
None
None
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.