#1472 Users are not matched from sudo client.
Closed: Fixed None Opened 12 years ago by rcritten.

https://bugzilla.redhat.com/show_bug.cgi?id=720711

1. # ipa-nis-manage enable
[root@qe-blade-04 ~]# hostname 
qe-blade-04.testrelm
[root@qe-blade-04 ~]# nisdomainname 
testrelm

2. [root@qe-blade-04 ~]# ipa user-add user1
First name: user
Last name: 1
------------------
Added user "user1"
------------------
  User login: user1
  First name: user
  Last name: 1
  Full name: user 1
  Display name: user 1
  Initials: u1
  Home directory: /home/user1
  GECOS field: user 1
  Login shell: /bin/sh
  Kerberos principal: user1@TESTRELM
  UID: 742600006
  GID: 742600006
[root@qe-blade-04 ~]# ipa passwd user1
Password: 
Enter Password again to verify: 
-------------------------------------
Changed password for "user1@TESTRELM"
-------------------------------------

3. [root@qe-blade-04 ~]# ipa sudorule-add 
Rule name: testrule1
---------------------------
Added sudo rule "testrule1"
---------------------------
  Rule name: testrule1
  Enabled: TRUE
[root@qe-blade-04 ~]# ipa sudorule-add-user
Rule name: testrule1
[member user]: user1
[member group]: user1
  Rule name: testrule1
  Enabled: TRUE
  Users: user1
  Groups: user1
-------------------------
Number of members added 2
-------------------------
[root@qe-blade-04 ~]#

4. [root@qe-blade-04 ~]# ipa sudorule-find testrule1 --all --raw
-------------------
1 sudo rule matched
-------------------
  dn:
ipauniqueid=85dc8ce2-ac95-11e0-9702-00215e202e2e,cn=sudorules,cn=sudo,dc=testrelm
  cn: testrule1
  ipaenabledflag: TRUE
  memberuser: cn=user1,cn=groups,cn=accounts,dc=testrelm
  memberuser: uid=user1,cn=users,cn=accounts,dc=testrelm
  ipauniqueid: 85dc8ce2-ac95-11e0-9702-00215e202e2e
  objectclass: ipaassociation
  objectclass: ipasudorule
----------------------------
Number of entries returned 1
----------------------------
[root@qe-blade-04 ~]#

5. [root@qe-blade-04 ~]# cat /etc/nss_ldap.conf 
bind_policy soft
sudoers_base ou=SUDOers,dc=testrelm
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=testrelm
bindpw bind123
ssl no

tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
sudoers_debug 5
BASE dc=testrelm
TLS_CACERTDIR /etc/ipa
uri ldap://qe-blade-04.testrelm

6. [root@qe-blade-04 ~]# ssh -l user1 localhost
user1@localhost's password: 
Last login: Tue Jul 12 10:47:52 2011 from localhost
-sh-4.1$ sudo -l


Actual results (note: because `sudoers_debug` is set, sudo echoes the LDAP bind password in clear text in its config summary below, and with `ssl no` the bind itself goes over plain `ldap://` — the `tls_*` settings have no effect without TLS — so treat `bind123` as exposed and redact `bindpw` before sharing such logs):
-sh-4.1$ sudo -l
LDAP Config Summary
===================
uri              ldap://qe-blade-04.testrelm
ldap_version     3
sudoers_base     ou=SUDOers,dc=testrelm
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=testrelm
bindpw           bind123
bind_timelimit   5000
timelimit        15
ssl              no
tls_checkpeer    (yes)
tls_cacertfile   /etc/ipa/ca.crt
tls_cacertdir    /etc/ipa
===================
sudo: ldap_initialize(ld, ldap://qe-blade-04.testrelm)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacertdir -> /etc/ipa
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=testrelm
sudo: user_matches=0    <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
sudo: host_matches=0
sudo: sudo_ldap_lookup(52)=0xe0
[sudo] password for user1: 
user1 is not in the sudoers file.  This incident will be reported.
-sh-4.1$

-sh-4.1$ sudo -l
LDAP Config Summary
===================
uri              ldap://bumblebee.lab.eng.pnq.redhat.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
binddn          
uid=sudo,cn=sysaccounts,cn=etc,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
bindpw           bind123
bind_timelimit   5000
timelimit        15
ssl              no
tls_checkpeer    (yes)
tls_cacertfile   /etc/ipa/ca.crt
tls_cacertdir    /etc/ipa
===================
sudo: ldap_initialize(ld, ldap://bumblebee.lab.eng.pnq.redhat.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacertdir -> /etc/ipa
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in
ou=SUDOers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
sudo: user_matches=1 <<<<<<<<<<<<<<<<<<<<<<<<<
sudo: host_matches=0
sudo: sudo_ldap_lookup(52)=0xc0

Note: In this case the IPA server was installed with the --setup-dns option:

ipa-server-install --setup-dns --forwarder=$DNSFORWARD
--hostname=$hostname_s.$DOMAIN -r $RELM -n $DOMAIN -p $ADMINPW -P $ADMINPW -a
$ADMINPW -U

When I installed ipa-server without this option, sudo worked as expected.

Bug introduced with changeset 8e086fd, which caused ldapupdate to handle .uldif files incorrectly — in particular schema_compat.uldif.

Metadata Update from @rcritten:
- Issue assigned to jraquino
- Issue set to the milestone: FreeIPA 2.1 - 2011/07


