libsss-sudo generated nsswitch.conf leads to error messages upon sudo invocation
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
sssd (Ubuntu) | Fix Released | Low | Unassigned |
sudo (Debian) | Fix Released | Unknown | |
sudo (Fedora) | Fix Released | Undecided | |
Bug Description
Hello,
the postinst script for libsss-sudo adds the following line to /etc/nsswitch.conf:
sudoers: files sss
On my LDAP+krb5 setup, this leads to the following error message when either LDAP or local users invoke sudo:
Nov 9 17:34:41 charon sudo: oliver : problem with defaults entries ; TTY=pts/0 ; PWD=/etc ;
The sudo invocation succeeds nonetheless, so this is mainly an annoying cosmetic issue, since a mail is sent to root every time someone runs sudo.
Running a debug trace on sudo shows the following:
Nov 9 17:34:41 sudo[3297] <- update_defaults @ /build/
Nov 9 17:34:41 sudo[3297] <- sudo_file_setdefs @ /build/
Nov 9 17:34:41 sudo[3297] -> sudo_sss_open @ /build/
Nov 9 17:34:41 sudo[3297] <- sudo_sss_open @ /build/
Nov 9 17:34:41 sudo[3297] -> sudo_sss_parse @ /build/
Nov 9 17:34:41 sudo[3297] <- sudo_sss_parse @ /build/
Nov 9 17:34:41 sudo[3297] -> sudo_sss_setdefs @ /build/
Nov 9 17:34:41 sudo[3297] Looking for cn=defaults
Nov 9 17:34:41 sudo[3297] handle-
Nov 9 17:34:41 sudo[3297] <- sudo_sss_setdefs @ /build/
Nov 9 17:34:41 sudo[3297] -> log_error @ /build/
Nov 9 17:34:41 sudo[3297] -> vlog_error @ /build/
Nov 9 17:34:41 sudo[3297] -> set_perms @ /build/
Nov 9 17:34:41 sudo[3297] set_perms: PERM_ROOT: uid: [0, 0, 0] -> [0, 0, 0]
Nov 9 17:34:41 sudo[3297] -> sudo_grlist_addref @ /build/
Nov 9 17:34:41 sudo[3297] <- sudo_grlist_addref @ /build/
Nov 9 17:34:41 sudo[3297] <- set_perms @ /build/
Nov 9 17:34:41 sudo[3297] -> new_logline @ /build/
Nov 9 17:34:41 sudo[3297] <- new_logline @ /build/
Nov 9 17:34:41 sudo[3297] -> send_mail @ /build/
Nov 9 17:34:41 sudo[3297] -> do_syslog @ /build/
I have found a similar report in Red Hat's Bugzilla, but I'm not entirely sure if it's the same problem. There are slight differences in the debug trace: https:/
Removing the "sss" statement from the sudoers line in nsswitch.conf works around the problem.
Changed in sudo (Ubuntu):
status: New → Fix Released
no longer affects: sudo (Ubuntu)
Changed in sudo (Debian):
status: Unknown → New
Changed in sudo (Fedora):
importance: Unknown → Undecided
status: Unknown → Fix Released
Changed in sudo (Debian):
status: New → Incomplete
Changed in sudo (Debian):
status: Incomplete → Confirmed
Changed in sudo (Debian):
status: Confirmed → Fix Released
Created attachment 650460
proposed patch
Description of problem:
When sudo is used with sssd and a local user runs sudo, an e-mail is sent to the administrator, because sssd does not support sudo rules for local users. It is not an error, only noise.
Version-Release number of selected component (if applicable):
sudo-1.8.6p3-1
Steps to Reproduce:
1. configure sudo to use sssd as data source ('sudoers: files sss' in /etc/nsswitch.conf)
2. run sssd
3. log in as local user
4. run 'sudo -l' as local user
Actual results:
E-mail is sent to administrator:
"problem with defaults entries ; TTY=pts/2 ; PWD=/home/fuero"
Expected results:
No e-mail is sent.
Additional info:
From sudo logs:
Nov 23 15:06:27 sudo[18514] -> sudo_sss_setdefs @ ./sssd.c:331
Nov 23 15:06:27 sudo[18514] Looking for cn=defaults
Nov 23 15:06:27 sudo[18514] The user was not found in SSSD.
Nov 23 15:06:27 sudo[18514] <- sudo_sss_setdefs @ ./sssd.c:348 := -1
Nov 23 15:06:27 sudo[18514] -> log_error @ ./logging.c:473
Nov 23 15:06:27 sudo[18514] -> vlog_error @ ./logging.c:421
Nov 23 15:06:27 sudo[18514] -> set_perms @ ./set_perms.c:116
Nov 23 15:06:27 sudo[18514] set_perms: PERM_ROOT: uid: [0, 0, 0] -> [0, 0, 0]
Nov 23 15:06:27 sudo[18514] -> sudo_grlist_addref @ ./pwutil.c:770
Nov 23 15:06:27 sudo[18514] <- sudo_grlist_addref @ ./pwutil.c:772
Nov 23 15:06:27 sudo[18514] <- set_perms @ ./set_perms.c:350 := true
Nov 23 15:06:27 sudo[18514] -> new_logline @ ./logging.c:746
Nov 23 15:06:27 sudo[18514] <- new_logline @ ./logging.c:867 := problem with defaults entries ; TTY=pts/3 ; PWD=/home/pbrezina ;
Nov 23 15:06:27 sudo[18514] -> send_mail @ ./logging.c:524
Nov 23 15:06:27 sudo[18514] -> do_syslog @ ./logging.c:138
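For triage on an affected host, the following added example (not code from the reporters or from the sudo or sssd projects) groups a sudo debug trace by PID and separates "problem with defaults entries" mails that follow the SSSD "user not found" failure shown above from ones that need a closer look. The function name, verdict labels and sample trace are assumptions; the sample lines are constructed in the format of the traces in this report.

```python
import re
from collections import defaultdict

# Trace line shape taken from the report: "Nov 23 15:06:27 sudo[18514] <message>"
LINE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+sudo\[(\d+)\]\s+(.*)$")
SSS_FAIL = re.compile(r"^<- sudo_sss_setdefs\b.*:= -1$")

def classify_defaults_alerts(lines):
    """Map each sudo PID that mailed a defaults alert to a triage verdict."""
    per_pid = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            per_pid[m.group(1)].append(m.group(2))
    verdicts = {}
    for pid, msgs in per_pid.items():
        not_found = sss_failed = defaults_alert = False
        for msg in msgs:
            if "The user was not found in SSSD" in msg:
                not_found = True
            elif SSS_FAIL.match(msg):
                # Only the "user not found" failure is the known noise.
                sss_failed = not_found
            elif "problem with defaults entries" in msg:
                defaults_alert = True
            elif msg.startswith("-> send_mail") and defaults_alert:
                verdicts[pid] = "sss-noise" if sss_failed else "investigate"
    return verdicts

# Constructed sample trace (PIDs, paths and the ":= 0" return are made up).
SAMPLE = """\
Nov 23 15:06:27 sudo[4001] -> sudo_sss_setdefs @ ./sssd.c:331
Nov 23 15:06:27 sudo[4001] Looking for cn=defaults
Nov 23 15:06:27 sudo[4001] The user was not found in SSSD.
Nov 23 15:06:27 sudo[4001] <- sudo_sss_setdefs @ ./sssd.c:348 := -1
Nov 23 15:06:27 sudo[4001] <- new_logline @ ./logging.c:867 := problem with defaults entries ; TTY=pts/3 ; PWD=/home/alice ;
Nov 23 15:06:27 sudo[4001] -> send_mail @ ./logging.c:524
Nov 23 15:07:02 sudo[4002] <- sudo_sss_setdefs @ ./sssd.c:348 := 0
Nov 23 15:07:02 sudo[4002] <- new_logline @ ./logging.c:867 := problem with defaults entries ; TTY=pts/1 ; PWD=/root ;
Nov 23 15:07:02 sudo[4002] -> send_mail @ ./logging.c:524
Nov 23 15:08:11 sudo[4003] <- sudo_sss_setdefs @ ./sssd.c:348 := 0
Nov 23 15:08:11 sudo[4003] -> do_syslog @ ./logging.c:138
""".splitlines()

if __name__ == "__main__":
    for pid, verdict in classify_defaults_alerts(SAMPLE).items():
        print(pid, verdict)
```

PIDs are used as the grouping key, so a long trace in which PIDs are reused should be split by time window first.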