sudo fails to retrieve groups in sudoUser

Bug #1686544 reported by quess
Affects: sudo (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

I am currently using sudo with sssd 1.13.4 on xenial to manage sudo rules; groups have not been resolved since the last update.

I troubleshot:
- sudo with all@debug
- sssd with [sudo] debug_level = 9 and [domain/domain.tld] debug_level = 9
- LDAP requests are correctly sent, and I can obtain correct rules
- The SSSD cache is correctly stored too; I can successfully ldbsearch into it!

I had to downgrade sudo from 1.8.16-0ubuntu1.3 (xenial) to 1.8.16-0ubuntu1 (xenial) to get my groups working again. I tried sudo 1.8.19, with no luck.

Working in 1.8.16-0ubuntu1.3 and 1.8.16-0ubuntu1:
sudoCommand: /bin/mount
sudoHost: ALL
sudoUser: ALL

Working in 1.8.16-0ubuntu1.3 and 1.8.16-0ubuntu1:
sudoCommand: /bin/mount
sudoHost: ALL
sudoUser: #uid

Broken since 1.8.16-0ubuntu1.3:
sudoCommand: /bin/mount
sudoHost: ALL
sudoUser: %mygroup

Broken in 1.8.16-0ubuntu1.3:
sudoCommand: /bin/mount
sudoHost: ALL
sudoUser: myuser

Patch sssd-doesnt-handle-netgroups.diff seems to break something...

quess (quess) wrote:

In the link posted above, the OP solves the problem by adding objectClass: posixgroup to his groups.
In my case, they are already "posix-ified".

But I finally made my sudo rules work by setting use_fully_qualified_names = False.

Summary:
use_fully_qualified_names = True + sudo 1.8.16-0ubuntu1 => OK
use_fully_qualified_names = True + sudo 1.8.16-0ubuntu1.3 => NOK
use_fully_qualified_names = False + sudo 1.8.16-0ubuntu1.3 => OK

Remaining problems:
sudoUser=%#gid is not retrieved
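To see why the symptom pattern in this report (ALL and #uid rules keep working while %group and bare-username rules stop matching) lines up with the use_fully_qualified_names setting, here is a small matcher for the sudoUser forms documented in sudoers.ldap(5): ALL, username, #uid, %group, %#gid and +netgroup. This is an added example written for this page, not sudo's, sssd's or the reporter's code. The LDIF entries, the uid 1001, the gid 2001 and both identity records are constructed; the matcher does a plain string comparison on names, which is only a simplified model of one failure pattern consistent with the report, not a reproduction of the actual sudo or sssd code path. Netgroups are not resolved here, and the %#gid rule is matched on the assumption that the provider returned it at all (the sssd issue linked above is about it not being returned).

```python
import re
from dataclasses import dataclass

# Constructed sample directory dump covering the rule shapes compared in the
# report (ALL, #uid, %group, bare user name) plus the %#gid form.
SAMPLE_LDIF = """\
dn: cn=mount-all,ou=sudoers,dc=domain,dc=tld
objectClass: sudoRole
cn: mount-all
sudoCommand: /bin/mount
sudoHost: ALL
sudoUser: ALL

dn: cn=mount-uid,ou=sudoers,dc=domain,dc=tld
objectClass: sudoRole
cn: mount-uid
sudoCommand: /bin/mount
sudoHost: ALL
sudoUser: #1001

dn: cn=mount-group,ou=sudoers,dc=domain,dc=tld
objectClass: sudoRole
cn: mount-group
sudoCommand: /bin/mount
sudoHost: ALL
sudoUser: %mygroup

dn: cn=mount-user,ou=sudoers,dc=domain,dc=tld
objectClass: sudoRole
cn: mount-user
sudoCommand: /bin/mount
sudoHost: ALL
sudoUser: myuser

dn: cn=mount-gid,ou=sudoers,dc=domain,dc=tld
objectClass: sudoRole
cn: mount-gid
sudoCommand: /bin/mount
sudoHost: ALL
sudoUser: %#2001
"""


@dataclass(frozen=True)
class Identity:
    """The requesting user as the name service (here: sssd) presents it."""
    name: str           # login name, possibly "user@domain" when fully qualified
    uid: int
    groups: frozenset   # group names, possibly "group@domain" when fully qualified
    gids: frozenset     # numeric group ids (primary and supplementary)


def parse_ldif(text):
    """Parse a minimal LDIF dump into one {attribute: [values]} dict per entry.
    Entries are separated by blank lines; attribute names are lowercased
    because LDAP attribute names are case-insensitive."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def sudo_user_matches(spec, ident):
    """Decide whether one sudoUser value applies to ident, following the
    value forms listed in sudoers.ldap(5). Simplified model, not sudo's code."""
    if spec == "ALL":
        return True
    if spec.startswith("%#"):          # numeric group id
        return spec[2:].isdigit() and int(spec[2:]) in ident.gids
    if spec.startswith("%"):           # group name, exact string compare
        return spec[1:] in ident.groups
    if spec.startswith("#"):           # numeric user id
        return spec[1:].isdigit() and int(spec[1:]) == ident.uid
    if spec.startswith("+"):           # netgroup: not resolved in this model
        return False
    return spec == ident.name          # user name, exact string compare


def matching_roles(ldif_text, ident):
    """Return the cn of every sudoRole whose sudoUser values cover ident."""
    roles = []
    for entry in parse_ldif(ldif_text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "sudorole" not in classes:
            continue
        if any(sudo_user_matches(v, ident) for v in entry.get("sudouser", [])):
            roles.append(entry["cn"][0])
    return roles


# Constructed identities: the same account as sssd would present it with
# use_fully_qualified_names = False (short names) and = True (name@domain).
SHORT = Identity("myuser", 1001, frozenset({"mygroup"}), frozenset({2001}))
FQ = Identity("myuser@domain.tld", 1001,
              frozenset({"mygroup@domain.tld"}), frozenset({2001}))

if __name__ == "__main__":
    for label, ident in (("short names", SHORT), ("fully qualified names", FQ)):
        print(f"{label}: {matching_roles(SAMPLE_LDIF, ident)}")
```

With short names all five rules match; with fully qualified names only the ALL, #uid and %#gid rules survive, because the numeric forms never touch the name while the %group and username forms compare against a string that now carries the domain suffix. When auditing a directory for rules that silently stopped applying, running the same dump through both identity shapes shows exactly which entries depend on the name form the provider returns.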

quess (quess) wrote:

sudoUser=%#gid is a known bug in sssd https://pagure.io/SSSD/sssd/issue/1678
