https://bugzilla.redhat.com/show_bug.cgi?id=711786
# ipa user-add testuser
First name: test
Last name: user
---------------------
Added user "testuser"
---------------------
User login: testuser
First name: test
Last name: user
Full name: test user
Display name: test user
Initials: tu
Home directory: /home/testuser
GECOS field: testuser
Login shell: /bin/sh
Kerberos principal: testuser@LAB.ENG.PNQ.REDHAT.COM
UID: 1866400014

# ipa sudorule-add-runasuser sudorule3 --users=testuser
Rule name: sudorule3
Enabled: TRUE
Users: shanks
Groups: group1
Hosts: mudflap.lab.eng.pnq.redhat.com
Sudo Allow Commands: /bin/ls, /bin/df, /bin/ln, /bin/pwd, /bin/hostname
Sudo Command Groups: basic cmd
Run As User: testuser
-------------------------
Number of members added 1
-------------------------
In DS:
dn: cn=sudorule3,ou=sudoers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: sudoRole
objectClass: extensibleObject
objectClass: top
[...]
sudorunasuser: testuser
sudorunasgroup: test user <<<<<<<<
cn: sudorule3
And in client:
-sh-4.1$ sudo -l
[...]
[sudo] password for shanks:
sudo: ldap search '(|(sudoUser=shanks)(sudoUser=%shanks)(sudoUser=%ipausers)(sudoUser=%group1)(sudoUser=ALL))'
sudo: ldap sudoHost 'mudflap.lab.eng.pnq.redhat.com' ... MATCH!
sudo: ldap search 'sudoUser=+*'
User shanks may run the following commands on this host:
    (test1, test3, test2, test4, testuser : test user) /bin/ls, /bin/df, /bin/ln, /bin/pwd, /bin/hostname
While adding a sudorunasuser, its corresponding sudorunasgroup gets added automatically ("sudorunasgroup: test user" in this case).
"test user" gets displayed as a runasgroup in LDAP and on the client.
After closer inspection, it appears as though we are also missing important sudo attributes in our native sudo schema. The following attribute types are absent:
attributetype ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
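The two symptoms above (a user's display name landing in sudoRunAsGroup, and a schema that does not define the RunAs attribute types) can both be checked from a directory export. The script below is an added example, not FreeIPA or 389-ds code: it parses a small LDIF dump of sudoRole entries, flags any sudoRunAsGroup value that is not a known group and in particular one that matches a user's displayName, and checks a schema file for the two attributetype definitions quoted above. The LDIF content, DN suffix, host name, group set and user-to-displayName map are constructed for the example; the schema snippet is the one from this ticket.

```python
"""Audit sudoRole LDIF entries for a sudoRunAsGroup that is really a user's
displayName, and check a schema dump for the sudoRunAsUser/Group types."""
import base64
import re

# Constructed LDIF, modelled on the entry quoted in the ticket.
# The suffix, host and the second rule are hypothetical.
SAMPLE_LDIF = """\
dn: cn=sudorule3,ou=sudoers,dc=example,dc=test
objectClass: sudoRole
objectClass: extensibleObject
objectClass: top
cn: sudorule3
sudoUser: shanks
sudoUser: %group1
sudoHost: host1.example.test
sudoCommand: /bin/ls
sudoRunAsUser: testuser
sudoRunAsGroup: test user

dn: cn=sudorule4,ou=sudoers,dc=example,dc=test
objectClass: sudoRole
objectClass: top
cn: sudorule4
sudoUser: ALL
sudoHost: ALL
sudoCommand: /bin/hostname
sudoRunAsUser: root
sudoRunAsGroup: wheel
"""

# Constructed directory context: existing groups, and uid -> displayName.
KNOWN_GROUPS = {"group1", "wheel", "ipausers"}
USER_DISPLAY_NAMES = {"testuser": "test user", "shanks": "shanks"}

# The two attribute types quoted in the ticket as missing from the schema.
SUDO_SCHEMA_SNIPPET = """\
attributetype ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attr_lowercase: [values]} dicts.
    Folded lines (leading space) are joined and '::' base64 values decoded;
    a blank line ends an entry and '#' comment lines are skipped."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        idx = line.find(":")
        if line.startswith("#") or idx < 0:
            continue
        name, rest = line[:idx].strip().lower(), line[idx + 1:]
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def audit_runas(entries, known_groups, user_display_names):
    """Return (rule_cn, value, reason) for every sudoRunAsGroup that is not
    a real group. A value equal to some user's displayName is exactly the
    symptom in this ticket: the RunAs user's display name was stored in the
    group attribute, so sudo -l shows it as a run-as group."""
    display_to_uid = {name: uid for uid, name in user_display_names.items()}
    findings = []
    for entry in entries:
        if "sudorole" not in {oc.lower() for oc in entry.get("objectclass", [])}:
            continue
        cn = entry.get("cn", ["<no cn>"])[0]
        for grp in entry.get("sudorunasgroup", []):
            if grp == "ALL" or grp in known_groups:
                continue
            if grp in display_to_uid:
                reason = "matches displayName of user %r, not a group" % display_to_uid[grp]
            else:
                reason = "group not found in directory"
            findings.append((cn, grp, reason))
    return findings


def schema_defines(schema_text, attribute_names):
    """Return the subset of attribute_names (case-insensitive) that the schema
    defines with an attributetype ( ... NAME 'x' ... ) clause. Simplified:
    NAME lists such as NAME ( 'a' 'b' ) are not handled."""
    defined = {m.group(1).lower() for m in
               re.finditer(r"attributetype\s*\(.*?NAME\s+'([^']+)'", schema_text, re.S)}
    return {n for n in attribute_names if n.lower() in defined}


if __name__ == "__main__":
    for cn, value, reason in audit_runas(parse_ldif(SAMPLE_LDIF), KNOWN_GROUPS, USER_DISPLAY_NAMES):
        print(f"{cn}: sudoRunAsGroup={value!r}: {reason}")
    wanted = {"sudoRunAsUser", "sudoRunAsGroup"}
    print("missing schema attributes:", sorted(wanted - schema_defines(SUDO_SCHEMA_SNIPPET, wanted)) or "none")
```

Run against a real export (for example the output of an ldapsearch over ou=sudoers) together with the directory's group list and uid/displayName pairs, the audit reports rules whose run-as group is a display name rather than a group, which is what the "testuser : test user" line in the client output above reflects.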
This ticket is blocked by: https://bugzilla.redhat.com/show_bug.cgi?id=713209
-No longer blocked- The newest 389 ds package includes the updated schema.
Both patches are required to resolve this ticket.
Patch 31 corrects the monolithic behavior inherited from the legacy schema not having a distinction between runasgroups and runasusers.
Patch 37 adds support for upgrading the sudo schema on older systems.
Added correction to the Makefile.am and adjusted the .update replace syntax:
freeipa-jraquino-0031-Correct-behavior-for-sudorunasgroup-vs-sudorunasuser.patch

Added correction to the Makefile.am: fixed indentation, removed trailing whitespace:
freeipa-jraquino-0037-Correct-sudo-runasuser-and-runasgroup-attributes.patch
master: 9821160 78c3abd
ipa-2-0: 104b1b8 13ad211
Metadata Update from @rcritten: - Issue assigned to jraquino - Issue set to the milestone: FreeIPA 2.1 - 2011/07