Setup:
- IPA server: srv.server.com
- IPA client: cl.client.com
- configure both ipa-server and ipa-client before following steps
How to reproduce:
```
[server] # ipa user-add testuser1 --first Test --last User1
[server] # ipa hostgroup-add testhostgroup
[server] # ipa hostgroup-add-member testhostgroup --hosts cl.client.com
[server] # ipa sudorule-add testrule --usercat=all --cmdcat=all --runasusercat=all --runasgroupcat=all
[server] # ipa sudorule-add-option testrule --sudooption !authenticate
[server] # ipa sudorule-add-host testrule --hostgroups testhostgroup

# on client, clear SSSD cache
[client] # systemctl stop sssd
[client] # find /var/lib/sss/db -name '*.ldb' | xargs rm -fv
[client] # rm -fv /var/lib/sss/mc/group
[client] # rm -fv /var/lib/sss/mc/passwd
[client] # systemctl start sssd

# verify that sudo allows access from client
[client] # su -c "sudo -l" testuser1
```
Expected result:
Prints list of allowed commands.
Actual results:
Rejects access:
```
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

sudo: no tty present and no askpass program specified
```
Applies to versions 4.4 and 4.3.
sssd needn't fetch sudo rules immediately after start. They should be fetched from IPA after a few seconds, IIRC 10-20. I would need to check the source code.
Yes, I realize that, and actually the automated tests are configured for a 10 sec sleep after performing changes in sudo rules. This issue is the only problematic one: other sudo rules (for users, groups, hosts) work well, only hostgroup sudorules malfunction. Also, I have now tested the issue more than an hour after establishing the sudo rule and still receive the failure.
hostgroups not working suggests that the NIS domainname is not being set. You may want to do something like this to ensure you can see the triplet:
```
$ getent netgroup testhostgroup
```
It will probably look something like:
```
testhostgroup (cl.client.com,-,client.com)
```
I have:
```
$ getent netgroup testhostgroup
testhostgroup (cl.client.com,-,server.com)
```
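The check suggested above, as an added example that is not part of the ticket: a POSIX sh snippet that pulls the domain field out of every `(host,user,domain)` triple in a `getent netgroup` line and compares it with the NIS domain the client itself uses, so the server.com/client.com mismatch shown in the reporter's output is flagged instead of silently breaking hostgroup sudo rules. The sample line is constructed from the reporter's paste; `check_hostgroup` assumes `getent` and `nisdomainname`/`domainname` are installed on the client.

```shell
# Constructed sample in the form `getent netgroup` prints, mirroring the
# reporter's output; not captured from a real host.
SAMPLE_LINE='testhostgroup (cl.client.com,-,server.com)'

# netgroup_domains NETGROUP_LINE
# Print the domain field of every (host,user,domain) triple on the line.
netgroup_domains() (
    set -f                                  # no globbing while word-splitting
    for tok in $1; do
        case $tok in
            \(*,*,*\))                      # a triple: "(host,user,domain)"
                tok=${tok#\(}; tok=${tok%\)}
                printf '%s\n' "${tok##*,}"  # text after the last comma
                ;;
        esac
    done
)

# mismatched_domains NETGROUP_LINE NIS_DOMAIN
# Print each triple domain that is set but is not NIS_DOMAIN; an empty
# domain field is a wildcard in netgroup semantics and is never reported.
mismatched_domains() {
    netgroup_domains "$1" | while IFS= read -r d; do
        if [ -n "$d" ] && [ "$d" != "$2" ]; then
            printf '%s\n' "$d"
        fi
    done
}

# netgroup_matches_client NETGROUP_LINE NIS_DOMAIN
# Succeed only if no triple carries a foreign domain; the ticket's state
# (triple says server.com, client is in client.com) makes this fail.
netgroup_matches_client() {
    [ -z "$(mismatched_domains "$1" "$2")" ]
}

# check_hostgroup NETGROUP
# Live version for an IPA client; assumes getent and nisdomainname (or
# domainname) exist, which is an assumption of this example.
check_hostgroup() {
    line=$(getent netgroup "$1") || { echo "netgroup $1 not found" >&2; return 2; }
    nisdom=$(nisdomainname 2>/dev/null || domainname)
    if netgroup_matches_client "$line" "$nisdom"; then
        echo "OK: every triple in $1 carries NIS domain '$nisdom'"
    else
        echo "MISMATCH: $1 has triples outside NIS domain '$nisdom':" >&2
        mismatched_domains "$line" "$nisdom" >&2
        return 1
    fi
}
```

On a client, `check_hostgroup testhostgroup` exits 1 and lists the foreign domains when the triples do not match the client's NIS domain.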
Created SSSD ticket: https://fedorahosted.org/sssd/ticket/3152
Hi, if you use the -l option, you still need to authenticate (unless the cn=defaults rule says otherwise). Authentication needs a terminal or an askpass program.
You need to either add a rule named defaults with option !authenticate or you need to alter your test in a way that it executes a specific program instead of listing allowed commands.
Metadata Update from @lryznaro:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE