Learn more about these different git repos.
Other Git URLs
https://bugzilla.redhat.com/show_bug.cgi?id=854793 (Red Hat Enterprise Linux 6)
Description of problem: When host groups are used with sudorules in IPA - any update is not picked up by sssd until sssd is restarted and the sssd cache cleared on the client. user groups update immediately. This poses a potential security risk as if you remove hosts from the hostgroup sssd on the clients still allows them to run the sudo commands. Note that host groups for hbac rules works as expected i.e. update immediately. Version-Release number of selected component (if applicable): 1. RHEL 6.0, sssd v 1.5.1-66.el6_2.3 & ipa-server-2.1.3-9.el6.x86_64 (same version of client) 2. RHEL6.0, sssd v 1.8.0-32.el6.x86_64 & ipa-server-2.1.3-9.el6.x86_64 (same version of client) 3. RHEL 6.3 sssd v 1.8.0-32.el6.x86_64 & ipa-server-2.2.0-16.el6.x86_64 (same version of client) How reproducible: To make the steps clearer I will use an example where: hg_test is the hostgroup defined in IPA client.example.com is the client on which the sudo command will be executed test_user - is the test user Steps to Reproduce: 1. Set-up sudorule with "Access this host" set to hostgroup hg_test with client.example.com in the hostgroup hg_test & all other setting set to all. Set sudoers-debug 2 in sudo-ldap.conf (or whichever file sudo -V | grep ^ldap.conf specifies to help debugging). 2. Check that test_user on client.example.com can execute the sudo command successfully 3. Remove client.example.com from the hostgroup hg_test 4. Log out and in again as the test_user and attempt a sudo command again Actual results: Even after the host client.example.com has been removed from the hostgroup hg_test the users on this server can still execute sudo commands even though they should not be able to. This can only be remedied by restarting sssd and clearing the cache i.e.: service sssd stop ; rm -f /var/lib/sss/db/* ; service sssd start Expected results: Updates to the hosts in the hostgroup should be picked up immediately by sssd Additional info: Config files: sudo-ldap.conf: uri ldap://ipaserver.example.com ldap_version 3 sudoers_base ou=SUDOers,dc=example,dc=com binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com bindpw ***** bind_timelimit 5000 timelimit 15 ssl start_tls #tls_checkpeer (yes) tls_checkpeer no tls_cacertfile /etc/ipa/ca.crt sudoers_debug 2 sssd.conf [sssd] config_file_version = 2 services = nss, pam domains = example.com [nss] [pam] [domain/example.com] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = example.com id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = ipaserver.example.com chpass_provider = ipa ipa_server = ipaserver.example.com ldap_tls_cacert = /etc/ipa/ca.crt enumerate = True debug_level = 9 entry_cache_netgroup_timeout = 60 # set low to see if this would update the hostgroups after 60 seconds.
This turned out to be a configuration issue.
blockedby: => blocking: => coverity: => feature_milestone: => resolution: => invalid status: new => closed testsupdated: => 0
I am facing similar problem as above. This defect is closed with "configuration issue". I am changing sudorules for a group in ipa server and it is not reflecting in client machines until we clear sssd cache and restart it. Please let me know the configuration changes we need to make in order to solve this issue.
_comment0: I am facing similar problem as above. This defect is closed with "configuration issue". I am changing sudorules for group in ipa server and it is not reflecting in client machines until we clear sssd cache and restart it. Please let me know the configuration changes we need to make in order to solve this issue. => 1406910490946066 changelog: => design: => design_review: => 0 fedora_test_page: => review: => 0 selected: =>
Can you write to sssd-users mailing list? Otherwise I'm afraid the conversation would be lost..
Metadata Update from @dpal: - Issue set to the milestone: NEEDS_TRIAGE
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/2550
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Login to comment on this ticket.