https://bugzilla.redhat.com/show_bug.cgi?id=871160 (Red Hat Enterprise Linux 6)
Description of problem:
sudo is not working for an AD trusted user in my IPA environment. I'm testing on IPA test server.

[root@rhel6-1 failure1]# cat /etc/sssd/sssd.conf
[domain/default]
debug_level = 10
cache_credentials = True

[domain/testrelm.com]
debug_level = 10
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = testrelm.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
subdomains_provider = ipa
ipa_hostname = rhel6-1.testrelm.com
chpass_provider = ipa
ipa_server = rhel6-1.testrelm.com
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_uri = ldap://rhel6-1.testrelm.com
ldap_sudo_search_base = ou=sudoers,dc=ipa,dc=testrelm,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/rhel6-1.testrelm.com
ldap_sasl_realm = TESTRELM.COM
krb5_server = rhel6-1.testrelm.com

[sssd]
debug_level = 10
services = nss, pam, ssh, pac, sudo
config_file_version = 2
domains = testrelm.com

[nss]
debug_level = 10

[pam]
debug_level = 10

[sudo]
debug_level = 10

[autofs]
debug_level = 10

[ssh]
debug_level = 10

[pac]
debug_level = 10

[root@rhel6-1 failure1]# ipa sudorule-show testrule
  Rule name: testrule
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: adtestdom_adtestgroup1

[root@rhel6-1 failure1]# ipa group-show adtestdom_adtestgroup1
  Group name: adtestdom_adtestgroup1
  Description: adtestdom.com adtestgroup1
  GID: 1277200040
  Member groups: adtestdom_adtestgroup1_external
  Member of Sudo rule: testrule

[root@rhel6-1 failure1]# ipa group-show adtestdom_adtestgroup1_external
  Group name: adtestdom_adtestgroup1_external
  Description: adtestdom.com adtestgroup1 external
  Member of groups: adtestdom_adtestgroup1
  Indirect Member of Sudo rule: testrule
  External member: S-1-5-21-1246088475-3077293710-2580964704-1135

[root@rhel6-1 failure1]# wbinfo -n "ADTESTDOM\adtestgroup1"
S-1-5-21-1246088475-3077293710-2580964704-1135 SID_DOM_GROUP (2)

In AD, user adtestuser1 is in adtestgroup1.

I added "debug_level = 10" to all sections of sssd.conf and reran the test:

[root@rhel6-1 sssd]# vi /etc/sssd/sssd.conf
[root@rhel6-1 sssd]# service sssd stop
Stopping sssd: [ OK ]
[root@rhel6-1 sssd]# ls
backup ldap_child.log sssd_nss.log sssd_pam.log sssd_sudo.log krb5_child.log sssd.log sssd_pac.log sssd_ssh.log sssd_testrelm.com.log
[root@rhel6-1 sssd]# for file in $(ls *.log); do cat /dev/null > $file; done
[root@rhel6-1 sssd]# service sssd start
Starting sssd: [ OK ]
[root@rhel6-1 sssd]# ssh -l adtestuser1@adtestdom.com rhel6-1.testrelm.com
adtestuser1@adtestdom.com@rhel6-1.testrelm.com's password:
Last login: Sun Oct 28 22:07:06 2012 from rhel6-1.testrelm.com
id: cannot find name for group ID 1232801136
-sh-4.1$ sudo id
[sudo] password for adtestuser1@adtestdom.com:
adtestuser1@adtestdom.com is not in the sudoers file. This incident will be reported.
-sh-4.1$ exit
logout
Connection to rhel6-1.testrelm.com closed.

Version-Release number of selected component (if applicable):
[root@rhel6-1 failure1]# rpm -qa|egrep "sssd|sudo"|sort
libsss_sudo-1.9.90-0.20121026T1831zgitac7a7ee.el6.x86_64
libsss_sudo-devel-1.9.90-0.20121026T1831zgitac7a7ee.el6.x86_64
sssd-1.9.90-0.20121026T1831zgitac7a7ee.el6.x86_64
sssd-client-1.9.90-0.20121026T1831zgitac7a7ee.el6.x86_64
sudo-1.8.6p3-4.el6.x86_64

How reproducible:
Seems to be always.

Steps to Reproduce:
1. Install IPA Master
2. Install AD server
3. Setup Cross Realm Trust to AD Domain
4. setup sudo rules like above
5. ssh to log in and run sudo

More information and details about some of the setup can be found here:
https://fedoraproject.org/wiki/QA:Testcase_freeipav3_sudo_sssd

Actual results:
User is denied running command.

Expected results:
User can run command.

Additional info:
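As an added illustration of the membership chain the rule above relies on (this is not code from the reporter, FreeIPA or SSSD): the sudo rule names a POSIX IPA group, that group contains a non-POSIX external group, and the external group carries the AD group's SID, so the rule can only reach a trusted user if one of that user's AD group SIDs appears somewhere in the chain. All data is constructed from the `ipa sudorule-show` and `ipa group-show` output in the report; the `IpaGroup`, `SudoRule`, `granting_sids` and `rule_applies` names are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class IpaGroup:
    name: str
    gid: Optional[int] = None                          # None: non-POSIX external group
    member_groups: List[str] = field(default_factory=list)
    external_members: List[str] = field(default_factory=list)   # AD SIDs

@dataclass
class SudoRule:
    name: str
    enabled: bool
    user_groups: List[str]                             # IPA groups the rule names

# Constructed from the ticket's `ipa sudorule-show` / `ipa group-show` output.
GROUPS: Dict[str, IpaGroup] = {
    "adtestdom_adtestgroup1": IpaGroup(
        "adtestdom_adtestgroup1", gid=1277200040,
        member_groups=["adtestdom_adtestgroup1_external"]),
    "adtestdom_adtestgroup1_external": IpaGroup(
        "adtestdom_adtestgroup1_external",
        external_members=["S-1-5-21-1246088475-3077293710-2580964704-1135"]),
}
TESTRULE = SudoRule("testrule", enabled=True, user_groups=["adtestdom_adtestgroup1"])

def granting_sids(group: str, groups: Dict[str, IpaGroup],
                  seen: Optional[Set[str]] = None) -> Set[str]:
    """AD SIDs reachable from an IPA group via nested membership (cycle-safe)."""
    seen = set() if seen is None else seen
    if group in seen or group not in groups:
        return set()
    seen.add(group)
    g = groups[group]
    sids = set(g.external_members)
    for child in g.member_groups:
        sids |= granting_sids(child, groups, seen)
    return sids

def rule_applies(rule: SudoRule, user_sids: List[str], groups: Dict[str, IpaGroup]) -> bool:
    """True when the rule is enabled and one of the user's AD group SIDs is an
    external member of a group the rule names, directly or through nesting."""
    if not rule.enabled:
        return False
    granting: Set[str] = set()
    for name in rule.user_groups:
        granting |= granting_sids(name, groups)
    return not granting.isdisjoint(user_sids)
```

For adtestuser1, whose AD group adtestgroup1 has the SID shown by `wbinfo`, `rule_applies(TESTRULE, [that SID], GROUPS)` is the membership decision the resolver has to arrive at; a user whose AD groups carry no SID in the chain gets no access.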
We need to fix this sooner.
milestone: SSSD 1.9.4 => SSSD 1.9.3
owner: somebody => pbrezina
status: new => assigned
patch: 0 => 1
Fixed in sssd-1-9:
- 4d2c8ac
- 3cc3ecc
- cc255b7
- d3f7600
- 894d2d5

and master:
- ee500ab
- 5a3c49e
- d38ffc9
- 7379170
- 3a97c85
resolution: => fixed
status: assigned => closed
Metadata Update from @dpal:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.9.3
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2658
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.