Why does sssd-1.9.2-129.el6_5.4 return an incomplete list of sudo rules containing +netgroups on Red Hat Enterprise Linux 6.5?
Issue
-
On a Red Hat Enterprise Linux 6.5 system configured as an LDAP client using sssd, with sudo-1.8.6p3-12.el6.x86_64, if a sudo rule contains +netgroup in the sudoUser attribute it results in access denied.
-
It appears that any mention of a netgroup in a sudoRole prevents the rest of that rule from being interpreted.
Here is an example with only sss enabled in /etc/nsswitch.conf
-
We've recently started deploying and patching to RHEL 6.5. Shortly after doing so, we've discovered problems with sssd.
-
In our LDAP model, we have sudoUsers who require access to multiple sudoRoles. However, sssd appears to match the first sudoRole and return only those rules. See an example below for the UserA user, who is present in the sudoRoles UserA-su, UserA-snmpd-su and opsview-su.
# grep sudoers /etc/nsswitch.conf
sudoers: sss
# su - UserA
$ sudo -l
Matching Defaults entries for UserA on this host:
ignore_local_sudoers
User UserA may run the following commands on this host:
(root) NOPASSWD: /etc/init.d/snmpd reload, /etc/init.d/snmptrapd reload, /etc/init.d/functions, /usr/bin/smo backup list *,
/sbin/vxdmpadm iostat show, /opt/VRTSvcs/bin/hastatus -sum, /opt/VRTSvcs/bin/hares -display, /opt/VRTSvcs/bin/hares -state *,
/opt/VRTSvcs/bin/hares -list, /opt/VRTSvcs/bin/hares -list sid=*
-
The commands in the output above are the result of UserA-su (only one rule) only. We are missing the other two sudoRoles.
-
When we add ldap to the end of nsswitch.conf for sudoers, our normal behaviour is back.
# grep sudoers /etc/nsswitch.conf
sudoers: sss ldap
# su - UserA
$ sudo -l
Matching Defaults entries for UserA on this host:
ignore_local_sudoers, ignore_local_sudoers
User UserA may run the following commands on this host:
(root) NOPASSWD: /etc/init.d/snmpd reload, /etc/init.d/snmptrapd reload, /etc/init.d/functions, /usr/bin/smo backup list *,
/sbin/vxdmpadm iostat show, /opt/VRTSvcs/bin/hastatus -sum, /opt/VRTSvcs/bin/hares -display, /opt/VRTSvcs/bin/hares -state *,
/opt/VRTSvcs/bin/hares -list, /opt/VRTSvcs/bin/hares -list sid=*
(root) NOPASSWD: /usr/local/UserA/libexec/check_logfiles *, /usr/bin/su - UserA, /bin/su - UserA,
/usr/local/UserA/bin/install_slave, /usr/sbin/vxstat, /sbin/vxdmpadm iostat show, /admin/stats/thread_watch.ksh,
/opt/scripts/checkdisks/checkdisks.ksh
(root) NOPASSWD: /etc/init.d/snmpd reload, /etc/init.d/snmptrapd reload, /etc/init.d/functions, /usr/bin/smo backup list *,
/sbin/vxdmpadm iostat show, /opt/VRTSvcs/bin/hastatus -sum, /opt/VRTSvcs/bin/hares -display, /opt/VRTSvcs/bin/hares -state *,
/opt/VRTSvcs/bin/hares -list, /opt/VRTSvcs/bin/hares -list sid=*
(root) NOPASSWD: /bin/su - UserA, /usr/bin/su - UserA, /usr/local/UserA/bin/install_slave, /usr/local/UserA/libexec/check_logfiles
*, /usr/local/UserA/libexec/check_vxvm, /usr/local/UserA/libexec/check_oradataguard.sh, /usr/bin/sudoedit /etc/snmp/snmpd.conf,
/usr/bin/sudoedit /etc/init.d/snmptrapd, /usr/bin/sudoedit /etc/init.d/snmpd, /usr/bin/sudoedit /etc/snmp/snmptrapd.conf, /usr/bin/tail
-f /var/log/messages
- This is the entire set of commands for all three sudoRoles.
- I can confirm that sssd behaves as we expect with the following version of sssd installed:
sssd-client-1.9.2-82.7.el6_4.x86_64
sssd-1.9.2-82.7.el6_4.x86_64
- Can you advise whether any functionality was lost between these versions of sssd-*? And can you provide a workaround to allow us to continue using our additional sudo architecture with sssd?
Environment
- Red Hat Enterprise Linux 6.5
- sssd-1.9.2-129.el6_5.4.x86_64
- sssd-client-1.9.2-129.el6_5.4.x86_64
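The following is an added example, not code from this article, from sudo or from sssd. It is a small offline evaluator of the sudoers-LDAP sudoUser/sudoHost matching rules (plain user name, %group, +netgroup, ALL) that computes the complete rule set a user should receive from a set of sudoRole entries, then diffs that against the command list parsed from `sudo -l` output. This gives a reference "expected" set to compare against what `sudoers: sss` and `sudoers: sss ldap` actually return. The three sudoRole entries mirror the role names in the report (UserA-su, UserA-snmpd-su, opsview-su); the netgroup name opsview-admins, its members, the command lists and the sample `sudo -l` text are constructed assumptions.

```python
"""
Added example (not from the Red Hat article, sudo or sssd): offline evaluator
of sudoers-LDAP sudoUser/sudoHost matching, used to compute the full rule set
a user should get and to diff it against parsed `sudo -l` output.
"""
import re
from dataclasses import dataclass, field

# Constructed netgroup table: name -> set of (host, user, domain) triples.
# An empty field is a wildcard, as in netgroup(5). The netgroup name and
# its members are assumptions, not taken from the article.
NETGROUPS = {
    "opsview-admins": {("", "UserA", ""), ("", "UserB", "")},
}
# Constructed POSIX group table: name -> set of members.
GROUPS = {"wheel": {"root"}}


@dataclass
class SudoRole:
    """Subset of the sudoRole objectClass attributes needed for matching."""
    cn: str
    sudo_user: list
    sudo_host: list
    sudo_command: list
    sudo_option: list = field(default_factory=list)


# Constructed roles; only the cn values mirror the report, the rest is assumed.
SUDO_ROLES = [
    SudoRole("UserA-su", ["UserA"], ["ALL"],
             ["/etc/init.d/snmpd reload", "/sbin/vxdmpadm iostat show"], ["!authenticate"]),
    SudoRole("UserA-snmpd-su", ["UserA", "+opsview-admins"], ["ALL"],
             ["/usr/bin/sudoedit /etc/snmp/snmpd.conf", "/usr/bin/tail -f /var/log/messages"]),
    SudoRole("opsview-su", ["+opsview-admins"], ["ALL"],
             ["/usr/local/UserA/libexec/check_logfiles *", "/usr/bin/su - UserA"]),
]


def in_netgroup(name, user=None, host=None):
    """True if some triple of netgroup `name` matches; None or "" acts as a wildcard."""
    for ng_host, ng_user, _domain in NETGROUPS.get(name, ()):
        host_ok = not ng_host or host is None or ng_host == host
        user_ok = not ng_user or user is None or ng_user == user
        if host_ok and user_ok:
            return True
    return False


def sudo_user_matches(value, user, host):
    """sudoers(5) LDAP sudoUser forms handled: ALL, +netgroup, %group, user name.
    The numeric #uid and %#gid forms are not modelled in this example."""
    if value == "ALL":
        return True
    if value.startswith("+"):
        return in_netgroup(value[1:], user=user, host=host)
    if value.startswith("#") or value.startswith("%#"):
        raise ValueError("numeric uid/gid forms not modelled: %s" % value)
    if value.startswith("%"):
        return user in GROUPS.get(value[1:], set())
    return value == user


def sudo_host_matches(value, host):
    """sudoHost forms handled: ALL, +netgroup (host field of the triple), exact host name."""
    if value == "ALL":
        return True
    if value.startswith("+"):
        return in_netgroup(value[1:], host=host)
    return value == host


def applicable_roles(user, host="localhost"):
    """cn of every sudoRole whose sudoUser and sudoHost both match, in entry order."""
    return [
        r.cn for r in SUDO_ROLES
        if any(sudo_user_matches(v, user, host) for v in r.sudo_user)
        and any(sudo_host_matches(v, host) for v in r.sudo_host)
    ]


def expected_commands(user, host="localhost"):
    """Every command `sudo -l` should list for `user`, across all matching roles."""
    wanted = set(applicable_roles(user, host))
    return sorted({c for r in SUDO_ROLES if r.cn in wanted for c in r.sudo_command})


# A rule block in `sudo -l` output starts with "(runas)" plus optional tags such as "NOPASSWD:".
RULE_PREFIX = re.compile(r"\([^)]*\)\s*(?:[A-Z]+:\s*)*")


def parse_sudo_l(text):
    """Sorted command set from `sudo -l` output; wrapped continuation lines are re-joined."""
    body, seen_header = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            seen_header = True
            continue
        if seen_header and line.strip():
            body.append(line.strip())
    cmds = set()
    for block in RULE_PREFIX.split(" ".join(body)):
        cmds.update(c.strip() for c in block.split(", ") if c.strip())
    return sorted(cmds)


def missing_commands(user, sudo_l_output, host="localhost"):
    """Commands the evaluator expects for `user` that the `sudo -l` output did not print."""
    return sorted(set(expected_commands(user, host)) - set(parse_sudo_l(sudo_l_output)))


# Constructed `sudo -l` output in the shape of the report's "sudoers: sss" run,
# where only the UserA-su role's commands came back.
SAMPLE_SSS_ONLY = """\
Matching Defaults entries for UserA on this host:
    ignore_local_sudoers
User UserA may run the following commands on this host:
    (root) NOPASSWD: /etc/init.d/snmpd reload,
    /sbin/vxdmpadm iostat show
"""

if __name__ == "__main__":
    print("roles expected for UserA:", applicable_roles("UserA"))
    for cmd in missing_commands("UserA", SAMPLE_SSS_ONLY):
        print("missing from sudo -l:", cmd)
```

In practice you would paste the real `sudo -l` output for each nsswitch.conf variant into `missing_commands` and load the sudoRole entries from an `ldapsearch -b ou=SUDOers,...` dump instead of the constructed list; an empty result means the client returned the complete set, while the netgroup-backed roles showing up as missing reproduces the symptom the report describes.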