I found out how to enable debugging for sudoers: Debug sudo /var/log/sudo-debug all@info Debug sudoers.so /var/log/sudoers-debug all@info
With the *new* sudo I get the following logged matching 'sssd': May 5 12:40:06 sudo[17912] sssd/ldap sudoHost 'ALL' ... MATCH! May 5 12:40:06 sudo[17912] sssd/ldap sudoUser '%system_administrators' ... not (brian.candler) May 5 12:40:06 sudo[17912] sssd/ldap sudoUser '%security_administrators' ... not (brian.candler) But with the *old* sudo I get: May 5 12:41:48 sudo[18384] sssd/ldap sudoHost 'ALL' ... MATCH! May 5 12:41:48 sudo[18384] sssd/ldap sudoRunAsUser 'ALL' ... MATCH! May 5 12:41:48 sudo[18384] sssd/ldap sudoCommand 'ALL' ... MATCH! It seems to be a behaviour change with group checking. The 'brian.candler' user *is* a member of one of those groups in IPA; but those groups are not posix groups so they are not visible using (e.g.) "id" I was able to solve the problem by adding objectClass: posixgroup gidNumber: NNNNNNNN to those group objects. After this, the sudoers log shows: May 5 13:11:50 sudo[19545] sssd/ldap sudoHost 'ALL' ... MATCH! May 5 13:11:50 sudo[19545] sssd/ldap sudoUser '%system_administrators' ... not (brian.candler) May 5 13:11:50 sudo[19545] sssd/ldap sudoUser '%security_administrators' ... MATCH! (brian.candler) May 5 13:11:50 sudo[19545] sssd/ldap sudoRunAsUser 'ALL' ... MATCH! May 5 13:11:50 sudo[19545] sssd/ldap sudoCommand 'ALL' ... MATCH! So: arguably this is not a bug, but a bug fix. Still, it would be nice if the release notes explained the potential for regression. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to sudo in Ubuntu. https://bugs.launchpad.net/bugs/1688034 Title: 1.8.16-0ubuntu1.3 update breaks sudo with freeipa-client / sssd Status in sudo package in Ubuntu: New Bug description: ubuntu 16.04, enrolled with freeipa-client to FreeIPA 4.4.0 (under CentOS 7) With sudo 1.8.16-0ubuntu1, everything is fine: brian.candler@api-dev:~$ sudo -s [sudo] password for brian.candler: root@api-dev:~# After update to 1.8.16-0ubuntu1.3, it no longer works: brian.candler@api-dev:~$ sudo -k brian.candler@api-dev:~$ sudo -s [sudo] password for brian.candler: brian.candler is not allowed to run sudo on api-dev.int.example.com. This incident will be reported. This is repeatable: downgrade sudo and it works again. Seems very likely related to change made as part of #1607666, which changes how sudo policies are matched, but has unexpected regression. --- Additional info --- The sudo policy in IPA is extremely simple. It has a single rule, which says: - applies to users in groups "system_administrators" and "security_administrators" - applies to any host - applies to any command In LDAP under ou=sudoers tree, the groups are flattened out: # system administrators on all hosts, sudoers, ipa.example.com dn: cn=system administrators on all hosts,ou=sudoers,dc=ipa,dc=example,dc=com sudoRunAsGroup: ALL objectClass: sudoRole objectClass: top sudoUser: brian.candler sudoUser: ... sudoUser: ... list more users sudoUser: ... sudoRunAsUser: ALL sudoCommand: ALL sudoHost: ALL cn: system administrators on all hosts Under cn=sudorules,cn=sudo it refers to the groups rather than the individuals: # 59ffb10a-9c61-11e6-b5b8-00163efd5284, sudorules, sudo, ipa.example.com dn: ipaUniqueID=59ffb10a-9c61-11e6-b5b8-00163efd5284,cn=sudorules,cn=sudo,dc=ipa,dc=example,dc=com ipaSudoRunAsUserCategory: all ipaSudoRunAsGroupCategory: all description: admins have full sudo access on any host they can ssh into cmdCategory: all hostCategory: all memberUser: cn=system_administrators,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com memberUser: cn=security_administrators,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com objectClass: ipasudorule objectClass: ipaassociation ipaEnabledFlag: TRUE cn: system administrators on all hosts ipaUniqueID: 59ffb10a-9c61-11e6-b5b8-00163efd5284 I have no workaround other than downgrade. ProblemType: Bug DistroRelease: Ubuntu 16.04 Package: sudo 1.8.16-0ubuntu1.3 ProcVersionSignature: Ubuntu 4.4.0-1016.25-aws 4.4.59 Uname: Linux 4.4.0-1016-aws x86_64 ApportVersion: 2.20.1-0ubuntu2.5 Architecture: amd64 Date: Wed May 3 16:01:23 2017 Ec2AMI: ami-a8d2d7ce Ec2AMIManifest: (unknown) Ec2AvailabilityZone: eu-west-1a Ec2InstanceType: t2.small Ec2Kernel: unavailable Ec2Ramdisk: unavailable ProcEnviron: TERM=xterm-256color PATH=(custom, no user) LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: sudo UpgradeStatus: No upgrade log present (probably fresh install) VisudoCheck: /etc/sudoers: parsed OK /etc/sudoers.d/90-cloud-init-users: parsed OK /etc/sudoers.d/README: parsed OK To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1688034/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
