Public bug reported:

ubuntu 16.04, enrolled with freeipa-client to FreeIPA 4.4.0 (under CentOS 7)

With sudo 1.8.16-0ubuntu1, everything is fine:

brian.candler@api-dev:~$ sudo -s
[sudo] password for brian.candler:
root@api-dev:~#

After update to 1.8.16-0ubuntu1.3, it no longer works:

brian.candler@api-dev:~$ sudo -k
brian.candler@api-dev:~$ sudo -s
[sudo] password for brian.candler:
brian.candler is not allowed to run sudo on api-dev.int.example.com.  This incident will be reported.

This is repeatable: downgrade sudo and it works again.

Seems very likely related to the change made as part of #1607666, which changes how sudo policies are matched, but has an unexpected regression.

--- Additional info ---

The sudo policy in IPA is extremely simple. It has a single rule, which says:

- applies to users in groups "system_administrators" and "security_administrators"
- applies to any host
- applies to any command

In LDAP under the ou=sudoers tree, the groups are flattened out:

# system administrators on all hosts, sudoers, ipa.example.com
dn: cn=system administrators on all hosts,ou=sudoers,dc=ipa,dc=example,dc=com
sudoRunAsGroup: ALL
objectClass: sudoRole
objectClass: top
sudoUser: brian.candler
sudoUser: ...
sudoUser: ... list more users
sudoUser: ...
sudoRunAsUser: ALL
sudoCommand: ALL
sudoHost: ALL
cn: system administrators on all hosts

Under cn=sudorules,cn=sudo it refers to the groups rather than the individuals:

# 59ffb10a-9c61-11e6-b5b8-00163efd5284, sudorules, sudo, ipa.example.com
dn: ipaUniqueID=59ffb10a-9c61-11e6-b5b8-00163efd5284,cn=sudorules,cn=sudo,dc=ipa,dc=example,dc=com
ipaSudoRunAsUserCategory: all
ipaSudoRunAsGroupCategory: all
description: admins have full sudo access on any host they can ssh into
cmdCategory: all
hostCategory: all
memberUser: cn=system_administrators,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
memberUser: cn=security_administrators,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
objectClass: ipasudorule
objectClass: ipaassociation
ipaEnabledFlag: TRUE
cn: system administrators on all hosts
ipaUniqueID: 59ffb10a-9c61-11e6-b5b8-00163efd5284

I have no workaround other than downgrade.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: sudo 1.8.16-0ubuntu1.3
ProcVersionSignature: Ubuntu 4.4.0-1016.25-aws 4.4.59
Uname: Linux 4.4.0-1016-aws x86_64
ApportVersion: 2.20.1-0ubuntu2.5
Architecture: amd64
Date: Wed May 3 16:01:23 2017
Ec2AMI: ami-a8d2d7ce
Ec2AMIManifest: (unknown)
Ec2AvailabilityZone: eu-west-1a
Ec2InstanceType: t2.small
Ec2Kernel: unavailable
Ec2Ramdisk: unavailable
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: sudo
UpgradeStatus: No upgrade log present (probably fresh install)
VisudoCheck:
 /etc/sudoers: parsed OK
 /etc/sudoers.d/90-cloud-init-users: parsed OK
 /etc/sudoers.d/README: parsed OK

** Affects: sudo (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug ec2-images xenial

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1688034

Title:
  1.8.16-0ubuntu1.3 update breaks sudo with freeipa-client / sssd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1688034/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
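The report shows the flattened sudoRole entry that the compat tree exposes to the sudo client. The following added example (not part of the bug report, nor of sudo or FreeIPA) is a simplified model of the sudoers LDAP schema matching rules for sudoUser and sudoHost, so an administrator can check what the directory data should yield for a given user and host independently of the client version. The LDIF is constructed to mirror the entry in the report; the extra account name is a placeholder, and netgroup ('+') matching is not modelled.

```python
from fnmatch import fnmatch

# Constructed LDIF mirroring the flattened sudoRole entry quoted in the report;
# "example.user2" is a made-up placeholder for the elided "sudoUser: ..." lines.
SAMPLE_LDIF = """\
dn: cn=system administrators on all hosts,ou=sudoers,dc=ipa,dc=example,dc=com
objectClass: sudoRole
objectClass: top
sudoUser: brian.candler
sudoUser: example.user2
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoCommand: ALL
sudoHost: ALL
cn: system administrators on all hosts
"""

def parse_ldif(text):
    """Split LDIF into entries; each entry maps attribute -> list of values."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():            # blank line separates entries
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, val = line.partition(":")
        cur.setdefault(attr.strip(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries

def user_matches(values, user, groups):
    # sudoUser values: a plain user name, %group, or ALL
    return any(v == "ALL" or v == user or (v.startswith("%") and v[1:] in groups)
               for v in values)

def host_matches(values, fqdn):
    # sudoHost values: ALL, or a (wildcard) pattern tried against the FQDN and short name
    short = fqdn.split(".")[0]
    return any(v == "ALL" or fnmatch(fqdn, v) or fnmatch(short, v) for v in values)

def allowed(ldif_text, user, groups, fqdn):
    """Return the cn of the first sudoRole granting `user` on `fqdn`, or None."""
    for e in parse_ldif(ldif_text):
        if "sudoRole" not in e.get("objectClass", []):
            continue
        if (user_matches(e.get("sudoUser", []), user, groups)
                and host_matches(e.get("sudoHost", []), fqdn)):
            return e["cn"][0]
    return None
```

Run against an ldapsearch dump of ou=sudoers instead of SAMPLE_LDIF to confirm the directory side grants access before suspecting the client.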