Bug 21044

Summary: sudo not honoring sudoers as defined by sssd.
Product: Mageia
Reporter: Zombie Ryushu <zombie_ryushu>
Component: RPM Packages
Assignee: All Packagers <pkg-bugs>
Status: NEW ---
QA Contact:
Severity: normal
Priority: Normal
CC: marja11, rod.emerson
Version: Cauldron
Target Milestone: ---
Hardware: All
OS: Linux
See Also: https://bugs.mageia.org/show_bug.cgi?id=21076
          https://bugs.mageia.org/show_bug.cgi?id=21077
Whiteboard:
Source RPM: sudo
CVE:
Status comment:

Description Zombie Ryushu 2017-06-07 22:00:58 CEST
In Mageia 6, for reasons as yet unknown, sudoers are not enumerated by LDAP when sssd is in use.
Using identical sssd.conf and nsswitch.conf setups on Mageia and its sister distribution Rosa, with:
sudoers: files sss
On Rosa systems this is honored and sudo permissions are extrapolated from sss; on Mageia they are ignored.

Comment 1 Marja Van Waes 2017-06-07 22:13:57 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 Rod Emerson 2017-06-12 07:38:40 CEST
This works for me on mga5.

--- sudo.spec
+++ sudo.spec
@@ -2,7 +2,7 @@
 
 Name:           sudo
 Version:        1.8.18p1
-Release:        %mkrel 1
+Release:        %mkrel 2
 Epoch:          1
 Summary:        Allows command execution as root for specified users
 License:        GPLv2+
@@ -75,6 +75,7 @@
         --with-ldap \
         --with-ldap-conf-file=%{_sysconfdir}/nslcd.conf \
         --with-ldap-secret-file=%{_sysconfdir}/nslcd.conf \
+        --with-sssd \
         --with-secure-path="/sbin:%{_sbindir}:/bin:%{_bindir}:/usr/local/bin:/usr/local/sbin" \
         --with-passprompt="[sudo] password for %p: " \
         --with-plugindir=%{_libdir}/sudo
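Review bot: the added --with-sssd line makes sudo load libsss_sudo at run time, but the patch as shown adds no package dependency for it, so a machine that receives this build without libsss_sudo installed will still not read rules from sss. Suggest adding a Requires or Suggests on libsss_sudo alongside this flag. The unchanged --with-ldap and --with-ldap-conf-file=%{_sysconfdir}/nslcd.conf context lines show the direct LDAP backend stays enabled as well, so the package notes should say which nsswitch.conf sudoers source (ldap or sss) selects which backend.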


# urpmi libsss_sudo

# grep sudo /etc/nsswitch.conf 
sudoers:        sss

/etc/sssd/sssd.conf:
[sssd]
...
services = nss, pam, sudo

[domain/HOME]
...
sudo_provider = ldap
ldap_sudo_search_base = ou=sudo,ou=services,dc=home,dc=network
...

CC: (none) => rod.emerson

Comment 3 Zombie Ryushu 2017-06-12 07:43:28 CEST
This is on Mageia 6. I'll check things again. I didn't want to post too much config info to bugzilla.

Comment 4 Zombie Ryushu 2017-06-12 07:58:00 CEST
[sssd]
config_file_version = 2
services = nss, pam, sudo

[domain/NETWORK]
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,ou=System,dc=network

Comment 5 Zombie Ryushu 2017-06-12 07:59:53 CEST
In /etc/nsswitch.conf:
sudoers:        sss files

Rod Emerson 2017-06-12 11:02:24 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=21076

Rod Emerson 2017-06-12 11:13:13 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=21077
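
The comments above compare two configuration settings by eye: the sudoers line in nsswitch.conf and the sudo service in sssd.conf. The following is an added example, not part of the bug report or of sudo/sssd, that checks both from file contents; the function names and sample strings are assumptions constructed for illustration.

```python
import configparser

# Constructed inputs modelled on the values posted in Comments 4 and 5.
NSSWITCH_REPORTED = "passwd: files sss\nsudoers:        sss files\n"
SSSD_REPORTED = """\
[sssd]
config_file_version = 2
services = nss, pam, sudo

[domain/NETWORK]
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,ou=System,dc=network
"""
# Constructed counter-example carrying three config-side mistakes.
NSSWITCH_BROKEN = "sudoers: files  # sss missing\n"
SSSD_BROKEN = "[sssd]\nservices = nss, pam\n\n[domain/NETWORK]\nsudo_provider = none\n"

def sudoers_sources(nsswitch_text):
    """Return the sources on the 'sudoers:' line, or [] if there is none."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop trailing comments
        if line.startswith("sudoers:"):
            return line.split(":", 1)[1].split()
    return []

def check_sssd_sudo(nsswitch_text, sssd_conf_text):
    """Return a list of findings; empty means the config side is consistent."""
    findings = []
    if "sss" not in sudoers_sources(nsswitch_text):
        findings.append("nsswitch.conf: 'sudoers:' line does not list sss")
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_conf_text)
    services = cfg.get("sssd", "services", fallback="")
    if "sudo" not in [s.strip() for s in services.split(",")]:
        findings.append("sssd.conf: [sssd] services does not include sudo")
    domains = [s for s in cfg.sections() if s.startswith("domain/")]
    if not domains:
        findings.append("sssd.conf: no [domain/...] section")
    for dom in domains:
        # sudo_provider = none explicitly disables sudo rules for the domain.
        if cfg.get(dom, "sudo_provider", fallback="").strip().lower() == "none":
            findings.append(f"sssd.conf: [{dom}] sudo_provider is none")
    return findings

if __name__ == "__main__":
    for name, args in (("reported", (NSSWITCH_REPORTED, SSSD_REPORTED)),
                       ("broken", (NSSWITCH_BROKEN, SSSD_BROKEN))):
        print(name, check_sssd_sudo(*args) or "config side OK")
```

An empty result only rules out the configuration side; whether sudo was built with --with-sssd and whether libsss_sudo is installed, the two points raised in Comment 2, still have to be checked on the system itself.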