[Bug 1682104] [NEW] sudo rules based on group membership from freeipa does not work
Oscar Carlberg
canhasspace at gmail.com
Wed Apr 12 11:54:45 UTC 2017
Public bug reported:
When upgrading the sudo package in xenial from version 1.8.16-0ubuntu1 to
1.8.16-0ubuntu1.3, our FreeIPA-based sudo rules suddenly stopped
working. We have set up a group in FreeIPA called ldap_nopass, and
configured hbac rules to allow users in this group to run sudo (without
password / nopasswd). This has been working fine up until now when we
upgraded the sudo package. Downgrading to 1.8.16-0ubuntu1 resolves the
issue. It also works with 1.8.16-0ubuntu1.3 if we set
use_fully_qualified_names = False in /etc/sssd/sssd.conf, but this is
not an option for us.
This led me to believe this issue is related to upstream bug:
https://bugzilla.sudo.ws/show_bug.cgi?id=757
And most likely is caused by the patchset from 1.3
https://launchpad.net/ubuntu/+source/sudo/1.8.16-0ubuntu1.3
Unfortunately, 1.8.16-0ubuntu1.2 binaries seem to be deleted from
mirrors, so I cannot try this version.
I've included the auth.log file showing the difference using sudo
1.8.16-0ubuntu1 vs 1.8.16-0ubuntu1.3. The real username and domain have been
redacted to user.name and example.com.
Please let me know if any additional information is required.
** Affects: sudo (Ubuntu)
Importance: Undecided
Status: New
** Attachment added: "auth.log"
https://bugs.launchpad.net/bugs/1682104/+attachment/4860638/+files/auth.log
https://bugs.launchpad.net/bugs/1682104