[Freeipa-users] Sudo entry not found by sssd in the cache db

Molnár Domokos kretebe at freemail.hu
Tue Sep 15 13:59:52 UTC 2015


On 09/15/2015 01:37 PM, Jakub Hrozek wrote:
>On Tue, Sep 15, 2015 at 01:58:07PM +0300, Alexander Bokovoy wrote:
>>On Tue, 15 Sep 2015, Molnár Domokos wrote:
>>>>#hostnamectl set-hostname nappali.silva on modern systems.
>>>>>doma at nappali:/home/doma> hostname --fqdn nappali.szilva
>>>doma at nappali:/home/doma> su
>>>Password:
>>>nappali:/home/doma # hostnamectl set-hostname nappali.szilva
>>>nappali:/home/doma # hostname
>>>nappali.szilva
>>>nappali:/home/doma # hostname --fqdn
>>>nappali.szilva
>>>nappali:/home/doma # su doma
>>>sh-4.2$ sudo ls
>>>doma's password:
>>>20140921.ZIP Oracle_VM_VirtualBox_Extension_Pack-4.3.26-98988.vbox-extpack 42646515_eb8d7dcabe416247463f1bc8652adced.pdf
>>>Now it works, the rule is matched. I'm not sure this is the intended way especially seeing the fqdn mechanism in the sudo code but I'll just keep it that way. Thank you.
>>sudo doesn't do normalization and IPA's way of exposing host names is by using by default fqdn. So sudo compares local hostname with fqdn-based one, guess which way it will succeed? You theoretically could have every hostname in IPA registered non-fqdn but what you cannot have is a mix between fqdn- and non-fqdn names.
>You can have registered a different hostname with IPA than what hostname(1) reports, we have an ipa_hostname parameter for that. But there's no way for sudo to learn about it..
You may well be right but I still think this is a bug in sudo/sssd plugin. Here's why I think so:

@line  582 in sssd.c when calling hostname_matches it is a clear intention of the code that the hostname matching is done both against the fqdn and the naked hostname.

@lines 773-790 the implementation of hostname_matches(..) is done correctly. It guesses intelligently and chooses to match either against the fqdn or the naked hostname based on the format of the hostname provided by IPA. If there is a '.' in the IPA-provided hostname then the hostname is compared to the fqdn, otherwise it is compared to the bare hostname.

@line 805 in sudoers.c in set_fqdn the fqdn is correctly retrieved for the host during initialization - so sudo is indeed aware of both host name versions. I tested this part and it works OK.

The bug - I think - is that the information correctly retrieved during init through set_fqdn in sudoers.c somehow does not make its way to line 582 in sssd.c. There both user_shost and user_host seem to contain the naked hostname unless the bare hostname contains the fqdn itself.

I do not have enough time to find out why this happens but the above evidence suggests that there is a bug somewhere in the process.
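The matching rule described in the message above, as an added illustration that is not sudo's own code: a sudoHost value containing a '.' is compared with the local fully-qualified name, otherwise with the bare host name. The function names, the user_shost/user_host parameters and the sample host names are assumptions modelled on the thread; the last function reproduces the failure mode the author reports, where an FQDN rule cannot match when user_host only carries the short name.

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>

/* Illustrative re-implementation of the rule described in the thread
 * (not the code from sudo's sssd.c). Comparison is case-insensitive,
 * as host names are. "ALL" is the sudoers wildcard for any host. */
static bool hostname_matches(const char *shost, const char *lhost,
                             const char *sudo_host)
{
    if (strcmp(sudo_host, "ALL") == 0)
        return true;
    if (strchr(sudo_host, '.') != NULL)
        return strcasecmp(lhost, sudo_host) == 0;   /* rule is an FQDN */
    return strcasecmp(shost, sudo_host) == 0;       /* rule is a bare name */
}

/* user_shost models the short name, user_host the name sudo believes is
 * the FQDN; sudo_host is the value IPA stores in the rule. */
bool rule_applies(const char *user_shost, const char *user_host,
                  const char *sudo_host)
{
    return hostname_matches(user_shost, user_host, sudo_host);
}

/* Reproduces the mismatch the author describes with constructed values:
 * an FQDN rule is rejected when user_host holds only the short name, and
 * accepted once user_host carries the FQDN that set_fqdn retrieved. */
bool fqdn_rule_fails_with_short_user_host(void)
{
    const char *rule = "nappali.szilva";                 /* constructed */
    bool broken  = rule_applies("nappali", "nappali", rule);
    bool correct = rule_applies("nappali", "nappali.szilva", rule);
    return !broken && correct;
}
```

The check also shows why a bare-name rule keeps working regardless of user_host, which is consistent with the author's observation that renaming the host to the bare name made the rule match.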