[Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

Jakub Hrozek jhrozek at redhat.com
Tue Jun 14 06:56:40 UTC 2016


On Mon, Jun 13, 2016 at 06:06:00PM -0400, Rob Crittenden wrote:
> Nathan Peters wrote:
> > I have confirmed on both CentOS 6.8 and CentOS 6.7 that if the group is a POSIX group, it can be used in sudo rules.
> > If the group is a 'normal' group, it will fail when used in sudo rules.
> > 
> > This is really silly because in a previous version of CentOS (6.3) sudo rules would fail if the group was POSIX, and work if the group was 'normal'.
> > 
> > I'm not sure when this changed because we still have CentOS 6.7 machines that are working fine with the non-POSIX groups.
> > I did notice that in sssd 1.13.3-22.el6 sudo fails with non-POSIX groups,
> > and with 1.12.4-47.el6_7.7 sudo works with non-POSIX groups.
> > 
> > So now FreeIPA exists in a really funky state where if you are below CentOS 6.4 you MUST use non-POSIX groups, and if you are on CentOS 6.7 and above, you must use POSIX groups.
> > 
> > So basically, you need to roll forward your entire infrastructure to CentOS 6.7 or above, or else your old machines will suddenly start failing sudo logins when you update the groups, or your new machines will simply fail with groups that worked on your old ones.
> > 
> > Can you please confirm what the intended behavior is because I would rather not go through the trouble of re-creating all our sudo / hbac rules and user groups...
> 
> Jakub already stated that this would be a bug if it only worked with POSIX
> groups, so you've confirmed that.
> 
> If you have a Red Hat subscription I'd open a support case and ask to be
> added to bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1336548

Because that bug is private (sorry, there's some RH customer data there)
and because you also confirmed it's an issue, I cloned the bugzilla to
our upstream Trac:
    https://fedorahosted.org/sssd/ticket/3046

I'm sceptical we will have a fix this week, we're trying to meet a
deadline at the moment, but we will try to come up with a fix either late
next week or the one after.

I'm sorry about the inconvenience. I wonder if, as a temporary
workaround, you could point sssd to the compat tree using
ldap_sudo_search_base?
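An added example, not from this thread, of what that temporary workaround looks like in sssd.conf on the client. The domain name, server name and LDAP suffix are placeholders, and it assumes (as the message suggests) that the IPA sudo provider honours an explicitly configured ldap_sudo_search_base pointing at the compat tree:

```ini
# Added example sssd.conf fragment (not from the thread).
# Replace example.com / ipa.example.com / dc=example,dc=com with your own
# domain, IPA server and LDAP suffix.
[sssd]
services = nss, pam, sudo, ssh
domains = example.com

[domain/example.com]
id_provider = ipa
auth_provider = ipa
sudo_provider = ipa
ipa_domain = example.com
ipa_server = _srv_, ipa.example.com

# The workaround described above: look sudo rules up in the compat tree
# (ou=sudoers under the suffix, served by slapi-nis) instead of the native
# IPA sudo schema. Assumes the IPA provider falls back to the LDAP sudoers
# schema when this search base is set explicitly.
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
```

After editing the file, restart sssd and run `sss_cache -E` so stale rules are not served from the cache. Also check that /etc/nsswitch.conf contains `sudoers: files sss`, otherwise sudo never asks sssd at all.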