On Fri, May 27, 2016 at 11:54:20AM +0200, Pavel Březina wrote:
See commit message for details.
Two configurations need to be tested -- a domain with
use_fully_qualified_name = true, and a configuration with IPA-AD trusts where
default_domain_suffix is set to the AD domain.
From 25f8cb5101f824c53df526b2ab52b8c67dd72539 Mon Sep 17 00:00:00 2001
From: Pavel Březina <pbrezina(a)redhat.com>
Date: Thu, 26 May 2016 11:37:30 +0200
Subject: [PATCH] sudo: solve problems with fully qualified names
sudo expects the same name in the sudo rule as the login name. Therefore,
if a fully qualified name is used, or even enforced by setting
use_fully_qualified_names to true or by forcing a default domain
with default_domain_suffix, sssd is able to correctly return the
rules but sudo can't match the user with the content of the sudoUser
attribute, since it is not qualified.
This patch changes the rules on the fly to avoid using names at all.
We do this in two steps:
1. We fetch all rules that match the current user name, id or groups and
replace the sudoUser attribute with sudoUser: #uid.
2. We fetch complementary rules that contain netgroups, since it is
expected that we don't have information about existing netgroups in the
cache; sudo still needs to evaluate them for us if needed.
This patch also removes the test for sysdb_get_sudo_filter since it wasn't
sufficient anyway, and I did not rewrite it since I don't think it
is a good thing to have filter tests that depend on exact filter
order.
Resolves:
https://fedorahosted.org/sssd/ticket/2919
There still seems to be some issue in sysdb tests:
FAIL: test_sysdb_sudo
=====================
[==========] Running 12 test(s).
[ RUN ] test_store_sudo
[ OK ] test_store_sudo
[ RUN ] test_sudo_purge_by_filter
[ OK ] test_sudo_purge_by_filter
[ RUN ] test_sudo_purge_by_rules
[ OK ] test_sudo_purge_by_rules
[ RUN ] test_sudo_set_get_last_full_refresh
[ OK ] test_sudo_set_get_last_full_refresh
[ RUN ] test_get_sudo_user_info
[ OK ] test_get_sudo_user_info
[ RUN ] test_get_sudo_user_info_nogroup
[ OK ] test_get_sudo_user_info_nogroup
[ RUN ] test_get_sudo_nouser
(Tue May 31 11:38:50:598671 2016) [sssd] [sysdb_get_sudo_user_info] (0x0020): Error looking up user no_user
[ OK ] test_get_sudo_nouser
[ RUN ] test_set_sudo_rule_attr_add
[ OK ] test_set_sudo_rule_attr_add
[ RUN ] test_set_sudo_rule_attr_replace
[ OK ] test_set_sudo_rule_attr_replace
[ RUN ] test_set_sudo_rule_attr_delete
[ OK ] test_set_sudo_rule_attr_delete
[ RUN ] test_search_sudo_rules
(Tue May 31 11:38:50:615209 2016) [sssd] [talloc_log_fn] (0x0010): Bad talloc magic value - unknown value
FAIL test_sysdb_sudo (exit status: 134)
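The two-step rewrite described in the commit message, modelled in Python as an added example. This is not sssd or sudo code: the rule set, the identity (a cached login name `alice@ad.example.com` whose short name `alice` is what the rules carry), the pass-through of netgroup rules unchanged, and the simplified sudo-side matcher are all constructed assumptions; only the sudoUser value forms (`name`, `#uid`, `%group`, `%#gid`, `+netgroup`, `ALL`) follow the sudoers LDAP schema.

```python
"""Model of sssd's sudoUser rewrite for fully qualified names (added example).

Constructed data and simplified logic, not sssd's or sudo's own code.
sudoUser values follow the sudoers LDAP schema:
    name | #uid | %group | %#gid | +netgroup | ALL
"""
import copy

# Constructed rules as sssd might hold them in its cache.
RULES = [
    {"cn": "alice_reboot", "sudoUser": ["alice"], "sudoHost": ["ALL"],
     "sudoCommand": ["/sbin/reboot"]},
    {"cn": "admins_all", "sudoUser": ["%admins"], "sudoHost": ["ALL"],
     "sudoCommand": ["ALL"]},
    {"cn": "ops_netgroup", "sudoUser": ["+ops", "bob"], "sudoHost": ["ALL"],
     "sudoCommand": ["/usr/bin/systemctl"]},
    {"cn": "bob_only", "sudoUser": ["bob"], "sudoHost": ["ALL"],
     "sudoCommand": ["ALL"]},
]

# Constructed identity: sudo sees the qualified login name, the rules hold
# the short name. Group names are qualified the same way.
USER = {
    "name": "alice@ad.example.com", "short": "alice", "uid": 1001,
    "groups": ["admins@ad.example.com"], "short_groups": ["admins"],
    "gids": [2001],
}


def sssd_rewrite_rules(rules, user):
    """Return the rule set sssd would hand to sudo (assumed model).

    Step 1: every rule matching the user's short name, uid, groups or ALL
    gets its sudoUser replaced by '#uid', so sudo matches on the numeric
    id whatever the login name looks like.
    Step 2: rules carrying a netgroup are passed through unchanged, since
    the cache cannot evaluate netgroup membership; sudo does that itself.
    """
    wanted = {user["short"], f"#{user['uid']}", "ALL"}
    wanted |= {f"%{g}" for g in user["short_groups"]}
    wanted |= {f"%#{gid}" for gid in user["gids"]}

    out, seen = [], set()
    for rule in rules:
        if any(v in wanted for v in rule["sudoUser"]):
            r = copy.deepcopy(rule)
            r["sudoUser"] = [f"#{user['uid']}"]
            out.append(r)
            seen.add(rule["cn"])
    for rule in rules:
        if rule["cn"] not in seen and any(v.startswith("+") for v in rule["sudoUser"]):
            out.append(copy.deepcopy(rule))
    return out


def sudo_user_matches(value, login, uid, gids, groups, netgroups):
    """Simplified sudo-side evaluation of one sudoUser value."""
    if value == "ALL":
        return True
    if value.startswith("+"):
        return value[1:] in netgroups
    if value.startswith("%#"):
        return int(value[2:]) in gids
    if value.startswith("%"):
        return value[1:] in groups
    if value.startswith("#"):
        return int(value[1:]) == uid
    return value == login


def sudo_matching_cns(rules, login, uid, gids, groups, netgroups=()):
    """Names of the rules sudo would apply to this login."""
    return sorted(r["cn"] for r in rules
                  if any(sudo_user_matches(v, login, uid, gids, groups, netgroups)
                         for v in r["sudoUser"]))


if __name__ == "__main__":
    args = (USER["name"], USER["uid"], USER["gids"], USER["groups"])
    # Unrewritten rules: "alice" never equals "alice@ad.example.com".
    print("without rewrite:", sudo_matching_cns(RULES, *args))
    # Rewritten rules: matching is by #1001, netgroup rule left for sudo.
    print("with rewrite:   ", sudo_matching_cns(sssd_rewrite_rules(RULES, USER), *args))
```

The netgroup rule shows why step 2 exists: it neither matches nor is rewritten in step 1, yet it must still reach sudo, which is the only side that can resolve `+ops`; passing `netgroups=("ops",)` to `sudo_matching_cns` makes it match alongside the rewritten rules.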