On Mon, Jun 13, 2016 at 06:06:00PM -0400, Rob Crittenden wrote:
> Nathan Peters wrote:
> > I have confirmed that on both CentOS 6.8 and CentOS 6.7 that if the group 
> > is a POSIX group, it can be used in sudo rules.
> > If the group is a 'normal' group it will fail when used in sudo rules.
> > 
> > This is really silly because in a previous version of CentOS (6.3) sudo 
> > rules would fail if the group was POSIX, and work if the group was 'normal'.
> > 
> > I'm not sure when this changed because we still have CentOS 6.7 machines 
> > that are working fine with the non posix groups.
> > I did notice that in sssd 1.13.3-22.el6 sudo fails with non posix groups
> > and with 1.12.4-47.el6_7.7 sudo works with non posix groups
> > 
> > So now FreeIPA exists in a really funky state where if you are below CentOS 
> > 6.4 you MUST use non POSIX groups and If you are on CentOS 6.7 and above, 
> > you must use POSIX groups.
> > 
> > So basically, you need to roll forward your entire infrastructure to CentOS 
> > 6.7 or above or else your old machines will suddenly start failing sudo 
> > logins when you update the groups or your new machines will simply fail with 
> > groups that worked on your old ones.
> > 
> > Can you please confirm what the intended behavior is because I would rather 
> > not go through the trouble of re-creating all our sudo / hbac rules and 
> > user groups...
> 
> Jakub already stated that this would be a bug if it only worked with POSIX
> groups, so you've confirmed that.
> 
> If you have a Red Hat subscription I'd open a support case and ask to be
> added to bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1336548

Because that bug is private (sorry, there's some RH customer data there)
and because you also confirmed it's an issue, I cloned the bugzilla to
our upstream Trac:
    https://fedorahosted.org/sssd/ticket/3046

I'm sceptical we will have a fix this week, we're trying to meet a
deadline at the moment, but we will try to come up with a fix either late
next week or the one after.

I'm sorry about the inconvenience. I wonder if, as a temporary
workaround, you could point sssd to the compat tree using
ldap_sudo_search_base?

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
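An sssd.conf fragment showing the ldap_sudo_search_base workaround suggested in the reply above. This is an added example, not configuration from the thread; the domain section name and the dc=example,dc=com suffix are assumed and must match the client's own IPA domain.

```ini
# Added example, not from the thread. Replace example.com and the
# dc=example,dc=com suffix with the real IPA domain and base DN.
[domain/example.com]
id_provider = ipa
sudo_provider = ipa
# Default: the IPA sudo provider reads the native rule tree
# (cn=sudorules,cn=sudo,$SUFFIX) and evaluates group membership on
# the client, which is where the POSIX/non-POSIX difference shows up.
# Workaround: set the search base to the compat tree served by the
# slapi-nis plugin (ou=sudoers,$SUFFIX), which publishes rules in
# plain sudoers LDAP schema with membership expanded on the server.
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
# After editing: restart sssd, clear the cached rules with
# "sss_cache -E", then verify with "sudo -l" as an affected user.
```

The compat tree must be enabled on the IPA servers for this base to exist; if "sudo -l" still shows no rules, check that an ldapsearch against ou=sudoers returns the expected sudoRole entries before suspecting the client configuration.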