On 11/12/2012 08:47 AM, Pavel Březina wrote:
> On 11/11/2012 04:29 AM, Simo Sorce wrote:
>> On Fri, 2012-11-09 at 14:28 +0100, Pavel Březina wrote:
>>> [PATCH 4/6]
>>> solves 2
>>>
>
> Hi,
>
>> Sorry, but I fail to understand why the sudo client needs to know about
>> sssd domains at all.
>> I am guilty of not having followed the original sudo patches submission
>> process, but without knowing if there is a valid reason it seems to me
>> that sudo should not know about domains at all.
>
> Sudo is sending two subsequent requests to sssd:
> - for a specific rule named cn=defaults, which contains global options
> - for rules that match a specific user
>
> We need to ensure that both requests are served from the same cache.
>
> Originally, we served the cn=defaults request from the first cache
> containing some sudo rules and then the user-rules request from the cache
> that contains this user. This was obviously a security bug in a
> multidomain environment, so we prohibited use of this protocol (version 0)
> at all.
>
> Now (since version 1) we match user to domain during cn=defaults
> request and send it back to sudo so we can match the user to the same
> domain during the second request.
>
> https://fedorahosted.org/sssd/ticket/1239
>
>> Also by looking at the code I see that you make wrong assumptions about
>> the format of a fully qualified name in sudo.
>> It seems you assume a fully qualified name is always username@domain, but
>> that's just the 'default' setting; the fully qualified name format is an
>> option that admins can change, and the sudo client has no way to know
>> what that is.
>
> Yes, I realized that with this ticket and it is no longer an issue
> with this patch. The domain name is now sent as a separate field.
>
>>
>> I think before I allow further changes to this protocol I need to
>> understand why it is transporting the domain name at all.
>>
>> Simo.
>>
>
> _______________________________________________
> sssd-devel mailing list
> sssd-devel@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

It is generally a good idea to be able to get SUDO rules from two
different domains.
Think about a setup where SSSD is configured with two domains, say AD and
IPA.
Both can serve SUDO via LDAP (or via GPO when we add them for AD). Users
from AD should use rules defined in AD while users in IPA should use
rules from IPA.
In this case we effectively have a machine that joins two different
domains; this should be doable.

BTW I wonder if one can actually make the system join AD and IPA domains
at the same time and make one configuration not step on the other.
Is it possible now? I hope so. If not, we should file a ticket to make it
possible.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
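The two-request exchange Pavel describes in the quoted reply (cn=defaults first, then the user's rules), modelled below as an added Python example; this is not code from the thread or from SSSD itself. Domain names, user names, rules, the `CACHE` dictionary and the `sudoOption` values are constructed sample data. Version 0 answers each request independently, so an AD user can be handed IPA's global options; version 1 resolves the user to a domain on the first request and pins the second request to it, refusing rather than falling back when the domain does not hold the user.

```python
"""Constructed model of the sudo <-> SSSD responder lookup across two domains."""
from dataclasses import dataclass
from typing import Optional

# Constructed two-domain cache, in the order an admin might list the domains.
# The option values are made up purely to make a cross-domain mix-up visible.
CACHE = {
    "ipa.example": {
        "defaults": {"sudoOption": ["!authenticate"]},
        "users": {"alice"},
        "rules": {"alice": ["ALL=(ALL) ALL"]},
    },
    "ad.example": {
        "defaults": {"sudoOption": ["authenticate", "log_input"]},
        "users": {"bob"},
        "rules": {"bob": ["ALL=(root) /usr/bin/systemctl"]},
    },
}


@dataclass
class Answer:
    domain: str      # which domain cache produced this answer
    payload: object  # the cn=defaults entry or the list of rules


def defaults_v0() -> Optional[Answer]:
    """Version 0: cn=defaults comes from the first cache holding any sudo data."""
    for name, dom in CACHE.items():
        if dom["defaults"] is not None:
            return Answer(name, dom["defaults"])
    return None


def user_rules_v0(user: str) -> Optional[Answer]:
    """Version 0: user rules come from whichever cache knows the user."""
    for name, dom in CACHE.items():
        if user in dom["users"]:
            return Answer(name, dom["rules"].get(user, []))
    return None


def defaults_v1(user: str) -> Optional[Answer]:
    """Version 1: resolve the user to a domain first; the domain is returned
    to the client as a separate field alongside cn=defaults."""
    for name, dom in CACHE.items():
        if user in dom["users"]:
            return Answer(name, dom["defaults"])
    return None


def user_rules_v1(user: str, domain: str) -> Optional[Answer]:
    """Version 1: the client echoes the domain back; serve only from that cache."""
    dom = CACHE.get(domain)
    if dom is None or user not in dom["users"]:
        return None  # refuse instead of silently falling back to another domain
    return Answer(domain, dom["rules"].get(user, []))


def evaluate(version: int, user: str) -> dict:
    """Run both requests under the given protocol version and report whether
    they were served from the same domain cache."""
    if version == 0:
        d, r = defaults_v0(), user_rules_v0(user)
    else:
        d = defaults_v1(user)
        r = user_rules_v1(user, d.domain) if d is not None else None
    if d is None or r is None:
        return {"user": user, "defaults_from": None, "rules_from": None,
                "consistent": False, "options": []}
    return {"user": user, "defaults_from": d.domain, "rules_from": r.domain,
            "consistent": d.domain == r.domain,
            "options": list(d.payload["sudoOption"])}


if __name__ == "__main__":
    for version in (0, 1):
        for user in ("alice", "bob", "nobody"):
            print(version, evaluate(version, user))
```

Running the block prints one line per protocol version and user; the version 0 row for `bob` shows cn=defaults taken from `ipa.example` while his rules come from `ad.example`, which is the mismatch the thread calls a security bug, and the version 1 rows always agree on the domain.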


