On 11/12/2012 03:05 PM, Dmitri Pal wrote:
On 11/12/2012 08:47 AM, Pavel Březina wrote:
On 11/11/2012 04:29 AM, Simo Sorce wrote:
On Fri, 2012-11-09 at 14:28 +0100, Pavel Březina wrote:
[PATCH 4/6]
solves 2


Hi,

Sorry, but I fail to understand why the sudo client needs to know about
sssd domains at all.
I am guilty of not having followed the original sudo patches submission
process, but without knowing if there is a valid reason it seems to me
that sudo should not know about domains at all.

Sudo is sending two subsequent requests to sssd:
- for a specific rule named cn=defaults, which contains global options
- for rules that match a specific user

We need to ensure that both requests are served from the same cache.

Originally, we served the cn=defaults request from the first cache
containing some sudo rules and then the user-rules request from the cache that
contains this user. This was obviously a security bug in a multidomain
environment, so we prohibited using this protocol (version 0) at all.

Now (since version 1) we match the user to a domain during the cn=defaults
request and send it back to sudo so we can match the user to the same
domain during the second request.

https://fedorahosted.org/sssd/ticket/1239

Also by looking at the code I see that you make wrong assumptions about
the format of a fully qualified name in sudo.
It seems you assume a fully qualified name is always username@domain, but
that's just the 'default' setting, the fully qualified name format is an
option that admins can change, and the sudo client has no way to know
what that is.

Yes, I realized that with this ticket and it is no longer an issue
with this patch. The domain name is now sent as a separate field.


I think before I allow further changes to this protocol I need to
understand why it is transporting the domain name at all.

Simo.


_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

It is generally a good idea to be able to get SUDO rules from two
different domains.
Think about a setup where SSSD is configured with two domains, say AD and
IPA.
Both can serve SUDO via LDAP (or via GPO when we add them for AD). Users
from AD should use rules defined in AD while users in IPA should use
rules from IPA.
In this case we effectively have a machine that joins two different
domains; this should be doable.

Yes, this behaviour is expected and supported.


BTW I wonder if one can actually make the system join AD and IPA domain
at the same time and make one configuration not step on another.
Is it possible now? I hope so. If not we should file a ticket to make it
possible.



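The two-request exchange Pavel describes (a cn=defaults lookup followed by a user-rules lookup, and the need to serve both from the same domain) can be modelled in a few lines. The following is an added example written for this page, not sssd's responder or its wire protocol: the domains, users, rule names, sudoOption values and the v0/v1 method names are all constructed. It contrasts the version 0 behaviour the thread calls a security bug (defaults from the first domain with any rules, user rules from whichever domain knows the user) with the version 1 behaviour (the domain is resolved during the cn=defaults request, returned as a separate field, and echoed back so the second request is pinned to the same domain).

```python
# Constructed model of the sudo <-> sssd sudo-responder exchange discussed above.
# Illustrative code written for this page, not sssd's own responder or protocol;
# domain names, users, rules and option values are made up.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Domain:
    """One SSSD domain with its cached sudo rules (constructed data)."""
    name: str
    users: frozenset
    rules: List[Dict[str, object]] = field(default_factory=list)

    def defaults(self) -> List[str]:
        """The cn=defaults entry: global sudoOption values for this domain."""
        for rule in self.rules:
            if rule["cn"] == "defaults":
                return list(rule.get("sudoOption", []))
        return []

    def rules_for(self, user: str) -> List[str]:
        """Names of the non-default rules whose sudoUser matches the user."""
        return [rule["cn"] for rule in self.rules
                if rule["cn"] != "defaults" and user in rule.get("sudoUser", [])]


class SudoResponder:
    def __init__(self, domains: List[Domain]):
        self.domains = domains  # ordered, like "domains = ..." in sssd.conf

    def _domain_of(self, user: str) -> Optional[Domain]:
        return next((d for d in self.domains if user in d.users), None)

    # --- protocol version 0: the behaviour the thread calls a security bug ---
    def v0_defaults(self) -> Tuple[Optional[str], List[str]]:
        """cn=defaults served from the first domain that has any sudo rules."""
        d = next((d for d in self.domains if d.rules), None)
        return (d.name, d.defaults()) if d else (None, [])

    def v0_user_rules(self, user: str) -> Tuple[Optional[str], List[str]]:
        """User rules served from whichever domain knows the user."""
        d = self._domain_of(user)
        return (d.name, d.rules_for(user)) if d else (None, [])

    # --- protocol version 1: domain pinned during the cn=defaults request ---
    def v1_defaults(self, user: str) -> Tuple[Optional[str], List[str]]:
        """Resolve the user to a domain first and return that domain as a
        separate field, so the client can echo it in the second request."""
        d = self._domain_of(user)
        return (d.name, d.defaults()) if d else (None, [])

    def v1_user_rules(self, user: str, domain: Optional[str]) -> List[str]:
        """Serve user rules only from the domain the client names, and only
        if that domain actually knows the user."""
        d = next((d for d in self.domains if d.name == domain), None)
        if d is None or user not in d.users:
            return []
        return d.rules_for(user)


def sudo_exchange(responder: SudoResponder, user: str, version: int) -> Dict[str, object]:
    """Play both requests the sudo client makes and report which domain served each."""
    if version == 0:
        def_domain, defaults = responder.v0_defaults()
        rule_domain, rules = responder.v0_user_rules(user)
    elif version == 1:
        def_domain, defaults = responder.v1_defaults(user)
        rule_domain = def_domain          # echoed back from the first reply
        rules = responder.v1_user_rules(user, def_domain)
    else:
        raise ValueError("unknown protocol version")
    return {"defaults_domain": def_domain, "defaults": defaults,
            "rules_domain": rule_domain, "rules": rules,
            "consistent": def_domain == rule_domain}


# Constructed two-domain setup: IPA listed first, AD second.
IPA = Domain("ipa.example", frozenset({"alice"}), [
    {"cn": "defaults", "sudoOption": ["!authenticate"]},
    {"cn": "admins", "sudoUser": ["alice"], "sudoCommand": ["ALL"]},
])
AD = Domain("ad.example", frozenset({"bob"}), [
    {"cn": "defaults", "sudoOption": ["requiretty"]},
    {"cn": "ops", "sudoUser": ["bob"], "sudoCommand": ["/usr/bin/systemctl"]},
])
RESPONDER = SudoResponder([IPA, AD])

if __name__ == "__main__":
    for version in (0, 1):
        print("v%d" % version, sudo_exchange(RESPONDER, "bob", version))
```

With version 0, bob (an AD user) gets IPA's cn=defaults, including the constructed `!authenticate` option, while his rules come from AD; with version 1 both replies come from ad.example, and a second request naming a domain that does not know the user returns nothing. The domain travels as its own field rather than being parsed out of a user@domain string, which is the point Pavel makes above about not depending on the configurable fully qualified name format.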