Public bug reported:

After upgrading from 14.04 LTS to 16.04 LTS, we noticed that LDAP-based
sudo roles stopped working, meaning users that were able to use sudo in
the past, are rejected now.

After investigation, it turned out to be a known upstream bug:

which was introduced somewhere between 14.04 and 16.04 timelines.

To cut the long story short, the code is trying to match FQDN host name
(eg. "") against host name pattern provided in LDAP
(eg. "sudoHost: thehost") using strcmpi, which will - obviously - fail.

The fix is a single line change patch which found its way into sudo
version 1.8.18:

Unfortunately both 16.04 and 16.10 seem to only use 1.8.16 (17.04 seemed
to have jumped to 1.8.19) so will need to carry the patch mentioned
above. Tested it locally and the re-built package with the patch added
works file. My debian/patches/series looks like this now:

.../sudo-1.8.16$ cat debian/patches/series 

.../sudo-1.8.16$ cat debian/patches/ldap-hostname.diff 
# HG changeset patch
# User Todd C. Miller <>
# Date 1473459982 21600
# Node ID 605c03afc80f4c3f55bfae62fcf4974f18cd77e8
# Parent  017866310d2486566cbde9f93486e788d0c046a8
Fix typo that broke short host name matching when the fqdn
flag is enabled.  Bug #757

diff -r 017866310d24 -r 605c03afc80f plugins/sudoers/sudoers.c
--- a/plugins/sudoers/sudoers.c Thu Sep 08 16:38:08 2016 -0600
+++ b/plugins/sudoers/sudoers.c Fri Sep 09 16:26:22 2016 -0600
@@ -1069,7 +1069,7 @@
        /* Not remote, just use user_host. */
        if ((lhost = strdup(user_host)) != NULL) {
            if (user_shost != user_host)
-               shost = strdup(lhost);
+               shost = strdup(user_shost);
                shost = lhost;

** Affects: sudo (Ubuntu)
     Importance: Undecided
         Status: New

You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

  LDAP-based sudo roles stopped working in 16.04

To manage notifications about this bug go to:

ubuntu-bugs mailing list

Reply via email to