Public bug reported:

# Ubuntu 26.04: sudo-rs Default Breaks FreeIPA/SSSD sudo Policy

## Summary

On a fresh installation of Ubuntu 26.04 LTS (Resolute) enrolled into a
FreeIPA 4.13.1 domain, users can authenticate and log in via IPA, but
may be unable to use sudo permissions granted by FreeIPA.

The issue is caused by Ubuntu selecting `sudo-rs` as the active
implementation via `update-alternatives`. Switching back to the classic
sudo implementation (`sudo.ws`) immediately restores full compatibility
with FreeIPA/SSSD sudo rules without other configuration changes.

## Environment

- **Server:**
  - FreeIPA 4.13.1
  - Realm: EACHPATH.LOCAL
- **Client:**
  - Ubuntu 26.04 LTS (Resolute)
  - Joined via `ipa-client-install`
  - SSSD configured for IPA
  - Authentication working

## Expected behavior

A FreeIPA sudo rule allowing user `nyx` to execute all commands on host
`nyx-dev.eachpath.local` is honored on the client.

## Actual behavior (before fix)

- Authentication succeeds.
- SSH login succeeds.
- `sudo` denies with:

  "Sorry, user nyx may not run sudo on nyx-dev.eachpath.local."

  even though the sudo rule exists and matches.

## Investigation

The issue was traced step-by-step to isolate the failure layer.

### 1. FreeIPA rule validation

Rule created:

- `ipa sudorule-add allow_nyx_sudo_nyx_dev`

Configured:

- user = nyx
- host = nyx-dev.eachpath.local
- command category = all
- runas category = all

Verified with:

- `ipa sudorule-show allow_nyx_sudo_nyx_dev --raw`

Confirmed:

- `cmdcategory: all`
- `ipasudorunasusercategory: all`
- `memberhost: fqdn=nyx-dev.eachpath.local`
- `memberuser: uid=nyx`

Rule correct → problem not in FreeIPA.

### 2. Client identity

Checked:

- `id`
- `getent passwd nyx`

Result:

- `uid=10001(nyx)`

IPA identity correctly resolved via SSSD.

### 3. SSSD configuration

Confirmed:

- `services = nss, pam, ssh, sudo`
- `sudoers: sss`

Domain status:

- `sssctl domain-status eachpath.local` → Online
- `sssctl config-check` → No issues

SSSD correctly configured and online.

### 4. SSSD sudo cache

Searched cache:

- `strings /var/lib/sss/db/cache_eachpath.local.ldb`
- `ldbsearch -H /var/lib/sss/db/cache_eachpath.local.ldb`

Found:

- `sudoCommand: ALL`
- `sudoHost: nyx-dev.eachpath.local`
- `sudoRunAsUser: ALL`
- `sudoUser: [email protected]`

Conclusion: FreeIPA exported the rule correctly; SSSD cached it.
Failure not in policy distribution.

### 5. sudo implementation

Ran:

- `sudo -V`

Got:

- `sudo-rs 0.2.13`

Further inspection:

- `readlink -f /etc/alternatives/sudo` → `/usr/lib/cargo/bin/sudo`
- `update-alternatives --list sudo` shows both `sudo-rs` and `sudo.ws`.

Active implementation was `sudo-rs`, which does not yet fully support
SSSD/FreeIPA sudo policy.

### 6. Resolution

Switched implementation:

- `sudo update-alternatives --config sudo`
- Selected: `/usr/bin/sudo.ws`

Verified:

- `sudo -V` → `Sudo version 1.9.17p2`

No other changes; immediately:

- `sudo -l` → correct FreeIPA rules honored.
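The checks in steps 3 to 6 can be folded into one script, shown here as an added example that is not part of the bug report. It classifies the first line of `sudo -V`, checks the `sudoers:` line of `nsswitch.conf` and the `services =` line of `sssd.conf`, and reports the first thing that would stop IPA sudo rules from applying; the script name `check-ipa-sudo.sh` and the file paths are assumptions.

```sh
#!/bin/sh
# Added diagnostic for IPA-joined Ubuntu clients: is the active sudo the
# classic sudo.ws, and is the SSSD sudo responder wired in?

# Map the first line of `sudo -V` to an implementation name.
sudo_impl_from_version() {
    case "$1" in
        sudo-rs*)        echo "sudo-rs" ;;
        "Sudo version"*) echo "sudo.ws" ;;
        *)               echo "unknown" ;;
    esac
}

# Succeed if the sudoers line of the given nsswitch.conf text lists sss.
nsswitch_sudoers_uses_sss() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*sudoers:.*[[:space:]]sss([[:space:]]|$)'
}

# Succeed if the services line of the given sssd.conf text includes sudo.
sssd_services_include_sudo() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*services[[:space:]]*=[[:space:]]*(.*[[:space:],])?sudo([[:space:],]|$)'
}

# Print OK, or the first reason IPA sudo rules would be ignored (exit 1).
# Arguments: sudo -V first line, nsswitch.conf text, sssd.conf text.
ipa_sudo_verdict() {
    impl=$(sudo_impl_from_version "$1")
    if [ "$impl" = "sudo-rs" ]; then
        echo "sudo-rs active: switch with 'update-alternatives --set sudo /usr/bin/sudo.ws'"
        return 1
    fi
    nsswitch_sudoers_uses_sss "$2" || { echo "nsswitch.conf: sudoers line lacks sss"; return 1; }
    sssd_services_include_sudo "$3" || { echo "sssd.conf: sudo missing from services"; return 1; }
    echo "OK"
}

# When run as check-ipa-sudo.sh, gather the live values (sssd.conf is root-readable).
case "$0" in
    */check-ipa-sudo.sh|check-ipa-sudo.sh)
        ipa_sudo_verdict "$(sudo -V 2>/dev/null | head -n 1)" \
                         "$(cat /etc/nsswitch.conf)" \
                         "$(cat /etc/sssd/sssd.conf 2>/dev/null)"
        ;;
esac
```

A clean result still only proves the plumbing; `sudo -l` as the affected user remains the end-to-end check, as in step 6.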

## Conclusion

- FreeIPA rule: correct
- SSSD: correct
- Rule cached locally: yes
- Issue: `sudo-rs` selected as default, not fully compatible with SSSD/FreeIPA sudo policy

Switching to `sudo.ws` restores expected behavior.

## Notes / Recommendations

For Ubuntu 26.04 + FreeIPA/SSSD environments:

- Prefer `sudo.ws`:
  - `sudo update-alternatives --set sudo /usr/bin/sudo.ws`
- Until upstream `sudo-rs` fully integrates with SSSD-based sudo policies, treat this as a required step for IPA-joined machines.

## Version

Version: 1.0 | Created: 2026-06-30 | Updated: 2026-06-30 | Authors:
dafit, Nyx

** Affects: rust-sudo-rs (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2158700