On Wed, Jul 06, 2016 at 03:23:26PM +0200, Jakub Hrozek wrote:
> On Wed, Jun 01, 2016 at 11:52:44AM +0200, Pavel Březina wrote:
> > On 05/31/2016 01:44 PM, Jakub Hrozek wrote:
> > > On Fri, May 27, 2016 at 11:54:20AM +0200, Pavel Březina wrote:
> > > > See commit message for details.
> > > >
> > > > Two configurations need to be tested -- a domain with
> > > > use_fully_qualified_name = true and a configuration with IPA-AD trusts where
> > > > default_domain_suffix is set to the AD domain.
> > >
> > > > From 25f8cb5101f824c53df526b2ab52b8c67dd72539 Mon Sep 17 00:00:00 2001
> > > > From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina(a)redhat.com>
> > > > Date: Thu, 26 May 2016 11:37:30 +0200
> > > > Subject: [PATCH] sudo: solve problems with fully qualified names
> > > >
> > > > sudo expects the same name in the sudo rule as the login name. Therefore
> > > > if a fully qualified name is used or even enforced by setting
> > > > use_fully_qualified_names to true or by forcing a default domain
> > > > with default_domain_suffix, sssd is able to correctly return the
> > > > rules but sudo can't match the user with the content of the sudoUser
> > > > attribute since it is not qualified.
> > > >
> > > > This patch changes the rules on the fly to avoid using names at all.
> > > > We do this in two steps:
> > > > 1. We fetch all rules that match the current user name, id or groups and
> > > > replace the sudoUser attribute with sudoUser: #uid.
> > > > 2. We fetch complementary rules that contain netgroups since it is
> > > > expected we don't have information about existing netgroups in
> > > > cache; sudo still needs to evaluate them for us if needed.
> > > >
> > > > This patch also removes the test for sysdb_get_sudo_filter since it wasn't
> > > > sufficient anyway and I did not rewrite it since I don't think it
> > > > is a good thing to have filter tests that depend on exact filter
> > > > order.
> > > >
> > > > Resolves:
> > > > https://fedorahosted.org/sssd/ticket/2919
> > >
> > > There still seems to be some issue in sysdb tests:
> > > FAIL: test_sysdb_sudo
> > > =====================
> > > [==========] Running 12 test(s).
> > > [ RUN ] test_store_sudo
> > > [ OK ] test_store_sudo
> > > [ RUN ] test_sudo_purge_by_filter
> > > [ OK ] test_sudo_purge_by_filter
> > > [ RUN ] test_sudo_purge_by_rules
> > > [ OK ] test_sudo_purge_by_rules
> > > [ RUN ] test_sudo_set_get_last_full_refresh
> > > [ OK ] test_sudo_set_get_last_full_refresh
> > > [ RUN ] test_get_sudo_user_info
> > > [ OK ] test_get_sudo_user_info
> > > [ RUN ] test_get_sudo_user_info_nogroup
> > > [ OK ] test_get_sudo_user_info_nogroup
> > > [ RUN ] test_get_sudo_nouser
> > > (Tue May 31 11:38:50:598671 2016) [sssd] [sysdb_get_sudo_user_info] (0x0020): Error looking up user no_user
> > > [ OK ] test_get_sudo_nouser
> > > [ RUN ] test_set_sudo_rule_attr_add
> > > [ OK ] test_set_sudo_rule_attr_add
> > > [ RUN ] test_set_sudo_rule_attr_replace
> > > [ OK ] test_set_sudo_rule_attr_replace
> > > [ RUN ] test_set_sudo_rule_attr_delete
> > > [ OK ] test_set_sudo_rule_attr_delete
> > > [ RUN ] test_search_sudo_rules
> > > (Tue May 31 11:38:50:615209 2016) [sssd] [talloc_log_fn] (0x0010): Bad talloc magic value - unknown value
> > > FAIL test_sysdb_sudo (exit status: 134)
> >
> > Sorry about that. It should be fixed now.
> >
>
> I did quite a bit of testing with this patch and it seems to work fine.
>
> ACK
btw I would prefer to push this patch together with my sysdb patchset
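The two-step rewrite the quoted commit message describes, as an added illustration that is not SSSD's code: rules already matched for the user (by name, uid or group) get their sudoUser replaced with "#uid" so sudo matches on the numeric id regardless of how the login name is qualified, and rules naming a netgroup are passed through so sudo can still evaluate them. The rule dictionaries, user names and domain are constructed for the example.

```python
# Added illustration, not SSSD's code: rewrite sudo rules so sudo matches the
# user by numeric uid instead of by (possibly fully qualified) login name.

def rule_matches_user(sudo_users, username, uid, groups):
    """True if any sudoUser value matches the user by name, uid or group.
    Name matching accepts either the login name as given or its short
    (unqualified) form, which is the mismatch the patch works around."""
    short = username.split("@", 1)[0]
    for value in sudo_users:
        if value.startswith("+"):        # netgroup: not evaluable from the cache
            continue
        if value == "ALL":
            return True
        if value.startswith("#"):        # numeric uid form
            if value[1:].isdigit() and int(value[1:]) == uid:
                return True
            continue
        if value.startswith("%"):        # group membership
            if value[1:] in groups:
                return True
            continue
        if value in (username, short):
            return True
    return False


def rewrite_rules(rules, username, uid, groups):
    """Step 1: rules matching the user get sudoUser = ['#uid'].
    Step 2: rules that name a netgroup are passed through untouched.
    Rules that do neither would never apply to this user and are dropped."""
    result = []
    for rule in rules:
        users = rule.get("sudoUser", [])
        new_rule = dict(rule)            # shallow copy; input rules stay intact
        if rule_matches_user(users, username, uid, groups):
            new_rule["sudoUser"] = ["#%d" % uid]
            result.append(new_rule)
        elif any(u.startswith("+") for u in users):
            result.append(new_rule)
    return result


# Constructed sample rules in sysdb attribute style (hypothetical names)
SAMPLE_RULES = [
    {"cn": "admins", "sudoUser": ["%wheel"], "sudoCommand": ["ALL"]},
    {"cn": "alice-ls", "sudoUser": ["alice"], "sudoCommand": ["/bin/ls"]},
    {"cn": "ops-ng", "sudoUser": ["+ops"], "sudoCommand": ["/usr/bin/systemctl"]},
    {"cn": "bob-all", "sudoUser": ["bob"], "sudoCommand": ["ALL"]},
]
```

Calling `rewrite_rules(SAMPLE_RULES, "alice@ad.example.com", 10001, ["wheel"])` keeps the group and name rules with sudoUser rewritten to `#10001`, keeps the netgroup rule unchanged, and drops bob's rule.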