diff --git a/0020-IPA-Qualify-the-externalUser-sudo-attribute.patch b/0020-IPA-Qualify-the-externalUser-sudo-attribute.patch
new file mode 100644
index 0000000..dd7e1a0
--- /dev/null
+++ b/0020-IPA-Qualify-the-externalUser-sudo-attribute.patch
@@ -0,0 +1,70 @@
+From 999420ed67439bb662e92b47792a06310d173c53 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Mon, 26 Mar 2018 11:36:00 +0200
+Subject: [PATCH] IPA: Qualify the externalUser sudo attribute
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We broke the externalUser support with the introduction of the fully
+qualified attributes, because the provider was saving the data verbatim,
+but the sudo responder expects a fully qualified name.
+
+Reproducer:
+ on the server:
+ ipa sudocmd-add --desc='For reading log files' /usr/bin/less
+ ipa sudorule-add readfiles
+ ipa sudorule-add-user --users=lcluser
+ ipa sudorule-mod --hostcat=all readfiles
+
+ then on the client:
+ configure sssd with:
+ id_provider = files
+ sudo_provider = ipa
+ ipa_domain = ipa.test
+
+ run:
+ sudo useradd lcluser
+ sudo passwd lcluser
+ su - lcluser
+ sudo -l
+
+Reviewed-by: Fabiano Fidêncio
+Reviewed-by: Pavel Březina
+(cherry picked from commit 0f6b5b02afb35caae774ff4d52854a844d49f52e)
+---
+ src/providers/ipa/ipa_sudo_conversion.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c
+index a96ae3447..bfa66b2c6 100644
+--- a/src/providers/ipa/ipa_sudo_conversion.c
++++ b/src/providers/ipa/ipa_sudo_conversion.c
+@@ -873,6 +873,15 @@ convert_user_fqdn(TALLOC_CTX *mem_ctx,
+ return fqdn;
+ }
+
++static const char *
++convert_ext_user(TALLOC_CTX *mem_ctx,
++ struct ipa_sudo_conv *conv,
++ const char *value,
++ bool *skip_entry)
++{
++ return sss_create_internal_fqname(mem_ctx, value, conv->dom->name);
++}
++
+ static const char *
+ convert_group(TALLOC_CTX *mem_ctx,
+ struct ipa_sudo_conv *conv,
+@@ -959,7 +968,7 @@ convert_attributes(struct ipa_sudo_conv *conv,
+ {SYSDB_IPA_SUDORULE_RUNASEXTUSER, SYSDB_SUDO_CACHE_AT_RUNASUSER , NULL},
+ {SYSDB_IPA_SUDORULE_RUNASEXTGROUP, SYSDB_SUDO_CACHE_AT_RUNASGROUP , NULL},
+ {SYSDB_IPA_SUDORULE_RUNASEXTUSERGROUP, SYSDB_SUDO_CACHE_AT_RUNASUSER , convert_runasextusergroup},
+- {SYSDB_IPA_SUDORULE_EXTUSER, SYSDB_SUDO_CACHE_AT_USER , NULL},
++ {SYSDB_IPA_SUDORULE_EXTUSER, SYSDB_SUDO_CACHE_AT_USER , convert_ext_user},
+ {SYSDB_IPA_SUDORULE_ALLOWCMD, SYSDB_IPA_SUDORULE_ORIGCMD , NULL},
+ {SYSDB_IPA_SUDORULE_DENYCMD, SYSDB_IPA_SUDORULE_ORIGCMD , NULL},
+ {NULL, NULL, NULL}};
+--
+2.14.3
+
diff --git a/sssd.spec b/sssd.spec
index c7aa1af..6177c8f 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -60,6 +60,7 @@ Patch0016: 0016-SYSDB-When-marking-an-entry-as-expired-also-set-the-.patch
 Patch0017: 0017-sudo-ldap-do-not-store-rules-without-sudoHost-attrib.patch
 Patch0018: 0018-sysdb-custom-completely-replace-old-object-instead-o.patch
 Patch0019: 0019-SERVER-Tone-down-shutdown-messages-for-socket-activa.patch
+Patch0020: 0020-IPA-Qualify-the-externalUser-sudo-attribute.patch
 Patch0500: 0500-Revert-libwbclient-sssd-update-interface-to-version-.patch
 Patch0502: 0502-SYSTEMD-Use-capabilities.patch
@@ -1261,6 +1262,7 @@ fi
 change
 - Resolves: upstream#3558 - sudo: report error when two rules share cn
 - Tone down shutdown messages for socket activated responders
+- IPA: Qualify the externalUser sudo attribute
 * Fri Mar 30 2018 Fabiano Fidêncio - 1.16.1-2
 - Resolves: upstream#3573 - sssd won't show netgroups with blank domain
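Review bot: `convert_ext_user` never writes `*skip_entry`, although it takes the same converter signature the neighbouring `convert_user_fqdn` and `convert_group` appear to use, so if `convert_attributes` (its body lies outside the hunk) reads the flag after the call, a value left over from an earlier table iteration decides whether the rule is kept; an explicit `*skip_entry = false;` before the return makes the intent visible and cheap to audit. The helper also returns NULL on allocation failure, and it is not visible here how the caller tells that apart from a deliberately skipped entry, which deserves a one-line comment. If `sss_create_internal_fqname` appends `@conv->dom->name` unconditionally, an `externalUser` value from the server that already carries an `@domain` suffix is double-qualified and will silently never match; a comment above the function stating that external users are expected to be short local names, qualified with the client's own domain so the sudo responder can match them, would document that assumption. The `runAsExternalUser`/`runAsExternalGroup` rows just above the changed table entry stay verbatim; if that is deliberate because runas names are handed to sudo unqualified, a short comment on those rows would stop a later reader from qualifying them too.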