On Wed, Jul 06, 2016 at 06:20:00PM +0200, Jakub Hrozek wrote:
> On Wed, Jul 06, 2016 at 03:23:26PM +0200, Jakub Hrozek wrote:
> > On Wed, Jun 01, 2016 at 11:52:44AM +0200, Pavel Březina wrote:
> > > On 05/31/2016 01:44 PM, Jakub Hrozek wrote:
> > > > On Fri, May 27, 2016 at 11:54:20AM +0200, Pavel Březina wrote:
> > > > > See commit message for details.
> > > > >
> > > > > Two configurations need to be tested -- a domain with
> > > > > use_fully_qualified_name = true and a configuration with IPA-AD trusts
> > > > > where default_domain_suffix is set to the AD domain.
> > > > >
> > > > > From 25f8cb5101f824c53df526b2ab52b8c67dd72539 Mon Sep 17 00:00:00 2001
> > > > > From: Pavel Březina <pbrez...@redhat.com>
> > > > > Date: Thu, 26 May 2016 11:37:30 +0200
> > > > > Subject: [PATCH] sudo: solve problems with fully qualified names
> > > > >
> > > > > sudo expects the same name in the sudo rule as the login name. Therefore,
> > > > > if a fully qualified name is used, or even enforced by setting
> > > > > use_fully_qualified_names to true or by forcing a default domain
> > > > > with default_domain_suffix, sssd is able to correctly return the
> > > > > rules but sudo can't match the user with the content of the sudoUser
> > > > > attribute since it is not qualified.
> > > > >
> > > > > This patch changes the rules on the fly to avoid using names at all.
> > > > > We do this in two steps:
> > > > > 1. We fetch all rules that match the current user name, id or groups and
> > > > > replace the sudoUser attribute with sudoUser: #uid.
> > > > > 2. We fetch complementary rules that contain netgroups, since it is
> > > > > expected we don't have information about existing netgroups in the
> > > > > cache; sudo still needs to evaluate it for us if needed.
> > > > >
> > > > > This patch also removes the test for sysdb_get_sudo_filter since it wasn't
> > > > > sufficient anyway, and I did not rewrite it since I don't think it
> > > > > is a good thing to have filter tests that depend on exact filter
> > > > > order.
> > > > >
> > > > > Resolves:
> > > > > https://fedorahosted.org/sssd/ticket/2919
> > > >
> > > > There still seems to be some issue in sysdb tests:
> > > > FAIL: test_sysdb_sudo
> > > > =====================
> > > > [==========] Running 12 test(s).
> > > > [ RUN      ] test_store_sudo
> > > > [       OK ] test_store_sudo
> > > > [ RUN      ] test_sudo_purge_by_filter
> > > > [       OK ] test_sudo_purge_by_filter
> > > > [ RUN      ] test_sudo_purge_by_rules
> > > > [       OK ] test_sudo_purge_by_rules
> > > > [ RUN      ] test_sudo_set_get_last_full_refresh
> > > > [       OK ] test_sudo_set_get_last_full_refresh
> > > > [ RUN      ] test_get_sudo_user_info
> > > > [       OK ] test_get_sudo_user_info
> > > > [ RUN      ] test_get_sudo_user_info_nogroup
> > > > [       OK ] test_get_sudo_user_info_nogroup
> > > > [ RUN      ] test_get_sudo_nouser
> > > > (Tue May 31 11:38:50:598671 2016) [sssd] [sysdb_get_sudo_user_info] (0x0020): Error looking up user no_user
> > > > [       OK ] test_get_sudo_nouser
> > > > [ RUN      ] test_set_sudo_rule_attr_add
> > > > [       OK ] test_set_sudo_rule_attr_add
> > > > [ RUN      ] test_set_sudo_rule_attr_replace
> > > > [       OK ] test_set_sudo_rule_attr_replace
> > > > [ RUN      ] test_set_sudo_rule_attr_delete
> > > > [       OK ] test_set_sudo_rule_attr_delete
> > > > [ RUN      ] test_search_sudo_rules
> > > > (Tue May 31 11:38:50:615209 2016) [sssd] [talloc_log_fn] (0x0010): Bad talloc magic value - unknown value
> > > > FAIL test_sysdb_sudo (exit status: 134)
> > >
> > > Sorry about that. It should be fixed now.
> >
> > I did quite a bit of testing with this patch and it seems to work fine.
> > ACK
>
> btw I would prefer to push this patch together with my sysdb patchset
* master: 61913b8f0d1ba54d82640500d7486fac5f72b030

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
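Added example (C, written for this page; it is not code from sssd or from the patch discussed above) of the two-step rewrite the quoted commit message describes: rules that match the user by name, uid or group are handed to sudo with sudoUser replaced by #uid, and netgroup rules are appended untouched so sudo can evaluate the netgroup itself. The sample rules, the user alice with uid 1000 and group wheel, the fully qualified login alice@ad.example, and the sudoUser matching semantics (ALL, %group, #uid, +netgroup, plain name, modelled on sudoers syntax) are constructed assumptions; sssd's real implementation works on sysdb/ldb entries and LDAP filters and is not reproduced here.

```c
/* Added example, not sssd code: rewrite sudoUser so that sudo matches a rule
 * by uid instead of by login name. The rules, the user and the matching
 * semantics (plain name, %group, #uid, +netgroup, ALL, modelled on sudoers
 * syntax) are constructed assumptions of this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SUDOUSER_LEN 64

struct sudo_rule { const char *cn; const char *sudo_user; }; /* one value per rule */
struct out_rule  { const char *cn; char sudo_user[SUDOUSER_LEN]; };
struct user_info {
    const char *name;      /* the name the matcher compares against */
    unsigned long uid;
    const char **groups;   /* short group names */
    size_t ngroups;
};

/* sssd and sudo evaluate sudoUser the same way; the problem in the thread is
 * that they disagree on the name: sssd knows "alice", sudo was handed
 * "alice@ad.example". Netgroups ("+name") are left to sudo (step 2 below). */
int matches_rule(const struct user_info *u, const char *val)
{
    if (strcmp(val, "ALL") == 0) return 1;
    if (val[0] == '#') return strtoul(val + 1, NULL, 10) == u->uid;
    if (val[0] == '%') {
        for (size_t i = 0; i < u->ngroups; i++)
            if (strcmp(val + 1, u->groups[i]) == 0) return 1;
        return 0;
    }
    if (val[0] == '+') return 0;
    return strcmp(val, u->name) == 0;
}

/* Step 1: every rule matching the user by name, uid or group is returned with
 * sudoUser replaced by "#uid". Step 2: every netgroup rule is appended
 * unchanged so sudo can evaluate the netgroup itself. Returns rules written. */
size_t rewrite_rules(const struct sudo_rule *rules, size_t n,
                     const struct user_info *u, struct out_rule *out, size_t max_out)
{
    size_t count = 0;
    for (size_t i = 0; i < n && count < max_out; i++)
        if (matches_rule(u, rules[i].sudo_user)) {
            out[count].cn = rules[i].cn;
            snprintf(out[count].sudo_user, SUDOUSER_LEN, "#%lu", u->uid);
            count++;
        }
    for (size_t i = 0; i < n && count < max_out; i++)
        if (rules[i].sudo_user[0] == '+') {
            out[count].cn = rules[i].cn;
            snprintf(out[count].sudo_user, SUDOUSER_LEN, "%s", rules[i].sudo_user);
            count++;
        }
    return count;
}

/* Constructed sample: the rules name the user as plain "alice", but with
 * default_domain_suffix or use_fully_qualified_names sudo sees "alice@ad.example". */
const char *alice_groups[] = { "wheel" };
const struct user_info alice_in_sssd = { "alice", 1000, alice_groups, 1 };
const struct user_info alice_in_sudo = { "alice@ad.example", 1000, alice_groups, 1 };
const struct sudo_rule sample_rules[] = {
    { "cn=admins", "%wheel" }, { "cn=alice", "alice" },
    { "cn=bob", "bob" },       { "cn=ops", "+ops_hosts" },
};
#define N_SAMPLE (sizeof sample_rules / sizeof sample_rules[0])

/* Number of sample rules sudo matches for alice, before (rewrite == 0) or
 * after (rewrite != 0) sssd rewrote them. */
size_t demo_sudo_matches(int rewrite)
{
    struct out_rule out[N_SAMPLE];
    size_t hits = 0, n = N_SAMPLE;
    if (rewrite)
        n = rewrite_rules(sample_rules, N_SAMPLE, &alice_in_sssd, out, N_SAMPLE);
    for (size_t i = 0; i < n; i++) {
        const char *val = rewrite ? out[i].sudo_user : sample_rules[i].sudo_user;
        hits += matches_rule(&alice_in_sudo, val) != 0;
    }
    return hits;
}

/* 1 if the idx-th rewritten sample rule has the given cn and sudoUser. */
int demo_rewritten_rule_is(size_t idx, const char *cn, const char *sudo_user)
{
    struct out_rule out[N_SAMPLE];
    size_t n = rewrite_rules(sample_rules, N_SAMPLE, &alice_in_sssd, out, N_SAMPLE);
    return idx < n && strcmp(out[idx].cn, cn) == 0
           && strcmp(out[idx].sudo_user, sudo_user) == 0;
}

int main(void)
{
    struct out_rule out[N_SAMPLE];
    size_t n = rewrite_rules(sample_rules, N_SAMPLE, &alice_in_sssd, out, N_SAMPLE);
    for (size_t i = 0; i < n; i++)
        printf("%s -> sudoUser: %s\n", out[i].cn, out[i].sudo_user);
    printf("rules sudo matches for alice@ad.example before/after rewrite: %zu/%zu\n",
           demo_sudo_matches(0), demo_sudo_matches(1));
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c`. Before the rewrite only the %wheel rule matches the qualified login, because "alice" is compared against "alice@ad.example" as a string; after it both cn=admins and cn=alice carry "#1000" and match by uid, while cn=ops keeps "+ops_hosts" for sudo to resolve against its own netgroup source. Rules that would only match through a netgroup are never rewritten, which is why the second pass returns them unchanged rather than dropping them.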