Bug
Resolution: Obsolete
Critical
rhel-9.7
Important
rhel-idm-sssd
2025-IDM-SSSD-S1
Steps to reproduce:
On the IPA server:
echo Secret123|kinit admin
ipa group-add --desc=0 hbacgroup_external --external
ipa group-add --desc=0 hbacgroup
ipa group-add-member hbacgroup --groups=hbacgroup_external
ipa group-add-member hbacgroup_external --external='nonposixuser@hbacnew.test' --users='' --groups=''
ipa hbacrule-add hbacrule_11 --hostcat=all
ipa hbacrule-add-service hbacrule_11 --hbacsvcs=sudo
ipa hbacrule-add-user hbacrule_11 --groups=hbacgroup
ipa sudorule-add sudorule_11 --hostcat=all --cmdcat=all
ipa sudorule-add-user sudorule_11 --groups=hbacgroup
ipa hbacrule-disable allow_all
systemctl stop sssd; rm -rf /var/lib/sss/
Verify on the IPA client:
systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd ; sleep 160
su nonposixuser@hbacnew.test -c "echo 'Secret123' | sudo -S id"
ipa: ERROR: stderr:
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for nonposixuser@ad-1wjf.test: nonposixuser@ad-1wjf.test is not allowed to run sudo on client1. This incident will be reported.
Note: This was working using : sssd-ipa-2.9.7-2.el9.x86_64
Started failing with : sssd-ipa-2.9.7-3.el9.x86_64
amore@fedora:/tmp$ diff /tmp/hbac_new /tmp/hbac_old | grep 389-ds-base-2
< 389-ds-base-2.7.0-4.el9.x86_64
> 389-ds-base-2.7.0-2.el9.x86_64
amore@fedora:/tmp$ diff /tmp/hbac_new /tmp/hbac_old | grep ipa-server-4
< ipa-server-4.12.2-19.el9.x86_64
> ipa-server-4.12.2-18.el9.x86_64
amore@fedora:/tmp$ diff /tmp/hbac_new /tmp/hbac_old | grep sssd-ipa
< sssd-ipa-2.9.7-3.el9.x86_64
> sssd-ipa-2.9.7-2.el9.x86_64
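The following checker is an added example, not part of the bug report or of SSSD/IPA. It separates the two things the reproducer above conflates: whether the server-side rules evaluate correctly (ipa hbactest) and whether the client actually resolved the external-group nesting that the sudo rule depends on (id and sssctl user-checks on the client). The user principal, rule names, the "client1" host name for hbactest, and the assumption that ipa and sssctl are installed on the respective hosts are taken from the report or assumed; the sample sudo output is the report's denial line, embedded so the classifier can be exercised offline. The client-side functions must run as root (sudo -l -U and sssctl need it).

```shell
#!/bin/sh
# Added example (not from the bug report): checker for the "sudo via an
# external group nested in an IPA group" scenario above.
# Assumptions: the principal and rule names below match the reporter's;
# CLIENT_HOST is assumed to be "client1" (the report only shows the short
# name); ipa/sssctl are on PATH on the server/client respectively.

USER_PRINC="${USER_PRINC:-nonposixuser@hbacnew.test}"
CLIENT_HOST="${CLIENT_HOST:-client1}"
HBAC_RULE="${HBAC_RULE:-hbacrule_11}"
SUDO_RULE="${SUDO_RULE:-sudorule_11}"

# Constructed sample: the denial line pasted in the report, so the
# classifier can be run without an IPA deployment.
SAMPLE_DENIED="nonposixuser@ad-1wjf.test is not allowed to run sudo on client1. This incident will be reported."

# Classify sudo's combined stdout/stderr. Pure string matching.
classify_sudo_result() {
    case "$1" in
        *"is not allowed to run sudo"*)              echo denied ;;
        *"uid=0("*)                                  echo allowed ;;
        *"Sorry, try again"*|*"incorrect password"*) echo auth_failed ;;
        *)                                           echo unknown ;;
    esac
}

# On the client: repeat the reporter's check and classify the result.
run_sudo_check() {
    out=$(su "$USER_PRINC" -c "echo 'Secret123' | sudo -S id" 2>&1 </dev/null)
    classify_sudo_result "$out"
}

# On the client: show what SSSD resolved before blaming the rules.
# If hbacgroup is missing from the id output, the nested external-group
# membership was not resolved on the client. sssctl user-checks with
# -a acct runs the same account-management step (HBAC evaluation in the
# IPA provider) that pam_sss performs for the sudo service.
diagnose_client() {
    echo "== groups resolved for $USER_PRINC"
    id "$USER_PRINC"
    echo "== HBAC evaluation for service sudo"
    sssctl user-checks -a acct -s sudo "$USER_PRINC"
    echo "== sudo rules visible for the user"
    sudo -l -U "$USER_PRINC"
}

# On the server (after kinit admin): evaluate the HBAC rule server-side and
# show both rules, to tell a rule misconfiguration from a client regression.
diagnose_server() {
    ipa hbactest --user="$USER_PRINC" --host="$CLIENT_HOST" --service=sudo
    ipa hbacrule-show "$HBAC_RULE"
    ipa sudorule-show "$SUDO_RULE"
}

# Offline demonstration against the constructed sample.
classify_sudo_result "$SAMPLE_DENIED"

# Live modes: ./check.sh check | client | server
case "${1:-}" in
    check)  run_sudo_check ;;
    client) diagnose_client ;;
    server) diagnose_server ;;
esac
```

A "denied" result from run_sudo_check together with a passing ipa hbactest on the server and hbacgroup absent from id on the client points at client-side group resolution, which is where the sssd-ipa version change in the package diff above would show up.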