Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: None
Affects Version/s: rhel-8.6.0
Component/s: sudo
Labels:

Regression:
None
Severity:
None
Epic Link:
RHEL-115442

AssignedTeam:
rhel-idm-sssd
Sub-System Group:

ssg_security

Story Points:
None
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
None
Sprint:
None

Preliminary Testing:
None
Test Coverage:
None

Release Note Type:
If docs needed, set a value

Experience:
Architecture:

Unspecified
Bugzilla Bug:
RHBZ: 2121402

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None
Internal Target Milestone numeric:
0

Description of problem:
Sudo rule option SudoUser with group ID does not work via SSSD provider. But it works via LDAP.

Version-Release number of selected component (if applicable):
tested and failed on all RHEL8 and RHEL9

How reproducible:
Everytime

Steps to Reproduce:
1. setup sudo to use sssd, using this ldap data:

my-domain.com
dn: dc=my-domain,dc=com
objectClass: dcObject
objectClass: organization
dc: my-domain
o: Test server

Groups, my-domain.com
dn: ou=Groups,dc=my-domain,dc=com
objectClass: top
objectClass: organizationalunit
ou: Groups

People, my-domain.com
dn: ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: organizationalunit
ou: People

admin, People, my-domain.com
dn: cn=admin,ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
cn: admin
uidNumber: 11001
gidNumber: 21001
homeDirectory: /home/admin
loginShell: /bin/bash
uid: admin
userPassword:: eA==

admin, Groups, my-domain.com
dn: cn=admin,ou=Groups,dc=my-domain,dc=com
gidNumber: 21001
objectClass: top
objectClass: posixGroup
cn: 21001
cn: admin

userallowed, People, my-domain.com
dn: cn=userallowed,ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
cn: userallowed
uidNumber: 10001
gidNumber: 20001
homeDirectory: /home/userallowed
loginShell: /bin/bash
uid: userallowed
userPassword:: eA==

groupallowed, Groups, my-domain.com
dn: cn=groupallowed,ou=Groups,dc=my-domain,dc=com
gidNumber: 20001
objectClass: top
objectClass: posixGroup
cn: groupallowed

usernotallowed, People, my-domain.com
dn: cn=usernotallowed,ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
cn: usernotallowed
uidNumber: 10002
gidNumber: 20002
homeDirectory: /home/usernotallowed
loginShell: /bin/bash
uid: usernotallowed
userPassword:: eA==

groupnotallowed, Groups, my-domain.com
dn: cn=groupnotallowed,ou=Groups,dc=my-domain,dc=com
gidNumber: 20002
objectClass: top
objectClass: posixGroup
cn: groupnotallowed

Sudoers, my-domain.com
dn: ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Sudoers

defaults, Sudoers, my-domain.com
dn: cn=defaults,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: !authenticate
sudoOption: !requiretty

rule1, Sudoers, my-domain.com
dn: cn=rule1,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: rule1
sudoHost: ALL
sudoCommand: ALL
sudoUser: %#20001

2. check it with following command:

$ su - userallowed -c 'sudo true'

Actual results:
Gets generic error - exit status 1

Expected results:
userallowed is in the sudoers file - exit status 0

Additional info:

external trackers

Red Hat Issue Tracker RHELPLAN-132320

Red Hat Issue Tracker SECENGSP-4734

TCMS Test Case 613170

Assignee:: Alejandro Lopez

Reporter:: Natália Bubáková

Developer:: Alejandro Lopez

QA Contact:: SSG Security QE

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2023/08/16 2:38 PM

Updated:: 2026/01/24 1:22 AM

Stale Date:: 2026/02/23