Sudorules ad users #4792
Sudorules ad users #4792
Conversation
tiran
added
ipa-4-8
|
Azure Pipelines failed because https://bodhi.fedoraproject.org/updates/FEDORA-2020-ca8855e4de is currently being pushed to Fedora 32 updates stable and is not accessible in updates testing anymore. |
abbra
force-pushed
the
sudorules-ad-users
branch
4 times, most recently
from
23a602a
to
c5504b2
Compare
|
I had some progress on supporting AD groups via non-POSIX groups syntax in sudoers ( |
abbra
force-pushed
the
sudorules-ad-users
branch
from
c5504b2
to
5e1b846
Compare
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
this is not stale, it is contingent on the SSSD release which includes the fix. |
|
SSSD 2.3.1 is out and contains the fix. Also, our images are updated to include SSSD 2.3.1. I'll rebase the PR to get this working. |
abbra
force-pushed
the
sudorules-ad-users
branch
2 times, most recently
from
2d4cc06
to
571a189
Compare
|
I tested manually and the change works, including sudo actually accepting AD user in the rules. Somehow, the automated test still fails in PR CI and I need to investigate why that happens. |
abbra
force-pushed
the
sudorules-ad-users
branch
from
571a189
to
f17aed6
Compare
|
I think I figured out the issue -- the order of tests made sudo test to run within trust to AD with POSIX attributes expected to come from AD where they weren't, so resolving AD user was failing as it never had POSIX attributes. |
abbra
force-pushed
the
sudorules-ad-users
branch
from
f17aed6
to
a74f385
Compare
|
Ok, fixed, will submit an update soon. |
…d failures It was possible to add external members without any validation. Any object that was not found in IPA LDAP was considered an external object and a command such as sudorule could have added it to the list of values for externalUser attribute. With member validator support, real external members from trusted domains can be differentiated from the objects that were not found in IPA and in trusted domains. Use information from the ID Views plugin to treat external objects accordingly. Not found objects will be part of the error messaging instead. Fixes: https://pagure.io/freeipa/issue/3226 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Register extended validator for users from trusted domains to be called through add_external_pre_callback() in sudorules and other plugins. The callbacks allow to validate user names as following: - if user name passes basic user name validator it is accepted, otherwise - if user name can be resolved to any user in IPA or in a trusted domain, it is accepted - otherwise the name is rejected Fixes: https://pagure.io/freeipa/issue/3226 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
…omains directly Allow specifying AD users and groups from trusted Active Directory forests in `ipa sudorule-add/remove-user` family of commands. SSSD uses single attribute 'externalUser' for IPA to pull 'external' objects referenced in SUDO rules. This means both users and groups are represented within the same attribute, with groups prefixed with '%', as described in sudoers(5) man page. Add member type validators to 'ipa sudorule-add/remove-user' family commands and rely on member type validators from 'idviews' plugin to resolve trusted objects. Referencing fully qualified names for users and groups from trusted Active Directory domains in 'externalUser' attribute of SUDO rules is supported in SSSD 2.4 or later. RN: IPA now supports adding users and groups from trusted Active RN: Directory domains in SUDO rules without an intermediate non-POSIX RN: group membership Fixes: https://pagure.io/freeipa/issue/3226 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
On the other hand, this will break a valid use case where a local system user or group is added to SUDO rule globally. We have a test for this in Should we keep this logic or not? |
abbra
force-pushed
the
sudorules-ad-users
branch
from
cbb994b
to
5c51595
Compare
|
I guess we have to keep the logic that adds whatever is provided to external attributes because otherwise we are totally broken for these use cases. A good chunk of tests in I'm going to refactor the check to allow an easier switch later but we'll keep those non-existing names permitted. |
|
|
abbra
force-pushed
the
sudorules-ad-users
branch
from
5c51595
to
7a4dc13
Compare
Totally agree, I wasn't aware that we allowed non-existing names for local system users. Since it's a feature and not a bug we can keep the behavior. |
abbra
force-pushed
the
sudorules-ad-users
branch
2 times, most recently
from
cb67415
to
a031d73
Compare
|
The latest changes fixed trust removal situation for all but one test. That one test is testing unreachable scenario. I think we need to restore the correct DNS zone before removing trust in it. |
…rectly Allow specifying AD users and groups from trusted Active Directory forests in `ipa sudorule-add/remove-runasuser/runasgroup` family of commands. IPA provides 'ipasudorunasextuser' and 'ipasudorunasextusergroup' LDAP attributes to record 'external' objects referenced in SUDO rules for specifying the target user and group to run the commands allowed in the SUDO rule. Use member type validators to 'ipa sudorule-add/remove-runasuser/runasgroup' family of commands and rely on member type validators from 'idviews' plugin to resolve trusted objects. Referencing fully qualified names for users and groups from trusted Active Directory domains in IPA SUDOERs schema attributes is supported in SSSD 2.4 or later. RN: IPA now supports users and groups from trusted Active Directory RN: domains in SUDO rules to specify runAsUser/runAsGroup properties RN: without an intermediate non-POSIX group membership Fixes: https://pagure.io/freeipa/issue/3226 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Fixes: https://pagure.io/freeipa/issue/3226 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
abbra
force-pushed
the
sudorules-ad-users
branch
from
a031d73
to
b5fa7d4
Compare
Tests test_integration/test_trust.py::TestTrust::test_sudorules_ad_* check that a user from a trusted AD domain can perform SUDO authentication without a password for any command based on a direct user reference or on indirect AD group reference. The test suite also ensures an AD user and group can be used for runAsUser/runAsGroup settings. Due to SSSD/sssd#5475 anything added to 'ipaSudoRunAsExtUserGroup' attribute will be prefixed with '%' and thus any relying on the value of this attribute displayed by 'sudo -l' command will fail. The test only validates that a proper group name appears in the 'sudo' output, so we handle both prefixes in the corresponding test check. It is not possible to differ by the SSSD version as a fix to the issue is only a patch on top of 2.4.0 in RHEL. Fixes: https://pagure.io/freeipa/issue/3226 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
abbra
force-pushed
the
sudorules-ad-users
branch
2 times, most recently
from
ec74da1
to
d905229
Compare
|
Hi @abbra |
Samba 4.13+ in Fedora 33+ and RHEL 8.4+ defaults to Kerberos authentication. This means user name used for authentication must be mapped to a target realm. We have to remove trust on AD side first before removing it locally or otherwise MIT Kerberos might not be able to locate DCs from AD as removal of the trust information would cause SSSD to clear the details for a KDC locator plugin as well. For the test that modifies AD DNS zone on IPA side to inject unreachable DCs addresses, the configuration has to be reverted first, to allow plain 'kinit' during removal of trust to reach AD DCs directly. Fixes: https://pagure.io/freeipa/issue/8678 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
…ernal attr IPA traditionally allowed to add names not found in IPA LDAP to external attributes. This is used to allow, for example, a local system user or group be present in a SUDO rule. With membership validator, we can actually check validity of the names against both IPA users/groups and users/groups from trusted domains. If in future we decide to reject a local system's objects, then all it would take is to switch reject_failures to True. Fixes: https://pagure.io/freeipa/issue/3226 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
abbra
force-pushed
the
sudorules-ad-users
branch
from
d905229
to
7a07770
Compare
|
master:
|
No description provided.