[sudo-users] Sudo + sssd + active directory + netgroup (nisNetgroupTriple) different behavior in different sudo versions

Jan Rendos jan.rendos at qnective.com
Thu Nov 10 03:58:33 MST 2016


Hi,


I set up authentication of our linux hosts against AD using SSSD. Then I also set up sudo in AD and it worked fine for RHEL6 and 7, centos6 and 7, ubuntu12 and 14 LTS.


But I ran into multiple issues with ubuntu16 LTS.


I generally create a sudorole object under SUDOers ou for each group of people, e.g. sudoRole_dev

In each of these objects I specify sudoHost as a netgroup, e.g. +netgroup-dev-servers

Then there is a netgroup OU containing these netgroups of the nisNetgroup object class.


Until I started with ubuntu16 I used to define nisNetgroup Triple as follows: (hostname, ,domain)

and it was working. In ubuntu 16 it doesn't work.


I set up debug for sudo and started to watch what happens. I realized that ubuntu16, when checking whether it matches the netgroup, always compares the FQDN, and it fails. Example:


root at zrh-sud-sark:~# sudo -l -U john.doer
User john.doer is not allowed to run sudo on zrh-sud-sark.


root at zrh-sud-sark:~# getent netgroup netgroup-1
netgroup-1            (zrh-sut-ubuntu1404, , qnective.net) (zrh-sut-sark, , qnective.net) (zrh-sut-rhel72, , qnective.net)


root at zrh-sud-sark:~# egrep 'netgroup|sark' /var/log/sudo_debug
Nov 10 11:41:14 sudo[29482] <- sudo_new_key_val_v1 @ /build/sudo-L2mAoN/sudo-1.8.16/lib/util/key_val.c:56 := host=zrh-sud-sark
Nov 10 11:41:14 sudo[29482] user_info: host=zrh-sud-sark
Nov 10 11:41:14 sudo[29482] host zrh-sud-sark.qnective.net, shost zrh-sud-sark, runhost zrh-sud-sark.qnective.net, srunhost zrh-sud-sark.qnective.net @ set_fqdn() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/sudoers.c:1070
Nov 10 11:41:14 sudo[29482] val[0]=+netgroup-1
Nov 10 11:41:14 sudo[29482] IP address +netgroup-1 matches local host: false @ addr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:206
Nov 10 11:41:14 sudo[29482] netgroup netgroup-1 matches (zrh-sud-sark.qnective.net|zrh-sud-sark.qnective.net, john.doer, ): false @ netgr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1041
Nov 10 11:41:14 sudo[29482] host zrh-sud-sark.qnective.net matches sudoers pattern +netgroup-1: false @ hostname_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:829
Nov 10 11:41:14 sudo[29482] sssd/ldap sudoHost '+netgroup-1' ... not



For comparison the same user on ubuntu14 where it works:

root at zrh-sut-ubuntu1404:~# sudo -l -U john.doer
Matching Defaults entries for john.doer on zrh-sut-ubuntu1404:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User john.doer may run the following commands on zrh-sut-ubuntu1404:
    (root) ALL


root at zrh-sut-ubuntu1404:~# getent netgroup netgroup-1
netgroup-1            (zrh-sut-ubuntu1404, , qnective.net) (zrh-sut-sark, , qnective.net) (zrh-sut-rhel72, , qnective.net)


root at zrh-sut-ubuntu1404:~# egrep 'netgroup|ubuntu14' /var/log/sudo_debug
Nov 10 11:41:40 sudo[15899] <- fmt_string @ /build/sudo-f7qPzC/sudo-1.8.9p5/common/fmt_string.c:65 := host=zrh-sut-ubuntu1404.qnective.net
Nov 10 11:41:40 sudo[15899] user_info: host=zrh-sut-ubuntu1404.qnective.net
Nov 10 11:41:40 sudo[15899] val[0]=+netgroup-1
Nov 10 11:41:40 sudo[15899] IP address +netgroup-1 matches local host: false @ addr_matches() /build/sudo-f7qPzC/sudo-1.8.9p5/plugins/sudoers/match_addr.c:211
Nov 10 11:41:40 sudo[15899] netgroup netgroup-1 matches (zrh-sut-ubuntu1404.qnective.net|zrh-sut-ubuntu1404, , ): true @ netgr_matches() /build/sudo-f7qPzC/sudo-1.8.9p5/plugins/sudoers/match.c:966
Nov 10 11:41:40 sudo[15899] sssd/ldap sudoHost '+netgroup-1' ... MATCH!
Nov 10 11:41:40 sudo[15899] -> sudo_sss_filter_user_netgroup @ /build/sudo-f7qPzC/sudo-1.8.9p5/plugins/sudoers/sssd.c:608
Nov 10 11:41:40 sudo[15899] netgroup group1 has no leading '+'
Nov 10 11:41:40 sudo[15899] <- sudo_sss_filter_user_netgroup @ /build/sudo-f7qPzC/sudo-1.8.9p5/plugins/sudoers/sssd.c:640 := true


ubuntu14 runs sudo 1.8.9p5-1ubuntu1.2

ubuntu16 runs sudo 1.8.16-0ubuntu1.1


As you see, ubuntu16 compares the FQDN with the host in the triple and it also includes the user name. The only way I managed to change the behavior was to add records for the host to the local /etc/hosts file, e.g.:

127.0.1.1       zrh-sud-sark


which then starts to compare the short hostname:

root at zrh-sud-sark:~# tail -F /var/log/sudo_debug | egrep --line-buffered 'netgroup|sark'
Nov 10 11:51:41 sudo[29526] <- sudo_new_key_val_v1 @ /build/sudo-L2mAoN/sudo-1.8.16/lib/util/key_val.c:56 := host=zrh-sud-sark
Nov 10 11:51:41 sudo[29526] user_info: host=zrh-sud-sark
Nov 10 11:51:41 sudo[29526] host zrh-sud-sark, shost zrh-sud-sark, runhost zrh-sud-sark, srunhost zrh-sud-sark @ set_fqdn() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/sudoers.c:1070
Nov 10 11:51:42 sudo[29526] val[0]=+netgroup-1
Nov 10 11:51:42 sudo[29526] IP address +netgroup-1 matches local host: false @ addr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:206
Nov 10 11:51:42 sudo[29526] netgroup netgroup-1 matches (zrh-sud-sark|zrh-sud-sark, john.doer, ): false @ netgr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1041
Nov 10 11:51:42 sudo[29526] host zrh-sud-sark matches sudoers pattern +netgroup-1: false @ hostname_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:829
Nov 10 11:51:42 sudo[29526] sssd/ldap sudoHost '+netgroup-1' ... not



1. And it still includes the user name in the netgroup check. Is this intended behavior?

If yes, then it makes no sense to create SUDOroles with groups.


2. Do I now have to add a record to each local /etc/hosts file to make it work? I think that it should still compare both the short and the full hostname, as it does in ubuntu14 or rhel6 and 7.




--

Qnective


Jan Rendos

IT architect

Thurgauerstrasse 54 | 8050 Zürich | Switzerland
Mobile +41 79 342 71 14
www.qnective.com | jan.rendos at qnective.com
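An added example, not from the original post or from sudo's own code, that parses the `getent netgroup` line quoted above and emulates the innetgr(3) triple matching that sudo's netgr_matches() relies on, trying both the FQDN and the short hostname as the 1.8.9p5 "lhost|shost" debug line shows. Function names and the None-means-unchecked convention are my own; an empty field in a triple is a wildcard, so a non-empty user in the query only fails when a triple names a different user.

```python
import re

# Constructed from the `getent netgroup netgroup-1` line quoted in the post.
GETENT_LINE = ("netgroup-1            (zrh-sut-ubuntu1404, , qnective.net) "
               "(zrh-sut-sark, , qnective.net) (zrh-sut-rhel72, , qnective.net)")

# One (host, user, domain) triple; fields may be empty (wildcard).
TRIPLE_RE = re.compile(r"\(([^,)]*),([^,)]*),([^)]*)\)")


def parse_getent_netgroup(line):
    """Return (name, [(host, user, domain), ...]) from one getent netgroup line."""
    name, _, rest = line.partition(" ")
    triples = [tuple(f.strip() for f in m.groups()) for m in TRIPLE_RE.finditer(rest)]
    return name.strip(), triples


def field_matches(pattern, value):
    """innetgr(3) semantics: an empty field in the triple matches anything."""
    return pattern == "" or pattern == value


def innetgr(triples, host, user, domain):
    """Emulate innetgr(3); a None query field (as sudo passes for the NIS domain)
    means that field is not checked at all."""
    for h, u, d in triples:
        if (host is None or field_matches(h, host)) and \
           (user is None or field_matches(u, user)) and \
           (domain is None or field_matches(d, domain)):
            return True
    return False


def sudo_host_in_netgroup(triples, lhost, shost, user=None, domain=None):
    """Mirror the 'lhost|shost' debug line: accept the FQDN, then the short name."""
    if innetgr(triples, lhost, user, domain):
        return True
    return lhost != shost and innetgr(triples, shost, user, domain)


if __name__ == "__main__":
    name, triples = parse_getent_netgroup(GETENT_LINE)
    for fqdn in ("zrh-sut-ubuntu1404.qnective.net", "zrh-sud-sark.qnective.net"):
        short = fqdn.split(".", 1)[0]
        print(name, fqdn, "fqdn-only:", innetgr(triples, fqdn, "john.doer", None),
              "fqdn|short:", sudo_host_in_netgroup(triples, fqdn, short, "john.doer"))
```

Passing the FQDN as both lhost and shost, as the 1.8.16 debug lines show, reproduces the failed match; membership also requires the triple's host field to equal the short name exactly.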

