Bug ID | 1208452 |
---|---|
Summary | SSSD configured with ldap cannot disable sudoers lookup |
Classification | openSUSE |
Product | openSUSE Distribution |
Version | Leap 15.4 |
Hardware | Other |
OS | Other |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | Security |
Assignee | security-team@suse.de |
Reporter | opensuse@1.opensuse.bgcomp.co.uk |
QA Contact | qa-bugs@suse.de |
Found By | --- |
Blocker | --- |
Using sssd with a 389DS/ldap backend. 389DS/ldap is configured to reject anonymous connections. Configured sssd.conf with "sudo_provider = none". sssd works as expected handling ldap authentication etc. Have also configured /etc/nsswitch.conf with "sudoers: files" as per the man page. Regardless though, sssd_be continues to attempt anonymous connections to the ldap server every few minutes, which means that the logs are filling up with garbage. Trying the exact same configuration with a Tumbleweed client, we do not see any anonymous sudo lookup attempts.

Versions:

```
sssd-2.5.2-150400.4.11.1.x86_64
sssd-common-2.5.2-150400.4.11.1.x86_64
sssd-dbus-2.5.2-150400.4.11.1.x86_64
sssd-kcm-2.5.2-150400.4.11.1.x86_64
sssd-krb5-2.5.2-150400.4.11.1.x86_64
sssd-krb5-common-2.5.2-150400.4.11.1.x86_64
sssd-ldap-2.5.2-150400.4.11.1.x86_64
sssd-tools-2.5.2-150400.4.11.1.x86_64
```

```
eth6:~ # systemctl status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2023-02-18 15:06:36 GMT; 31min ago
 Main PID: 14005 (sssd)
    Tasks: 6 (limit: 4915)
   CGroup: /system.slice/sssd.service
           ├─14005 /usr/sbin/sssd -i --logger=files
           ├─14006 /usr/lib/sssd/sssd_be --domain bgcomp.co.uk --uid 0 --gid 0 --logger=files
           ├─14007 /usr/lib/sssd/sssd_nss --uid 0 --gid 0 --logger=files
           ├─14008 /usr/lib/sssd/sssd_pam --uid 0 --gid 0 --logger=files
           ├─14009 /usr/lib/sssd/sssd_ssh --uid 0 --gid 0 --logger=files
           └─14010 /usr/lib/sssd/sssd_autofs --uid 0 --gid 0 --logger=files

Feb 18 15:06:36 eth6 systemd[1]: Starting System Security Services Daemon...
Feb 18 15:06:36 eth6 sssd[14005]: Starting up
Feb 18 15:06:36 eth6 sssd_be[14006]: Starting up
Feb 18 15:06:36 eth6 sssd_pam[14008]: Starting up
Feb 18 15:06:36 eth6 sssd_autofs[14010]: Starting up
Feb 18 15:06:36 eth6 sssd_nss[14007]: Starting up
Feb 18 15:06:36 eth6 sssd_ssh[14009]: Starting up
Feb 18 15:06:36 eth6 systemd[1]: Started System Security Services Daemon.
Feb 18 15:08:49 eth6 sssd_be[14006]: Backend is online
```

Typical... timestamps do not matter, with anonymous connections allowed...

```
[17/Feb/2023:11:49:22.640010889 +0000] conn=6 fd=65 slot=65 SSL connection from 2001:XXXX:XX:6::fd to 2001:XXXX:XX:6::fd
[17/Feb/2023:11:49:22.656292467 +0000] conn=6 TLS1.2 128-bit AES-GCM
[17/Feb/2023:11:49:22.656444285 +0000] conn=6 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domaincontrollerfunctionality defaultnamingcontext lastusn highestcommittedusn aci"
[17/Feb/2023:11:49:22.657051142 +0000] conn=6 op=0 RESULT err=0 tag=101 nentries=1 wtime=0.016220939 optime=0.000609257 etime=0.016829074
[17/Feb/2023:11:49:22.657703691 +0000] conn=6 op=1 SRCH base="dc=example,dc=co,dc=uk" scope=2 filter="(&(objectClass=sudoRole)(|(&(!(sudoHost=*))(cn=defaults))(sudoHost=ALL)(sudoHost=eth6)(sudoHost=host.example.bgcomp.co.uk)(sudoHost=10.0.0.1)(sudoHost=10.0.0.0/24)(sudoHost=10.0.0.2)(sudoHost=10.0.0.0/24)(sudoHost=2001:XXXX:XX:6::fd)(sudoHost=2001:XXXX:XX:6::/64)(sudoHost=fe80::XXXX:XXXX:XXXX:XXXX)(sudoHost=fe80::/64)(sudoHost=2001:XXXX:XXXX:9::fd)(sudoHost=2001:XXXX:XX:9::/64)(sudoHost=2001:XXXX:XX:f0ad::fd)(sudoHost=2001:XXXX:XXXX:f0ad::/64)(sudoHost=fe80::XXXX)(sudoHost=fe80::/64)(sudoH..." attrs="objectClass objectClass cn sudoCommand sudoHost sudoUser sudoOption sudoRunAs sudoRunAsUser sudoRunAsGroup sudoNotBefore sudoNotAfter sudoOrder modifyTimestamp"
[17/Feb/2023:11:49:22.657859857 +0000] conn=6 op=1 RESULT err=0 tag=101 nentries=0 wtime=0.000109246 optime=0.000146980 etime=0.000254724 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[17/Feb/2023:11:49:24.006504472 +0000] conn=4 op=2 UNBIND
[17/Feb/2023:11:49:24.006522045 +0000] conn=4 op=2 fd=66 closed error - U1
```

Typical... timestamps do not matter, with anonymous connections rejected...

```
[18/Feb/2023:15:46:39.186981182 +0000] conn=425 fd=65 slot=65 SSL connection from 2001:XXXX:XXXX:6::fd to 2001:XXXX:XXXX:6::fd
[18/Feb/2023:15:46:39.214496081 +0000] conn=425 TLS1.2 128-bit AES-GCM
[18/Feb/2023:15:46:39.223371696 +0000] conn=425 op=0 UNPROCESSED OPERATION - Anonymous access not allowed
[18/Feb/2023:15:46:39.232238473 +0000] conn=425 op=0 RESULT err=48 tag=101 nentries=0 wtime=0.027612313 optime=0.008867303 etime=0.036473744
[18/Feb/2023:15:46:39.232501278 +0000] conn=425 op=1 UNPROCESSED OPERATION - Anonymous access not allowed
[18/Feb/2023:15:46:39.249763372 +0000] conn=425 op=1 RESULT err=48 tag=101 nentries=0 wtime=0.000047701 optime=0.017259941 etime=0.017302107
[18/Feb/2023:15:46:39.249980031 +0000] conn=425 op=2 UNBIND
[18/Feb/2023:15:46:39.267415523 +0000] conn=425 op=2 fd=65 closed error - U1
```

Does not matter if client is local or remote to the 389DS/ldap server.
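A check an administrator can run over the 389DS access log to confirm whether the `sudo_provider = none` setting is actually being honoured, added here as an example; it is not code from the report, from SSSD or from 389DS. It parses access-log lines of the shape shown in the report (`[timestamp] conn=N op=M ...`), and per connection records whether a `sudoRole` search was issued, whether a BIND preceded it, and whether the server answered "Anonymous access not allowed" (LDAP result code 48, inappropriateAuthentication). A connection that searches `sudoRole` without ever binding, or that is rejected as anonymous, is exactly the stray lookup the report describes. The sample log is constructed for the example: it is modelled on the excerpts above with shortened filters and documentation IPv6 addresses, and the third connection (a BIND as a hypothetical `uid=sssd` service account followed by a user lookup) is an assumption standing in for normal, healthy sssd traffic.

```python
import re
from collections import defaultdict

# Shape of a 389DS access-log line as seen in this report:
# "[timestamp] conn=N op=M <rest>"; op= is absent on connection-open/TLS lines.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\d+)(?:\s+op=(?P<op>-?\d+))?\s*(?P<rest>.*)$"
)
FILTER_RE = re.compile(r'filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r"\bRESULT err=(?P<err>\d+)")

ANON_REJECT = "Anonymous access not allowed"   # server-side refusal text
SUDO_CLASS = "objectClass=sudoRole"            # what sssd's sudo provider searches for

# Constructed sample, modelled on the report's excerpts (filters shortened,
# addresses replaced with the 2001:db8::/32 documentation prefix).
# conn=426 is an assumed healthy connection: BIND as a service account, then a user lookup.
SAMPLE_LOG = """\
[17/Feb/2023:11:49:22.640010889 +0000] conn=6 fd=65 slot=65 SSL connection from 2001:db8::fd to 2001:db8::fd
[17/Feb/2023:11:49:22.656292467 +0000] conn=6 TLS1.2 128-bit AES-GCM
[17/Feb/2023:11:49:22.656444285 +0000] conn=6 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="namingContexts"
[17/Feb/2023:11:49:22.657051142 +0000] conn=6 op=0 RESULT err=0 tag=101 nentries=1 wtime=0.016220939 optime=0.000609257 etime=0.016829074
[17/Feb/2023:11:49:22.657703691 +0000] conn=6 op=1 SRCH base="dc=example,dc=co,dc=uk" scope=2 filter="(&(objectClass=sudoRole)(sudoHost=ALL))" attrs="cn sudoCommand sudoHost sudoUser"
[17/Feb/2023:11:49:22.657859857 +0000] conn=6 op=1 RESULT err=0 tag=101 nentries=0 wtime=0.000109246 optime=0.000146980 etime=0.000254724 notes=P details="Paged Search"
[17/Feb/2023:11:49:24.006504472 +0000] conn=6 op=2 UNBIND
[18/Feb/2023:15:46:39.186981182 +0000] conn=425 fd=65 slot=65 SSL connection from 2001:db8::fd to 2001:db8::fd
[18/Feb/2023:15:46:39.214496081 +0000] conn=425 TLS1.2 128-bit AES-GCM
[18/Feb/2023:15:46:39.223371696 +0000] conn=425 op=0 UNPROCESSED OPERATION - Anonymous access not allowed
[18/Feb/2023:15:46:39.232238473 +0000] conn=425 op=0 RESULT err=48 tag=101 nentries=0 wtime=0.027612313 optime=0.008867303 etime=0.036473744
[18/Feb/2023:15:46:39.249980031 +0000] conn=425 op=2 UNBIND
[18/Feb/2023:15:50:01.000000000 +0000] conn=426 fd=66 slot=66 SSL connection from 2001:db8::20 to 2001:db8::fd
[18/Feb/2023:15:50:01.001000000 +0000] conn=426 op=0 BIND dn="uid=sssd,ou=services,dc=example,dc=co,dc=uk" method=128 version=3
[18/Feb/2023:15:50:01.002000000 +0000] conn=426 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000100000 optime=0.000900000 etime=0.001000000
[18/Feb/2023:15:50:01.003000000 +0000] conn=426 op=1 SRCH base="dc=example,dc=co,dc=uk" scope=2 filter="(&(objectClass=posixAccount)(uid=alice))" attrs="uid uidNumber"
[18/Feb/2023:15:50:01.004000000 +0000] conn=426 op=1 RESULT err=0 tag=101 nentries=1 wtime=0.000100000 optime=0.000900000 etime=0.001000000
"""


def analyze_access_log(lines):
    """Return {conn_id: summary} for every connection seen in the log.

    summary keys:
      sudo_search   - a SRCH carrying a sudoRole filter was issued
      bound         - a BIND op was seen (anonymous traffic never binds)
      anon_rejected - the server refused an op with "Anonymous access not allowed"
      err_codes     - sorted distinct RESULT err= values (48 = inappropriateAuthentication)
    """
    conns = defaultdict(lambda: {"sudo_search": False, "bound": False,
                                 "anon_rejected": False, "err_codes": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a conn= line (server startup messages etc.)
        c = conns[int(m.group("conn"))]
        rest = m.group("rest")
        if rest.startswith("BIND"):
            c["bound"] = True
        if ANON_REJECT in rest:
            c["anon_rejected"] = True
        fm = FILTER_RE.search(rest)
        if fm and SUDO_CLASS in fm.group("filter"):
            c["sudo_search"] = True
        rm = RESULT_RE.search(rest)
        if rm:
            c["err_codes"].add(int(rm.group("err")))
    return {cid: {**s, "err_codes": sorted(s["err_codes"])} for cid, s in conns.items()}


def stray_sudo_lookups(lines):
    """Connection ids that searched sudoRole without binding, or were rejected as
    anonymous. With sudo_provider = none honoured, this list should be empty."""
    return sorted(cid for cid, s in analyze_access_log(lines).items()
                  if (s["sudo_search"] and not s["bound"]) or s["anon_rejected"])


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    lines = list(src)
    for cid, s in sorted(analyze_access_log(lines).items()):
        print(f"conn={cid}: {s}")
    print("stray sudo lookups / anonymous rejections:", stray_sudo_lookups(lines))
```

Run it against a real access log with `python3 check_sudo_lookups.py /var/log/dirsrv/slapd-<instance>/access` (the script name and the instance name are placeholders); an empty final list means no unbound sudoRole searches or anonymous rejections reached the server, while a non-empty one reproduces what the report shows for conn=6 and conn=425. Matching on the filter rather than on the client address keeps the check valid whether the client is local or remote, which the report notes makes no difference.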