<html> <head> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix">On 03/05/2017 15:05, Brian Candler wrote: </div> <blockquote cite="mid:d1c29a26-df76-f5de-c6d8-b84ede977b51@pobox.com" type="cite">It turns out we had another 16.04 machine which was working fine. But as soon as I updated its sudo from 1.8.16-0ubuntu1.2 to 1.8.16-0ubuntu1.3, it stopped working too. So it looks like I have a reproducing case for this and I can investigate further </blockquote> FYI, I finally got to the bottom of this issue. (1) The groups referred to in the sudo rule had been created as non-posix groups in FreeIPA (2) It seems that the old sudo in Ubuntu wasn't checking groups at all, and the new one did. But it could not see non-posix groups. (3) I solved the problem by adding "objectClass: posixgroup" and "gidNumber: NNNNNN" to the groups. More details at: <a class="moz-txt-link-freetext" href="https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1688034/comments/4">https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1688034/comments/4</a> Aside: I discovered that the way to debug the sudoers plugin is like this: <meta charset="utf-8"> <p style="margin: 0px 0px 0.8em; padding: 0px; width: auto; max-width: 45em; color: rgb(51, 51, 51); font-family: monospace; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-style: initial; text-decoration-color: initial;">Debug sudo /var/log/sudo-debug all@info Debug sudoers.so /var/log/sudoers-debug all@info (I had originally missed off the ".so" suffix) It's a bit frightening that sudo+sssd was not enforcing policies correctly, for who knows how long. Regards, Brian. </body> </html>