<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 03/05/2017 15:05, Brian Candler
wrote:<br>
</div>
<blockquote
cite="mid:d1c29a26-df76-f5de-c6d8-b84ede977b51@pobox.com"
type="cite">It turns out we had another 16.04 machine which was
working fine. But as soon as I updated its sudo from
1.8.16-0ubuntu1.2 to 1.8.16-0ubuntu1.3, it stopped working too.
<br>
<br>
So it looks like I have a reproducing case for this and I can
investigate further
</blockquote>
<p>FYI, I finally got to the bottom of this issue.<br>
</p>
<p>(1) The groups referred to in the sudo rule had been created as
non-posix groups in FreeIPA<br>
</p>
<p>(2) It seems that the old sudo in Ubuntu wasn't checking groups at
all, and the new one did. But it could not see non-posix groups.<br>
</p>
<p>(3) I solved the problem by adding "objectClass: posixgroup" and
"gidNumber: NNNNNN" to the groups.<br>
</p>
<p>More details at:<br>
</p>
<p><a class="moz-txt-link-freetext" href="https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1688034/comments/4">https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1688034/comments/4</a></p>
<p>Aside: I discovered that the way to debug the sudoers plugin is
like this:<br>
</p>
<pre>Debug sudo /var/log/sudo-debug all@info
Debug sudoers.so /var/log/sudoers-debug all@info</pre>
<p>(I had originally missed off the ".so" suffix)</p>
<p>It's a bit frightening that sudo+sssd was not enforcing policies
correctly, for who knows how long.<br>
</p>
<p>Regards,</p>
<p>Brian.<br>
</p>
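<p>As an added example (not part of the mail above, and not FreeIPA or sudo project code), the following script performs the check that would have caught steps (1) to (3) before a sudo upgrade exposed them: it reads an LDIF dump of sudo rules and groups and reports every group a rule references that is missing <code>objectClass: posixgroup</code> or <code>gidNumber</code>, then prints the <code>ldapmodify</code> change that step (3) applied by hand. The LDIF below is constructed for the example; the entry layout (IPA-style <code>ipasudorule</code> entries whose <code>memberUser</code> values are DNs under <code>cn=groups,cn=accounts</code>) and the gid value are assumptions, so adjust them to your own directory.</p>

```python
"""Flag FreeIPA sudo-rule groups that are not POSIX groups.

Added example, not code from the original mail or from FreeIPA/sudo.
sssd's sudo responder can only match a rule's group against a user's
group list when that group resolves as a POSIX group, which is the gap
the mail describes; this script finds such groups in an LDIF dump.
"""
import re

# Constructed sample LDIF (assumption: IPA-style layout; not a real dump).
# 'ops' is a POSIX group, 'webteam' is the non-POSIX group that breaks sudo.
SAMPLE_LDIF = """\
dn: ipaUniqueID=1,cn=sudorules,cn=sudo,dc=example,dc=com
objectClass: ipasudorule
cn: admins_can_restart
memberUser: cn=ops,cn=groups,cn=accounts,dc=example,dc=com
memberUser: cn=webteam,cn=groups,cn=accounts,dc=example,dc=com

dn: cn=ops,cn=groups,cn=accounts,dc=example,dc=com
objectClass: ipausergroup
objectClass: groupofnames
objectClass: posixgroup
cn: ops
gidNumber: 1234000005

dn: cn=webteam,cn=groups,cn=accounts,dc=example,dc=com
objectClass: ipausergroup
objectClass: groupofnames
cn: webteam
"""


def parse_ldif(text):
    """Return {dn_lower: {attr_lower: [values]}} for each LDIF entry.

    Handles '#' comments and folded continuation lines (leading space).
    Base64 ('::') values are not needed for this check and are kept raw.
    """
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:  # folded line: join to previous
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        attrs = {}
        for line in lines:
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        dn = attrs.pop("dn", [None])[0]
        if dn is not None:
            entries[dn.lower()] = attrs  # DNs are case-insensitive
    return entries


def is_posix_group(attrs):
    """True when the entry carries both posixGroup and a gidNumber."""
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    return "posixgroup" in classes and bool(attrs.get("gidnumber"))


def nonposix_sudo_groups(entries):
    """Return sorted (rule cn, group DN) pairs where a sudo rule references
    a group that is missing from the dump or is not a POSIX group."""
    problems = []
    for dn, attrs in entries.items():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "ipasudorule" not in classes:
            continue
        rule = attrs.get("cn", [dn])[0]
        for member in attrs.get("memberuser", []):
            member_l = member.lower()
            if ",cn=groups," not in member_l:  # assumption: IPA group subtree
                continue  # a user DN, not a group
            group = entries.get(member_l)
            if group is None or not is_posix_group(group):
                problems.append((rule, member))
    return sorted(problems)


def render_fix_ldif(group_dn, gid):
    """ldapmodify input that applies the mail's step (3) to one group."""
    return (
        f"dn: {group_dn}\n"
        "changetype: modify\n"
        "add: objectClass\n"
        "objectClass: posixgroup\n"
        "-\n"
        "add: gidNumber\n"
        f"gidNumber: {gid}\n"
    )


if __name__ == "__main__":
    found = nonposix_sudo_groups(parse_ldif(SAMPLE_LDIF))
    for rule, group in found:
        print(f"rule {rule!r} references non-POSIX group {group}")
        print(render_fix_ldif(group, 1234000099))  # gid is an assumed value
```

<p>Run it against a real dump from <code>ldapsearch -LLL</code> over <code>cn=sudo</code> and <code>cn=groups,cn=accounts</code> of your base DN; pick the gid for each fix from a range your IPA ID range does not already allocate.</p>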
</body>
</html>