[Freeipa-users] rhel 6.7 upgrade - sssd/sudo

Andy Thompson Andy.Thompson at e-tcc.com
Thu Sep 17 11:42:54 UTC 2015


I've narrowed it down a bit doing some testing.  The sudo rules work when I remove the user group restriction from them.  My sudo rules all have my AD groups in the rule:

  Rule name: ad_linux_admins
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: ad_linux_admins  <- if I remove this then the rule gets applied
  Sudo Option: !authenticate

-andy

> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> bounces at redhat.com] On Behalf Of Jakub Hrozek
> Sent: Tuesday, September 15, 2015 8:37 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
> 
> Sorry for not replying sooner, many of us were mostly offline last week.
> 
> I'll try to reproduce locally..
> 
> On Tue, Sep 15, 2015 at 12:24:45PM +0000, Andy Thompson wrote:
> > I just updated several machines to RHEL 6.7 and seem to have broken my
> > sudo rules.  I've tracked the problem down to having
> >
> > Default_domain_suffix = ad.domain
> >
> > in the sssd.conf.  If I remove that I can login using the fqn from AD and
> > sudo rules are applied as configured.  However I don't want to force my users
> > to change to using their fqn to login, and due to having db2 in the
> > environment our usernames are limited to 8 characters so we cannot use the
> > fqn regardless.
> >
> > I tested adding a local sudo rule for %ad_domain_group@ipa.domain and it
> > worked, but any IPA rules are not working.  A rule in the sudoers would not
> > work unless it was a fqn either, which I expected with the default domain
> > suffix set.
> >
> > Update installed sssd-1.12.4-47.el6.x86_64.  Red Hat wants me to test
> > downgrading my sssd, which I'm not entirely opposed to in order to get
> > things working, but there are some fixes in this release I kinda want to keep.
> >
> > -andy
> >
> >
> >
> > *** This communication may contain privileged and/or confidential
> information. It is intended solely for the use of the addressee. If you are not
> the intended recipient, you are strictly prohibited from disclosing, copying,
> distributing or using any of this information. If you received this
> communication in error, please contact the sender immediately and destroy
> the material in its entirety, whether electronic or hard copy. ***
> >
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
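Added example (editor's addition, not code from this thread or from the SSSD project): a small POSIX shell script that reads an sssd.conf, reports whether default_domain_suffix (the setting Andy traced the breakage to) is set, and prints the paired lookups worth comparing, short name next to fully qualified AD name, for a user and for the group named in the IPA sudo rule. The constructed sssd.conf, the domain names ad.domain and ipa.domain, the user "andy" and the group ad_linux_admins are assumptions for illustration; the IPA rule shown above grants ALL commands with !authenticate, so confirming that the group actually resolves under the name form users log in with is worth doing before relying on the rule.

```shell
#!/bin/sh
# Added example; not code from the thread or from SSSD.
# Parse an sssd.conf, report default_domain_suffix, and list the identity
# lookups to compare with and without the suffix. Sample config, domains,
# user and group are assumptions made for illustration.

# Print the value of KEY in [SECTION] of an ini-style FILE, or nothing if unset.
# Section and key match case-insensitively, so a hand-edited
# "Default_domain_suffix" is found as well as the lowercase form.
sssd_get() { # sssd_get FILE SECTION KEY
    awk -v sec="$2" -v key="$3" '
        BEGIN { sec = tolower("[" sec "]"); key = tolower(key) }
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); in_sec = (tolower(s) == sec); next }
        in_sec && tolower($0) ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Write a constructed sssd.conf resembling the setup described in the thread
# (assumed content) and print its path.
make_sample_conf() {
    f=$(mktemp) || exit 1
    cat >"$f" <<'EOF'
[sssd]
services = nss, pam, sudo
domains = ipa.domain
Default_domain_suffix = ad.domain

[domain/ipa.domain]
id_provider = ipa
ipa_domain = ipa.domain
sudo_provider = ipa
EOF
    echo "$f"
}

# Emit one line per lookup pair: the short name (what default_domain_suffix lets
# users type) next to the fully qualified AD name (the form the thread reports
# as working once the suffix is removed). Returns 1 if the suffix is not set.
suffix_checks() { # suffix_checks FILE USER GROUP
    suffix=$(sssd_get "$1" sssd default_domain_suffix)
    [ -n "$suffix" ] || return 1
    printf 'id %s ; id %s@%s\n' "$2" "$2" "$suffix"
    printf 'getent group %s ; getent group %s@%s\n' "$3" "$3" "$suffix"
    printf 'sudo -l -U %s ; sudo -l -U %s@%s\n' "$2" "$2" "$suffix"
}

conf=$(make_sample_conf)
echo "default_domain_suffix: $(sssd_get "$conf" sssd default_domain_suffix)"
suffix_checks "$conf" andy ad_linux_admins
rm -f "$conf"
```

Run it against /etc/sssd/sssd.conf instead of the sample (sssd_get takes any path) and execute the printed pairs as root on the affected host; if the qualified form resolves the group and the short form does not, the host is showing the behaviour described in the thread.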
