[Freeipa-users] rhel 6.7 upgrade - sssd/sudo

Andy Thompson Andy.Thompson at e-tcc.com
Mon Sep 21 14:22:54 UTC 2015


> 
> On Thu, Sep 17, 2015 at 11:42:54AM +0000, Andy Thompson wrote:
> > I've narrowed it down a bit doing some testing.  The sudo rules work when
> I remove the user group restriction from them.  My sudo rules all have my ad
> groups in the rule
> >
> >   Rule name: ad_linux_admins
> >   Enabled: TRUE
> >   Host category: all
> >   Command category: all
> >   RunAs User category: all
> >   RunAs Group category: all
> >   User Groups: ad_linux_admins  <- if I remove this then the rule gets
> applied
> 
> Nice catch. Is the group visible after you login and run id?
> 
> What is the exact IPA server version?

OK, I also figured out that if I rename my AD groups to match my IPA groups, then the sudo rules are applied.

I tested a couple of things though: if I put a rule in the local sudoers file on a server running sssd 1.11

%<groupname>@<IPA domain>   "sudo commands"

that rule was not applied. If I remove the <IPA domain>, then the rule gets applied.

On a server running sssd 1.12 that rule works, but does not work if I remove the <IPA domain>.  And none of the IPA sudo rules work.  So something changed with the domain suffix between versions it would appear.

The key to making the IPA sudo rules work in 1.12 is to remove the default_domain_suffix setting in the sssd.conf, but that's not an option in my environment.

So, all the moving parts together, it appears that having AD groups with a different name than the IPA groups, in conjunction with the default_domain_suffix setting, breaks things right now in 1.12. It appears that since I renamed the AD group to match, the rule without a domain suffix now gets matched.

-andy
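The thread above narrows the failure to how the group name sssd hands to sudo is spelled (bare versus qualified with a domain suffix) when default_domain_suffix is set. The following diagnostic helper is an added example, not code from the original post or from the sssd/FreeIPA projects: it reads default_domain_suffix out of sssd.conf, prints the sudoers group spec a practitioner should try for a given group, and then checks the live box with id and sudo -l. The qualified-when-suffix-is-set rule encodes only the sssd 1.12 behaviour the post describes; the config path, group and user names are assumptions.

```sh
#!/bin/sh
# Added diagnostic helper (not part of the original post, not sssd/FreeIPA code).
# Assumptions: sssd.conf lives at /etc/sssd/sssd.conf unless SSSD_CONF is set;
# the domain that qualifies group names is the configured default_domain_suffix.

SSSD_CONF="${SSSD_CONF:-/etc/sssd/sssd.conf}"

# Print the value of default_domain_suffix from the [sssd] section of the
# given sssd.conf, or nothing at all if the option is not set.
sssd_default_domain_suffix() {
    awk -F= '
        /^[[:space:]]*\[/ { in_sssd = ($0 ~ /^[[:space:]]*\[sssd\]/) }
        in_sssd && $1 ~ /^[[:space:]]*default_domain_suffix[[:space:]]*$/ {
            v = $2
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            print v
            exit
        }' "$1"
}

# Given a group name and a (possibly empty) domain suffix, print the sudoers
# group spec to test: "%group@suffix" when a default_domain_suffix is
# configured (the sssd 1.12 behaviour reported in the thread), "%group" when
# it is not.
sudoers_group_spec() {
    group="$1"
    suffix="$2"
    if [ -n "$suffix" ]; then
        printf '%%%s@%s\n' "$group" "$suffix"
    else
        printf '%%%s\n' "$group"
    fi
}

# Live check (run as root so that sudo -l -U works): does id report the user
# in the group under the same spelling, and does sudo see any rule at all?
check_user() {
    user="$1"
    group="$2"
    suffix=$(sssd_default_domain_suffix "$SSSD_CONF")
    spec=$(sudoers_group_spec "$group" "$suffix")
    name="${spec#%}"
    echo "default_domain_suffix: ${suffix:-<unset>}"
    echo "sudoers group spec to try: $spec"
    if id "$user" 2>/dev/null | grep -q "(${name})"; then
        echo "id: $user is reported in $name"
    else
        echo "id: $user is NOT reported in $name; a sudo rule on that group cannot match"
    fi
    sudo -l -U "$user"
}

# Example invocation (names are assumptions):
#   check_user andy@ad.example.com ad_linux_admins
```

Run check_user with the user as they actually log in and the group named in the IPA sudo rule; if id shows the group with a suffix that the sudoers or IPA rule lacks (or vice versa), that spelling mismatch is the thing to fix before looking anywhere else.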
