[Freeipa-users] SUDO and group lookup in AD trust

Troels Hansen th@casalogic.dk
Tue Aug 23 13:17:48 UTC 2016


Running RHEL 7.2: 

ipa-client-4.2.0-15.el7_2.18 
sssd-ipa-1.13.0-40.el7_2.12.x86_64 
ipa-server-4.2.0-15.el7_2.18.x86_64 

I have a sudo rule where I try to give sudo access based on an AD group. 

# groups drextrha@net.dr.dk 
drextrha@net.dr.dk : drextrha@net.dr.dk ............... domain_users@linux.dr.dk 

I'm member of the group domain_users via AD. 

SUDO rule in LDAP: 

# guffe, sudoers, linux.dr.dk 
dn: cn=guffe,ou=sudoers,dc=linux,dc=dr,dc=dk 
sudoUser: %domain_users 
sudoRunAsGroup: ALL 
objectClass: sudoRole 
objectClass: top 
sudoCommand: /usr/bin/cat /var/log/messages 
sudoRunAsUser: ALL 
sudoHost: ALL 
cn: guffe 


sudo debug log shows: 
<cut> 
Aug 23 14:48:26 sudo[27307] Received 1 rule(s) 
</cut> 

<cut> 
Aug 23 14:48:26 sudo[27307] val[0]=%domain_users 
Aug 23 14:48:26 sudo[27307] -> usergr_matches @ ./match.c:802 
Aug 23 14:48:26 sudo[27307] -> user_in_group @ ./pwutil.c:940 
Aug 23 14:48:26 sudo[27307] -> sudo_get_grlist @ ./pwutil.c:877 
Aug 23 14:48:26 sudo[27307] -> rbfind @ ./redblack.c:273 
Aug 23 14:48:26 sudo[27307] <- rbfind @ ./redblack.c:277 := 0x7ff224cb31d0 
Aug 23 14:48:26 sudo[27307] <- sudo_get_grlist @ ./pwutil.c:930 := 0x7ff224cb3348 
Aug 23 14:48:26 sudo[27307] -> sudo_getgrnam @ ./pwutil.c:719 
Aug 23 14:48:26 sudo[27307] -> rbfind @ ./redblack.c:273 
Aug 23 14:48:26 sudo[27307] <- rbfind @ ./redblack.c:280 := (nil) 
Aug 23 14:48:26 sudo[27307] -> rbinsert @ ./redblack.c:181 
Aug 23 14:48:26 sudo[27307] <- rbinsert @ ./redblack.c:261 := (nil) 
Aug 23 14:48:26 sudo[27307] <- sudo_getgrnam @ ./pwutil.c:745 := (nil) 
Aug 23 14:48:26 sudo[27307] -> sudo_grlist_delref @ ./pwutil.c:816 
Aug 23 14:48:26 sudo[27307] -> sudo_grlist_delref_item @ ./pwutil.c:805 
Aug 23 14:48:26 sudo[27307] <- sudo_grlist_delref_item @ ./pwutil.c:810 
Aug 23 14:48:26 sudo[27307] <- sudo_grlist_delref @ ./pwutil.c:818 
Aug 23 14:48:26 sudo[27307] <- user_in_group @ ./pwutil.c:1010 := false 
Aug 23 14:48:26 sudo[27307] <- usergr_matches @ ./match.c:835 := false 
Aug 23 14:48:26 sudo[27307] <- sudo_sss_filter_sudoUser @ ./sssd.c:683 := false 
</cut> 

So, a rule is matched, but I'm not in the group? 



I have tried setting 
use_fully_qualified_names = true 

in sssd.conf, but no luck. sudo is still denied. 

Am I missing something? 


-- 


Kind regards 

Troels Hansen 

System consultant 

Casalogic A/S 


T (+45) 70 20 10 63 

M (+45) 22 43 71 57 

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more. 
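An added diagnostic example, not part of the post or of sudo/SSSD: a small Python parser for the sudo debug trace format quoted above that pairs the `->` call and `<-` return lines, records which lookup under `usergr_matches` returned `(nil)`, and checks whether the `%group` in a sudoUser value appears exactly as NSS reports it for the user. The trace and the group list are constructed from the post (with the archive's " at " restored to "@"); the function names `analyse_usergr_trace` and `rule_group_resolves` are my own.

```python
import re

# Constructed sample: the relevant lines of the sudo debug trace quoted in the post.
SAMPLE_TRACE = """\
Aug 23 14:48:26 sudo[27307] val[0]=%domain_users
Aug 23 14:48:26 sudo[27307] -> usergr_matches @ ./match.c:802
Aug 23 14:48:26 sudo[27307] -> user_in_group @ ./pwutil.c:940
Aug 23 14:48:26 sudo[27307] -> sudo_get_grlist @ ./pwutil.c:877
Aug 23 14:48:26 sudo[27307] <- sudo_get_grlist @ ./pwutil.c:930 := 0x7ff224cb3348
Aug 23 14:48:26 sudo[27307] -> sudo_getgrnam @ ./pwutil.c:719
Aug 23 14:48:26 sudo[27307] <- sudo_getgrnam @ ./pwutil.c:745 := (nil)
Aug 23 14:48:26 sudo[27307] <- user_in_group @ ./pwutil.c:1010 := false
Aug 23 14:48:26 sudo[27307] <- usergr_matches @ ./match.c:835 := false
"""
# Constructed: the group names `groups` printed for the user in the post, " at " restored to "@".
NSS_GROUPS = ["drextrha@net.dr.dk", "domain_users@linux.dr.dk"]

# "-> func @ file:line" marks a call, "<- func @ file:line := ret" its return value.
CALL_RE = re.compile(r"sudo\[\d+\] (?P<dir><-|->) (?P<func>\w+) @ \S+(?: := (?P<ret>.*))?$")
VAL_RE = re.compile(r"sudo\[\d+\] val\[\d+\]=(?P<val>\S+)$")


def analyse_usergr_trace(trace):
    # Walk the call trace and record why usergr_matches returned what it did.
    report = {"sudo_user": None, "failed_lookups": [], "matched": None}
    stack = []
    for line in trace.splitlines():
        v = VAL_RE.search(line)
        if v:
            report["sudo_user"] = v.group("val")   # the sudoUser value under test
            continue
        c = CALL_RE.search(line)
        if not c:
            continue
        func, ret = c.group("func"), c.group("ret")
        if c.group("dir") == "->":
            stack.append(func)
            continue
        inside_match = "usergr_matches" in stack    # decide before unwinding the frame
        if stack and stack[-1] == func:
            stack.pop()
        if func == "usergr_matches":
            report["matched"] = ret == "true"
        elif inside_match and func.startswith("sudo_get") and ret == "(nil)":
            report["failed_lookups"].append(func)   # e.g. sudo_getgrnam: name not resolvable
    return report


def rule_group_resolves(sudo_user, nss_groups):
    # A %group sudoUser only matches if that exact name is in the user's NSS group list.
    return sudo_user.startswith("%") and sudo_user[1:] in nss_groups
```

On the constructed trace the report shows `sudo_getgrnam` returning `(nil)` for `%domain_users`, while the name NSS actually reports for the user is `domain_users@linux.dr.dk`, which is the mismatch to check first.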