[Freeipa-users] SUDO and group lookup in AD trust
Troels Hansen
th at casalogic.dk
Tue Aug 23 13:17:48 UTC 2016
Running RHEL 7.2:
ipa-client-4.2.0-15.el7_2.18
sssd-ipa-1.13.0-40.el7_2.12.x86_64
ipa-server-4.2.0-15.el7_2.18.x86_64
I have a sudo rule where I try to give sudo access based on an AD group.
# groups drextrha@net.dr.dk
drextrha@net.dr.dk : drextrha@net.dr.dk ............... domain_users@linux.dr.dk
I'm a member of the group domain_users via AD.
SUDO rule in LDAP:
# guffe, sudoers, linux.dr.dk
dn: cn=guffe,ou=sudoers,dc=linux,dc=dr,dc=dk
sudoUser: %domain_users
sudoRunAsGroup: ALL
objectClass: sudoRole
objectClass: top
sudoCommand: /usr/bin/cat /var/log/messages
sudoRunAsUser: ALL
sudoHost: ALL
cn: guffe
sudo debug log shows:
<cut>
Aug 23 14:48:26 sudo[27307] Received 1 rule(s)
</cut>
<cut>
Aug 23 14:48:26 sudo[27307] val[0]=%domain_users
Aug 23 14:48:26 sudo[27307] -> usergr_matches @ ./match.c:802
Aug 23 14:48:26 sudo[27307] -> user_in_group @ ./pwutil.c:940
Aug 23 14:48:26 sudo[27307] -> sudo_get_grlist @ ./pwutil.c:877
Aug 23 14:48:26 sudo[27307] -> rbfind @ ./redblack.c:273
Aug 23 14:48:26 sudo[27307] <- rbfind @ ./redblack.c:277 := 0x7ff224cb31d0
Aug 23 14:48:26 sudo[27307] <- sudo_get_grlist @ ./pwutil.c:930 := 0x7ff224cb3348
Aug 23 14:48:26 sudo[27307] -> sudo_getgrnam @ ./pwutil.c:719
Aug 23 14:48:26 sudo[27307] -> rbfind @ ./redblack.c:273
Aug 23 14:48:26 sudo[27307] <- rbfind @ ./redblack.c:280 := (nil)
Aug 23 14:48:26 sudo[27307] -> rbinsert @ ./redblack.c:181
Aug 23 14:48:26 sudo[27307] <- rbinsert @ ./redblack.c:261 := (nil)
Aug 23 14:48:26 sudo[27307] <- sudo_getgrnam @ ./pwutil.c:745 := (nil)
Aug 23 14:48:26 sudo[27307] -> sudo_grlist_delref @ ./pwutil.c:816
Aug 23 14:48:26 sudo[27307] -> sudo_grlist_delref_item @ ./pwutil.c:805
Aug 23 14:48:26 sudo[27307] <- sudo_grlist_delref_item @ ./pwutil.c:810
Aug 23 14:48:26 sudo[27307] <- sudo_grlist_delref @ ./pwutil.c:818
Aug 23 14:48:26 sudo[27307] <- user_in_group @ ./pwutil.c:1010 := false
Aug 23 14:48:26 sudo[27307] <- usergr_matches @ ./match.c:835 := false
Aug 23 14:48:26 sudo[27307] <- sudo_sss_filter_sudoUser @ ./sssd.c:683 := false
</cut>
So, a rule is matched, but I'm not in the group?
I have tried setting
use_fully_qualified_names = true
in sssd.conf, but no luck. The sudo is still denied.
Am I missing something?
--
Best regards
Troels Hansen
Systemkonsulent
Casalogic A/S
T (+45) 70 20 10 63
M (+45) 22 43 71 57
Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
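Reading the trace in the post the way a practitioner would, as an added example that is not part of the original message and not FreeIPA or sudo project code: the rule is received, then `user_in_group` calls `sudo_getgrnam` (sudo's cached wrapper around getgrnam(3)) for the name in `%domain_users` and gets `(nil)`, so the `%group` name in sudoUser is not one the host's NSS resolves, and the match fails. The script below parses that trace (reproduced, trimmed) and a constructed contrast trace where the lookup succeeds, and prints the next check to run for each `%group` value. The `wheel` trace, its pid, timestamps and pointer values are constructed for illustration.

```python
import re

# Debug trace reproduced (trimmed) from the post: rule received, %domain_users
# checked, the group-name lookup returns (nil), user_in_group returns false.
TRACE_FROM_POST = """\
Aug 23 14:48:26 sudo[27307] Received 1 rule(s)
Aug 23 14:48:26 sudo[27307] val[0]=%domain_users
Aug 23 14:48:26 sudo[27307] -> usergr_matches @ ./match.c:802
Aug 23 14:48:26 sudo[27307] -> user_in_group @ ./pwutil.c:940
Aug 23 14:48:26 sudo[27307] -> sudo_get_grlist @ ./pwutil.c:877
Aug 23 14:48:26 sudo[27307] <- sudo_get_grlist @ ./pwutil.c:930 := 0x7ff224cb3348
Aug 23 14:48:26 sudo[27307] -> sudo_getgrnam @ ./pwutil.c:719
Aug 23 14:48:26 sudo[27307] -> rbfind @ ./redblack.c:273
Aug 23 14:48:26 sudo[27307] <- rbfind @ ./redblack.c:280 := (nil)
Aug 23 14:48:26 sudo[27307] <- sudo_getgrnam @ ./pwutil.c:745 := (nil)
Aug 23 14:48:26 sudo[27307] <- user_in_group @ ./pwutil.c:1010 := false
Aug 23 14:48:26 sudo[27307] <- usergr_matches @ ./match.c:835 := false
Aug 23 14:48:26 sudo[27307] <- sudo_sss_filter_sudoUser @ ./sssd.c:683 := false
"""

# Constructed contrast (not from the post): the same call chain for a rule whose
# %group name NSS does resolve and that the user belongs to. Pid and pointer
# values are made up.
TRACE_RESOLVED = """\
Aug 23 15:00:00 sudo[28000] Received 1 rule(s)
Aug 23 15:00:00 sudo[28000] val[0]=%wheel
Aug 23 15:00:00 sudo[28000] -> usergr_matches @ ./match.c:802
Aug 23 15:00:00 sudo[28000] -> user_in_group @ ./pwutil.c:940
Aug 23 15:00:00 sudo[28000] -> sudo_getgrnam @ ./pwutil.c:719
Aug 23 15:00:00 sudo[28000] <- sudo_getgrnam @ ./pwutil.c:745 := 0x55d0c0de1000
Aug 23 15:00:00 sudo[28000] <- user_in_group @ ./pwutil.c:1010 := true
Aug 23 15:00:00 sudo[28000] <- usergr_matches @ ./match.c:835 := true
"""

RULES_RE = re.compile(r"Received (?P<n>\d+) rule\(s\)")
VAL_RE = re.compile(r"val\[\d+\]=%(?P<group>\S+)")      # a %group sudoUser value
RET_RE = re.compile(r"<- (?P<func>\w+) @ \S+ := (?P<ret>\S+)")  # function return line


def rules_received(trace: str) -> int:
    """Number of sudo rules the SSSD backend handed to sudo (0 if none logged)."""
    m = RULES_RE.search(trace)
    return int(m.group("n")) if m else 0


def diagnose_group_match(trace: str) -> dict:
    """For each %group value in the trace, record whether sudo_getgrnam resolved
    the name (anything but '(nil)') and whether user_in_group finally matched."""
    results = {}
    current = None
    for line in trace.splitlines():
        m = VAL_RE.search(line)
        if m:
            current = m.group("group")
            results[current] = {"getgrnam_resolved": None, "user_in_group": None}
            continue
        if current is None:
            continue
        m = RET_RE.search(line)
        if not m:
            continue
        func, ret = m.group("func"), m.group("ret")
        if func == "sudo_getgrnam":
            results[current]["getgrnam_resolved"] = ret != "(nil)"
        elif func == "user_in_group":
            results[current]["user_in_group"] = ret == "true"
    return results


def explain(results: dict) -> list:
    """Turn the per-group findings into the check a practitioner would run next."""
    msgs = []
    for group, r in results.items():
        if r["user_in_group"]:
            msgs.append(f"%{group}: matched")
        elif r["getgrnam_resolved"] is False:
            msgs.append(
                f"%{group}: sudo could not resolve the group name "
                f"(sudo_getgrnam returned (nil)); run `getent group {group}` on the "
                f"host and compare with the group names `id` prints for the user"
            )
        else:
            msgs.append(f"%{group}: group name resolved but the user is not a member")
    return msgs


if __name__ == "__main__":
    for name, trace in (("post", TRACE_FROM_POST), ("constructed", TRACE_RESOLVED)):
        print(f"[{name}] rules received: {rules_received(trace)}")
        for msg in explain(diagnose_group_match(trace)):
            print(f"[{name}] {msg}")
```

On the post's trace this reports that `%domain_users` never resolved; note that the `groups` output earlier in the message lists the group as `domain_users@linux.dr.dk`, not `domain_users`, so `getent group domain_users` and `getent group 'domain_users@linux.dr.dk'` on the host are the two lookups whose results to compare against what the rule's sudoUser value actually names.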