[Freeipa-users] sudo rules question on ubuntu 16.0.1
Pavel Březina
pbrezina at redhat.com
Tue Aug 30 09:55:26 UTC 2016
On 08/26/2016 02:15 PM, Jeff Goddard wrote:
> Pavel,
>
> I appreciate that you're busy and thank you for taking time to look at
> this. Here is the output:
>
> [root at id-management-1 ~]# ipa sudorule-show
> Rule name: all
> Rule name: All
> Description: Full sudo access for Developer group in office environment
> Enabled: TRUE
> Command category: all
> RunAs User category: all
> RunAs Group category: all
> User Groups: developers
> Host Groups: office
> [root at id-management-1 ~]#
Hi,
unfortunately sudo 1.8.16 introduced a bug in the sssd plugin. 1.8.16
contains a new option called netgroup_tuple, which tells whether a full
netgroup tuple is checked or only the host/user part in the host/user check.
However, the patch didn't make the sssd plugin obey this option and
it always checks both hostname and username.
It is fixed in 1.8.17 by this patch:
https://www.sudo.ws/repos/sudo/rev/2eab4070dcf7
Please report a bug against Ubuntu sudo to backport this patch or rebase
sudo.