[Freeipa-users] sudo rules are not active immediately
Pavel Březina
pbrezina at redhat.com
Wed Feb 8 12:00:12 UTC 2017
On 02/08/2017 11:59 AM, Nathanaël Blanchet wrote:
> Hello,
> on the latest IPA, when adding a command to a rule or a sudo option, for
> example, the change is not active in the user session.
> For example, after removing the !authenticate option, I can still execute
> sudo commands without a password.
> I tried to log out and log back in, but nothing changes, but on a new VM
> where I never logged in before it works.
> Is there a cache, or something to do so that commands are immediately
> available?
>
Hi,
sudo rules are cached on the client and the refresh happens periodically. We
have several update mechanisms that deal with finding new rules,
deleting non-existent ones and updating expired ones, but it cannot be
performed on demand at the moment. We have a ticket for that [1].
Please see 'man sssd-sudo' to get a better understanding of how it works.
It is possible to expire cached rules with sss_cache. This won't find
you newly added rules but it will fetch updated rules and remove
deleted ones.
[1] https://fedorahosted.org/sssd/ticket/2884