[Freeipa-users] ubuntu 16.04 freeipa-client + sssd + sudo: "policy plugin returns 0"
Brian Candler
b.candler at pobox.com
Fri May 5 13:33:09 UTC 2017
On 03/05/2017 15:05, Brian Candler wrote:
> It turns out we had another 16.04 machine which was working fine. But
> as soon as I updated its sudo from 1.8.16-0ubuntu1.2 to
> 1.8.16-0ubuntu1.3, it stopped working too.
>
> So it looks like I have a reproducing case for this and I can
> investigate further
FYI, I finally got to the bottom of this issue.
(1) The groups referred to in the sudo rule had been created as
non-posix groups in FreeIPA
(2) It seems that the old sudo in Ubuntu wasn't checking groups at all,
and the new one did. But it could not see non-posix groups.
(3) I solved the problem by adding "objectClass: posixgroup" and
"gidNumber: NNNNNN" to the groups.
More details at:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1688034/comments/4
Aside: I discovered that the way to debug the sudoers plugin is like this:
Debug sudo /var/log/sudo-debug all@info
Debug sudoers.so /var/log/sudoers-debug all@info
(I had originally missed off the ".so" suffix)
It's a bit frightening that sudo+sssd was not enforcing policies
correctly, for who knows how long.
Regards,
Brian.
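The root cause above (sudo rules granting to FreeIPA groups that were created without the posixgroup objectClass) is easy to check for before a sudo update turns it into a lock-out or a silent policy gap. The following is an added example, not code from the post or from the FreeIPA or sudo projects: it parses an LDIF dump of groups and sudo rules (such as one obtained with ldapsearch), flags every group a sudo rule references that lacks objectClass posixgroup or a gidNumber, and emits the LDIF modify record that applies the fix described in step (3). It assumes the standard FreeIPA tree layout (groups under cn=groups,cn=accounts,<base>, rules under cn=sudorules,cn=sudo,<base>, group membership in the rule's memberUser attribute); the base DN, group names and gidNumber values are constructed placeholders.

```python
"""Audit FreeIPA sudo rules for referenced groups that are not POSIX groups.

Added example (not from the mailing-list post). Assumes the FreeIPA LDAP
layout described in the lead-in; the sample LDIF below is constructed.
"""
from collections import defaultdict

# Constructed sample dump: one POSIX group, one non-POSIX group, and one
# sudo rule that grants to both groups.
SAMPLE_LDIF = """\
dn: cn=ops,cn=groups,cn=accounts,dc=example,dc=test
objectClass: ipausergroup
objectClass: posixgroup
objectClass: groupofnames
cn: ops
gidNumber: 100001

dn: cn=dbadmins,cn=groups,cn=accounts,dc=example,dc=test
objectClass: ipausergroup
objectClass: groupofnames
cn: dbadmins

dn: cn=allow-db-restart,cn=sudorules,cn=sudo,dc=example,dc=test
objectClass: ipasudorule
cn: allow-db-restart
memberUser: cn=ops,cn=groups,cn=accounts,dc=example,dc=test
memberUser: cn=dbadmins,cn=groups,cn=accounts,dc=example,dc=test
"""


def parse_ldif(text):
    """Minimal LDIF parser: returns {dn: {attr_lowercase: [values]}}.
    Base64 (::) values and continuation lines are not handled; a plain
    ldapsearch dump of groups and sudo rules does not need them."""
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None          # blank line ends the entry
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = defaultdict(list)
            entries[value] = current
        elif current is not None:
            current[attr].append(value)
    return entries


def is_posix_group(entry):
    """A group sssd/sudo can resolve needs both the objectClass and a GID."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    return "posixgroup" in classes and bool(entry.get("gidnumber"))


def find_non_posix_sudo_groups(entries):
    """Return {rule_cn: [group_dn, ...]} for every sudo rule whose memberUser
    points at a group that is not a POSIX group."""
    problems = {}
    for entry in entries.values():
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "ipasudorule" not in classes:
            continue
        bad = []
        for member in entry.get("memberuser", []):
            if "cn=groups," not in member.lower():
                continue            # user DN, not a group: not audited here
            group = entries.get(member)
            if group is not None and not is_posix_group(group):
                bad.append(member)
        if bad:
            problems[entry["cn"][0]] = bad
    return problems


def ldif_fix(group_dn, gid_number):
    """LDIF modify record applying the post's fix: add objectClass posixgroup
    and a gidNumber. The gid_number passed in is the caller's choice (placeholder
    in this example); pick one that is free in the IPA ID range."""
    return (
        f"dn: {group_dn}\n"
        "changetype: modify\n"
        "add: objectClass\n"
        "objectClass: posixgroup\n"
        "-\n"
        "add: gidNumber\n"
        f"gidNumber: {gid_number}\n"
    )


if __name__ == "__main__":
    found = find_non_posix_sudo_groups(parse_ldif(SAMPLE_LDIF))
    for rule, groups in found.items():
        print(f"sudo rule {rule!r} references non-POSIX groups:")
        for i, dn in enumerate(groups):
            print(ldif_fix(dn, 200000 + i))   # placeholder GIDs
```

Feed the modify records to ldapmodify with an admin bind, or use the equivalent `ipa group-mod --posix <group>` command, which lets FreeIPA allocate the gidNumber from its ID range instead of the placeholder values above. Running the audit as part of a change check before applying sudo or sssd updates would have surfaced the situation in the post before the new sudo started enforcing group membership.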