<html><body><div style="font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000"><div>Running RHEL 7.2:</div><div><br data-mce-bogus="1"></div><div>ipa-client-4.2.0-15.el7_2.18</div><div>sssd-ipa-1.13.0-40.el7_2.12.x86_64</div><div>ipa-server-4.2.0-15.el7_2.18.x86_64</div><div><br data-mce-bogus="1"></div><div>I have a sudo rule where I try to give sudo access based on an AD group.</div><div><br data-mce-bogus="1"></div><div># groups drextrha@net.dr.dk<br>drextrha@net.dr.dk : drextrha@net.dr.dk ............... domain_users@linux.dr.dk</div><div><br data-mce-bogus="1"></div><div>I'm a member of the group domain_users via AD.</div><div><br data-mce-bogus="1"></div><div>SUDO rule in LDAP:</div><div><br data-mce-bogus="1"></div><div># guffe, sudoers, linux.dr.dk<br>dn: cn=guffe,ou=sudoers,dc=linux,dc=dr,dc=dk<br>sudoUser: %domain_users<br>sudoRunAsGroup: ALL<br>objectClass: sudoRole<br>objectClass: top<br>sudoCommand: /usr/bin/cat /var/log/messages<br>sudoRunAsUser: ALL<br>sudoHost: ALL<br>cn: guffe</div><div><br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><div>sudo debug log shows:</div><div><cut></div><div>Aug 23 14:48:26 sudo[27307] Received 1 rule(s)</div><div></cut></div><div><br data-mce-bogus="1"></div><div><cut></div><div>Aug 23 14:48:26 sudo[27307] val[0]=%domain_users<br>Aug 23 14:48:26 sudo[27307] -> usergr_matches @ ./match.c:802<br>Aug 23 14:48:26 sudo[27307] -> user_in_group @ ./pwutil.c:940<br>Aug 23 14:48:26 sudo[27307] -> sudo_get_grlist @ ./pwutil.c:877<br>Aug 23 14:48:26 sudo[27307] -> rbfind @ ./redblack.c:273<br>Aug 23 14:48:26 sudo[27307] <- rbfind @ ./redblack.c:277 := 0x7ff224cb31d0<br>Aug 23 14:48:26 sudo[27307] <- sudo_get_grlist @ ./pwutil.c:930 := 0x7ff224cb3348<br>Aug 23 14:48:26 sudo[27307] -> sudo_getgrnam @ ./pwutil.c:719<br>Aug 23 14:48:26 sudo[27307] -> rbfind @ ./redblack.c:273<br>Aug 23 14:48:26 sudo[27307] <- rbfind @ ./redblack.c:280 := (nil)<br>Aug 23 14:48:26 sudo[27307] -> rbinsert @ 
./redblack.c:181<br>Aug 23 14:48:26 sudo[27307] <- rbinsert @ ./redblack.c:261 := (nil)<br>Aug 23 14:48:26 sudo[27307] <- sudo_getgrnam @ ./pwutil.c:745 := (nil)<br>Aug 23 14:48:26 sudo[27307] -> sudo_grlist_delref @ ./pwutil.c:816<br>Aug 23 14:48:26 sudo[27307] -> sudo_grlist_delref_item @ ./pwutil.c:805<br>Aug 23 14:48:26 sudo[27307] <- sudo_grlist_delref_item @ ./pwutil.c:810<br>Aug 23 14:48:26 sudo[27307] <- sudo_grlist_delref @ ./pwutil.c:818<br>Aug 23 14:48:26 sudo[27307] <- user_in_group @ ./pwutil.c:1010 := false<br>Aug 23 14:48:26 sudo[27307] <- usergr_matches @ ./match.c:835 := false<br>Aug 23 14:48:26 sudo[27307] <- sudo_sss_filter_sudoUser @ ./sssd.c:683 := false<br></div><div></cut></div><div><br data-mce-bogus="1"></div><div>So, a rule is matched, but I'm not in the group?</div><div><br></div><div><br></div><div><br data-mce-bogus="1"></div><div>I have tried setting </div><div>use_fully_qualified_names = true<br></div><div><br data-mce-bogus="1"></div><div>in sssd.conf, but no luck. 
The sudo is still denied.</div><div><br data-mce-bogus="1"></div><div>Am I missing something?</div><div><br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><div data-marker="__SIG_POST__">-- <br></div><div><p style="MARGIN: 5px 0px 0px; FONT-FAMILY: arial,verdana,sans-serif; FONT-SIZE: 12px" data-mce-style="margin: 5px 0px 0px; font-family: arial,verdana,sans-serif; font-size: 12px;">Kind regards</p><p style="MARGIN: 10px 0px 0px; FONT-FAMILY: arial,verdana,sans-serif; FONT-SIZE: 14px" data-mce-style="margin: 10px 0px 0px; font-family: arial,verdana,sans-serif; font-size: 14px;"><b>Troels Hansen</b></p><p style="MARGIN: 3px 0px 0px; FONT-FAMILY: arial,verdana,sans-serif; FONT-SIZE: 12px" data-mce-style="margin: 3px 0px 0px; font-family: arial,verdana,sans-serif; font-size: 12px;">Systems consultant</p><p style="MARGIN: 4px 2px 0px 0px; FONT-FAMILY: arial,verdana,sans-serif; COLOR: #4c4c4c; FONT-SIZE: 14px; FONT-WEIGHT: bold" data-mce-style="margin: 4px 2px 0px 0px; font-family: arial,verdana,sans-serif; color: #4c4c4c; font-size: 14px; font-weight: bold;">Casalogic A/S</p><div><img src="http://www.casalogic.dk/signatur/casalogic_green_spacer_line.png" data-mce-src="http://www.casalogic.dk/signatur/casalogic_green_spacer_line.png" border="0"></div><p style="MARGIN: 5px 0px 0px; FONT-FAMILY: arial,verdana,sans-serif; FONT-SIZE: 12px" data-mce-style="margin: 5px 0px 0px; font-family: arial,verdana,sans-serif; font-size: 12px;">T (+45) 70 20 10 63</p><p style="MARGIN: 5px 0px 0px; FONT-FAMILY: arial,verdana,sans-serif; FONT-SIZE: 12px" data-mce-style="margin: 5px 0px 0px; font-family: arial,verdana,sans-serif; font-size: 12px;">M (+45) 22 43 71 57</p><div><a title="Download vCard" href="http://www.casalogic.dk/signatur/th.vcf" data-mce-href="http://www.casalogic.dk/signatur/th.vcf"><img src="http://www.casalogic.dk/signatur/vcard_download_small.png" data-mce-src="http://www.casalogic.dk/signatur/vcard_download_small.png" border="0"></a> <a title="Follow us 
on LinkedIn" href="http://www.linkedin.com/company/67524" data-mce-href="http://www.linkedin.com/company/67524"><img src="http://www.casalogic.dk/signatur/linkedin_logo_20x20.png" data-mce-src="http://www.casalogic.dk/signatur/linkedin_logo_20x20.png" border="0"></a> <a title="Follow us on Twitter" href="http://twitter.com/casalogic" data-mce-href="http://twitter.com/casalogic"><img src="http://www.casalogic.dk/signatur/twitter_logo_20x20.png" data-mce-src="http://www.casalogic.dk/signatur/twitter_logo_20x20.png" border="0"></a><br></div><div>Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.<br></div></div></div></body></html>
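A small analyzer for the sudo debug trace format quoted in the post, added here as an example and not part of the original message or of sudo itself: it pairs each sudoUser value sudo evaluates with the outcome of its group lookup (sudo_getgrnam) and the final usergr_matches result, so a group name that never resolves on the host stands out. The sample trace is constructed for the example; the second, fully-qualified spec (val[1]) and its successful lookup are assumed and do not come from the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format of the sudo debug trace quoted in the
# post. val[1] and its successful lookup are invented to give the analyzer
# one resolving and one non-resolving group spec.
SAMPLE_LOG = """\
Aug 23 14:48:26 sudo[27307] val[0]=%domain_users
Aug 23 14:48:26 sudo[27307] -> usergr_matches @ ./match.c:802
Aug 23 14:48:26 sudo[27307] <- sudo_getgrnam @ ./pwutil.c:745 := (nil)
Aug 23 14:48:26 sudo[27307] <- user_in_group @ ./pwutil.c:1010 := false
Aug 23 14:48:26 sudo[27307] <- usergr_matches @ ./match.c:835 := false
Aug 23 14:48:26 sudo[27307] val[1]=%domain_users@linux.dr.dk
Aug 23 14:48:26 sudo[27307] <- sudo_getgrnam @ ./pwutil.c:745 := 0x7ff224cb5000
Aug 23 14:48:26 sudo[27307] <- usergr_matches @ ./match.c:835 := true
"""

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ sudo\[\d+\] (.*)$")  # strip syslog prefix
VAL_RE = re.compile(r"^val\[\d+\]=(.*)$")                      # sudoUser value
RET_RE = re.compile(r"^<- (\w+) @ \S+ := (.*)$")               # function return

@dataclass
class SpecResult:
    spec: str                              # e.g. "%domain_users"
    group_resolved: Optional[bool] = None  # did sudo_getgrnam find the group?
    matched: Optional[bool] = None         # usergr_matches result

def analyze(log_text: str) -> List[SpecResult]:
    """Pair every sudoUser spec in the trace with its lookup and match outcome."""
    results: List[SpecResult] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(1)
        if v := VAL_RE.match(msg):
            results.append(SpecResult(spec=v.group(1)))  # new spec under test
        elif (r := RET_RE.match(msg)) and results:
            func, value = r.groups()
            if func == "sudo_getgrnam":
                results[-1].group_resolved = value != "(nil)"
            elif func == "usergr_matches":
                results[-1].matched = value == "true"
    return results

def unresolved_groups(results: List[SpecResult]) -> List[str]:
    """Group names (leading '%' stripped) that sudo could not look up on this host."""
    return [r.spec[1:] for r in results
            if r.spec.startswith("%") and r.group_resolved is False]
```

Run `unresolved_groups(analyze(open("/path/to/sudo_debug.log").read()))` against a real trace to list the group names that sudo failed to resolve and then compare them with how the groups are named in `getent group` on that host.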