Can you check the sudo rule that sssd cached?
Something like:
# ldbsearch -H /var/lib/sss/db/cache_ipa.example.com.ldb -s base -b name=test,cn=sudorules,cn=custom,cn=ipa.example.com,cn=sysdb
If you can't find it, you can dump all sudo rules with:
# ldbsearch -H /var/lib/sss/db/cache_ipa.example.com.ldb -s one -b cn=sudorules,cn=custom,cn=ipa.example.com,cn=sysdb
I may be seeing the same problem as you; I've configured a sudo rule:
$ ipa sudorule-show 'sam ext test' --raw
cn: sam ext test
description: Rule to test application to external users
ipaenabledflag: TRUE
externaluser: samtest
memberhost: fqdn=myhost.ipa.example.com,cn=computers,cn=accounts,dc=ipa,dc=example,dc=com
ipasudorunas: uid=user5,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
... and in the SSSD cache I see:
# record 1
dn: name=sam ext test,cn=sudorules,cn=custom,cn=ipa.example.com,cn=sysdb
cn: sam ext test
dataExpireTimestamp: 1621359827
name: sam ext test
objectClass: sudoRule
sudoHost: myhost.ipa.example.com
sudoRunAsUser: [email protected]
sudoUser: [email protected]
distinguishedName: name=sam ext test,cn=sudorules,cn=custom,cn=ipa.example.com,cn=sysdb
It looks like FreeIPA (or maybe just sssd?) is qualifying the name of the
external user 'ext' to '[email protected]'. This is not desired, because the
name of the user on the local system is simply 'ext'; there's no such user
'[email protected]'.
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
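An added example, not part of this thread or of SSSD: a small parser for the ldbsearch output shown above that lists every cached sudoUser value carrying a domain suffix for which no account of that exact name exists on the host, which is the mismatch described above. The sample record and the function names are constructed for this example.

```python
import pwd
# Constructed sample of `ldbsearch -s one -b cn=sudorules,...` output, modelled on the rule above.
SAMPLE_LDB_OUTPUT = """\
# record 1
name: sam ext test
objectClass: sudoRule
sudoUser: samtest@ipa.example.com
sudoUser: %admins
distinguishedName: name=sam ext test,cn=sudorules,cn=custom,
 cn=ipa.example.com,cn=sysdb
"""

def parse_ldb_records(text):
    """LDIF-style ldbsearch output -> list of {attr: [values]}; a leading space marks a folded line."""
    records, current, last_attr = [], {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):   # blank or comment line ends a record
            if current:
                records.append(current)
                current, last_attr = {}, None
            continue
        if line.startswith(" ") and last_attr:          # continuation of the previous value
            current[last_attr][-1] += line[1:]
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        records.append(current)
    return records

def local_user_exists(name):
    try:
        return pwd.getpwnam(name) is not None
    except KeyError:
        return False

def find_qualified_sudo_users(records, user_exists=local_user_exists):
    """(rule name, sudoUser) for each user@domain value with no matching local account."""
    problems = []
    for rec in records:
        if "sudoRule" not in rec.get("objectClass", []):
            continue
        for user in rec.get("sudoUser", []):
            if user.startswith(("%", "+", "#")):          # group, netgroup or #uid forms
                continue
            if "@" in user and not user_exists(user):
                problems.append((rec["name"][0], user))
    return problems
```

Feed it the real output of the `-s one` ldbsearch command above to check every cached rule at once; a non-empty result means the rule as cached will not match the plain local user name.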
_______________________________________________
FreeIPA-users mailing list -- [email protected]