On Tue, Dec 20, 2011 at 12:59:45PM -0900, Erinn Looney-Triggs wrote:
> I have been working through configuring sudo via IPA and ran into the
> following situation.
> There is a directive in the documentation to configure
> /etc/sssd/sssd.conf on the clients with something like the following:
> ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
> This is pulled from the docse here for reference:
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
> This is fine and causes no problems, however, when I mistakenly left it
> out on a few systems, sudo continued to function, so I am wondering what
> it is that this directive does? Does this get sssd into the loop to
> cache sudo rules for offline use?
> Any ideas?
> -Erinn

When sudo performs a lookup it does so in two iterations:
    1) Try to find a matching rule using ALL, username or any of group names
    2) if 1) does not match, search for all netgroups and look if user
       is a member of a netgroup with innetgr()

so I assume that your sudo lookups matched with the first iteration and
never actually needed to look up netgroup data.

Freeipa-users mailing list

Reply via email to