Sorry for not replying sooner, many of us were mostly offline last week.

I'll try to reproduce locally.

On Tue, Sep 15, 2015 at 12:24:45PM +0000, Andy Thompson wrote:
> I just updated several machines to RHEL 6.7 and seem to have broken my sudo 
> rules.  I've tracked the problem down to having
> 
> Default_domain_suffix = ad.domain
> 
> in the sssd.conf.  If I remove that I can log in using the fqn from AD and 
> sudo rules are applied as configured.  However I don't want to force my users 
> to change to using their fqn to log in, and due to having db2 in the 
> environment our usernames are limited to 8 characters so we cannot use the 
> fqn regardless.
> 
> I tested adding a local sudo rule for %ad_domain_group@ipa.domain and it 
> worked, but any IPA rules are not working.  A rule in the sudoers would not 
> work unless it was a fqn either which I expected with the default domain 
> suffix set.
> 
> Update installed sssd-1.12.4-47.el6.x86_64.  Red Hat wants me to test 
> downgrading my sssd, which I'm not entirely opposed to in order to get things 
> working, but there are some fixes in this release I kinda want to keep.
> 
> -andy
> 
> 
> 
> *** This communication may contain privileged and/or confidential 
> information. It is intended solely for the use of the addressee. If you are 
> not the intended recipient, you are strictly prohibited from disclosing, 
> copying, distributing or using any of this information. If you received this 
> communication in error, please contact the sender immediately and destroy the 
> material in its entirety, whether electronic or hard copy. ***
> 
> 
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
