> On Thu, Sep 17, 2015 at 11:42:54AM +0000, Andy Thompson wrote:
> > I've narrowed it down a bit doing some testing.  The sudo rules work when
> I remove the user group restriction from them.  My sudo rules all have my ad
> groups in the rule
> >
> >   Rule name: ad_linux_admins
> >   Enabled: TRUE
> >   Host category: all
> >   Command category: all
> >   RunAs User category: all
> >   RunAs Group category: all
> >   User Groups: ad_linux_admins  <- if I remove this then the rule gets
> applied
> Nice catch. Is the group visible after you login and run id?
> What is the exact IPA server version?

Ok I also figured out if I rename my AD groups to match my IPA groups then the 
sudo rules are applied.  

I tested a couple things though, if I put a rule in the local sudoers file on a 
server running sssd 1.11 

%<groupname>@<IPA domain>   "sudo commands"

That rule was not applied.  If I remove the <IPA domain> then the rule got 

On a server running sssd 1.12 that rule works, but does not work if I remove 
the <IPA domain>.  And none of the IPA sudo rules work.  So something changed 
with the domain suffix between versions it would appear.

They key to making the IPA sudo rules work in 1.12 is to remove the 
default_domain_suffix setting in the sssd.conf, but that's not an option in my 

So all the moving parts together, it appears that having AD groups with a 
different name than the IPA groups in conjunction with the 
default_domain_suffix setting breaks things right now in 1.12.  Appears since I 
renamed the ad group to match then the rule without a domain suffix will get 
matched now


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to