> On Thu, Sep 17, 2015 at 11:42:54AM +0000, Andy Thompson wrote:
> > I've narrowed it down a bit doing some testing. The sudo rules work when
> > I remove the user group restriction from them. My sudo rules all have my AD
> > groups in the rule
> > Rule name: ad_linux_admins
> > Enabled: TRUE
> > Host category: all
> > Command category: all
> > RunAs User category: all
> > RunAs Group category: all
> > User Groups: ad_linux_admins <- if I remove this then the rule gets
> Nice catch. Is the group visible after you login and run id?
> What is the exact IPA server version?
OK, I also figured out that if I rename my AD groups to match my IPA groups then the
sudo rules are applied.
I tested a couple of things though. If I put a rule in the local sudoers file on a
server running sssd 1.11:
%<groupname>@<IPA domain> "sudo commands"
that rule was not applied. If I remove the <IPA domain> then the rule got
On a server running sssd 1.12 that rule works, but does not work if I remove
the <IPA domain>. And none of the IPA sudo rules work. So something changed
with the domain suffix between versions, it would appear.
The key to making the IPA sudo rules work in 1.12 is to remove the
default_domain_suffix setting in the sssd.conf, but that's not an option in my
So, with all the moving parts together, it appears that having AD groups with a
different name than the IPA groups, in conjunction with the
default_domain_suffix setting, breaks things right now in 1.12. It appears that since I
renamed the AD group to match, the rule without a domain suffix will get
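To put the two configurations compared in this thread side by side, here is a constructed sssd.conf and sudoers fragment (an added illustration, not taken from the original post or from the FreeIPA project; the domain `example.com`, the server `ipa1.example.com` and the group `ad_linux_admins` are placeholders):

```ini
# /etc/sssd/sssd.conf (constructed example; names are placeholders)
[sssd]
domains = example.com
services = nss, pam, sudo
# The setting the poster identifies as the trigger on sssd 1.12:
# with it present, IPA-defined sudo rules stopped matching when the
# AD group name differed from the IPA group name. Removing it restored
# the IPA rules for the poster but was not acceptable in their setup.
default_domain_suffix = example.com

[domain/example.com]
id_provider = ipa
sudo_provider = ipa
ipa_server = ipa1.example.com

# /etc/sudoers.d/ad_linux_admins (constructed example, sudoers syntax)
# Local rule form the poster reports as matching on sssd 1.12 only while
# default_domain_suffix is set (group qualified with the domain suffix):
%ad_linux_admins@example.com ALL=(ALL) ALL
# Local rule form the poster reports as matching on sssd 1.11 (no suffix):
%ad_linux_admins ALL=(ALL) ALL
```

Checking `id` for the qualified group name and `sudo -l` on each sssd version, as the reply above suggests, shows which of the two forms the host actually resolves.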
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project