> -----Original Message-----
> From: Jakub Hrozek [mailto:jhro...@redhat.com]
> Sent: Monday, September 21, 2015 3:29 PM
> To: Andy Thompson <andy.thomp...@e-tcc.com>
> Cc: firstname.lastname@example.org; pbrez...@redhat.com
> Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
>
> On Mon, Sep 21, 2015 at 02:22:54PM +0000, Andy Thompson wrote:
> > > On Thu, Sep 17, 2015 at 11:42:54AM +0000, Andy Thompson wrote:
> > > > I've narrowed it down a bit doing some testing. The sudo rules
> > > > work when I remove the user group restriction from them. My sudo
> > > > rules all have my ad groups in the rule
> > > >
> > > > Rule name: ad_linux_admins
> > > > Enabled: TRUE
> > > > Host category: all
> > > > Command category: all
> > > > RunAs User category: all
> > > > RunAs Group category: all
> > > > User Groups: ad_linux_admins <- if I remove this then the rule
> > > > gets applied
> > >
> > > Nice catch. Is the group visible after you login and run id?
> > >
> > > What is the exact IPA server version?
> >
> > Ok, I also figured out that if I rename my AD groups to match my IPA
> > groups then the sudo rules are applied.
> >
> > I tested a couple things though, if I put a rule in the local sudoers
> > file on a server running sssd 1.11
> >
> > %<groupname>@<IPA domain> "sudo commands"
> >
> > That rule was not applied. If I remove the <IPA domain> then the rule
> > got applied.
> >
> > On a server running sssd 1.12 that rule works, but does not work if I
> > remove the <IPA domain>. And none of the IPA sudo rules work. So
> > something changed with the domain suffix between versions it would
> > appear.
> >
> > The key to making the IPA sudo rules work in 1.12 is to remove the
> > default_domain_suffix setting in the sssd.conf, but that's not an
> > option in my environment.
> >
> > So all the moving parts together, it appears that having AD groups
> > with a different name than the IPA groups in conjunction with the
> > default_domain_suffix setting breaks things right now in 1.12.
> > Appears since I renamed the ad group to match then the rule without a
> > domain suffix will get matched now
>
> Hello Andy,
>
> I'm sorry for the constant delays, but I was busy with some trust-related
> fixes lately.
>
> Did you have a chance to confirm that just swapping sssd /on the client/
> while keeping the same version on the server fixes the issue for you?
>
> Pavel (CC), can you help me out here, please? I have the setup ready on my
> machine, so tomorrow we can take a look and experiment (I can give you
> access to my environment via tmate maybe..), but I wasn't able to reproduce
> the issue locally yet.
It's fine, I understand the backlog. I was not able to backrev the sssd due to dependency issues. I tried downgrading all the dependencies and got in a loop and stopped trying. Are there any tricks you can think of to downgrade the sssd cleanly?

-andy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
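Added example, not part of the thread and not sssd or FreeIPA project code: a small POSIX shell helper for the three checks the thread circles around (whether sssd.conf sets default_domain_suffix, which form of the %group entry in a local sudoers file that implies, and whether the group is visible in the `id` output Jakub asked about). The sssd.conf body and the `id -Gn` output are constructed samples; ipa.example.com is a placeholder domain, and the ad_linux_admins group name is the one from the thread.

```shell
#!/bin/sh
# Diagnostic helpers for the default_domain_suffix / sudoers group-name
# mismatch discussed in the thread. Added example, not project code.

# Constructed sample sssd.conf body (ipa.example.com is a placeholder domain).
SAMPLE_SSSD_CONF='[sssd]
domains = ipa.example.com
services = nss, pam, sudo
default_domain_suffix = ipa.example.com

[domain/ipa.example.com]
id_provider = ipa
sudo_provider = ipa
'

# Constructed sample of what `id -Gn` prints for a user whose groups come
# back in fully qualified form.
SAMPLE_ID_GROUPS='domain_users@ad.example.com ad_linux_admins@ipa.example.com'

# Print the value of default_domain_suffix from an sssd.conf body on stdin
# (prints nothing if the option is not set).
sssd_default_suffix() {
    awk -F'=' '/^[ \t]*default_domain_suffix[ \t]*=/ {
        gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Print the %group spec for a local sudoers rule: qualified with the suffix
# in $2 when one is given, the short form otherwise.
sudoers_group_spec() {
    if [ -n "$2" ]; then
        printf '%%%s@%s\n' "$1" "$2"
    else
        printf '%%%s\n' "$1"
    fi
}

# Return 0 if the group in $1 (short or qualified, exactly as given) appears
# in the space-separated `id -Gn` style list in $2, 1 otherwise.
group_in_id_output() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# Stand-alone run against the constructed samples. On a real client you would
# feed `cat /etc/sssd/sssd.conf` and `id -Gn` instead of the samples.
suffix=$(printf '%s' "$SAMPLE_SSSD_CONF" | sssd_default_suffix)
echo "default_domain_suffix: ${suffix:-(not set)}"
echo "sudoers entry to try:  $(sudoers_group_spec ad_linux_admins "$suffix")"
for name in ad_linux_admins "ad_linux_admins@$suffix"; do
    if group_in_id_output "$name" "$SAMPLE_ID_GROUPS"; then
        echo "group '$name' is visible in id output"
    else
        echo "group '$name' is NOT visible in id output"
    fi
done
```

The point of running both forms through `group_in_id_output` is that with default_domain_suffix set, the name a sudoers rule has to match and the name `id` shows can differ only by that suffix; seeing which of the two is present tells you which side of the mismatch you are on before touching sssd versions.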