> Thanks. Please, keep in mind that we changed the default to the correct
> order in sssd 1.13.1. Therefore if you update sssd you will either have to
> invert the order again or set sudo_inverse_order = true in [sudo] in
> /etc/sssd/sssd.conf.

ok. I don't think there's an easy way to upgrade sssd right now with Ubuntu 14.04.
Is it possible to set sudo_inverse_order = true with my current version, i.e. even if it is not yet recognized?

>> On Thu, Oct 8, 2015 at 5:26 PM, Pavel Březina <pbrez...@redhat.com> wrote:
>>>
>>> On 10/08/2015 04:26 PM, Karl Forner wrote:
>>>>
>>>> Hi,
>>>>
>>>>> you are prompted for password because (ALL) ALL rule is applied because
>>>>> of last-match rule.
>>>>> See:
>>>>> http://www.sudo.ws/man/1.8.13/sudoers.ldap.man.html sudoOrder.
>>>>
>>>> Ok. I updated the rules to use a sudoorder attribute of 100 for the
>>>> /usr/bin/less sudo rule.
>>>> Now, if I type in a terminal:
>>>> %sudo -l
>>>> Matching Defaults entries for karl on midgard:
>>>>      env_reset, mail_badpass,
>>>>      secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
>>>>
>>>> User karl may run the following commands on xxxx:
>>>>      (ALL) ALL
>>>>      (root) NOPASSWD: /usr/bin/git status, /usr/local/bin/git status
>>>>      (ALL) ALL
>>>>      (ALL) NOPASSWD: /usr/bin/less
>>>>
>>>> so my less rule is the last one. So far so good.
>>>>
>>>> %sudo -l less
>>>> /usr/bin/less
>>>>
>>>> but if I type in a new terminal:
>>>> %sudo less .bashrc
>>>> [sudo] password for karl:
>>>>
>>>> I am prompted to type in a password.
>>>>
>>>> So there seems to be a problem, right?
>>>>
>>>> Regards,
>>>> Karl
>>>>
>>>
>>> Hi,
>>> we have a bug in sssd in versions prior to 1.13.1:
>>> https://fedorahosted.org/sssd/ticket/2682
>>>
>>> where sudoOrder attribute is treated the other way around. Please, try
>>> inverting the order. What version of sssd do you use?
>>>
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
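
Added example, not part of the thread and not sssd or sudo code: a simplified Python model of the sudoOrder selection discussed above, showing why the NOPASSWD rule loses when the order is reversed and why a workaround that inverts the values stops working once the ordering is corrected. The role names, the `inverted` flag and the exact-path matching are assumptions made for illustration; hosts, run-as users and command arguments are ignored.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SudoRole:
    name: str                # hypothetical label, not taken from the thread
    command: str             # "ALL" or an absolute command path
    nopasswd: bool
    sudo_order: float = 0.0  # sudoers.ldap: a missing sudoOrder counts as 0


def effective_rule(roles, command, inverted=False):
    """Return the role that decides `command`.

    inverted=False: the matching role with the highest sudoOrder wins,
                    which mirrors last-match in a sudoers file.
    inverted=True:  the lowest sudoOrder wins, modelling the reversed
                    ordering the thread describes for sssd before 1.13.1.
    """
    candidates = [r for r in roles if r.command in ("ALL", command)]
    if not candidates:
        raise LookupError(f"no rule matches {command}")
    # Sort so that the winning entry ends up last (last match wins).
    ordered = sorted(candidates, key=lambda r: r.sudo_order, reverse=inverted)
    return ordered[-1]


def prompts_for_password(roles, command, inverted=False):
    return not effective_rule(roles, command, inverted).nopasswd


# Constructed from the rules quoted in the thread: less gets sudoOrder 100.
THREAD_ROLES = [
    SudoRole("allow_all", "ALL", nopasswd=False),
    SudoRole("less_nopasswd", "/usr/bin/less", nopasswd=True, sudo_order=100),
]

# Constructed workaround for the reversed ordering: swap the values.
WORKAROUND_ROLES = [
    SudoRole("allow_all", "ALL", nopasswd=False, sudo_order=100),
    SudoRole("less_nopasswd", "/usr/bin/less", nopasswd=True, sudo_order=0),
]

if __name__ == "__main__":
    for label, roles in (("thread", THREAD_ROLES), ("workaround", WORKAROUND_ROLES)):
        for inverted in (False, True):
            prompt = prompts_for_password(roles, "/usr/bin/less", inverted)
            print(f"{label:10} inverted={inverted!s:5} password prompt={prompt}")
```

Entries with equal sudoOrder are left in input order here; that tie-break is an assumption of the model, so give competing rules distinct values.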