On 10/09/2015 01:40 PM, Karl Forner wrote:
Thanks. Please, keep in mind that we changed the default to the correct
order in sssd 1.13.1. Therefore if you update sssd you will either have to
invert the order again or set sudo_inverse_order = true in [sudo] in

ok. I don't think there's an easy way to upgrade sssd right now with
ubuntu 14.04.
Is-it possible to set sudo_inverse_order = true with my current
version, i.e. even if it is not yet recognized ?

SSSD will run but some tools that touch sssd.conf may have problems (for example I think authconfig will fail).

On Thu, Oct 8, 2015 at 5:26 PM, Pavel Březina <pbrez...@redhat.com> wrote:

On 10/08/2015 04:26 PM, Karl Forner wrote:


you are prompted for password because (ALL) ALL rule is applied because
of last-match rule. > > > See:
http://www.sudo.ws/man/1.8.13/sudoers.ldap.man.html sudoOrder.

Ok. I updated the rules to use a sudoorder attribute of 100 for the
/usr/bin/less sudo rule.
Now, if I type in a terminal:
%sudo -l
Matching Defaults entries for karl on midgard:
       env_reset, mail_badpass,


User karl may run the following commands on xxxx:
       (ALL) ALL
       (root) NOPASSWD: /usr/bin/git status, /usr/local/bin/git status
       (ALL) ALL
       (ALL) NOPASSWD: /usr/bin/less

so my less rule is the last one. So far so good.

%sudo -l less

but if I type in a new terminal:
%sudo less .bashrc
[sudo] password for karl:

I am prompted to type in a password.

So there seems to be a problem, right ?


we have a bug in sssd in versions prior 1.13.1:

where sudoOrder attribute is treated the other ways around. Please, try
inverting the order. What version of sssd do you use?

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to