On 10/09/2015 01:40 PM, Karl Forner wrote:
>> Thanks. Please, keep in mind that we changed the default to the correct
>> order in sssd 1.13.1. Therefore if you update sssd you will either have to
>> invert the order again or set sudo_inverse_order = true in [sudo] in
>> /etc/sssd/sssd.conf.
>
> ok. I don't think there's an easy way to upgrade sssd right now with
> Ubuntu 14.04.
> Is it possible to set sudo_inverse_order = true with my current
> version, i.e. even if it is not yet recognized?

SSSD will run but some tools that touch sssd.conf may have problems (for example I think authconfig will fail).

On Thu, Oct 8, 2015 at 5:26 PM, Pavel Březina <pbrez...@redhat.com> wrote:

On 10/08/2015 04:26 PM, Karl Forner wrote:


Hi,

you are prompted for password because (ALL) ALL rule is applied because
of last-match rule. See:
http://www.sudo.ws/man/1.8.13/sudoers.ldap.man.html sudoOrder.

Ok. I updated the rules to use a sudoorder attribute of 100 for the
/usr/bin/less sudo rule.
Now, if I type in a terminal:
%sudo -l
Matching Defaults entries for karl on midgard:
       env_reset, mail_badpass,
       secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User karl may run the following commands on xxxx:
       (ALL) ALL
       (root) NOPASSWD: /usr/bin/git status, /usr/local/bin/git status
       (ALL) ALL
       (ALL) NOPASSWD: /usr/bin/less

so my less rule is the last one. So far so good.

%sudo -l less
/usr/bin/less

but if I type in a new terminal:
%sudo less .bashrc
[sudo] password for karl:

I am prompted to type in a password.

So there seems to be a problem, right?

Regards,
Karl


Hi,
we have a bug in sssd in versions prior to 1.13.1:
https://fedorahosted.org/sssd/ticket/2682

where the sudoOrder attribute is treated the other way around. Please, try
inverting the order. What version of sssd do you use?



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
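
Added example, not part of the thread and not sssd or sudo code: a small Python model of the sudoOrder selection discussed above, using the four rules from the `sudo -l` listing. It assumes only the less rule carries sudoOrder 100 (the rest default to 0, as sudoers.ldap specifies) and models the pre-1.13.1 sssd behaviour as "lowest sudoOrder wins"; all function and field names are hypothetical.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class SudoRole:
    runas: str             # kept from the listing; run-as matching is not modelled
    command: str           # "ALL", or a path with optional fixed arguments
    nopasswd: bool
    sudo_order: float = 0  # sudoers.ldap: a missing sudoOrder counts as 0

# Constructed from the `sudo -l` listing in the thread. Only the less rule is
# said to carry sudoOrder 100; the others are assumed to have no sudoOrder.
ROLES = [
    SudoRole("ALL", "ALL", nopasswd=False),
    SudoRole("root", "/usr/bin/git status", nopasswd=True),
    SudoRole("ALL", "ALL", nopasswd=False),
    SudoRole("ALL", "/usr/bin/less", nopasswd=True, sudo_order=100),
]

def matches(role, argv):
    if role.command == "ALL":
        return True
    want = role.command.split()
    # A rule without arguments allows any arguments; otherwise they must match.
    return argv[0] == want[0] and (len(want) == 1 or argv[1:] == want[1:])

def effective_role(roles, argv, inverse_order=False):
    # False: highest sudoOrder decides (sudoers.ldap "last match").
    # True: lowest decides, the assumed model of sssd < 1.13.1 / sudo_inverse_order.
    candidates = [r for r in roles if matches(r, argv)]
    if not candidates:
        return None
    pick = min if inverse_order else max
    return pick(candidates, key=lambda r: r.sudo_order)

def needs_password(roles, argv, inverse_order=False):
    role = effective_role(roles, argv, inverse_order)
    if role is None:
        raise PermissionError("no matching sudo rule")
    return not role.nopasswd

def invert_orders(roles):
    # Workaround from the thread: flip the sudoOrder values.
    top = max(r.sudo_order for r in roles)
    return [replace(r, sudo_order=top - r.sudo_order) for r in roles]

if __name__ == "__main__":
    cmd = ["/usr/bin/less", ".bashrc"]
    print("correct order, password needed:", needs_password(ROLES, cmd))
    print("inverted order, password needed:", needs_password(ROLES, cmd, True))
```

The last case in the model, flipped sudoOrder values evaluated in the correct order, is why an upgrade to 1.13.1 needs either the values flipped back or sudo_inverse_order = true.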
