Running RHEL 7.2:
ipa-client-4.2.0-15.el7_2.18
sssd-ipa-1.13.0-40.el7_2.12.x86_64
ipa-server-4.2.0-15.el7_2.18.x86_64
I have a sudo rule where I try to give sudo access based on an AD group.

# groups drext...@net.dr.dk
drext...@net.dr.dk : drext...@net.dr.dk ............... domain_us...@linux.dr.dk

I'm a member of the group domain_users via AD.

SUDO rule in LDAP:

# guffe, sudoers, linux.dr.dk
dn: cn=guffe,ou=sudoers,dc=linux,dc=dr,dc=dk
sudoUser: %domain_users
sudoRunAsGroup: ALL
objectClass: sudoRole
objectClass: top
sudoCommand: /usr/bin/cat /var/log/messages
sudoRunAsUser: ALL
sudoHost: ALL
cn: guffe

sudo debug log shows:

<cut>
Aug 23 14:48:26 sudo[27307] Received 1 rule(s)
</cut>
<cut>
Aug 23 14:48:26 sudo[27307] val[0]=%domain_users
Aug 23 14:48:26 sudo[27307] -> usergr_matches @ ./match.c:802
Aug 23 14:48:26 sudo[27307] -> user_in_group @ ./pwutil.c:940
Aug 23 14:48:26 sudo[27307] -> sudo_get_grlist @ ./pwutil.c:877
Aug 23 14:48:26 sudo[27307] -> rbfind @ ./redblack.c:273
Aug 23 14:48:26 sudo[27307] <- rbfind @ ./redblack.c:277 := 0x7ff224cb31d0
Aug 23 14:48:26 sudo[27307] <- sudo_get_grlist @ ./pwutil.c:930 := 0x7ff224cb3348
Aug 23 14:48:26 sudo[27307] -> sudo_getgrnam @ ./pwutil.c:719
Aug 23 14:48:26 sudo[27307] -> rbfind @ ./redblack.c:273
Aug 23 14:48:26 sudo[27307] <- rbfind @ ./redblack.c:280 := (nil)
Aug 23 14:48:26 sudo[27307] -> rbinsert @ ./redblack.c:181
Aug 23 14:48:26 sudo[27307] <- rbinsert @ ./redblack.c:261 := (nil)
Aug 23 14:48:26 sudo[27307] <- sudo_getgrnam @ ./pwutil.c:745 := (nil)
Aug 23 14:48:26 sudo[27307] -> sudo_grlist_delref @ ./pwutil.c:816
Aug 23 14:48:26 sudo[27307] -> sudo_grlist_delref_item @ ./pwutil.c:805
Aug 23 14:48:26 sudo[27307] <- sudo_grlist_delref_item @ ./pwutil.c:810
Aug 23 14:48:26 sudo[27307] <- sudo_grlist_delref @ ./pwutil.c:818
Aug 23 14:48:26 sudo[27307] <- user_in_group @ ./pwutil.c:1010 := false
Aug 23 14:48:26 sudo[27307] <- usergr_matches @ ./match.c:835 := false
Aug 23 14:48:26 sudo[27307] <- sudo_sss_filter_sudoUser @ ./sssd.c:683 := false
</cut>

So, a rule is matched, but I'm not in the group?
I have tried setting use_fully_qualified_names = true in sssd.conf, but no luck. The sudo is still denied. Am I missing something?

--
Kind regards

Troels Hansen
System consultant

Casalogic A/S
T (+45) 70 20 10 63
M (+45) 22 43 71 57

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
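An added diagnostic, not part of the original post and not code from sudo, SSSD or FreeIPA: a small Python script that parses a sudoRole entry in LDIF and checks its sudoUser values against a user's group list with an exact string comparison, the same kind of lookup the trace above shows (user_in_group looks the group up by the name exactly as written in the rule, and sudo_getgrnam returns nil when no group of that name is known). The LDIF is modelled on the guffe rule, but the user name and both group lists are constructed placeholders, and the simplified matcher (no netgroups, no numeric ids, no sudoHost or sudoCommand evaluation) is an assumption of the example, not a statement about the poster's environment.

```python
"""Check which sudoUser values of LDAP sudoRole entries match a given user.

The group check is a plain exact string comparison: '%name' matches only if
'name' appears verbatim in the user's group list. This mirrors the lookup seen
in sudo's debug trace (user_in_group -> sudo_getgrnam on the bare name) and is
a simplification of sudo's full matching logic (assumption of this example).

All sample data is constructed: the LDIF copies the shape of the 'guffe' rule,
the user and group names are placeholders.
"""
from typing import Dict, List

# Constructed LDIF modelled on the sudoRole entry in the post.
SAMPLE_LDIF = """\
# guffe, sudoers, linux.dr.dk
dn: cn=guffe,ou=sudoers,dc=linux,dc=dr,dc=dk
sudoUser: %domain_users
sudoRunAsGroup: ALL
objectClass: sudoRole
objectClass: top
sudoCommand: /usr/bin/cat /var/log/messages
sudoRunAsUser: ALL
sudoHost: ALL
cn: guffe
"""

# Constructed group lists in the two shapes 'groups' can print:
# fully qualified (use_fully_qualified_names = true) and short names.
FQ_GROUPS = ["user1@net.dr.dk", "domain_users@linux.dr.dk"]
SHORT_GROUPS = ["user1", "domain_users"]


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: one dict per entry, attribute -> list of values.

    Handles '#' comments, blank-line entry separators and continuation lines
    (a leading space appends to the previous value). Base64 (':: ') values are
    not handled; none occur in a plain sudoRole entry like the one above.
    """
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
                current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip(), value.strip()
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def sudo_user_matches(spec: str, user: str, groups: List[str]) -> bool:
    """Match one sudoUser value against a user and their group list.

    'ALL' matches anyone, '%name' requires 'name' to be in the group list
    verbatim, anything else is compared to the user name. Netgroups ('+name')
    and numeric ids ('%#gid', '#uid') are out of scope for this check.
    """
    if spec == "ALL":
        return True
    if spec.startswith("%"):
        return spec[1:] in groups  # exact comparison, no suffix stripping or adding
    return spec == user


def matching_rules(ldif_text: str, user: str, groups: List[str]) -> List[str]:
    """Return the cn of every sudoRole whose sudoUser list matches the user."""
    matched = []
    for entry in parse_ldif(ldif_text):
        if "sudoRole" not in entry.get("objectClass", []):
            continue
        if any(sudo_user_matches(s, user, groups) for s in entry.get("sudoUser", [])):
            matched.append(entry["cn"][0])
    return matched


if __name__ == "__main__":
    # Same rule, two shapes of group list: only one of them contains the exact
    # string 'domain_users' that the rule names.
    print("fully qualified groups:", matching_rules(SAMPLE_LDIF, "user1@net.dr.dk", FQ_GROUPS))
    print("short groups:          ", matching_rules(SAMPLE_LDIF, "user1", SHORT_GROUPS))
```

Running the script with the group list copied from what `groups` or `id` prints on the client shows whether the name in sudoUser is literally the string sudo will compare against; the first print above yields an empty list, the second yields ['guffe'].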