On Tue, Aug 23, 2016 at 03:17:48PM +0200, Troels Hansen wrote:
> Running RHEL 7.2:
>
> ipa-client-4.2.0-15.el7_2.18
> sssd-ipa-1.13.0-40.el7_2.12.x86_64
> ipa-server-4.2.0-15.el7_2.18.x86_64
>
> I have a sudo rule where I try to give sudo access based on an AD group.
>
> # groups [email protected]
> [email protected] : [email protected] ...............
> [email protected]
>
> I'm a member of the group domain_users via AD.
>
> SUDO rule in LDAP:
>
> # guffe, sudoers, linux.dr.dk
> dn: cn=guffe,ou=sudoers,dc=linux,dc=dr,dc=dk
> sudoUser: %domain_users
> sudoRunAsGroup: ALL
> objectClass: sudoRole
> objectClass: top
> sudoCommand: /usr/bin/cat /var/log/messages
> sudoRunAsUser: ALL
> sudoHost: ALL
> cn: guffe

domain_users != [email protected]

I'm also curious why sssd qualifies the IPA group name (domain_users is an IPA group name, right?). Do you set use_fully_qualified_names=true by chance in the config file?

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
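
The mismatch the reply points out, as an added example that is not part of the original messages: it pulls the `%group` names out of a sudoRole entry and compares them, as plain strings, with the group names a user resolves to. The `ad.example` domain and the user name are constructed placeholders, and the string comparison is a simplification of how sudo looks groups up through NSS.

```python
"""Added diagnostic: compare sudoUser %group entries with a user's group names."""

# Constructed sample data. The rule attributes follow the entry quoted above;
# "ad.example" and "th" are placeholders, not values from the thread.
SAMPLE_LDIF = """\
dn: cn=guffe,ou=sudoers,dc=linux,dc=dr,dc=dk
sudoUser: %domain_users
sudoRunAsGroup: ALL
objectClass: sudoRole
sudoCommand: /usr/bin/cat /var/log/messages
sudoRunAsUser: ALL
sudoHost: ALL
cn: guffe
"""
SAMPLE_GROUPS = ["th@ad.example", "domain_users@ad.example"]


def sudo_user_groups(ldif):
    """Return Unix group names (the %name form) from sudoUser attributes."""
    groups = []
    for line in ldif.splitlines():
        attr, sep, value = line.partition(":")
        value = value.strip()
        if not sep or attr.strip().lower() != "sudouser":
            continue
        # Keep %name only; skip %#gid and %:non-Unix-group forms.
        if value.startswith("%") and value[1:2] not in ("#", ":", ""):
            groups.append(value[1:])
    return groups


def classify(rule_group, user_groups):
    """'exact' if the names are equal, 'short-name-only' if they are
    equal only once the @domain suffix is dropped, otherwise 'none'."""
    if rule_group in user_groups:
        return "exact"
    short_names = {g.split("@", 1)[0] for g in user_groups}
    if rule_group.split("@", 1)[0] in short_names:
        return "short-name-only"
    return "none"


def report(ldif, user_groups):
    """Map each %group in the rule to its match class for this user."""
    return {g: classify(g, user_groups) for g in sudo_user_groups(ldif)}


if __name__ == "__main__":
    for group, result in report(SAMPLE_LDIF, SAMPLE_GROUPS).items():
        print(f"%{group}: {result}")
```

A `short-name-only` result is the situation described in the reply: the rule names the short group while the client reports the qualified one.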
