On Tue, Aug 23, 2016 at 03:17:48PM +0200, Troels Hansen wrote:
> Running RHEL 7.2: 
> 
> ipa-client-4.2.0-15.el7_2.18 
> sssd-ipa-1.13.0-40.el7_2.12.x86_64 
> ipa-server-4.2.0-15.el7_2.18.x86_64 
> 
> I have a sudo rule where I try to give sudo access based on an AD group. 
> 
> # groups drext...@net.dr.dk 
> drext...@net.dr.dk : drext...@net.dr.dk ............... 
> domain_us...@linux.dr.dk 
> 
> I'm a member of the group domain_users via AD. 
> 
> SUDO rule in LDAP: 
> 
> # guffe, sudoers, linux.dr.dk 
> dn: cn=guffe,ou=sudoers,dc=linux,dc=dr,dc=dk 
> sudoUser: %domain_users 
> sudoRunAsGroup: ALL 
> objectClass: sudoRole 
> objectClass: top 
> sudoCommand: /usr/bin/cat /var/log/messages 
> sudoRunAsUser: ALL 
> sudoHost: ALL 
> cn: guffe 

domain_users != domain_us...@linux.dr.dk

I'm also curious why sssd qualifies the IPA group name (domain_users is
an IPA group name, right?)

Do you set use_fully_qualified_names=true by chance in the config file?

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
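
The name mismatch pointed out in the reply above, as an added example that is not part of the original message or of SSSD/sudo: it reads a sudoRole entry and an sssd.conf fragment and reports which `%group` entries can only be found in the user's group list in qualified `name@domain` form. The domains, user and group names are constructed placeholders, the function names are hypothetical, and the exact string comparison of group names is an assumption made for the illustration.

```python
import configparser

# Constructed sample data; names and domains are placeholders, not the poster's.
SSSD_CONF = """
[domain/ipa.example.test]
use_fully_qualified_names = True
"""
SUDO_RULE_LDIF = """\
dn: cn=guffe,ou=sudoers,dc=ipa,dc=example,dc=test
objectClass: sudoRole
sudoUser: %domain_users
sudoCommand: /usr/bin/cat /var/log/messages
"""
# Group names as `groups` would list them when SSSD qualifies every name.
NSS_GROUPS = ["aduser@ad.example.test", "domain_users@ipa.example.test"]

def fqn_domains(conf_text):
    """Return the SSSD domains with use_fully_qualified_names enabled."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return [s.split("/", 1)[1] for s in cp.sections()
            if s.startswith("domain/")
            and cp.getboolean(s, "use_fully_qualified_names", fallback=False)]

def sudo_groups(ldif_text):
    """Extract the %group entries from the sudoUser attributes of a rule."""
    values = [l.partition(":")[2].strip() for l in ldif_text.splitlines()
              if l.partition(":")[0].strip().lower() == "sudouser"]
    return [v[1:] for v in values if v.startswith("%")]

def diagnose(ldif_text, nss_groups, conf_text):
    """Map each rule group to 'match', 'qualified-only' or 'no-match'."""
    domains = fqn_domains(conf_text)
    result = {}
    for g in sudo_groups(ldif_text):
        if g in nss_groups:                    # assumed: exact name comparison
            result[g] = "match"
        elif any(f"{g}@{d}" in nss_groups for d in domains):
            result[g] = "qualified-only"       # present only as name@domain
        else:
            result[g] = "no-match"
    return result

if __name__ == "__main__":
    print(diagnose(SUDO_RULE_LDIF, NSS_GROUPS, SSSD_CONF))
```
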
