Yes and no.... Have tried setting it to both true and false, but doesn't make a huge difference.

Current result with "use_fully_qualified_names = false": the LDAP search from sssd_sudo.log shows SSSD finding a sudo rule...

(Thu Aug 25 08:15:27 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)([email protected])(sudoUser=#1349938498) ....... (sudoUser=%domain_users)(sudoUser=+*)))]
(Thu Aug 25 08:15:27 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
(Thu Aug 25 08:15:27 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [[email protected]]

SSSD cache shows the sudo rule:

# ldbsearch -H /var/lib/sss/db/cache_linux.dr.dk.ldb -b cn=sysdb '(objectClass=sudoRule)'
asq: Unable to register control with rootdse!
# record 1
dn: name=guffe,cn=sudorules,cn=custom,cn=linux.dr.dk,cn=sysdb
cn: guffe
dataExpireTimestamp: 1472110940
entryUSN: 325878
name: guffe
objectClass: sudoRule
originalDN: cn=guffe,ou=sudoers,dc=linux,dc=dr,dc=dk
sudoCommand: /usr/bin/cat /var/log/messages
sudoHost: ALL
sudoRunAsGroup: ALL
sudoRunAsUser: ALL
sudoUser: %domain_users
distinguishedName: name=guffe,cn=sudorules,cn=custom,cn=linux.dr.dk,cn=sysdb

But still sudo debug log says:

Aug 25 08:29:55 sudo[2392] -> user_in_group @ ./pwutil.c:940
Aug 25 08:29:55 sudo[2392] -> sudo_get_grlist @ ./pwutil.c:877
Aug 25 08:29:55 sudo[2392] -> rbfind @ ./redblack.c:273
Aug 25 08:29:55 sudo[2392] <- rbfind @ ./redblack.c:277 := 0x7f877f45d1d0
Aug 25 08:29:55 sudo[2392] <- sudo_get_grlist @ ./pwutil.c:930 := 0x7f877f45d348
Aug 25 08:29:55 sudo[2392] -> sudo_getgrnam @ ./pwutil.c:719
Aug 25 08:29:55 sudo[2392] -> rbfind @ ./redblack.c:273
Aug 25 08:29:55 sudo[2392] <- rbfind @ ./redblack.c:280 := (nil)
Aug 25 08:29:55 sudo[2392] -> make_gritem @ ./pwutil.c:474
Aug 25 08:29:55 sudo[2392] <- make_gritem @ ./pwutil.c:524 := 0x7f877f44ef20
Aug 25 08:29:55 sudo[2392] -> rbinsert @ ./redblack.c:181
Aug 25 08:29:55 sudo[2392] <- rbinsert @ ./redblack.c:261 := (nil)
Aug 25 08:29:55 sudo[2392] <- sudo_getgrnam @ ./pwutil.c:745 := 0x7f877f44ef38
Aug 25 08:29:55 sudo[2392] -> sudo_grlist_delref @ ./pwutil.c:816
Aug 25 08:29:55 sudo[2392] -> sudo_grlist_delref_item @ ./pwutil.c:805
Aug 25 08:29:55 sudo[2392] <- sudo_grlist_delref_item @ ./pwutil.c:810
Aug 25 08:29:55 sudo[2392] <- sudo_grlist_delref @ ./pwutil.c:818
Aug 25 08:29:55 sudo[2392] <- user_in_group @ ./pwutil.c:1010 := false

I'm quite lost on how to debug further on this.....

----- On Aug 24, 2016, at 9:50 AM, Jakub Hrozek [email protected] wrote:

> On Tue, Aug 23, 2016 at 03:17:48PM +0200, Troels Hansen wrote:
>> Running RHEL 7.2:
>>
>> ipa-client-4.2.0-15.el7_2.18
>> sssd-ipa-1.13.0-40.el7_2.12.x86_64
>> ipa-server-4.2.0-15.el7_2.18.x86_64
>>
>> I have a sudo rule where I try to give sudo access based on an AD group.
>>
>> # groups [email protected]
>> [email protected] : [email protected] ............... [email protected]
>>
>> I'm a member of the group domain_users via AD.
>>
>> SUDO rule in LDAP:
>>
>> # guffe, sudoers, linux.dr.dk
>> dn: cn=guffe,ou=sudoers,dc=linux,dc=dr,dc=dk
>> sudoUser: %domain_users
>> sudoRunAsGroup: ALL
>> objectClass: sudoRole
>> objectClass: top
>> sudoCommand: /usr/bin/cat /var/log/messages
>> sudoRunAsUser: ALL
>> sudoHost: ALL
>> cn: guffe
>
> domain_users != [email protected]
>
> I'm also curious why sssd qualifies the IPA group name (domain_users is
> an IPA group name, right?)
>
> Do you set use_fully_qualified_names=true by chance in the config file?
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

--
Kind regards

Troels Hansen
Systems Consultant
Casalogic A/S
T (+45) 70 20 10 63
M (+45) 22 43 71 57
Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
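Jakub's point, that the group in a `sudoUser: %domain_users` spec has to equal, character for character, a group name the system returns for the user, can be checked before wading through sudo's trace. The script below is an added example, not code from this thread or from sssd or sudo; its rule record, user name and group list are constructed, and it models only the literal name comparison, not sudo's NSS lookups of `#uid` or `+netgroup` specs.

```python
import re

# Constructed sample input (not the thread's real data): one sudo rule as
# ldbsearch prints it from the SSSD cache, plus the group names NSS returns
# for the user, here domain-qualified as sssd emits them for AD trust users.
SAMPLE_RULE_LDIF = """\
dn: name=guffe,cn=sudorules,cn=custom,cn=example.test,cn=sysdb
objectClass: sudoRule
sudoCommand: /usr/bin/cat /var/log/messages
sudoHost: ALL
sudoUser: %domain_users
sudoUser: alice
sudoUser: +admins_ng
"""
SAMPLE_USER = "alice@ad.example.test"
SAMPLE_USER_GROUPS = ["alice@ad.example.test", "domain_users@ad.example.test", "wheel"]


def parse_sudo_users(ldif: str) -> list[str]:
    """Return every sudoUser value of an LDIF/ldbsearch record, in order."""
    return [m.group(1).strip() for m in re.finditer(r"^sudoUser:\s*(.+)$", ldif, re.M)]


def short_name(name: str) -> str:
    """Drop a domain qualifier: 'g@dom' -> 'g', 'DOM\\g' -> 'g'."""
    return name.split("@", 1)[0].split("\\")[-1]


def classify(spec: str, user: str, user_groups: list[str]) -> str:
    """Literal-match one sudoUser spec the way sudo compares names.
    'match': exact string present; 'qualified-only': only the short form
    matches (the domain_users != domain_users@dom case); 'no-match';
    'skipped': #uid / +netgroup need lookups not modelled here."""
    if spec == "ALL":
        return "match"
    if spec[0] in "#+":
        return "skipped"
    is_group = spec.startswith("%")
    wanted = spec[1:] if is_group else spec
    candidates = user_groups if is_group else [user]
    if wanted in candidates:
        return "match"
    if short_name(wanted) in {short_name(c) for c in candidates}:
        return "qualified-only"
    return "no-match"


def check_rule(ldif: str, user: str, user_groups: list[str]) -> dict[str, str]:
    """Map each sudoUser spec of the record to its match status."""
    return {s: classify(s, user, user_groups) for s in parse_sudo_users(ldif)}
```

A `qualified-only` result for the `%domain_users` spec is the exact situation in the thread: the rule names the short group, the user's group list only carries the qualified name, so sudo's literal comparison fails.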
