On 08/26/2016 02:15 PM, Jeff Goddard wrote:
Pavel,
I appreciate that you're busy and thank you for taking time to look at
this. Here is the output:
[root@id-management-1 ~]# ipa sudorule-show
Rule name: all
Rule name: All
Description: Full sudo access for Developer group in office environment
Enabled: TRUE
Command category: all
RunAs User category: all
RunAs Group category: all
User Groups: developers
Host Groups: office
[root@id-management-1 ~]#
Hi,
unfortunately sudo 1.8.16 introduced a bug in sssd plugin. 1.8.16
contains a new option called netgroup_tuple, which tells whether a full
netgroup tuply is check or only the host/user part in host/user check.
However, the patch didn't make the sssd plugin to obey this option and
it always check both hostname and username.
It is fixed in 1.8.17 by this patch:
https://www.sudo.ws/repos/sudo/rev/2eab4070dcf7
Please, report bug against Ubuntu sudo to backport this patch or rebase
sudo.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project