On 08/26/2016 02:15 PM, Jeff Goddard wrote:

I appreciate that you're busy and thank you for taking time to look at
this. Here is the output:

[root@id-management-1 ~]# ipa sudorule-show
Rule name: all
   Rule name: All
   Description: Full sudo access for Developer group in office environment
   Enabled: TRUE
   Command category: all
   RunAs User category: all
   RunAs Group category: all
   User Groups: developers
   Host Groups: office
[root@id-management-1 ~]#

unfortunately sudo 1.8.16 introduced a bug in sssd plugin. 1.8.16 contains a new option called netgroup_tuple, which tells whether a full netgroup tuply is check or only the host/user part in host/user check. However, the patch didn't make the sssd plugin to obey this option and it always check both hostname and username.

It is fixed in 1.8.17 by this patch:

Please, report bug against Ubuntu sudo to backport this patch or rebase sudo.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to