Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo

2015-10-01 Thread Andy Thompson
> On 09/30/2015 09:04 PM, Andy Thompson wrote:
> >> On Wed, Sep 30, 2015 at 12:17:22PM +, Andy Thompson wrote:
> >>>> On 09/21/2015 10:42 PM, Andy Thompson wrote:
> >>>>>> On Mon, Sep 21, 2015 at 07:39:01PM +, Andy Thompson wrote:
> >>>>>>>> -Original Message-
> >>>>>>>> From: Jakub Hrozek [mailto:jhro...@redhat.com]
> >>>>>>>> Sent: Monday, September 21, 2015 3:29 PM
> >>>>>>>> To: Andy Thompson <andy.thomp...@e-tcc.com>
> >>>>>>>> Cc: freeipa-users@redhat.com; pbrez...@redhat.com
> >>>>>>>> Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
> >>>>>>>>
> >>>>>>>> On Mon, Sep 21, 2015 at 02:22:54PM +, Andy Thompson
> wrote:
> >>>>>>>>>>
> >>>>>>>>>> On Thu, Sep 17, 2015 at 11:42:54AM +, Andy Thompson
> >> wrote:
> >>>>>>>>>>> I've narrowed it down a bit doing some testing.  The sudo
> >>>>>>>>>>> rules work when
> >>>>>>>>>> I remove the user group restriction from them.  My sudo rules
> >>>>>>>>>> all have my ad groups in the rule
> >>>>>>>>>>>
> >>>>>>>>>>> Rule name: ad_linux_admins
> >>>>>>>>>>> Enabled: TRUE
> >>>>>>>>>>> Host category: all
> >>>>>>>>>>> Command category: all
> >>>>>>>>>>> RunAs User category: all
> >>>>>>>>>>> RunAs Group category: all
> >>>>>>>>>>> User Groups: ad_linux_admins  <- if I remove this then
> >>>>>>>>>>> the rule gets
> >>>>>>>>>> applied
> >>>>>>>>>>
> >>>>>>>>>> Nice catch. Is the group visible after you login and run id?
> >>>>>>>>>>
> >>>>>>>>>> What is the exact IPA server version?
> >>>>>>>>>
> >>>>>>>>> Ok I also figured out if I rename my AD groups to match my IPA
> >>>>>>>>> groups then
> >>>>>>>> the sudo rules are applied.
> >>>>>>>>>
> >>>>>>>>> I tested a couple things though, if I put a rule in the local
> >>>>>>>>> sudoers file on a server running sssd 1.11
> >>>>>>>>>
> >>>>>>>>> %@   "sudo commands"
> >>>>>>>>>
> >>>>>>>>> That rule was not applied.  If I remove the  then
> >>>>>>>>> the rule got
> >>>>>>>> applied.
> >>>>>>>>>
> >>>>>>>>> On a server running sssd 1.12 that rule works, but does not
> >>>>>>>>> work if I
> >>>>>>>> remove the .  And none of the IPA sudo rules work.
> >>>>>>>> So something changed with the domain suffix between versions it
> >>>>>>>> would appear.
> >>>>>>>>>
> >>>>>>>>> The key to making the IPA sudo rules work in 1.12 is to
> >>>>>>>>> remove the
> >>>>>>>> default_domain_suffix setting in the sssd.conf, but that's not
> >>>>>>>> an option in my environment.
> >>>>>>>>>
> >>>>>>>>> So all the moving parts together, it appears that having AD
> >>>>>>>>> groups with a different name than the IPA groups in
> >>>>>>>>> conjunction with the default_domain_suffix setting breaks
> >>>>>>>>> things
> >> right now in 1.12.
> >>>>>>>>> Appears since I renamed the ad group to match then the rule
> >>>>>>>>> without a domain suffix will get matched now
> >>>>>>>>
> >>>>>>>> Hello Andy,
> >>>>>>>>
> >>>>>>>> I'm sorry for the constant delays, but I was busy with some
> >>>>>>>

Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo

2015-10-01 Thread Pavel Březina

On 09/30/2015 09:04 PM, Andy Thompson wrote:

On Wed, Sep 30, 2015 at 12:17:22PM +, Andy Thompson wrote:

On 09/21/2015 10:42 PM, Andy Thompson wrote:

On Mon, Sep 21, 2015 at 07:39:01PM +, Andy Thompson wrote:

-Original Message-
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent: Monday, September 21, 2015 3:29 PM
To: Andy Thompson <andy.thomp...@e-tcc.com>
Cc: freeipa-users@redhat.com; pbrez...@redhat.com
Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo

On Mon, Sep 21, 2015 at 02:22:54PM +, Andy Thompson wrote:


On Thu, Sep 17, 2015 at 11:42:54AM +, Andy Thompson

wrote:

I've narrowed it down a bit doing some testing.  The sudo
rules work when

I remove the user group restriction from them.  My sudo rules
all have my ad groups in the rule


Rule name: ad_linux_admins
Enabled: TRUE
Host category: all
Command category: all
RunAs User category: all
RunAs Group category: all
User Groups: ad_linux_admins  <- if I remove this then
the rule gets

applied

Nice catch. Is the group visible after you login and run id?

What is the exact IPA server version?


Ok I also figured out if I rename my AD groups to match my IPA
groups then

the sudo rules are applied.


I tested a couple things though, if I put a rule in the local
sudoers file on a server running sssd 1.11

%@   "sudo commands"

That rule was not applied.  If I remove the  then
the rule got

applied.


On a server running sssd 1.12 that rule works, but does not
work if I

remove the .  And none of the IPA sudo rules work.
So something changed with the domain suffix between versions it
would appear.


The key to making the IPA sudo rules work in 1.12 is to
remove the

default_domain_suffix setting in the sssd.conf, but that's not
an option in my environment.


So all the moving parts together, it appears that having AD
groups with a different name than the IPA groups in
conjunction with the default_domain_suffix setting breaks things

right now in 1.12.

Appears since I renamed the ad group to match then the rule
without a domain suffix will get matched now


Hello Andy,

I'm sorry for the constant delays, but I was busy with some
trust-related fixes lately.

Did you have a chance to confirm that just swapping sssd /on
the client/ while keeping the same version on the server fixes
the issue for

you?


Pavel (CC), can you help me out here, please? I have the setup
ready on my machine, so tomorrow we can take a look and
experiment (I can give you access to my environment via tmate
maybe..), but I wasn't able to reproduce the issue locally yet.


It's fine I understand the backlog.

I was not able to backrev the sssd due to dependency issues.  I
tried

downgrading all the dependencies and got in a loop and stopped
trying.  Are there any tricks you can think of to downgrade the
sssd

cleanly?


-andy



What failures are you getting? I normally just download all
\*sss\* packages and then downgrade with rpm -U --oldpackage.



I'm just trying to use yum.  If I yum downgrade sssd I get a ton
of deps.  If I include all the deps it lists

yum downgrade sssd sssd-proxy sssd-ipa sssd-common-pac sssd-krb5
sssd-krb5-common sssd-ldap sssd-ad libipa_hbac libipa_hbac-python
python-sssdconfig

I get multilib errors with libsss_idmap.

Looks like my local repo doesn't have libsss_idmap 1.11 available.
Let me

look into that and see what repo it sits in and see if I can figure
out why it's not pulling in.


-andy



Hi, since none of us is able to reproduce this in house, can you
give us more precise steps on how to reproduce and more information?
What I have in mind at this moment is:

1) How is membership defined? I suspect it goes as AD-USER ->
AD-GROUP
-> IPA-GROUP, right? What types of groups are used?



I have AD user->AD group->external IPA group->IPA group


2) sssd.conf might also turn out to be useful

3) Remove SSSD and sudo logs, reproduce and send us all the logs
please with the commands to reproduce. Not just snippets.



I can gather this up and get it over to you.

Actually I just realized I have two other environments and this is working

without issue in those environments.  I haven't done a full sudo rollout in
those environments yet so I didn't think to check those, but the admins rule
is working correctly and I haven't renamed any ad groups to match my IPA
groups.


Could it be something in a sudo rule or something in AD that's interfering

with this working correctly?

I would first try to find the difference in the environment. Are sssd versions
the same on the clients and servers? Are sudo versions the same?

...etc.

Pavel has a sudo troubleshooting guide in the works, maybe it would help..


All updates are controlled from the same repo so versions are all the same 
between the environments, that's why I'm wondering if something in AD could 
cause this.  Can't imagine what it would be though.  Groups are all mapped in 
the same way.
>Sudo is s
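
Pavel's three asks (how the membership is defined, the sssd.conf, and complete SSSD and sudo logs from a clean reproduction) are a procedure, so here is one way to script the data-gathering side. This is an added example and not from the thread or from the SSSD project: the sssd.conf text is constructed, ipa.example.com and ad.example.com are placeholder names, and the commands for the client are printed rather than executed. It writes a copy of sssd.conf with debug_level raised in every section, reports whether default_domain_suffix is set (the option Andy found to be part of the trigger), and lists the commands to clear the logs, reproduce with sudo -l, and collect everything.

```shell
#!/bin/sh
# Added example, not from the thread or the SSSD project. Prepares what was
# asked for on the list: a copy of sssd.conf with debug_level raised in every
# section, a check for default_domain_suffix, and the commands to clear the
# SSSD and sudo logs, reproduce, and collect them. The sssd.conf text and the
# domain names below are constructed placeholders.

SSSD_CONF='[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = ipa.example.com
default_domain_suffix = ad.example.com

[domain/ipa.example.com]
id_provider = ipa
ipa_server = ipa1.ipa.example.com
sudo_provider = ipa
debug_level = 2

[nss]
homedir_substring = /home

[pam]

[sudo]'

# Print config $1 with "debug_level = $2" in every section: an existing
# debug_level line is replaced in place, a missing one is appended to the
# section (before the blank lines that separate it from the next header).
set_debug_level() {
    printf '%s\n' "$1" | awk -v lvl="$2" '
        function flush_blanks()  { while (blanks > 0) { print ""; blanks-- } }
        function close_section() {
            if (in_section && !seen) print "debug_level = " lvl
            seen = 0; flush_blanks()
        }
        /^[ \t]*$/                  { blanks++; next }
        /^[ \t]*\[/                 { close_section(); in_section = 1; print; next }
        /^[ \t]*debug_level[ \t]*=/ { flush_blanks(); print "debug_level = " lvl; seen = 1; next }
                                    { flush_blanks(); print }
        END                         { close_section() }
    '
}

# Print the value of default_domain_suffix from the [sssd] section of $1, if set.
default_domain_suffix() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/) }
        in_sssd && /^[ \t]*default_domain_suffix[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print
        }
    '
}

# Commands for a clean reproduction on an EL6 client (printed, not executed).
# The Debug lines follow the sudo.conf(5) syntax. $1 is the user to test.
reproduction_steps() {
    cat <<EOF
service sssd stop
rm -f /var/log/sssd/*.log
cp /etc/sssd/sssd.conf /etc/sssd/sssd.conf.orig   # restore this when done
# install the debug_level = 9 copy produced by set_debug_level as /etc/sssd/sssd.conf
echo 'Debug sudo /var/log/sudo_debug all@debug' >> /etc/sudo.conf
echo 'Debug sudoers.so /var/log/sudoers_debug all@debug' >> /etc/sudo.conf
service sssd start
su - '$1' -c 'sudo -l'
tar czf sssd-sudo-debug.tar.gz /var/log/sssd /var/log/sudo_debug /var/log/sudoers_debug /var/log/secure /etc/sssd/sssd.conf
EOF
}

suffix=$(default_domain_suffix "$SSSD_CONF")
[ -z "$suffix" ] || printf 'default_domain_suffix is set to %s\n' "$suffix"
set_debug_level "$SSSD_CONF" 9
reproduction_steps 'jdoe@ad.example.com'
```

Run it once to see the debug copy and the step list; then copy the step list to the client and send the resulting tarball plus the exact sudo command that was run, which is what "all the logs, not just snippets" needs.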

Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo

2015-09-30 Thread Andy Thompson
> On Wed, Sep 30, 2015 at 12:17:22PM +, Andy Thompson wrote:
> > > On 09/21/2015 10:42 PM, Andy Thompson wrote:
> > > >> On Mon, Sep 21, 2015 at 07:39:01PM +, Andy Thompson wrote:
> > > >>>> -Original Message-
> > > >>>> From: Jakub Hrozek [mailto:jhro...@redhat.com]
> > > >>>> Sent: Monday, September 21, 2015 3:29 PM
> > > >>>> To: Andy Thompson <andy.thomp...@e-tcc.com>
> > > >>>> Cc: freeipa-users@redhat.com; pbrez...@redhat.com
> > > >>>> Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
> > > >>>>
> > > >>>> On Mon, Sep 21, 2015 at 02:22:54PM +, Andy Thompson wrote:
> > > >>>>>>
> > > >>>>>> On Thu, Sep 17, 2015 at 11:42:54AM +, Andy Thompson
> wrote:
> > > >>>>>>> I've narrowed it down a bit doing some testing.  The sudo
> > > >>>>>>> rules work when
> > > >>>>>> I remove the user group restriction from them.  My sudo rules
> > > >>>>>> all have my ad groups in the rule
> > > >>>>>>>
> > > >>>>>>>Rule name: ad_linux_admins
> > > >>>>>>>Enabled: TRUE
> > > >>>>>>>Host category: all
> > > >>>>>>>Command category: all
> > > >>>>>>>RunAs User category: all
> > > >>>>>>>RunAs Group category: all
> > > >>>>>>>User Groups: ad_linux_admins  <- if I remove this then
> > > >>>>>>> the rule gets
> > > >>>>>> applied
> > > >>>>>>
> > > >>>>>> Nice catch. Is the group visible after you login and run id?
> > > >>>>>>
> > > >>>>>> What is the exact IPA server version?
> > > >>>>>
> > > >>>>> Ok I also figured out if I rename my AD groups to match my IPA
> > > >>>>> groups then
> > > >>>> the sudo rules are applied.
> > > >>>>>
> > > >>>>> I tested a couple things though, if I put a rule in the local
> > > >>>>> sudoers file on a server running sssd 1.11
> > > >>>>>
> > > >>>>> %@   "sudo commands"
> > > >>>>>
> > > >>>>> That rule was not applied.  If I remove the  then
> > > >>>>> the rule got
> > > >>>> applied.
> > > >>>>>
> > > >>>>> On a server running sssd 1.12 that rule works, but does not
> > > >>>>> work if I
> > > >>>> remove the .  And none of the IPA sudo rules work.
> > > >>>> So something changed with the domain suffix between versions it
> > > >>>> would appear.
> > > >>>>>
> > > >>>>> The key to making the IPA sudo rules work in 1.12 is to
> > > >>>>> remove the
> > > >>>> default_domain_suffix setting in the sssd.conf, but that's not
> > > >>>> an option in my environment.
> > > >>>>>
> > > >>>>> So all the moving parts together, it appears that having AD
> > > >>>>> groups with a different name than the IPA groups in
> > > >>>>> conjunction with the default_domain_suffix setting breaks things
> right now in 1.12.
> > > >>>>> Appears since I renamed the ad group to match then the rule
> > > >>>>> without a domain suffix will get matched now
> > > >>>>
> > > >>>> Hello Andy,
> > > >>>>
> > > >>>> I'm sorry for the constant delays, but I was busy with some
> > > >>>> trust-related fixes lately.
> > > >>>>
> > > >>>> Did you have a chance to confirm that just swapping sssd /on
> > > >>>> the client/ while keeping the same version on the server fixes
> > > >>>> the issue for
> > > >> you?
> > > >>>>
> > > >>>> Pavel (CC), can you help me out here, please? I have the setup
> > > >>>> ready on my machine, so tomor

Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo

2015-09-30 Thread Andy Thompson
> On 09/21/2015 10:42 PM, Andy Thompson wrote:
> >> On Mon, Sep 21, 2015 at 07:39:01PM +, Andy Thompson wrote:
> >>>> -Original Message-
> >>>> From: Jakub Hrozek [mailto:jhro...@redhat.com]
> >>>> Sent: Monday, September 21, 2015 3:29 PM
> >>>> To: Andy Thompson <andy.thomp...@e-tcc.com>
> >>>> Cc: freeipa-users@redhat.com; pbrez...@redhat.com
> >>>> Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
> >>>>
> >>>> On Mon, Sep 21, 2015 at 02:22:54PM +, Andy Thompson wrote:
> >>>>>>
> >>>>>> On Thu, Sep 17, 2015 at 11:42:54AM +, Andy Thompson wrote:
> >>>>>>> I've narrowed it down a bit doing some testing.  The sudo rules
> >>>>>>> work when
> >>>>>> I remove the user group restriction from them.  My sudo rules all
> >>>>>> have my ad groups in the rule
> >>>>>>>
> >>>>>>>Rule name: ad_linux_admins
> >>>>>>>Enabled: TRUE
> >>>>>>>Host category: all
> >>>>>>>Command category: all
> >>>>>>>RunAs User category: all
> >>>>>>>RunAs Group category: all
> >>>>>>>User Groups: ad_linux_admins  <- if I remove this then the
> >>>>>>> rule gets
> >>>>>> applied
> >>>>>>
> >>>>>> Nice catch. Is the group visible after you login and run id?
> >>>>>>
> >>>>>> What is the exact IPA server version?
> >>>>>
> >>>>> Ok I also figured out if I rename my AD groups to match my IPA
> >>>>> groups then
> >>>> the sudo rules are applied.
> >>>>>
> >>>>> I tested a couple things though, if I put a rule in the local
> >>>>> sudoers file on a server running sssd 1.11
> >>>>>
> >>>>> %@   "sudo commands"
> >>>>>
> >>>>> That rule was not applied.  If I remove the  then the
> >>>>> rule got
> >>>> applied.
> >>>>>
> >>>>> On a server running sssd 1.12 that rule works, but does not work
> >>>>> if I
> >>>> remove the .  And none of the IPA sudo rules work.  So
> >>>> something changed with the domain suffix between versions it would
> >>>> appear.
> >>>>>
> >>>>> The key to making the IPA sudo rules work in 1.12 is to remove
> >>>>> the
> >>>> default_domain_suffix setting in the sssd.conf, but that's not an
> >>>> option in my environment.
> >>>>>
> >>>>> So all the moving parts together, it appears that having AD groups
> >>>>> with a different name than the IPA groups in conjunction with the
> >>>>> default_domain_suffix setting breaks things right now in 1.12.
> >>>>> Appears since I renamed the ad group to match then the rule
> >>>>> without a domain suffix will get matched now
> >>>>
> >>>> Hello Andy,
> >>>>
> >>>> I'm sorry for the constant delays, but I was busy with some
> >>>> trust-related fixes lately.
> >>>>
> >>>> Did you have a chance to confirm that just swapping sssd /on the
> >>>> client/ while keeping the same version on the server fixes the
> >>>> issue for
> >> you?
> >>>>
> >>>> Pavel (CC), can you help me out here, please? I have the setup
> >>>> ready on my machine, so tomorrow we can take a look and experiment
> >>>> (I can give you access to my environment via tmate maybe..), but I
> >>>> wasn't able to reproduce the issue locally yet.
> >>>
> >>> It's fine I understand the backlog.
> >>>
> >>> I was not able to backrev the sssd due to dependency issues.  I
> >>> tried
> >> downgrading all the dependencies and got in a loop and stopped
> >> trying.  Are there any tricks you can think of to downgrade the sssd
> cleanly?
> >>>
> >>> -andy
> >>>
> >>
> >> What failures are you getting? I normally just download all \*sss\*
> >> packages and then downgrade with rpm -U --oldpackage.
> >
> >

Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo

2015-09-30 Thread Jakub Hrozek
On Wed, Sep 30, 2015 at 12:17:22PM +, Andy Thompson wrote:
> > On 09/21/2015 10:42 PM, Andy Thompson wrote:
> > >> On Mon, Sep 21, 2015 at 07:39:01PM +, Andy Thompson wrote:
> > >>>> -Original Message-
> > >>>> From: Jakub Hrozek [mailto:jhro...@redhat.com]
> > >>>> Sent: Monday, September 21, 2015 3:29 PM
> > >>>> To: Andy Thompson <andy.thomp...@e-tcc.com>
> > >>>> Cc: freeipa-users@redhat.com; pbrez...@redhat.com
> > >>>> Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
> > >>>>
> > >>>> On Mon, Sep 21, 2015 at 02:22:54PM +, Andy Thompson wrote:
> > >>>>>>
> > >>>>>> On Thu, Sep 17, 2015 at 11:42:54AM +, Andy Thompson wrote:
> > >>>>>>> I've narrowed it down a bit doing some testing.  The sudo rules
> > >>>>>>> work when
> > >>>>>> I remove the user group restriction from them.  My sudo rules all
> > >>>>>> have my ad groups in the rule
> > >>>>>>>
> > >>>>>>>Rule name: ad_linux_admins
> > >>>>>>>Enabled: TRUE
> > >>>>>>>Host category: all
> > >>>>>>>Command category: all
> > >>>>>>>RunAs User category: all
> > >>>>>>>RunAs Group category: all
> > >>>>>>>User Groups: ad_linux_admins  <- if I remove this then the
> > >>>>>>> rule gets
> > >>>>>> applied
> > >>>>>>
> > >>>>>> Nice catch. Is the group visible after you login and run id?
> > >>>>>>
> > >>>>>> What is the exact IPA server version?
> > >>>>>
> > >>>>> Ok I also figured out if I rename my AD groups to match my IPA
> > >>>>> groups then
> > >>>> the sudo rules are applied.
> > >>>>>
> > >>>>> I tested a couple things though, if I put a rule in the local
> > >>>>> sudoers file on a server running sssd 1.11
> > >>>>>
> > >>>>> %@   "sudo commands"
> > >>>>>
> > >>>>> That rule was not applied.  If I remove the  then the
> > >>>>> rule got
> > >>>> applied.
> > >>>>>
> > >>>>> On a server running sssd 1.12 that rule works, but does not work
> > >>>>> if I
> > >>>> remove the .  And none of the IPA sudo rules work.  So
> > >>>> something changed with the domain suffix between versions it would
> > >>>> appear.
> > >>>>>
> > >>>>> The key to making the IPA sudo rules work in 1.12 is to remove
> > >>>>> the
> > >>>> default_domain_suffix setting in the sssd.conf, but that's not an
> > >>>> option in my environment.
> > >>>>>
> > >>>>> So all the moving parts together, it appears that having AD groups
> > >>>>> with a different name than the IPA groups in conjunction with the
> > >>>>> default_domain_suffix setting breaks things right now in 1.12.
> > >>>>> Appears since I renamed the ad group to match then the rule
> > >>>>> without a domain suffix will get matched now
> > >>>>
> > >>>> Hello Andy,
> > >>>>
> > >>>> I'm sorry for the constant delays, but I was busy with some
> > >>>> trust-related fixes lately.
> > >>>>
> > >>>> Did you have a chance to confirm that just swapping sssd /on the
> > >>>> client/ while keeping the same version on the server fixes the
> > >>>> issue for
> > >> you?
> > >>>>
> > >>>> Pavel (CC), can you help me out here, please? I have the setup
> > >>>> ready on my machine, so tomorrow we can take a look and experiment
> > >>>> (I can give you access to my environment via tmate maybe..), but I
> > >>>> wasn't able to reproduce the issue locally yet.
> > >>>
> > >>> It's fine I understand the backlog.
> > >>>
> > >>> I was not able to backrev the sssd due to depen

Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo

2015-09-29 Thread Pavel Březina

On 09/21/2015 10:42 PM, Andy Thompson wrote:

On Mon, Sep 21, 2015 at 07:39:01PM +, Andy Thompson wrote:

-Original Message-
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent: Monday, September 21, 2015 3:29 PM
To: Andy Thompson <andy.thomp...@e-tcc.com>
Cc: freeipa-users@redhat.com; pbrez...@redhat.com
Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo

On Mon, Sep 21, 2015 at 02:22:54PM +, Andy Thompson wrote:


On Thu, Sep 17, 2015 at 11:42:54AM +, Andy Thompson wrote:

I've narrowed it down a bit doing some testing.  The sudo
rules work when

I remove the user group restriction from them.  My sudo rules
all have my ad groups in the rule


   Rule name: ad_linux_admins
   Enabled: TRUE
   Host category: all
   Command category: all
   RunAs User category: all
   RunAs Group category: all
   User Groups: ad_linux_admins  <- if I remove this then the
rule gets

applied

Nice catch. Is the group visible after you login and run id?

What is the exact IPA server version?


Ok I also figured out if I rename my AD groups to match my IPA
groups then

the sudo rules are applied.


I tested a couple things though, if I put a rule in the local
sudoers file on a server running sssd 1.11

%@   "sudo commands"

That rule was not applied.  If I remove the  then the
rule got

applied.


On a server running sssd 1.12 that rule works, but does not work
if I

remove the .  And none of the IPA sudo rules work.  So
something changed with the domain suffix between versions it would
appear.


The key to making the IPA sudo rules work in 1.12 is to remove
the

default_domain_suffix setting in the sssd.conf, but that's not an
option in my environment.


So all the moving parts together, it appears that having AD groups
with a different name than the IPA groups in conjunction with the
default_domain_suffix setting breaks things right now in 1.12.
Appears since I renamed the ad group to match then the rule
without a domain suffix will get matched now


Hello Andy,

I'm sorry for the constant delays, but I was busy with some
trust-related fixes lately.

Did you have a chance to confirm that just swapping sssd /on the
client/ while keeping the same version on the server fixes the issue for

you?


Pavel (CC), can you help me out here, please? I have the setup ready
on my machine, so tomorrow we can take a look and experiment (I can
give you access to my environment via tmate maybe..), but I wasn't
able to reproduce the issue locally yet.


It's fine I understand the backlog.

I was not able to backrev the sssd due to dependency issues.  I tried

downgrading all the dependencies and got in a loop and stopped trying.  Are
there any tricks you can think of to downgrade the sssd cleanly?


-andy



What failures are you getting? I normally just download all \*sss\* packages
and then downgrade with rpm -U --oldpackage.



I'm just trying to use yum.  If I yum downgrade sssd I get a ton of deps.  If 
I include all the deps it lists

yum downgrade sssd sssd-proxy sssd-ipa sssd-common-pac sssd-krb5 
sssd-krb5-common sssd-ldap sssd-ad libipa_hbac libipa_hbac-python 
python-sssdconfig

I get multilib errors with libsss_idmap.

Looks like my local repo doesn't have libsss_idmap 1.11 available.  Let me look 
into that and see what repo it sits in and see if I can figure out why it's not 
pulling in.

-andy



Hi, since none of us is able to reproduce this in house, can you give us 
more precise steps on how to reproduce and more information? What I have in 
mind at this moment is:


1) How is membership defined? I suspect it goes as AD-USER -> AD-GROUP 
-> IPA-GROUP, right? What types of groups are used?


2) sssd.conf might also turn out to be useful

3) Remove SSSD and sudo logs, reproduce and send us all the logs please 
with the commands to reproduce. Not just snippets.


Do you have any test machine we can ssh to?

Thank you!

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
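
The downgrade trouble in this message (a dependency loop with yum, then a multilib error on libsss_idmap) is a version-set problem: every package of the SSSD stack, for every installed architecture, has to move to the same old version in one transaction. The script below is an added example, not from the thread or from the SSSD project. It works on constructed `rpm -qa` output (the package names are the EL6 sssd subpackages from Andy's yum command plus sssd-common, sssd-client and libsss_idmap; the target version 1.11.6-30.el6 is an assumption), lists the packages that must be downgraded together, flags names installed for more than one architecture (each needs an old i686 and an old x86_64 RPM, otherwise yum reports a multilib conflict), detects an existing version skew between the two architectures, and prints the `rpm -Uvh --oldpackage` command Jakub described.

```shell
#!/bin/sh
# Added example, not from the thread or the SSSD project. Works on the output of
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE} %{ARCH}\n'
# and derives the complete SSSD-stack downgrade set, the names installed
# multilib (i686 + x86_64), any version skew between those arches, and the
# rpm -Uvh --oldpackage command. RPM_QA is constructed sample data and
# TARGET_VERSION is an assumed downgrade target, not values from a real host.

RPM_QA='sssd 1.12.4-47.el6 x86_64
sssd-common 1.12.4-47.el6 x86_64
sssd-client 1.12.4-47.el6 x86_64
sssd-client 1.12.4-47.el6 i686
sssd-ipa 1.12.4-47.el6 x86_64
sssd-ad 1.12.4-47.el6 x86_64
sssd-krb5 1.12.4-47.el6 x86_64
sssd-krb5-common 1.12.4-47.el6 x86_64
sssd-ldap 1.12.4-47.el6 x86_64
sssd-proxy 1.12.4-47.el6 x86_64
sssd-common-pac 1.12.4-47.el6 x86_64
libsss_idmap 1.12.4-47.el6 x86_64
libsss_idmap 1.12.4-47.el6 i686
libipa_hbac 1.12.4-47.el6 x86_64
libipa_hbac-python 1.12.4-47.el6 x86_64
python-sssdconfig 1.12.4-47.el6 noarch
bash 4.1.2-33.el6 x86_64'

TARGET_VERSION=1.11.6-30.el6

# Lines of $1 that belong to the SSSD stack: anything with "sss" in the name
# (Jakub's "*sss*", which also covers python-sssdconfig) plus libipa_hbac*,
# which yum pulled into Andy's downgrade as well.
sssd_stack() {
    printf '%s\n' "$1" | awk '$1 ~ /sss/ || $1 ~ /^libipa_hbac/'
}

# Names installed for more than one architecture (noarch never is).
multilib_names() {
    sssd_stack "$1" | awk '$3 != "noarch" { n[$1]++ } END { for (p in n) if (n[p] > 1) print p }' | sort
}

# Names whose copies are not all at the same version. yum will not leave two
# arches at different versions, so each such name needs an old RPM for every
# arch before the downgrade can be resolved at all.
multilib_version_skew() {
    sssd_stack "$1" | awk '{ if (($1 in v) && v[$1] != $2) skew[$1] = 1; v[$1] = $2 }
                           END { for (p in skew) print p }' | sort
}

# One RPM file name per installed (name, arch) pair at target version $2.
downgrade_files() {
    sssd_stack "$1" | awk -v ver="$2" '{ print $1 "-" ver "." $3 ".rpm" }' | sort -u
}

# The rpm command Jakub described, all files on one line; printed, not run.
downgrade_command() {
    printf 'rpm -Uvh --oldpackage'
    downgrade_files "$1" "$2" | while IFS= read -r f; do printf ' %s' "$f"; done
    printf '\n'
}

printf 'SSSD-stack packages installed: %s\n' "$(sssd_stack "$RPM_QA" | wc -l | tr -d ' ')"
printf 'multilib names (need an old RPM per arch): %s\n' "$(multilib_names "$RPM_QA" | tr '\n' ' ')"
skew=$(multilib_version_skew "$RPM_QA")
[ -z "$skew" ] || printf 'WARNING: arches at different versions: %s\n' "$skew"
downgrade_command "$RPM_QA" "$TARGET_VERSION"
```

The file list is what has to be present in the download directory before `rpm -Uvh --oldpackage` is run; a missing i686 file for a multilib name is the same gap that made yum fail here, just reported up front instead of mid-transaction.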


Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo

2015-09-24 Thread Pavel Reichl

Hello Andy,

I understand that you run sssd-1.12.4-47.el6.x86_64 on ipa client, right?

What version of SSSD do you run on ipa server?



Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo

2015-09-24 Thread Pavel Reichl

On 09/24/2015 02:50 PM, Andy Thompson wrote:

-Original Message-
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
boun...@redhat.com] On Behalf Of Pavel Reichl
Sent: Thursday, September 24, 2015 5:18 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo

Hello Andy,

I understand that you run sssd-1.12.4-47.el6.x86_64 on ipa client, right?

What version of SSSD do you run on ipa server?



The servers are running

sssd-1.12.2-58.el7_1.14.x86_64

-andy


Thanks, I prepared a scratch build containing patches for 
https://fedorahosted.org/sssd/ticket/2633 that could fix your problems. 
Please consider installing the build on your ipa server but please avoid using 
it in production environment. Thanks!

https://copr.fedoraproject.org/coprs/preichl/fix_ext_grp/



Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo

2015-09-24 Thread Andy Thompson
> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Pavel Reichl
> Sent: Thursday, September 24, 2015 5:18 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
> 
> Hello Andy,
> 
> I understand that you run sssd-1.12.4-47.el6.x86_64 on ipa client, right?
> 
> What version of SSSD do you run on ipa server?
> 

The servers are running

sssd-1.12.2-58.el7_1.14.x86_64

-andy



Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo

2015-09-24 Thread Andy Thompson
Ok it will take me a while to get my test environment setup to match what I 
have in prod currently and I can do some testing at that point in time.

-andy


From: Pavel Reichl <prei...@redhat.com>
Sent: Thursday, September 24, 2015 9:43 AM
To: Andy Thompson; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo

On 09/24/2015 02:50 PM, Andy Thompson wrote:
>> -Original Message-
>> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
>> boun...@redhat.com] On Behalf Of Pavel Reichl
>> Sent: Thursday, September 24, 2015 5:18 AM
>> To: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
>>
>> Hello Andy,
>>
>> I understand that you run sssd-1.12.4-47.el6.x86_64 on ipa client, right?
>>
>> What version of SSSD do you run on ipa server?
>>
>
> The servers are running
>
> sssd-1.12.2-58.el7_1.14.x86_64
>
> -andy
>
Thanks, I prepared a scratch build containing patches for 
https://fedorahosted.org/sssd/ticket/2633 that could fix your problems. 
Please consider installing the build on your ipa server but please avoid using 
it in production environment. Thanks!

https://copr.fedoraproject.org/coprs/preichl/fix_ext_grp/



Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo

2015-09-21 Thread Andy Thompson
> 
> On Thu, Sep 17, 2015 at 11:42:54AM +, Andy Thompson wrote:
> > I've narrowed it down a bit doing some testing.  The sudo rules work when
> I remove the user group restriction from them.  My sudo rules all have my ad
> groups in the rule
> >
> >   Rule name: ad_linux_admins
> >   Enabled: TRUE
> >   Host category: all
> >   Command category: all
> >   RunAs User category: all
> >   RunAs Group category: all
> >   User Groups: ad_linux_admins  <- if I remove this then the rule gets
> applied
> 
> Nice catch. Is the group visible after you login and run id?
> 
> What is the exact IPA server version?

Ok I also figured out if I rename my AD groups to match my IPA groups then the 
sudo rules are applied.  

I tested a couple things though, if I put a rule in the local sudoers file on a 
server running sssd 1.11 

%@   "sudo commands"

That rule was not applied.  If I remove the  then the rule got 
applied.  

On a server running sssd 1.12 that rule works, but does not work if I remove 
the .  And none of the IPA sudo rules work.  So something changed 
with the domain suffix between versions it would appear.

The key to making the IPA sudo rules work in 1.12 is to remove the 
default_domain_suffix setting in the sssd.conf, but that's not an option in my 
environment. 

So all the moving parts together, it appears that having AD groups with a 
different name than the IPA groups in conjunction with the 
default_domain_suffix setting breaks things right now in 1.12.  Appears since I 
renamed the ad group to match then the rule without a domain suffix will get 
matched now

-andy




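
Two things in this exchange can be checked mechanically: whether the group shows up in `id` for the logged-in user (Jakub's question) and whether the name the user receives matches the name in the rule with or without a domain qualifier (Andy's renaming experiment). The script below is an added example and not from the thread or from FreeIPA/SSSD. It parses constructed `id` output for one AD user, once in the fully qualified "name@domain" form a client with default_domain_suffix prints and once without, plus the constructed `ipa sudorule-show` output of the rule above, and reports for every group under User Groups whether the user receives it exactly, only after the "@domain" qualifier is stripped, or not at all. The user, group and domain names (jdoe, ad.example.com) are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the SSSD/FreeIPA projects. Compares the
# groups a user actually receives ("id" output) against the "User Groups" of an
# IPA sudo rule, and reports whether each rule group is present exactly, present
# only once an "@domain" qualifier (as printed with default_domain_suffix) is
# stripped, or absent. All "id" and "ipa sudorule-show" text below is constructed.

# Constructed: an AD user on a client with default_domain_suffix set, so every
# user and group name carries the "@ad.example.com" qualifier.
ID_WITH_SUFFIX='uid=1234567(jdoe@ad.example.com) gid=1234567(domain users@ad.example.com) groups=1234567(domain users@ad.example.com),1234890(ad_linux_admins@ad.example.com)'

# Constructed: the same user on a client without default_domain_suffix.
ID_PLAIN='uid=1234567(jdoe) gid=1234567(domain users) groups=1234567(domain users),1234890(ad_linux_admins)'

# Constructed: the rule from the thread, as "ipa sudorule-show" prints it.
RULE_SHOW='  Rule name: ad_linux_admins
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: ad_linux_admins'

# Print the group names from an "id" line, one per line (names may contain spaces).
id_group_names() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' |
        sed 's/^[0-9]*(//; s/)$//'
}

# Print the groups listed under "User Groups:" in sudorule-show output, one per line.
rule_user_groups() {
    printf '%s\n' "$1" | sed -n 's/^ *User Groups: *//p' | tr ',' '\n' |
        sed 's/^ *//; s/ *$//'
}

# Drop an "@domain" qualifier: "g@ad.example.com" -> "g".
short_name() {
    printf '%s\n' "$1" | sed 's/@.*$//'
}

# Classify how rule group $1 relates to the newline-separated group list $2:
# "exact", "short-name-only" (matches only with the qualifier stripped), or
# "none" (the user does not receive the group at all).
match_rule_group() {
    result=none
    while IFS= read -r g; do
        [ -n "$g" ] || continue
        if [ "$g" = "$1" ]; then
            result=exact
            break
        fi
        if [ "$(short_name "$g")" = "$(short_name "$1")" ]; then
            result=short-name-only
        fi
    done <<EOF
$2
EOF
    printf '%s\n' "$result"
}

# One line per rule group: "<group>: <verdict>". $1 is sudorule-show output,
# $2 is the "id" line for the user being tested.
diagnose_rule() {
    user_groups=$(id_group_names "$2")
    rule_user_groups "$1" | while IFS= read -r rg; do
        printf '%s: %s\n' "$rg" "$(match_rule_group "$rg" "$user_groups")"
    done
}

echo "client without default_domain_suffix:"
diagnose_rule "$RULE_SHOW" "$ID_PLAIN"
echo "client with default_domain_suffix:"
diagnose_rule "$RULE_SHOW" "$ID_WITH_SUFFIX"
```

Reading the verdicts: "none" means the membership chain (AD user -> AD group -> external IPA group -> IPA group) did not resolve into that group on the client, so the group side needs looking at before the sudo side; "short-name-only" means the only difference is the domain qualifier, which is the default_domain_suffix situation described in this thread. On a real client, replace the constructed strings with the output of `id <user>` and `ipa sudorule-show <rule>`.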


Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo

2015-09-21 Thread Andy Thompson
> -Original Message-
> From: Jakub Hrozek [mailto:jhro...@redhat.com]
> Sent: Monday, September 21, 2015 3:29 PM
> To: Andy Thompson <andy.thomp...@e-tcc.com>
> Cc: freeipa-users@redhat.com; pbrez...@redhat.com
> Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
> 
> On Mon, Sep 21, 2015 at 02:22:54PM +, Andy Thompson wrote:
> > >
> > > On Thu, Sep 17, 2015 at 11:42:54AM +, Andy Thompson wrote:
> > > > I've narrowed it down a bit doing some testing.  The sudo rules
> > > > work when
> > > I remove the user group restriction from them.  My sudo rules all
> > > have my ad groups in the rule
> > > >
> > > >   Rule name: ad_linux_admins
> > > >   Enabled: TRUE
> > > >   Host category: all
> > > >   Command category: all
> > > >   RunAs User category: all
> > > >   RunAs Group category: all
> > > >   User Groups: ad_linux_admins  <- if I remove this then the rule
> > > > gets
> > > applied
> > >
> > > Nice catch. Is the group visible after you login and run id?
> > >
> > > What is the exact IPA server version?
> >
> > Ok I also figured out if I rename my AD groups to match my IPA groups then
> the sudo rules are applied.
> >
> > I tested a couple things though, if I put a rule in the local sudoers
> > file on a server running sssd 1.11
> >
> > %@   "sudo commands"
> >
> > That rule was not applied.  If I remove the  then the rule got
> applied.
> >
> > On a server running sssd 1.12 that rule works, but does not work if I
> remove the .  And none of the IPA sudo rules work.  So
> something changed with the domain suffix between versions it would
> appear.
> >
> > The key to making the IPA sudo rules work in 1.12 is to remove the
> default_domain_suffix setting in the sssd.conf, but that's not an option in my
> environment.
> >
> > So all the moving parts together, it appears that having AD groups
> > with a different name than the IPA groups in conjunction with the
> > default_domain_suffix setting breaks things right now in 1.12.
> > Appears since I renamed the ad group to match then the rule without a
> > domain suffix will get matched now
> 
> Hello Andy,
> 
> I'm sorry for the constant delays, but I was busy with some trust-related 
> fixes
> lately.
> 
> Did you have a chance to confirm that just swapping sssd /on the client/
> while keeping the same version on the server fixes the issue for you?
> 
> Pavel (CC), can you help me out here, please? I have the setup ready on my
> machine, so tomorrow we can take a look and experiment (I can give you
> access to my environment via tmate maybe..), but I wasn't able to reproduce
> the issue locally yet.

It's fine I understand the backlog.  

I was not able to backrev the sssd due to dependency issues.  I tried 
downgrading all the dependencies and got in a loop and stopped trying.  Are 
there any tricks you can think of to downgrade the sssd cleanly?

-andy




Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo

2015-09-21 Thread Jakub Hrozek
On Mon, Sep 21, 2015 at 07:39:01PM +, Andy Thompson wrote:
> > -Original Message-
> > From: Jakub Hrozek [mailto:jhro...@redhat.com]
> > Sent: Monday, September 21, 2015 3:29 PM
> > To: Andy Thompson <andy.thomp...@e-tcc.com>
> > Cc: freeipa-users@redhat.com; pbrez...@redhat.com
> > Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
> > 
> > On Mon, Sep 21, 2015 at 02:22:54PM +, Andy Thompson wrote:
> > > >
> > > > On Thu, Sep 17, 2015 at 11:42:54AM +, Andy Thompson wrote:
> > > > > I've narrowed it down a bit doing some testing.  The sudo rules
> > > > > work when
> > > > I remove the user group restriction from them.  My sudo rules all
> > > > have my ad groups in the rule
> > > > >
> > > > >   Rule name: ad_linux_admins
> > > > >   Enabled: TRUE
> > > > >   Host category: all
> > > > >   Command category: all
> > > > >   RunAs User category: all
> > > > >   RunAs Group category: all
> > > > >   User Groups: ad_linux_admins  <- if I remove this then the rule
> > > > > gets
> > > > applied
> > > >
> > > > Nice catch. Is the group visible after you login and run id?
> > > >
> > > > What is the exact IPA server version?
> > >
> > > Ok I also figured out if I rename my AD groups to match my IPA groups then
> > > the sudo rules are applied.
> > >
> > > I tested a couple things though, if I put a rule in the local sudoers
> > > file on a server running sssd 1.11
> > >
> > > %@   "sudo commands"
> > >
> > > That rule was not applied.  If I remove the  then the rule got
> > > applied.
> > >
> > > On a server running sssd 1.12 that rule works, but does not work if I
> > > remove the .  And none of the IPA sudo rules work.  So
> > > something changed with the domain suffix between versions it would
> > > appear.
> > >
> > > The key to making the IPA sudo rules work in 1.12 is to remove the
> > > default_domain_suffix setting in the sssd.conf, but that's not an option in
> > > my environment.
> > >
> > > So all the moving parts together, it appears that having AD groups
> > > with a different name than the IPA groups in conjunction with the
> > > default_domain_suffix setting breaks things right now in 1.12.
> > > Appears since I renamed the ad group to match then the rule without a
> > > domain suffix will get matched now
> > 
> > Hello Andy,
> > 
> > I'm sorry for the constant delays, but I was busy with some trust-related 
> > fixes
> > lately.
> > 
> > Did you have a chance to confirm that just swapping sssd /on the client/
> > while keeping the same version on the server fixes the issue for you?
> > 
> > Pavel (CC), can you help me out here, please? I have the setup ready on my
> > machine, so tomorrow we can take a look and experiment (I can give you
> > access to my environment via tmate maybe..), but I wasn't able to reproduce
> > the issue locally yet.
> 
> It's fine, I understand the backlog.
> 
> I was not able to backrev the sssd due to dependency issues.  I tried 
> downgrading all the dependencies and got in a loop and stopped trying.  Are 
> there any tricks you can think of to downgrade the sssd cleanly?
> 
> -andy
> 

What failures are you getting? I normally just download all *sss*
packages and then downgrade with rpm -U --oldpackage.



Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo

2015-09-21 Thread Andy Thompson
> On Mon, Sep 21, 2015 at 07:39:01PM +, Andy Thompson wrote:
> > > -Original Message-
> > > From: Jakub Hrozek [mailto:jhro...@redhat.com]
> > > Sent: Monday, September 21, 2015 3:29 PM
> > > To: Andy Thompson <andy.thomp...@e-tcc.com>
> > > Cc: freeipa-users@redhat.com; pbrez...@redhat.com
> > > Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
> > >
> > > On Mon, Sep 21, 2015 at 02:22:54PM +, Andy Thompson wrote:
> > > > >
> > > > > On Thu, Sep 17, 2015 at 11:42:54AM +, Andy Thompson wrote:
> > > > > > I've narrowed it down a bit doing some testing.  The sudo
> > > > > > rules work when
> > > > > I remove the user group restriction from them.  My sudo rules
> > > > > all have my ad groups in the rule
> > > > > >
> > > > > >   Rule name: ad_linux_admins
> > > > > >   Enabled: TRUE
> > > > > >   Host category: all
> > > > > >   Command category: all
> > > > > >   RunAs User category: all
> > > > > >   RunAs Group category: all
> > > > > >   User Groups: ad_linux_admins  <- if I remove this then the
> > > > > > rule gets
> > > > > applied
> > > > >
> > > > > Nice catch. Is the group visible after you login and run id?
> > > > >
> > > > > What is the exact IPA server version?
> > > >
> > > > Ok I also figured out if I rename my AD groups to match my IPA
> > > > groups then the sudo rules are applied.
> > > >
> > > > I tested a couple things though, if I put a rule in the local
> > > > sudoers file on a server running sssd 1.11
> > > >
> > > > %@   "sudo commands"
> > > >
> > > > That rule was not applied.  If I remove the  then the
> > > > rule got applied.
> > > >
> > > > On a server running sssd 1.12 that rule works, but does not work
> > > > if I remove the .  And none of the IPA sudo rules work.  So
> > > > something changed with the domain suffix between versions it would
> > > > appear.
> > > >
> > > > The key to making the IPA sudo rules work in 1.12 is to remove
> > > > the default_domain_suffix setting in the sssd.conf, but that's not an
> > > > option in my environment.
> > > >
> > > > So all the moving parts together, it appears that having AD groups
> > > > with a different name than the IPA groups in conjunction with the
> > > > default_domain_suffix setting breaks things right now in 1.12.
> > > > Appears since I renamed the ad group to match then the rule
> > > > without a domain suffix will get matched now
> > >
> > > Hello Andy,
> > >
> > > I'm sorry for the constant delays, but I was busy with some
> > > trust-related fixes lately.
> > >
> > > Did you have a chance to confirm that just swapping sssd /on the
> > > client/ while keeping the same version on the server fixes the issue for
> > > you?
> > >
> > > Pavel (CC), can you help me out here, please? I have the setup ready
> > > on my machine, so tomorrow we can take a look and experiment (I can
> > > give you access to my environment via tmate maybe..), but I wasn't
> > > able to reproduce the issue locally yet.
> >
> > It's fine, I understand the backlog.
> >
> > I was not able to backrev the sssd due to dependency issues.  I tried
> > downgrading all the dependencies and got in a loop and stopped trying.  Are
> > there any tricks you can think of to downgrade the sssd cleanly?
> >
> > -andy
> >
> 
> What failures are you getting? I normally just download all *sss* packages
> and then downgrade with rpm -U --oldpackage.


I'm just trying to use yum.  If I yum downgrade sssd I get a ton of deps.  If
I include all the deps it lists

yum downgrade sssd sssd-proxy sssd-ipa sssd-common-pac sssd-krb5 
sssd-krb5-common sssd-ldap sssd-ad libipa_hbac libipa_hbac-python 
python-sssdconfig

I get multilib errors with libsss_idmap.  

Looks like my local repo doesn't have libsss_idmap 1.11 available.  Let me look 
into that and see what repo it sits in and see if I can figure out why it's not 
pulling in.

-andy




Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo

2015-09-21 Thread Jakub Hrozek
On Mon, Sep 21, 2015 at 02:22:54PM +, Andy Thompson wrote:
> > 
> > On Thu, Sep 17, 2015 at 11:42:54AM +, Andy Thompson wrote:
> > > I've narrowed it down a bit doing some testing.  The sudo rules work when
> > > I remove the user group restriction from them.  My sudo rules all have my ad
> > > groups in the rule
> > >
> > >   Rule name: ad_linux_admins
> > >   Enabled: TRUE
> > >   Host category: all
> > >   Command category: all
> > >   RunAs User category: all
> > >   RunAs Group category: all
> > >   User Groups: ad_linux_admins  <- if I remove this then the rule gets applied
> > 
> > Nice catch. Is the group visible after you login and run id?
> > 
> > What is the exact IPA server version?
> 
> Ok I also figured out if I rename my AD groups to match my IPA groups then 
> the sudo rules are applied.  
> 
> I tested a couple things though, if I put a rule in the local sudoers file on 
> a server running sssd 1.11 
> 
> %@   "sudo commands"
> 
> That rule was not applied.  If I remove the  then the rule got 
> applied.  
> 
> On a server running sssd 1.12 that rule works, but does not work if I remove 
> the .  And none of the IPA sudo rules work.  So something changed 
> with the domain suffix between versions it would appear.
> 
> The key to making the IPA sudo rules work in 1.12 is to remove the
> default_domain_suffix setting in the sssd.conf, but that's not an option in 
> my environment. 
> 
> So all the moving parts together, it appears that having AD groups with a 
> different name than the IPA groups in conjunction with the 
> default_domain_suffix setting breaks things right now in 1.12.  Appears since 
> I renamed the ad group to match then the rule without a domain suffix will 
> get matched now

Hello Andy,

I'm sorry for the constant delays, but I was busy with some
trust-related fixes lately.

Did you have a chance to confirm that just swapping sssd /on the client/
while keeping the same version on the server fixes the issue for you?

Pavel (CC), can you help me out here, please? I have the setup ready on
my machine, so tomorrow we can take a look and experiment (I can give you
access to my environment via tmate maybe..), but I wasn't able to reproduce
the issue locally yet.



Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo

2015-09-21 Thread Andy Thompson
> > On Mon, Sep 21, 2015 at 07:39:01PM +, Andy Thompson wrote:
> > > > -Original Message-
> > > > From: Jakub Hrozek [mailto:jhro...@redhat.com]
> > > > Sent: Monday, September 21, 2015 3:29 PM
> > > > To: Andy Thompson <andy.thomp...@e-tcc.com>
> > > > Cc: freeipa-users@redhat.com; pbrez...@redhat.com
> > > > Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
> > > >
> > > > On Mon, Sep 21, 2015 at 02:22:54PM +, Andy Thompson wrote:
> > > > > >
> > > > > > On Thu, Sep 17, 2015 at 11:42:54AM +, Andy Thompson wrote:
> > > > > > > I've narrowed it down a bit doing some testing.  The sudo
> > > > > > > rules work when
> > > > > > I remove the user group restriction from them.  My sudo rules
> > > > > > all have my ad groups in the rule
> > > > > > >
> > > > > > >   Rule name: ad_linux_admins
> > > > > > >   Enabled: TRUE
> > > > > > >   Host category: all
> > > > > > >   Command category: all
> > > > > > >   RunAs User category: all
> > > > > > >   RunAs Group category: all
> > > > > > >   User Groups: ad_linux_admins  <- if I remove this then the
> > > > > > > rule gets
> > > > > > applied
> > > > > >
> > > > > > Nice catch. Is the group visible after you login and run id?
> > > > > >
> > > > > > What is the exact IPA server version?
> > > > >
> > > > > Ok I also figured out if I rename my AD groups to match my IPA
> > > > > groups then the sudo rules are applied.
> > > > >
> > > > > I tested a couple things though, if I put a rule in the local
> > > > > sudoers file on a server running sssd 1.11
> > > > >
> > > > > %@   "sudo commands"
> > > > >
> > > > > That rule was not applied.  If I remove the  then
> > > > > the rule got applied.
> > > > >
> > > > > On a server running sssd 1.12 that rule works, but does not work
> > > > > if I remove the .  And none of the IPA sudo rules work.  So
> > > > > something changed with the domain suffix between versions it would
> > > > > appear.
> > > > >
> > > > > The key to making the IPA sudo rules work in 1.12 is to remove
> > > > > the default_domain_suffix setting in the sssd.conf, but that's not an
> > > > > option in my environment.
> > > > >
> > > > > So all the moving parts together, it appears that having AD
> > > > > groups with a different name than the IPA groups in conjunction
> > > > > with the default_domain_suffix setting breaks things right now in
> > > > > 1.12.
> > > > > Appears since I renamed the ad group to match then the rule
> > > > > without a domain suffix will get matched now
> > > >
> > > > Hello Andy,
> > > >
> > > > I'm sorry for the constant delays, but I was busy with some
> > > > trust-related fixes lately.
> > > >
> > > > Did you have a chance to confirm that just swapping sssd /on the
> > > > client/ while keeping the same version on the server fixes the
> > > > issue for you?
> > > >
> > > > Pavel (CC), can you help me out here, please? I have the setup
> > > > ready on my machine, so tomorrow we can take a look and experiment
> > > > (I can give you access to my environment via tmate maybe..), but I
> > > > wasn't able to reproduce the issue locally yet.
> > >
> > > It's fine, I understand the backlog.
> > >
> > > I was not able to backrev the sssd due to dependency issues.  I
> > > tried downgrading all the dependencies and got in a loop and stopped trying.
> > > Are there any tricks you can think of to downgrade the sssd cleanly?
> > >
> > > -andy
> > >
> >
> > What failures are you getting? I normally just download all *sss*
> > packages and then downgrade with rpm -U --oldpackage.
> 
> 
> I'm just trying to use yum.  If I yum downgrade sssd I get a ton of deps.  If
> I include all the deps it lists
> 
> yum downgrade sssd sssd-proxy sssd-ipa sssd-common-pac 

Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo

2015-09-18 Thread Jakub Hrozek
On Thu, Sep 17, 2015 at 11:42:54AM +, Andy Thompson wrote:
> I've narrowed it down a bit doing some testing.  The sudo rules work when I 
> remove the user group restriction from them.  My sudo rules all have my ad 
> groups in the rule
> 
>   Rule name: ad_linux_admins
>   Enabled: TRUE
>   Host category: all
>   Command category: all
>   RunAs User category: all
>   RunAs Group category: all
>   User Groups: ad_linux_admins  <- if I remove this then the rule gets applied

Nice catch. Is the group visible after you login and run id?

What is the exact IPA server version?



Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo

2015-09-18 Thread Andy Thompson


> -Original Message-
> From: Jakub Hrozek [mailto:jhro...@redhat.com]
> Sent: Friday, September 18, 2015 4:42 AM
> To: Andy Thompson <andy.thomp...@e-tcc.com>
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
> 
> On Thu, Sep 17, 2015 at 11:42:54AM +, Andy Thompson wrote:
> > I've narrowed it down a bit doing some testing.  The sudo rules work when
> > I remove the user group restriction from them.  My sudo rules all have my ad
> > groups in the rule
> >
> >   Rule name: ad_linux_admins
> >   Enabled: TRUE
> >   Host category: all
> >   Command category: all
> >   RunAs User category: all
> >   RunAs Group category: all
> >   User Groups: ad_linux_admins  <- if I remove this then the rule gets applied
> 
> Nice catch. Is the group visible after you login and run id?

Ya the groups show up for the users using id

[athompson@mhbenp.local@mdhixuatsmtp01 ~]$ id
uid=1506401106(athompson@mhbenp.local) gid=1506401106(athompson@mhbenp.local) groups=1506401106(athompson@mhbenp.local),124910(ad_linux_admins),1506400512(domain admins@mhbenp.local),1506400513(domain users@mhbenp.local),1506401124(admin vpn users@mhbenp.local),1506401239(linux admins@mhbenp.local)

> 
> What is the exact IPA server version?


Installed Packages
ipa-server.x86_64   4.1.0-18.el7_1.4


thanks

-andy
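As an added example (not code from this thread, from SSSD or from FreeIPA), here is a small Python parser for the `id` output quoted above. It answers Jakub's question mechanically: is the group named in the IPA sudo rule present in the user's membership, and under which spelling? It also classifies the short-name versus name@domain mismatch the rest of the thread turns on, which is the first thing to check when a group-restricted sudo rule stops matching after a `default_domain_suffix` change. The sample output is constructed from the lines quoted above and keeps the archive's line wrap so the normalisation step is exercised.

```python
import re

# Constructed sample, modelled on the `id` output quoted in this thread.
# It deliberately keeps the archive's line wrap inside "domain admins" so
# the parser has to normalise whitespace before it can trust the fields.
SAMPLE_ID_OUTPUT = (
    "uid=1506401106(athompson@mhbenp.local) gid=1506401106(athompson@mhbenp.local) \n"
    "groups=1506401106(athompson@mhbenp.local),124910(ad_linux_admins),1506400512(domain\n"
    " admins@mhbenp.local),1506400513(domain users@mhbenp.local),1506401124(admin \n"
    "vpn users@mhbenp.local),1506401239(linux admins@mhbenp.local)"
)

# `id` prints fields as key=value; group names may contain spaces but never
# parentheses, so each entry is matched as number(name).
_FIELD = re.compile(r"\b(uid|gid|groups)=")
_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id_output(text):
    """Parse `id` output into (uid, gid, groups); each entry is (number, name)."""
    text = " ".join(text.split())  # undo line wrapping from the mail archive
    marks = list(_FIELD.finditer(text))
    fields = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        fields[m.group(1)] = [(int(n), name) for n, name in _ENTRY.findall(text[m.end():end])]
    return fields["uid"][0], fields["gid"][0], fields.get("groups", [])


def split_name(name):
    """Split 'group@domain' into (group, domain); domain is None for a short name."""
    short, sep, domain = name.rpartition("@")
    return (short, domain) if sep else (name, None)


def group_visible(groups, wanted):
    """Report how the group named in a sudo rule shows up in a user's membership.

    Returns "exact" when an entry carries exactly that name, "qualified" when
    the rule uses a short name but the user only holds name@domain, "short"
    for the reverse, and None when the user is not a member under either spelling.
    """
    names = [name for _, name in groups]
    if wanted in names:
        return "exact"
    w_short, w_dom = split_name(wanted)
    for name in names:
        short, dom = split_name(name)
        if short != w_short:
            continue
        if w_dom is None and dom is not None:
            return "qualified"
        if w_dom is not None and dom is None:
            return "short"
    return None


if __name__ == "__main__":
    uid, gid, groups = parse_id_output(SAMPLE_ID_OUTPUT)
    print("uid", uid, "gid", gid)
    for rule_group in ("ad_linux_admins", "linux admins",
                       "ad_linux_admins@mhbenp.local", "wheel"):
        print(f"{rule_group!r}: {group_visible(groups, rule_group)}")
```

Run against the quoted output, `ad_linux_admins` (the group in the IPA rule) is reported as `exact`, while an AD group such as `linux admins` is only visible in its qualified form; a rule that names the other spelling is the kind of mismatch worth ruling out before downgrading packages.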




Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo

2015-09-17 Thread Andy Thompson
I've narrowed it down a bit doing some testing.  The sudo rules work when I 
remove the user group restriction from them.  My sudo rules all have my ad 
groups in the rule

  Rule name: ad_linux_admins
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: ad_linux_admins  <- if I remove this then the rule gets applied
  Sudo Option: !authenticate

-andy

> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Jakub Hrozek
> Sent: Tuesday, September 15, 2015 8:37 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
> 
> Sorry for not replying sooner, many of us were mostly offline last week.
> 
> I'll try to reproduce locally..
> 
> On Tue, Sep 15, 2015 at 12:24:45PM +, Andy Thompson wrote:
> > I just updated several machines to RHEL 6.7 and seem to have broken my
> > sudo rules.  I've tracked the problem down to having
> >
> > Default_domain_suffix = ad.domain
> >
> > In the sssd.conf.  If I remove that I can login using the fqn from AD and
> > sudo rules are applied as configured.  However I don't want to force my users
> > to change to using their fqn to login, and due to having db2 in the
> > environment our usernames are limited to 8 characters so we cannot use the
> > fqn regardless.
> >
> > I tested adding a local sudo rule for %ad_domain_group@ipa.domain and it
> > worked, but any IPA rules are not working.  A rule in the sudoers would not
> > work unless it was a fqn either which I expected with the default domain
> > suffix set.
> >
> > Update installed sssd-1.12.4-47.el6.x86_64.  Redhat wants me to test
> > downgrading my sssd, which I'm not entirely opposed to in order to get
> > things working, but there are some fixes in this release I kinda want to keep.
> >
> > -andy
> >
> >
> >
> > *** This communication may contain privileged and/or confidential
> > information. It is intended solely for the use of the addressee. If you are
> > not the intended recipient, you are strictly prohibited from disclosing, copying,
> > distributing or using any of this information. If you received this
> > communication in error, please contact the sender immediately and destroy
> > the material in its entirety, whether electronic or hard copy. ***


Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo

2015-09-15 Thread Jakub Hrozek
Sorry for not replying sooner, many of us were mostly offline last week.

I'll try to reproduce locally..

On Tue, Sep 15, 2015 at 12:24:45PM +, Andy Thompson wrote:
> I just updated several machines to RHEL 6.7 and seem to have broken my sudo 
> rules.  I've tracked the problem down to having
> 
> Default_domain_suffix = ad.domain
> 
> In the sssd.conf.  If I remove that I can login using the fqn from AD and 
> sudo rules are applied as configured.  However I don't want to force my users 
> to change to using their fqn to login, and due to having db2 in the 
> environment our usernames are limited to 8 characters so we cannot use the 
> fqn regardless.
> 
> I tested adding a local sudo rule for %ad_domain_group@ipa.domain and it 
> worked, but any IPA rules are not working.  A rule in the sudoers would not 
> work unless it was a fqn either which I expected with the default domain 
> suffix set.
> 
> Update installed sssd-1.12.4-47.el6.x86_64.  Redhat wants me to test 
> downgrading my sssd, which I'm not entirely opposed to in order to get things 
> working, but there are some fixes in this release I kinda want to keep.
> 
> -andy
> 