On Tue, May 24, 2016 at 07:19:31PM +0000, Mote, Todd wrote:
> So I've extended my AD and created a sudoRole in an OU, and can get it to
> work for a single user. I can't however get it to work with an AD group.
>
> I've tried %<adgroupname>, <adgroupname>, and +<adgroupname> all in the
> sudoUser attribute on the object, but cannot get it to use the group. Getent
> group <adgroupname> returns members. Reading the Sudoers LDAP Manual has
> this to say for sudoUser:

Does id $user report the user as a member of that group?

> "A user name, user ID (prefixed with '#'), Unix group name or ID (prefixed
> with '%' or '%#' respectively), user netgroup (prefixed with '+'), or
> non-Unix group name or ID (prefixed with '%:' or '%:#' respectively). User
> netgroups are matched using the user and domain members only; the host member
> is not used when matching. Non-Unix group support is only available when an
> appropriate group_plugin is defined in the global defaults sudoRole object."
>
> So is it reasonable to assume the last sentence is tripping this up? Does a
> group_plugin need to be defined in defaults? What group_plugin needs to be
> defined in defaults? It all works fine with just a single user in the
> sudoUser attribute. Once I replace it with %<adgroupname>, the same way I
> put it in the sudoers file manually, it fails to match the rule.

That shouldn't be necessary.

> From sssd_sudo.log
>
> When just my user is listed specifically in the sudoUser attribute in the
> sudoRole object in AD:
>
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=myaduser)(sudoUser=#1165)(sudoUser=%Domain\20Users)(sudoUser=%<adgroupname1>)(sudoUser=%<adgroupname2>)(sudoUser=%<adgroupnameiwanttouse>)
> ...
> [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
> [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for
> [[email protected]]
>
> When a group my user is in, is in the sudoUser attribute in the sudoRole
> object in AD:
>
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=myaduser)(sudoUser=#1165)(sudoUser=%Domain\20Users)(sudoUser=%<adgroupname1>)(sudoUser=%<adgroupname2>)(sudoUser=%<adgroupnameiwanttouse>)
> ...
> [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for
> [[email protected]]

Please note that this is an internal cache filter, not an LDAP filter.
You can query it with:

    ldbsearch -H /var/lib/sss/db/cache_$yourdomain.ldb $filter

In general, this upstream wiki page can pinpoint what went wrong; usually
the sudo logs are quite interesting:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

> I've tried matching case with the filter that's in sssd_sudo.log, I've tried
> matching case from id $user, nothing seems to work but listing my user
> account specifically. Is there some magic to getting AD groups to work with
> SUDO LDAP objects?
>
> Todd

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
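The reply above points at two things to compare: what id(1) says the user is a member of, and the sudoUser values the cache filter in sssd_sudo.log is looking for. The script below is an added example (it is not code from this thread or from SSSD): it rebuilds that kind of sysdb filter from a user name, UID and group list, and checks a sudoUser value from a sudoRole against those identities, reporting the usual reasons a %group value fails to select a user (case differs from what id prints, or the value uses the %: non-Unix group syntax that needs a group_plugin). The user name, UID, group names and the cache_example.com.ldb path are constructed placeholders, and the \20 escaping of spaces only mimics what the log line shows, not SSSD's exact sanitizer.

```shell
#!/bin/sh
# Added example, not from the thread or from SSSD. Rebuilds the kind of filter
# that sssd_sudo.log prints after "Searching sysdb with", and checks whether a
# given sudoUser value would select a user with the given identities.
# Assumption: group names are compared as the strings id -Gn prints; the \20
# for a space is copied from the log line, not from SSSD's sanitizer.

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# build_sudo_filter USER UID GROUP...   prints the filter for that identity
build_sudo_filter() {
    user=$1; uid=$2; shift 2
    f="(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=$user)(sudoUser=#$uid)"
    for g in "$@"; do
        esc=$(printf '%s' "$g" | sed 's/ /\\20/g')   # "Domain Users" -> Domain\20Users
        f="$f(sudoUser=%$esc)"
    done
    printf '%s' "$f))"
}

# match_sudo_user VALUE USER UID GROUP...   exit 0 if VALUE selects that
# identity, 1 otherwise; prints one line explaining the verdict
match_sudo_user() {
    val=$1; user=$2; uid=$3; shift 3
    case $val in
        ALL)   echo "match: ALL"; return 0 ;;
        '%:'*) echo "no match: '$val' is non-Unix group syntax; it needs a group_plugin in the sudo defaults"; return 1 ;;
        '+'*)  echo "no match here: '$val' is a netgroup, resolved through netgroups rather than id(1)"; return 1 ;;
        '%#'*) echo "no match here: '$val' is a numeric GID; compare it against id -G"; return 1 ;;
        '#'*)  if [ "${val#?}" = "$uid" ]; then echo "match: uid $uid"; return 0; fi ;;
        '%'*)
            want=${val#?}
            for g in "$@"; do
                if [ "$g" = "$want" ]; then echo "match: group $g"; return 0; fi
                if [ "$(lc "$g")" = "$(lc "$want")" ]; then
                    echo "no match: user is in '$g', rule says '$want' (case differs)"; return 1
                fi
            done ;;
        *)     if [ "$val" = "$user" ]; then echo "match: user $user"; return 0; fi ;;
    esac
    echo "no match: '$val' is not among the user's identities"
    return 1
}

# Demo on a constructed identity (what id -un, id -u and id -Gn would print).
# Compare the printed filter with the "Searching sysdb with" line in
# sssd_sudo.log, or run it against the cache (hypothetical domain name):
#   ldbsearch -H /var/lib/sss/db/cache_example.com.ldb \
#       "$(build_sudo_filter myaduser 1165 'Domain Users' linuxadmins)"
build_sudo_filter myaduser 1165 'Domain Users' linuxadmins; echo
for v in '%linuxadmins' '%LinuxAdmins' '%:linuxadmins' '#1165' myaduser; do
    match_sudo_user "$v" myaduser 1165 'Domain Users' linuxadmins || true
done
```

Feed the script the real values from id -un, id -u and id -Gn on the client, and the exact sudoUser string from the sudoRole object; if the local check reports a match but the cache still returns 0 rules, the next step is the ldbsearch query against the cache file, as the reply suggests.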
