You need to have 'files' first in all nsswitch.conf databases. If 'sudo' doesn't respect this then this is a bug in 'sudo.
On Wed, Nov 30, 2022 at 5:59 PM Kevin Vasko <[email protected]> wrote: > So for example. > > machine1 enrolled in FreeIPA also has userid: > user1 - locally (e.g. useradd) > user1 on machine1 has a defined sudoers of NOPASSWD > > FreeIPA also has user1 defined in it. > > machine2 enrolled in FreeIPA: > does not have any local accounts. > if user1 logs in, machine2 uses sssd to allow it from freeIPA. > > What I want is on machine1 I want it to use _all_ locally configured > settings for user1. I effectively want machine1 to ignore FreeIPA for > user1. > > With that being said, I think this is a bug or some weird caching is > happening. > > This is a series of even that happened: > > * user1 was on machine1 prior to freeIPA and being enrolled into FreeIPA. > * user1 is a local account and has a NOPASSWD defined for it locally. > * 1 year passes > * freeIPA implemented, user1 account created in FreeIPA > * machine1 enrolled into domain > * user1 and NOPASSWD still working on machine1 > * Upgrade Ubuntu from 18.04 to 20.04 > * user1 no longer respects local sudoers file NOPASSWD on machine1 and > falls back to IPA > * user1 account deleted from FreeIPA > * user1 starts respects sudoers NOPASSWD file on machine1 > * user1 account added back to FreeIPA > * user1 still respects sudoers NOPASSWD file on machine1. > > So it was working, upgraded to 20.04, stops working, removed account from > FreeIPA, starts working, added account back to FreeIPA (expecting it to > start failing again) but it’s still working as to how it did prior to 20.04 > upgrade. > > -Kevin > > > On Nov 30, 2022, at 8:34 AM, Pavel Březina <[email protected]> wrote: > > > > On 11/29/22 15:43, Kevin Vasko wrote: > >> passwd: compat systemd sss > >> group: compat systemd sss > >> I changed it to be > >> passwd: files compat systemd sss > >> group: files compat systemd sss > >> and still had the same problem. > >> id_provider=ipa > >> Yes Ubuntu. > >> sssd 2.2.3-3ubuntu0.9 > >> This same named user that was created local is also in our IPA server > but want this local account and settings on this machine to override that. > >> -Kevin > >>>> On Nov 29, 2022, at 3:03 AM, Alexey Tikhonov <[email protected]> > wrote: > >>> > >>> > >>> Hi, > >>> > >>>> On Tue, Nov 29, 2022 at 1:10 AM Kevin Vasko <[email protected] > <mailto:[email protected]>> wrote: > >>> > >>> We have a local user that has an entry in sudoers for a “NOPASSWD”. > >>> > >>> In /etc/nsswitch.conf we have: > >>> > >>> sudoers: files sss > >>> > >>> > >>> What is in 'passwd:' and 'group:'? > >>> Do you use 'id_provider=files' in 'sssd.conf'? > >>> > >>> > >>> For some reason sssd is falling back to sssd even though we have > >>> the “files” entry first and is checking our FreeIPA instance and > >>> rejecting it and prompts for password. > >>> > >>> if I make it > >>> > >>> sudoers: files > >>> > >>> It works. > >>> > >>> This was working without issue on 18.04, we upgraded to 20.04 and > >>> now see the problem. > >>> > >>> > >>> I guess this is Ubuntu version? > >>> Could you please specify SSSD package versions? > >>> > >>> > >>> Is there a way to make it prioritize the local sudoers and stop > >>> looking on sssd? > > > > In general, SSSD does not support name collisions. You should make the > ipa domain to require fully qualified names. > > > > Depending on the problem, there might be a way to solve it. However, I > must admit, I do not fully understand your issue. Can you be more > descriptive and provide some examples? > > > > Thank you, > > Pavel > > > > > _______________________________________________ > sssd-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue >
_______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
