Public bug reported:

# Ubuntu 26.04: sudo-rs Default Breaks FreeIPA/SSSD sudo Policy

## Summary

On a fresh installation of Ubuntu 26.04 LTS (Resolute) enrolled into a FreeIPA 4.13.1 domain, users can authenticate and log in via IPA, but may be unable to use sudo permissions granted by FreeIPA. The issue is caused by Ubuntu selecting `sudo-rs` as the active implementation via `update-alternatives`. Switching back to the classic sudo implementation (`sudo.ws`) immediately restores full compatibility with FreeIPA/SSSD sudo rules without other configuration changes.

## Environment

- **Server:**
  - FreeIPA 4.13.1
  - Realm: EACHPATH.LOCAL
- **Client:**
  - Ubuntu 26.04 LTS (Resolute)
  - Joined via `ipa-client-install`
  - SSSD configured for IPA
  - Authentication working

## Expected behavior

A FreeIPA sudo rule allowing user `nyx` to execute all commands on host `nyx-dev.eachpath.local` is honored on the client.

## Actual behavior (before fix)

- Authentication succeeds.
- SSH login succeeds.
- `sudo` denies with "Sorry, user nyx may not run sudo on nyx-dev.eachpath.local." even though the sudo rule exists and matches.

## Investigation

The issue was traced step-by-step to isolate the failure layer.

### 1. FreeIPA rule validation

Rule created:

- `ipa sudorule-add allow_nyx_sudo_nyx_dev`

Configured:

- user = nyx
- host = nyx-dev.eachpath.local
- command category = all
- runas category = all

Verified with:

- `ipa sudorule-show allow_nyx_sudo_nyx_dev --raw`

Confirmed:

- `cmdcategory: all`
- `ipasudorunasusercategory: all`
- `memberhost: fqdn=nyx-dev.eachpath.local`
- `memberuser: uid=nyx`

Rule correct → problem not in FreeIPA.

### 2. Client identity

Checked:

- `id`
- `getent passwd nyx`

Result:

- `uid=10001(nyx)`

IPA identity correctly resolved via SSSD.

### 3. SSSD configuration

Confirmed:

- `services = nss, pam, ssh, sudo`
- `sudoers: sss`

Domain status:

- `sssctl domain-status eachpath.local` → Online
- `sssctl config-check` → No issues

SSSD correctly configured and online.

### 4. SSSD sudo cache

Searched cache:

- `strings /var/lib/sss/db/cache_eachpath.local.ldb`
- `ldbsearch -H /var/lib/sss/db/cache_eachpath.local.ldb`

Found:

- `sudoCommand: ALL`
- `sudoHost: nyx-dev.eachpath.local`
- `sudoRunAsUser: ALL`
- `sudoUser: [email protected]`

Conclusion: FreeIPA exported the rule correctly; SSSD cached it. Failure not in policy distribution.

### 5. sudo implementation

Ran:

- `sudo -V`

Got:

- `sudo-rs 0.2.13`

Further inspection:

- `readlink -f /etc/alternatives/sudo` → `/usr/lib/cargo/bin/sudo`
- `update-alternatives --list sudo` shows both `sudo-rs` and `sudo.ws`.

Active implementation was `sudo-rs`, which does not yet fully support SSSD/FreeIPA sudo policy.

### 6. Resolution

Switched implementation:

- `sudo update-alternatives --config sudo`
- Selected: `/usr/bin/sudo.ws`

Verified:

- `sudo -V` → `Sudo version 1.9.17p2`

No other changes; immediately:

- `sudo -l` → correct FreeIPA rules honored.

## Conclusion

- FreeIPA rule: correct
- SSSD: correct
- Rule cached locally: yes
- Issue: `sudo-rs` selected as default, not fully compatible with SSSD/FreeIPA sudo policy

Switching to `sudo.ws` restores expected behavior.

## Notes / Recommendations

For Ubuntu 26.04 + FreeIPA/SSSD environments:

- Prefer `sudo.ws`:
  - `sudo update-alternatives --set sudo /usr/bin/sudo.ws`
- Until upstream `sudo-rs` fully integrates with SSSD-based sudo policies, treat this as a required step for IPA-joined machines.

## Version

Version: 1.0 | Created: 2026-06-30 | Updated: 2026-06-30 | Authors: dafit, Nyx

** Affects: rust-sudo-rs (Ubuntu)
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/2158700
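A host-side preflight check for the mismatch the report isolates in steps 3 and 5: SSSD is configured to deliver sudo rules (`sudoers: sss` in nsswitch.conf, `sudo` in the SSSD `services` list) while the active `sudo` binary is `sudo-rs`. This is an added example written for this page, not the reporter's or the sudo-rs project's code. It assumes the standard paths `/etc/nsswitch.conf` and `/etc/sssd/sssd.conf` and the two `sudo -V` banners quoted in the report; the config fragments in the usage note are constructed.

```shell
#!/bin/sh
# Preflight check for IPA-joined Ubuntu hosts (added example, not from the report):
# warn when SSSD-delivered sudo policy is configured but sudo-rs is the active sudo.
# Assumes the standard config paths; the `sudo -V` banners come from the report.

# Classify the first line of `sudo -V`: prints "sudo-rs", "sudo.ws" or "unknown".
classify_sudo_version() {
    case "$1" in
        sudo-rs*)          echo "sudo-rs" ;;
        "Sudo version "*)  echo "sudo.ws" ;;
        *)                 echo "unknown" ;;
    esac
}

# Return 0 if nsswitch.conf routes sudoers lookups through SSSD ("sudoers: ... sss").
nsswitch_uses_sss() {
    grep -E '^[[:space:]]*sudoers:.*([[:space:]]|:)sss([[:space:]]|$)' "$1" >/dev/null 2>&1
}

# Return 0 if the [sssd] section of sssd.conf lists the sudo responder in "services =".
sssd_sudo_enabled() {
    awk '
        /^\[/ { in_sssd = ($0 == "[sssd]") }
        in_sssd && /^[[:space:]]*services[[:space:]]*=/ {
            if ($0 ~ /(^|[ ,=])sudo([ ,]|$)/) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Combine the three facts: SSSD sudo policy + sudo-rs active is the failing combination
# described in the report. Args: <sudo -V first line> <nsswitch.conf> <sssd.conf>
# Prints a verdict; returns 1 on the mismatch, 0 otherwise.
sudo_policy_verdict() {
    impl=$(classify_sudo_version "$1")
    sss_nss=0; sss_svc=0
    nsswitch_uses_sss "$2" && sss_nss=1
    sssd_sudo_enabled "$3" && sss_svc=1
    if [ "$sss_nss" = 1 ] && [ "$sss_svc" = 1 ] && [ "$impl" = "sudo-rs" ]; then
        echo "MISMATCH: SSSD sudo policy is configured but the active sudo is sudo-rs;"
        echo "          FreeIPA sudo rules will not be honored (see the report's step 5)."
        return 1
    fi
    echo "OK: active sudo is '$impl' (sssd sudo responder=$sss_svc, nsswitch sss=$sss_nss)"
    return 0
}

# Check the live host only when asked to, so the functions can also be sourced or tested.
if [ "${1:-}" = "--check" ]; then
    sudo_policy_verdict "$(sudo -V 2>/dev/null | head -n 1)" \
        /etc/nsswitch.conf /etc/sssd/sssd.conf
fi
```

Run it as root with `--check` (sssd.conf is normally readable only by root); a non-zero exit flags a host where the report's remediation (`update-alternatives --set sudo /usr/bin/sudo.ws`) is still needed. The parsing functions take file paths and the version banner as arguments so they can be exercised against constructed inputs such as `sudoers: files sss` and `services = nss, pam, ssh, sudo` without touching the live system.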
