#3046 IPA-managed sudo no longer works with non-POSIX groups
Closed: Invalid None Opened 7 years ago by jhrozek.

Seems like we broke sudo with non-POSIX groups in the 1.13 update. See:
https://www.redhat.com/archives/freeipa-users/2016-June/msg00256.html


Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13.5

In sssd-1.13.4, we switched to the IPA sudo rules schema stored at cn=sudo instead of the sudo schema used by sudo itself, which is generated by the compat plugin and stored at ou=sudoers. Setting the option ldap_sudo_search_base to ou=sudoers switches the processing back to the pre-1.13.4 version.

Fields changed

owner: somebody => pbrezina
status: new => assigned

We do not want to support non-POSIX groups in sudo rule definition. Either switch to the compat tree container "ou=sudoers,dc=example,dc=com" or alter your rules so that the non-POSIX group is included by a POSIX one which is referenced by sudo as "sudorule ---> posix group <--- non-posix group".

resolution: => wontfix
status: assigned => closed
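
The check below is an added example, not from this ticket or the SSSD project: it scans sudo rule entries from IPA's native cn=sudo tree for directly referenced groups that lack the posixGroup object class, and lists POSIX groups that already contain them as members. The attribute and object class names (ipaSudoRule, memberUser, groupOfNames, posixGroup) are assumed from the FreeIPA schema, and all entries and DNs are constructed sample data.

```python
# Constructed sample entries (DN -> attributes), shaped like IPA's native
# tree; attribute names are assumed from the FreeIPA schema, and every DN
# and group name is made up for this example.
BASE = "dc=example,dc=com"
GROUPS = "cn=groups,cn=accounts," + BASE
ENTRIES = {
    f"cn=dbas,{GROUPS}": {
        "objectClass": ["ipaUserGroup", "groupOfNames", "nestedGroup"],
    },
    f"cn=ops,{GROUPS}": {
        "objectClass": ["ipaUserGroup", "groupOfNames", "nestedGroup", "posixGroup"],
        "gidNumber": ["1234"],
        "member": [f"cn=dbas,{GROUPS}"],
    },
    f"ipaUniqueID=rule-1,cn=sudorules,cn=sudo,{BASE}": {
        "objectClass": ["ipaSudoRule"], "cn": ["db-restart"],
        "memberUser": [f"cn=dbas,{GROUPS}"],
    },
    f"ipaUniqueID=rule-2,cn=sudorules,cn=sudo,{BASE}": {
        "objectClass": ["ipaSudoRule"], "cn": ["ops-all"],
        "memberUser": [f"cn=ops,{GROUPS}"],
    },
}

def has_class(attrs, name):
    """Case-insensitive objectClass test."""
    return name.lower() in (c.lower() for c in attrs.get("objectClass", []))

def audit_sudo_rules(entries):
    """Return {rule cn: [(non-POSIX group DN, [POSIX groups containing it])]}."""
    findings = {}
    for attrs in entries.values():
        if not has_class(attrs, "ipaSudoRule"):
            continue
        for dn in attrs.get("memberUser", []):
            target = entries.get(dn)
            # Only group entries matter; user DNs and unknown DNs are skipped.
            if target is None or not has_class(target, "groupOfNames"):
                continue
            if has_class(target, "posixGroup"):
                continue
            # POSIX groups that already include this group could be
            # referenced by the rule instead.
            parents = sorted(g for g, a in entries.items()
                             if has_class(a, "posixGroup") and dn in a.get("member", []))
            findings.setdefault(attrs["cn"][0], []).append((dn, parents))
    return findings

if __name__ == "__main__":
    for rule, hits in audit_sudo_rules(ENTRIES).items():
        for group, parents in hits:
            print(f"{rule}: {group} is non-POSIX; POSIX parents: {parents or 'none'}")
```
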

Metadata Update from @jhrozek:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.13.5

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4079

If you want to receive further updates on the issue, please navigate to the github issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
