#3046 IPA-managed sudo no longer works with non-POSIX groups
Closed: Invalid None Opened 3 years ago by jhrozek.

Seems like we broke sudo with non-POSIX groups in the 1.13 update. See:

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13.5

In sssd-1.13.4, we switched to the IPA sudo rules schema stored at cn=sudo instead of the sudo schema used by sudo itself, which is generated by the compat plugin and stored at ou=sudoers. Setting the option ldap_sudo_search_base to ou=sudoers switches the processing back to the pre-1.13.4 version.

Fields changed

owner: somebody => pbrezina
status: new => assigned

We do not want to support non-POSIX groups in sudo rule definition. Either switch to the compat tree container "ou=sudoers,dc=example,dc=com" or alter your rules so that the non-POSIX group is included by a POSIX one which is referenced by sudo as "sudorule ---> posix group <--- non-posix group".

resolution: => wontfix
status: assigned => closed
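
An added example, not code from this ticket or from SSSD: a Python audit that flags sudo rules under cn=sudo referencing a non-POSIX group directly and lists the POSIX groups that already include that group, which are the candidates for the "sudorule ---> posix group <--- non-posix group" layout described above. The directory entries are constructed, and the objectClass and attribute names (ipaSudoRule, memberUser, posixGroup, gidNumber, member) and the cn=groups,cn=accounts container are assumptions about the FreeIPA schema.

```python
# Constructed sample directory (DN -> attributes); schema names are assumed
# to follow FreeIPA, and every entry below is made up for illustration.
SUFFIX = "dc=example,dc=com"
GROUPS = "cn=groups,cn=accounts," + SUFFIX
RULES = "cn=sudorules,cn=sudo," + SUFFIX

def gdn(name):
    return f"cn={name},{GROUPS}"

ENTRIES = {
    gdn("admins-posix"): {"objectClass": ["ipausergroup", "posixGroup"],
                          "gidNumber": ["5001"], "member": [gdn("ops-nonposix")]},
    gdn("ops-nonposix"): {"objectClass": ["ipausergroup"]},
    gdn("contractors"): {"objectClass": ["ipausergroup"]},
    "cn=rule-ok," + RULES: {"objectClass": ["ipaSudoRule"],
                            "memberUser": [gdn("admins-posix")]},
    "cn=rule-broken," + RULES: {"objectClass": ["ipaSudoRule"],
                                "memberUser": [gdn("contractors"), gdn("ops-nonposix")]},
}

def has_class(entry, name):
    return name.lower() in (c.lower() for c in entry.get("objectClass", []))

def is_posix(entry):
    return has_class(entry, "posixGroup") and bool(entry.get("gidNumber"))

def posix_ancestors(entries, group_dn):
    """POSIX groups that contain group_dn directly or through nesting."""
    seen, todo = set(), [group_dn]
    while todo:
        cur = todo.pop()
        for dn, entry in entries.items():
            if cur in entry.get("member", []) and dn not in seen:
                seen.add(dn)  # also guards against membership cycles
                todo.append(dn)
    return sorted(dn for dn in seen if is_posix(entries[dn]))

def audit_sudo_rules(entries):
    """Return (rule DN, non-POSIX group DN, POSIX groups that include it)."""
    findings = []
    for dn, entry in entries.items():
        if not has_class(entry, "ipaSudoRule"):
            continue
        for member in entry.get("memberUser", []):
            group = entries.get(member)
            if group is not None and member.endswith(GROUPS) and not is_posix(group):
                findings.append((dn, member, posix_ancestors(entries, member)))
    return findings
```

An empty third element means no POSIX group includes the referenced group yet, so the rule needs either a new POSIX wrapper group or the ou=sudoers search base.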

Metadata Update from @jhrozek:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.13.5

2 years ago
