#3046 IPA-managed sudo no longer works with non-POSIX groups

Created 2 years ago by jhrozek
Modified a year ago

Seems like we broke sudo with non-POSIX groups in the 1.13 update. See:
https://www.redhat.com/archives/freeipa-users/2016-June/msg00256.html

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13.5

In sssd-1.13.4, we switched to the IPA sudo rules schema stored at cn=sudo instead of the sudo schema used by sudo itself, which is generated by the compat plugin and stored at ou=sudoers. Setting the option ldap_sudo_search_base to ou=sudoers switches the processing back to the pre-1.13.4 version.

Fields changed

owner: somebody => pbrezina
status: new => assigned

We do not want to support non-POSIX groups in sudo rule definitions. Either switch to the compat tree container "ou=sudoers,dc=example,dc=com" or alter your rules so that the non-POSIX group is included by a POSIX one which is referenced by sudo as "sudorule ---> posix group <--- non-posix group".

resolution: => wontfix
status: assigned => closed
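
An audit sketch for the second workaround, added here as an example and not code from SSSD, FreeIPA or this ticket: it flags sudo rules in the native cn=sudo tree that reference a non-POSIX group directly, and lists any POSIX group that already includes that group and could be referenced instead. The directory entries are constructed sample data, and the attribute and object class names used (`ipaSudoRule`, `memberUser`, `ipausergroup`, `posixGroup`, `member`) are assumptions about the IPA schema to verify against your own server.

```python
# Constructed sample directory (DN -> attributes); not taken from the ticket.
BASE = "dc=example,dc=com"
GROUPS = f"cn=groups,cn=accounts,{BASE}"
RULES = f"cn=sudorules,cn=sudo,{BASE}"
ENTRIES = {
    f"cn=admins-posix,{GROUPS}": {"objectClass": ["ipausergroup", "posixGroup"],
                                  "member": [f"cn=ops-nonposix,{GROUPS}"]},
    f"cn=ops-nonposix,{GROUPS}": {"objectClass": ["ipausergroup"]},
    f"cn=dba-nonposix,{GROUPS}": {"objectClass": ["ipausergroup"]},
    f"cn=rule-ok,{RULES}": {"objectClass": ["ipaSudoRule"],
                            "memberUser": [f"cn=admins-posix,{GROUPS}"]},
    f"cn=rule-fixable,{RULES}": {"objectClass": ["ipaSudoRule"],
                                 "memberUser": [f"cn=ops-nonposix,{GROUPS}"]},
    f"cn=rule-broken,{RULES}": {"objectClass": ["ipaSudoRule"],
                                "memberUser": [f"cn=dba-nonposix,{GROUPS}"]},
}

def has_class(attrs, name):
    return name.lower() in (c.lower() for c in attrs.get("objectClass", []))

def posix_parents(entries, group_dn):
    """POSIX groups that contain group_dn, directly or through nesting."""
    found, seen, todo = set(), set(), [group_dn.lower()]
    while todo:
        child = todo.pop()
        for dn, attrs in entries.items():
            if dn in seen or child not in (m.lower() for m in attrs.get("member", [])):
                continue
            seen.add(dn)
            todo.append(dn.lower())
            if has_class(attrs, "posixGroup"):
                found.add(dn)
    return sorted(found)

def audit_sudo_rules(entries):
    """Map each rule to the non-POSIX groups it references directly and,
    for each, the POSIX groups that already include it."""
    by_dn = {dn.lower(): attrs for dn, attrs in entries.items()}
    report = {}
    for rule_dn, attrs in entries.items():
        if not has_class(attrs, "ipaSudoRule"):
            continue
        for ref in attrs.get("memberUser", []):
            target = by_dn.get(ref.lower(), {})
            if has_class(target, "ipausergroup") and not has_class(target, "posixGroup"):
                report.setdefault(rule_dn, {})[ref] = posix_parents(entries, ref)
    return report
```

An empty list for a flagged group means no POSIX group includes it yet, so one has to be created or extended before the rule can be re-pointed.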

a year ago

Metadata Update from @jhrozek:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.13.5

defect

SSSD

1.13.3

https://bugzilla.redhat.com/show_bug.cgi?id=1336548