Seems like we broke sudo with non-POSIX groups in the 1.13 update. See:
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1336548 (Red Hat Enterprise Linux 6)
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=1336548 1336548]
milestone: NEEDS_TRIAGE => SSSD 1.13.5
In sssd-1.13.4, we switched to IPA sudo rules schema stored at cn=sudo instead of the sudo schema used by sudo itself which is generated by compat plugin and stored at ou=sudoers. Setting the option ldap_sudo_search_base to ou=sudoers switch the processing back to pre-1.13.4 version.
owner: somebody => pbrezina
status: new => assigned
We do not want to support non-POSIX groups in sudo rule definition. Either switch to the compat tree container "ou=sudoers,dc=example,dc=com" or alter your rules so that the non-POSIX group is included by a POSIX one which is referenced by sudo as "sudorule ---> posix group <--- non-posix group".
resolution: => wontfix
status: assigned => closed
Metadata Update from @jhrozek:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.13.5
to comment on this ticket.
Copyright © 2014-2018 Red Hat
4.0.4 — Documentation