#3934 SUDO doesn't work for AD users on IPA clients after applying ID Views for them in IPA server
Closed: cloned-to-github 5 years ago by pbrezina. Opened 6 years ago by ulicar.

99% similar issue as here: https://pagure.io/SSSD/sssd/issue/3488

But my user comes from trusted domain (Active Directory).

  1. IPA.DOMAIN trusts AD.DOMAIN
  2. localuser has sudo rights to do ALL: ALL (ALL) on ipa-server.IPA.DOMAIN
    - tested and works
  3. domainuser@AD.DOMAIN has sudo rights to do ALL: ALL (ALL) on ipa-server.IPA.DOMAIN
    - tested and works
  4. Create view (IDViewOverride) for domain user, for the purpose of migrating local users to domain users:
    - same UID/GID, home folder, shell, etc...
  5. Login to ipa-server.IPA.DOMAIN as domainuser@AD.DOMAIN
    - login is successful as expected
    - command "whoami" shows localuser as expected
    - UID/GID shows localuser as expected
    - command "id" shows domain groups as expected
    - "sudo ls" fails <-- not expected
    --> message: "localuser is not in sudoers. This incident will be reported."
    --> /var/log/sssd/sssd_sudo.log shows a search only for non-existent localuser@IPA.DOMAIN

Does your system still contain localuser in /etc/passwd in addition to domainuser?

Does whoami report back a fully qualified or a short name?

Yes, localuser is present in /etc/passwd, domain user is not present in
/etc/passwd. (Not sure if I get what you are really asking here).
whoami reports short name.

FYI: localuser and domain user share the same name.
e.g. John Doe --> jdoe is a localuser, and a domain user is jdoe@AD.DOMAIN.

I'll attach you the logs from sssd_sudo.log in the morning.

On Tue, 29 Jan 2019 at 20:46, Jakub Hrozek pagure@pagure.io wrote:

jhrozek added a new comment to an issue you are following:
``
Does your system still contain localuser in /etc/passwd in addition to
domainuser?

Does whoami report back a fully qualified or a short name?

``


Metadata Update from @pbrezina:
- Issue tagged with: Future milestone

5 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4914

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @pbrezina:
- Issue close_status updated to: cloned-to-github
- Issue status updated to: Closed (was: Open)

5 years ago
