I just updated several machines to RHEL 6.7 and seem to have broken my sudo 
rules.  I've tracked the problem down to having

default_domain_suffix = ad.domain

in the sssd.conf.  If I remove that I can log in using the fqn from AD and sudo 
rules are applied as configured.  However, I don't want to force my users to 
change to using their fqn to log in, and due to having db2 in the environment 
our usernames are limited to 8 characters so we cannot use the fqn regardless.

I tested adding a local sudo rule for %ad_domain_group@ipa.domain and it 
worked, but any IPA rules are not working.  A rule in the sudoers would not 
work unless it was a fqn either, which I expected with the default domain suffix 
set.

The update installed sssd-1.12.4-47.el6.x86_64.  Red Hat wants me to test 
downgrading my sssd, which I'm not entirely opposed to in order to get things 
working, but there are some fixes in this release I kinda want to keep.

-andy



*** This communication may contain privileged and/or confidential information. 
It is intended solely for the use of the addressee. If you are not the intended 
recipient, you are strictly prohibited from disclosing, copying, distributing 
or using any of this information. If you received this communication in error, 
please contact the sender immediately and destroy the material in its entirety, 
whether electronic or hard copy. ***


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

