I just updated several machines to RHEL 6.7 and seem to have broken my sudo rules. I've tracked the problem down to having

default_domain_suffix = ad.domain

in the sssd.conf. If I remove that, I can log in using the fqn from AD and sudo rules are applied as configured. However, I don't want to force my users to change to using their fqn to log in, and due to having DB2 in the environment our usernames are limited to 8 characters, so we cannot use the fqn regardless.

I tested adding a local sudo rule for %ad_domain_group@ipa.domain and it worked, but any IPA rules are not working. A rule in the sudoers would not work unless it was a fqn either, which I expected with the default domain suffix set.

The update installed sssd-1.12.4-47.el6.x86_64. Red Hat wants me to test downgrading my sssd, which I'm not entirely opposed to in order to get things working, but there are some fixes in this release I kinda want to keep.

-andy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project