I've narrowed it down a bit doing some testing.  The sudo rules work when I 
remove the user group restriction from them.  My sudo rules all have my AD 
groups in the rule:

  Rule name: ad_linux_admins
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: ad_linux_admins  <- if I remove this then the rule gets applied
  Sudo Option: !authenticate

-andy

> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Jakub Hrozek
> Sent: Tuesday, September 15, 2015 8:37 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
> 
> Sorry for not replying sooner, many of us were mostly offline last week.
> 
> I'll try to reproduce locally..
> 
> On Tue, Sep 15, 2015 at 12:24:45PM +0000, Andy Thompson wrote:
> > I just updated several machines to RHEL 6.7 and seem to have broken my
> > sudo rules.  I've tracked the problem down to having
> >
> > Default_domain_suffix = ad.domain
> >
> > In the sssd.conf.  If I remove that I can log in using the fqn from AD and
> > sudo rules are applied as configured.  However I don't want to force my users
> > to change to using their fqn to log in, and due to having db2 in the
> > environment our usernames are limited to 8 characters so we cannot use the
> > fqn regardless.
> >
> > I tested adding a local sudo rule for %ad_domain_group@ipa.domain and it
> > worked, but any IPA rules are not working.  A rule in the sudoers would not
> > work unless it was a fqn either, which I expected with the default domain
> > suffix set.
> >
> > Update installed sssd-1.12.4-47.el6.x86_64.  Redhat wants me to test
> > downgrading my sssd, which I'm not entirely opposed to in order to get
> > things working, but there are some fixes in this release I kinda want to keep.
> >
> > -andy
> >
> >
> >
> > *** This communication may contain privileged and/or confidential
> > information. It is intended solely for the use of the addressee. If you are
> > not the intended recipient, you are strictly prohibited from disclosing, copying,
> > distributing or using any of this information. If you received this
> > communication in error, please contact the sender immediately and destroy
> > the material in its entirety, whether electronic or hard copy. ***
> >
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project

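The thread above pins the failure to IPA sudo rules that carry a "User Groups" restriction once sssd.conf sets default_domain_suffix. Before an upgrade on a fleet, an administrator would want a quick inventory of which rules fall into that category so they can be re-tested first. The following Python script is an added example and is not code from this thread, FreeIPA or SSSD: it parses a constructed sssd.conf fragment and a constructed listing in the same "Key: value" layout quoted above, and flags enabled rules restricted by "User Groups" while default_domain_suffix is set. It only reproduces the observation reported in the thread; it does not model why such rules stop matching.

```python
"""Audit IPA sudo rules for 'User Groups' restrictions when sssd sets
default_domain_suffix.  Added example; inputs below are constructed."""
import configparser
import re
from typing import Dict, List, Optional

# Constructed sssd.conf fragment; default_domain_suffix lives in [sssd].
SSSD_CONF = """\
[sssd]
domains = ipa.domain
services = nss, pam, sudo
default_domain_suffix = ad.domain

[domain/ipa.domain]
id_provider = ipa
auth_provider = ipa
sudo_provider = ipa
"""

# Constructed rule listing in the "Key: value" layout quoted in the thread
# (the shape of `ipa sudorule-find` output; rule names are made up).
SUDORULE_OUTPUT = """\
---------------------
2 Sudo Rules matched
---------------------
  Rule name: ad_linux_admins
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: ad_linux_admins
  Sudo Option: !authenticate

  Rule name: everyone_reboot
  Enabled: TRUE
  User category: all
  Hosts: host1.ipa.domain
  Sudo Allow Commands: /sbin/reboot
----------------------------
Number of entries returned 2
----------------------------
"""

# "Key: value" lines; separator lines and the match count carry no colon.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")
# Fields the listing prints as comma-separated lists.
MULTI_VALUED = {"User Groups", "Users", "Hosts", "Host Groups",
                "Sudo Allow Commands", "Sudo Option"}


def default_domain_suffix(conf_text: str) -> Optional[str]:
    """Return default_domain_suffix from the [sssd] section, or None."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.get("sssd", "default_domain_suffix", fallback=None)


def parse_sudorules(text: str) -> List[Dict[str, object]]:
    """Split the listing into one dict per rule, keyed by field name."""
    rules: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Rule name":          # a new rule block starts here
            current = {"Rule name": value}
            rules.append(current)
        elif current is not None:
            current[key] = ([v.strip() for v in value.split(",")]
                            if key in MULTI_VALUED else value)
    return rules


def audit(conf_text: str, rules_text: str) -> Dict[str, object]:
    """Flag enabled rules restricted by 'User Groups' when a suffix is set."""
    suffix = default_domain_suffix(conf_text)
    affected: List[str] = []
    unaffected: List[str] = []
    for rule in parse_sudorules(rules_text):
        restricted = bool(rule.get("User Groups")) and rule.get("Enabled") == "TRUE"
        (affected if suffix and restricted else unaffected).append(str(rule["Rule name"]))
    return {"default_domain_suffix": suffix,
            "affected": affected, "unaffected": unaffected}


if __name__ == "__main__":
    result = audit(SSSD_CONF, SUDORULE_OUTPUT)
    print(f"default_domain_suffix = {result['default_domain_suffix']}")
    for name in result["affected"]:
        print(f"re-test: {name} (restricted by User Groups)")
    for name in result["unaffected"]:
        print(f"ok:      {name}")
```

On a real host the listing would come from the IPA client and sssd.conf from /etc/sssd/sssd.conf; the parser deliberately ignores lines without a colon so the separator bars and entry count in that output do not disturb it.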