On 03/05/2017 15:05, Brian Candler wrote:
> It turns out we had another 16.04 machine which was working fine. But
> as soon as I updated its sudo from 1.8.16-0ubuntu1.2 to
> 1.8.16-0ubuntu1.3, it stopped working too.
> So it looks like I have a reproducing case for this and I can
> investigate further
FYI, I finally got to the bottom of this issue.
(1) The groups referred to in the sudo rule had been created as non-posix groups in FreeIPA.
(2) It seems that the old sudo in Ubuntu wasn't checking groups at all, and the new one did. But it could not see non-posix groups.
(3) I solved the problem by adding "objectClass: posixgroup" and "gidNumber: NNNNNN" to the groups.
More details at:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1688034/comments/4
Aside: I discovered that the way to debug the sudoers plugin is like this:
Debug sudo /var/log/sudo-debug all@info
Debug sudoers.so /var/log/sudoers-debug all@info
(I had originally missed off the ".so" suffix)
It's a bit frightening that sudo+sssd was not enforcing policies
correctly, for who knows how long.
Regards,
Brian.
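The check implied by points (1) to (3) above, as an added example that is not part of Brian's post or of FreeIPA: given an LDIF dump of the sudo rules and groups, list the groups a sudo rule references that lack the posixGroup objectClass or a gidNumber, and generate the ldapmodify LDIF that adds them. The sample LDIF, the DN layout, the gidNumber values and the ipaUniqueID placeholder are constructed for the example; the attribute and objectClass names (ipaSudoRule, memberUser, ipaUserGroup, posixGroup, gidNumber) are the standard FreeIPA ones, and objectClass values are compared case-insensitively because LDAP treats them that way.

```python
"""Find FreeIPA groups referenced by sudo rules that are not POSIX groups.

Input is an LDIF dump such as ldapsearch produces. Example code, not FreeIPA's own.
"""
import re

# Constructed sample: one sudo rule referencing two groups, one POSIX and one not.
SAMPLE_LDIF = """\
dn: ipaUniqueID=PLACEHOLDER-UUID,cn=sudorules,cn=sudo,dc=example,dc=com
objectClass: ipasudorule
objectClass: ipaassociation
cn: ops-restart-services
memberUser: cn=ops,cn=groups,cn=accounts,dc=example,dc=com
memberUser: cn=devs,cn=groups,cn=accounts,dc=example,dc=com
memberUser: uid=alice,cn=users,cn=accounts,dc=example,dc=com

dn: cn=ops,cn=groups,cn=accounts,dc=example,dc=com
objectClass: ipausergroup
objectClass: groupofnames
objectClass: posixgroup
cn: ops
gidNumber: 1000001

dn: cn=devs,cn=groups,cn=accounts,dc=example,dc=com
objectClass: ipausergroup
objectClass: groupofnames
cn: devs

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixaccount
uid: alice
"""

GROUP_CLASSES = {"ipausergroup", "groupofnames"}


def parse_ldif(text):
    """Parse a simple LDIF dump into a list of {attr_lowercase: [values]} dicts.

    Handles folded continuation lines (leading space) and 'attr: value' lines;
    base64 ('attr::') values and comments are ignored for this check.
    """
    text = re.sub(r"\n ", "", text)  # unfold continuation lines
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("-"):
            continue
        attr, sep, value = line.partition(":")
        if not sep or value.startswith(":"):
            continue
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def object_classes(entry):
    return {c.lower() for c in entry.get("objectclass", [])}


def is_posix_group(entry):
    """A group sudo/sssd can resolve needs both posixGroup and a gidNumber."""
    return "posixgroup" in object_classes(entry) and bool(entry.get("gidnumber"))


def non_posix_sudo_groups(entries):
    """Return DNs of groups referenced by any sudo rule's memberUser that are not POSIX."""
    by_dn = {e["dn"][0].lower(): e for e in entries if "dn" in e}
    flagged = []
    for rule in entries:
        if "ipasudorule" not in object_classes(rule):
            continue
        for ref in rule.get("memberuser", []):
            target = by_dn.get(ref.lower())
            if target is None or not (object_classes(target) & GROUP_CLASSES):
                continue  # unknown DN or a user entry, not a group
            if not is_posix_group(target) and ref not in flagged:
                flagged.append(ref)
    return flagged


def posix_fix_ldif(dn, gid):
    """LDIF for ldapmodify that adds the posixGroup objectClass and a gidNumber."""
    return (
        "dn: %s\nchangetype: modify\n"
        "add: objectClass\nobjectClass: posixgroup\n-\n"
        "add: gidNumber\ngidNumber: %d\n" % (dn, gid)
    )


if __name__ == "__main__":
    for dn in non_posix_sudo_groups(parse_ldif(SAMPLE_LDIF)):
        print("non-POSIX group used by a sudo rule:", dn)
        print(posix_fix_ldif(dn, 1000002))  # gid is a constructed placeholder
```

Run the report before changing anything, and pick gidNumbers from the range your IPA ID ranges allocate so they do not collide with existing groups; FreeIPA's own CLI can make the same change with `ipa group-mod NAME --posix` instead of a raw ldapmodify.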
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project