On 03/05/2017 15:05, Brian Candler wrote:
> It turns out we had another 16.04 machine which was working fine. But as soon as I updated its sudo from 1.8.16-0ubuntu1.2 to 1.8.16-0ubuntu1.3, it stopped working too.
> 
> So it looks like I have a reproducing case for this and I can investigate further

FYI, I finally got to the bottom of this issue.

(1) The groups referred to in the sudo rule had been created as non-posix groups in FreeIPA

(2) It seems that the old sudo in Ubuntu wasn't checking groups at all, and the new one did. But it could not see non-posix groups.

(3) I solved the problem by adding "objectClass: posixgroup" and "gidNumber: NNNNNN" to the groups.

More details at:

https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1688034/comments/4

Aside: I discovered that the way to debug the sudoers plugin is like this:

Debug sudo /var/log/sudo-debug all@info
Debug sudoers.so /var/log/sudoers-debug all@info

(I had originally missed off the ".so" suffix)

It's a bit frightening that sudo+sssd was not enforcing policies correctly, for who knows how long.

Regards,

Brian.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
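A way to find groups in the same state as the ones in the post above, as an added example that is not part of the original message or of FreeIPA/sudo: the script takes LDIF for FreeIPA group entries (as `ldapsearch -LLL -b cn=groups,cn=accounts,$BASE_DN` would return it; the sample below is constructed inline), reports every group that lacks the `posixgroup` objectClass or a `gidNumber`, i.e. a group that sudo+sssd cannot resolve, and emits the `ldapmodify` LDIF that applies the same fix. The group names, base DN and GID values are made-up assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from FreeIPA.
# Assumed values: the base DN, the group names and the GID below are made up.
BASE_DN="dc=example,dc=com"
NEXT_GID=1234500011

# Constructed sample of two FreeIPA group entries: "admins-db" was created
# non-POSIX (no posixgroup objectClass, no gidNumber), "ops" is POSIX.
SAMPLE_LDIF='dn: cn=admins-db,cn=groups,cn=accounts,dc=example,dc=com
cn: admins-db
objectClass: ipausergroup
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipaobject
objectClass: top
member: uid=brian,cn=users,cn=accounts,dc=example,dc=com

dn: cn=ops,cn=groups,cn=accounts,dc=example,dc=com
cn: ops
objectClass: ipausergroup
objectClass: posixgroup
objectClass: groupofnames
objectClass: top
gidNumber: 1234500010
'

# Read LDIF on stdin (one blank-line-separated paragraph per entry) and print
# the cn of every entry that is not a usable POSIX group, i.e. is missing
# either "objectClass: posixgroup" or "gidNumber". Attribute names are
# matched case-insensitively, as LDAP itself does.
nonposix_groups() {
    awk '
    BEGIN { RS = ""; FS = "\n" }
    {
        cn = ""; posix = 0; gid = 0
        for (i = 1; i <= NF; i++) {
            line = tolower($i)
            if ($i ~ /^cn: /)                  cn = substr($i, 5)
            if (line == "objectclass: posixgroup") posix = 1
            if (line ~ /^gidnumber: /)          gid = 1
        }
        if (cn != "" && !(posix && gid)) print cn
    }'
}

# Print the ldapmodify LDIF that converts one group to POSIX: add the
# objectClass and a gidNumber, which is what fixed the sudo rules in the post.
# Usage: fix_ldif GROUP GID BASE_DN
fix_ldif() {
    printf 'dn: cn=%s,cn=groups,cn=accounts,%s\n' "$1" "$3"
    printf 'changetype: modify\n'
    printf 'add: objectClass\n'
    printf 'objectClass: posixgroup\n'
    printf -- '-\n'
    printf 'add: gidNumber\n'
    printf 'gidNumber: %s\n\n' "$2"
}

# Demo on the constructed sample: list the offending groups, then show the
# LDIF that would repair each of them.
echo "Groups sudo/sssd cannot resolve (no posixgroup/gidNumber):"
printf '%s\n' "$SAMPLE_LDIF" | nonposix_groups
echo
echo "ldapmodify input to convert them:"
printf '%s\n' "$SAMPLE_LDIF" | nonposix_groups | while read -r g; do
    fix_ldif "$g" "$NEXT_GID" "$BASE_DN"
done
```

Pipe real `ldapsearch` output into `nonposix_groups` to audit every group your sudo rules reference; before feeding the generated LDIF to `ldapmodify`, pick a gidNumber from your IPA ID range that is not already in use, since the script does not check for collisions. FreeIPA's own CLI performs the same conversion with `ipa group-mod GROUP --posix`, which allocates the GID for you.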
