Public bug reported:

When upgrading the sudo package in xenial from version 1.8.16-0ubuntu1 to 1.8.16-0ubuntu1.3, our FreeIPA-based sudo rules suddenly stopped working.

We have set up a group in FreeIPA called ldap_nopass, and configured hbac rules to allow users in this group to run sudo (without password / nopasswd). This has been working fine up until now, when we upgraded the sudo package.

Downgrading to 1.8.16-0ubuntu1 resolves the issue. It also works with 1.8.16-0ubuntu1.3 if we set use_fully_qualified_names = False in /etc/sssd/sssd.conf, but this is not an option for us.

This led me to believe this issue is related to upstream bug:
https://bugzilla.sudo.ws/show_bug.cgi?id=757

And most likely is caused by the patchset from 1.3:
https://launchpad.net/ubuntu/+source/sudo/1.8.16-0ubuntu1.3

Unfortunately, the 1.8.16-0ubuntu1.2 binaries seem to be deleted from mirrors, so I cannot try this version.

I've included the auth.log file showing the difference using sudo 1.8.16-0ubuntu1 vs 1.8.16-0ubuntu1.3. The real username and domain have been redacted to user.name and example.com.

Please let me know if any additional information is required.

** Affects: sudo (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "auth.log"
   https://bugs.launchpad.net/bugs/1682104/+attachment/4860638/+files/auth.log

https://bugs.launchpad.net/bugs/1682104

Title:
  sudo rules based on group membership from freeipa does not work