Why does sudo not work with IdM if default_domain_suffix is set in Red Hat (IPA) Identity Management?
Issue
- Client is part of IdM domain that has a trust to Active Directory.
- Sudo rule is set up for a user group that contains an external user group which contains users from AD.
- On the host, SSSD is configured with default_domain_suffix set to the AD domain.
[testuser@ad.example.com@ipaclient ~]$ sudo -l
[sudo] password for testuser@ad.example.com:
Sorry, user testuser@ad.example.com may not run sudo on ipaclient.
- With the default_domain_suffix option removed, sudo works as expected.
Environment
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 6