When host groups are used with sudo rules in IPA, updates are not picked up by SSSD until SSSD is restarted and the SSSD cache is cleared on the client. Note that user groups update immediately, as do host groups in HBAC rules.
This poses a potential security risk: if you remove hosts from the host group, SSSD on the clients still allows them to run the sudo commands.
- Red Hat Enterprise Linux
- SSSD 1.8.0-32.el6.x86_64