Why does sudo not work with IdM if default_domain_suffix is set in Red Hat (IPA) Identity Management

Solution Verified - Updated -

Issue

  • The client is part of an IdM domain that has a trust to Active Directory.
  • A sudo rule is set up for a user group that contains an external user group, which in turn contains users from AD.
  • On the host, SSSD is configured with default_domain_suffix set to the AD domain.
[testuser@ad.example.com@ipaclient ~]$ sudo -l
[sudo] password for testuser@ad.example.com:
Sorry, user testuser@ad.example.com may not run sudo on ipaclient.

  • With the default_domain_suffix option removed, sudo works as expected

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 6
