After upgrading from RHEL 6.7 to RHEL 6.8, SSSD fails to apply sudo rules to all members of the member groups

Solution Verified

Environment

  • Red Hat Enterprise Linux 6.8
  • sssd-1.13.3-22.el6_8.4.x86_64

Issue

After upgrading from RHEL 6.7 to RHEL 6.8, SSSD fails to apply sudo rules to all members of the member groups.
All RHEL 6.7 clients are working as expected.

However, sudo rules are applied as expected when the users are added to a POSIX group and that POSIX group is referenced in the sudo rule.

Resolution

There have been design changes in sssd-1.13.3-22.el6_8.4.x86_64 which cause this behaviour. Refer to the Root Cause section for details on the design change.

Red Hat recommends configuring the groups referenced in sudo rules as POSIX groups.

However, if you plan to use non-POSIX groups within sudo rules, the following workaround can be used:

Workaround:

   [domain/EXAMPLE]
   ...
   # Point sudo rule lookups back at the compat tree used before 6.8;
   # replace dc=example,dc=com with the base DN of your own IdM domain.
   ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
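A small audit helper for the workaround above, added here as an example and not part of the Red Hat solution: it parses an sssd.conf (the sample below is constructed, with an EXAMPLE domain that already carries the workaround and a SECOND domain that does not), reports which configured domains lack ldap_sudo_search_base, and can write the setting into a domain section. The domain names, base DNs and provider settings in the sample are assumptions for illustration only.

```python
"""Audit sssd.conf for the ldap_sudo_search_base workaround."""
import configparser
import io

# Constructed sample sssd.conf (not taken from any real host).
# [domain/EXAMPLE] mirrors the workaround in the article; [domain/SECOND]
# lacks it, so sudo rules naming non-POSIX groups would not apply there.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, sudo
domains = EXAMPLE, SECOND

[domain/EXAMPLE]
id_provider = ipa
ipa_domain = example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com

[domain/SECOND]
id_provider = ipa
ipa_domain = second.example
"""


def parse_sssd_conf(text):
    """sssd.conf is INI-style; disable interpolation so '%' in values is safe."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def configured_domains(cp):
    """Return the domains listed in [sssd] domains = ..., in order."""
    raw = cp.get("sssd", "domains", fallback="")
    return [d.strip() for d in raw.split(",") if d.strip()]


def sudo_search_base(cp, domain):
    """Return ldap_sudo_search_base for a domain, or None if unset."""
    return cp.get("domain/%s" % domain, "ldap_sudo_search_base", fallback=None)


def domains_missing_workaround(text):
    """List configured domains that still rely on the default sudo search base."""
    cp = parse_sssd_conf(text)
    return [d for d in configured_domains(cp) if sudo_search_base(cp, d) is None]


def apply_workaround(text, domain, base):
    """Return the conf text with ldap_sudo_search_base set in [domain/<domain>]."""
    cp = parse_sssd_conf(text)
    section = "domain/%s" % domain
    if not cp.has_section(section):
        raise KeyError("no [%s] section in sssd.conf" % section)
    cp.set(section, "ldap_sudo_search_base", base)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    missing = domains_missing_workaround(SAMPLE_SSSD_CONF)
    print("domains without ldap_sudo_search_base:", missing)
    for d in missing:
        # Base DN below is a constructed placeholder for the SECOND domain.
        fixed = apply_workaround(SAMPLE_SSSD_CONF, d, "ou=sudoers,dc=second,dc=example")
        print(fixed)
```

When applying the rewritten file to a real host, keep /etc/sssd/sssd.conf owned by root with mode 0600 (SSSD refuses to start otherwise), restart the sssd service, and invalidate the cache with `sss_cache -E` before re-checking with `sudo -l` as an affected user.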

Root Cause

In Red Hat Enterprise Linux versions prior to 6.8, the System Security Services Daemon's (SSSD) slapi-nis plug-in stored the members of non-POSIX groups in the sudoUser attributes of the Identity Management (IdM) compat tree, even though only POSIX groups have direct members. As a consequence, the administrator was able to assign sudo rules to non-POSIX groups. This behavior has been removed, and SSSD now uses the IdM LDAP tree by default.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
