Active Directory stored sudo rule is not available to group members
Issue
Active Directory stored sudo rule is not available to group members
- SSSD joins AD directly
- The Active Directory schema for sudo configuration (sudoers) has been applied
- sudo is configured to pull rules from the AD server
- User bob is a member of sudoGroup in AD
- The following sudo rule is defined in AD:

    # sudo rule
    dn: cn=%sudoGroup,ou=sudoers,dc=example,dc=com
    objectClass: top
    objectClass: sudoRole
    cn: %sudoGroup
    sudoUser: %sudoGroup
    sudoHost: ALL
    sudoCommand: ALL
  This is equivalent to the following rule in sudoers (the entry carries no sudoRunAsUser attribute, so sudo applies runas_default, which is why sudo -l below reports the runas user as root rather than ALL):

    %sudoGroup ALL=(root) ALL
- The rule is not listed until id bob is executed:

    # sudo -l -U bob
    User bob is not allowed to run sudo on host1.
    # id bob
    uid=225401104(bob) gid=225400513(domain users) groups=225400513(domain users),225401105(sudogroup)
    # sudo -l -U bob
    Matching Defaults entries for bob on host1:
        !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
        env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
        env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
        env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
        env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
        env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
        secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

    User bob may run the following commands on host1:
        (root) ALL
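As an added example (not Red Hat's code and not part of the original article), the following Python script reads sudoRole entries exported as LDIF, renders each as the equivalent sudoers line, and matches the rules against a user name plus the group list that name resolves to. The first LDIF entry is the rule shown above; the second entry, the names alice, backupadmins, backup and host2, the rsync commands and the OPTION_TAGS mapping are assumptions constructed to exercise sudoRunAsUser, negated commands, folded LDIF lines and sudoOption handling. The group comparison is case-insensitive because the id output above reports the AD group as sudogroup while the rule names %sudoGroup. Matching bob with an empty group list yields no rule, and matching him with the groups from the id output yields the rule, which mirrors the two sudo -l results above.

```python
"""Translate sudoRole LDIF entries into sudoers syntax and match them against
a user's resolved groups.  Added example for this article; not Red Hat's or
the sudo project's code.  SAMPLE_LDIF is constructed: entry 1 is the article's
rule, entry 2 is an assumed rule added to exercise runas/options/negation."""
from typing import Dict, List

Entry = Dict[str, List[str]]

SAMPLE_LDIF = """\
# sudo rule
dn: cn=%sudoGroup,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: %sudoGroup
sudoUser: %sudoGroup
sudoHost: ALL
sudoCommand: ALL

dn: cn=backup_ops,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: backup_ops
sudoUser: alice
sudoUser: %backupadmins
sudoHost: host1
sudoHost: host2
sudoRunAsUser: backup
sudoCommand: /usr/bin/rsync
sudoCommand: !/usr/bin/rsync
  --delete
sudoOption: !authenticate
"""

# sudoOption values that have a direct per-rule tag spelling in sudoers (assumed subset).
OPTION_TAGS = {
    "!authenticate": "NOPASSWD:",
    "authenticate": "PASSWD:",
    "setenv": "SETENV:",
    "!setenv": "NOSETENV:",
}


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: 'attr: value' lines, '#' comments, a line starting
    with a space continues the previous value, a blank line ends an entry.
    Only entries carrying objectClass sudoRole are returned."""
    entries: List[Entry] = []
    entry: Entry = {}
    last_attr = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr:          # folded continuation line
            entry[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():                            # entry separator
            if entry:
                entries.append(entry)
            entry, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip(), value.strip()
        entry.setdefault(attr, []).append(value)
        last_attr = attr
    if entry:
        entries.append(entry)
    return [e for e in entries if "sudoRole" in e.get("objectClass", [])]


def to_sudoers(entry: Entry) -> str:
    """Render one sudoRole as a sudoers line.  With no sudoRunAsUser, sudo
    applies runas_default (root), matching the '(root) ALL' in the article."""
    for required in ("sudoUser", "sudoHost", "sudoCommand"):
        if required not in entry:
            raise ValueError(f"{entry.get('cn', ['?'])[0]}: missing {required}")
    users = ", ".join(entry["sudoUser"])
    hosts = ", ".join(entry["sudoHost"])
    runas = ", ".join(entry.get("sudoRunAsUser", ["root"]))
    if "sudoRunAsGroup" in entry:
        runas += " : " + ", ".join(entry["sudoRunAsGroup"])
    options = entry.get("sudoOption", [])
    tags = "".join(OPTION_TAGS[o] + " " for o in options if o in OPTION_TAGS)
    unmapped = [o for o in options if o not in OPTION_TAGS]
    line = f"{users} {hosts}=({runas}) {tags}{', '.join(entry['sudoCommand'])}"
    if unmapped:  # options without a tag form are kept visible as a comment
        line += "   # sudoOption without tag form: " + ", ".join(unmapped)
    return line


def matches_user(entry: Entry, user: str, groups: List[str]) -> bool:
    """True when the rule's sudoUser list covers this user.  A %group entry
    matches only if that group is present in the caller-supplied group list,
    compared case-insensitively (SSSD reported 'sudogroup' for %sudoGroup)."""
    lowered = {g.lower() for g in groups}
    for spec in entry.get("sudoUser", []):
        if spec == "ALL":
            return True
        if spec.startswith("%"):
            if spec[1:].lower() in lowered:
                return True
        elif spec.startswith(("+", "#")):
            continue  # netgroups and numeric uids are not modelled here
        elif spec == user:
            return True
    return False


def rules_for(user: str, groups: List[str], ldif: str = SAMPLE_LDIF) -> List[str]:
    """sudoers lines that apply to `user` given the groups resolved for them."""
    return [to_sudoers(e) for e in parse_ldif(ldif) if matches_user(e, user, groups)]


if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        print(to_sudoers(e))
    # Same user before and after group membership is known (cf. 'id bob' above).
    print(rules_for("bob", []))
    print(rules_for("bob", ["domain users", "sudogroup"]))
```

To audit a real directory, replace SAMPLE_LDIF with the output of an ldapsearch for (objectClass=sudoRole) under the sudoers container and feed the group list printed by id for the account in question; a rule that translates correctly but never matches is a sign that group resolution, not the rule itself, is the thing to check.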
Environment
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- System Security Services Daemon (SSSD)
- sudo