sudo access fails for domain user while using FQDN names in sudoers file after sudo is updated to sudo-1.9.5p2-1.el8_9.x86_64
Environment
- Red Hat Enterprise Linux 8.9
- sudo-1.9.5p2-1.el8_9.x86_64
Issue
- After updating sudo to sudo-1.9.5p2-1.el8_9.x86_64 on RHEL 8.9, sudo access fails for AD users and groups that are listed in /etc/sudoers with their fully qualified name (%domain\group or %group@domain).
- Example entry in the sudoers file:
%test_group@example.com ALL=(root) NOPASSWD: ALL
# sudo -ll -U testuser
User testuser is not allowed to run sudo on server01.
Resolution
- There are two workarounds for this situation; either one resolves it.
- First workaround: use the short group name in /etc/sudoers, leaving the rest of the rule unchanged:
%test_group ALL=(root) NOPASSWD: ALL
- Second workaround: add the following line to /etc/sudoers (edit with visudo) so that sudo matches groups by GID instead of by name:
Defaults match_group_by_gid
With use_fully_qualified_names = False, SSSD returns the short name (test_group) as the group's canonical name, so sudo's default name comparison against %test_group@example.com never matches. match_group_by_gid instead resolves the sudoers group to its GID (1065689 in the example) and compares GIDs, which works as long as the fully qualified name still resolves through getent.
Diagnostic Steps
- On RHEL 8.9, update the sudo package to sudo-1.9.5p2-1.el8_9.x86_64.
- In /etc/sssd/sssd.conf set use_fully_qualified_names = False.
- In /etc/sudoers, add the AD group with its fully qualified name (%domain\group or %group@domain):
%test_group@example.com ALL=(root) NOPASSWD: ALL
- getent output for the domain group (the lookup by fully qualified name succeeds, but the name returned is the short one):
# getent group test_group@example.com
test_group:*:1065689:testuser,testuser1
- Now try to fetch the sudo rules for the user:
# sudo -ll -U testuser
User testuser is not allowed to run sudo on server01.
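The following shell script is an added example, not part of the original solution and not sudo's own code. It models the two group-matching strategies behind the Resolution and the Diagnostic Steps above: sudo's default comparison of the sudoers %group spec against the user's group names, and the GID comparison enabled by Defaults match_group_by_gid. The functions nss_group and user_groups are constructed stand-ins for `getent group` and `id -Gn` on the affected host (use_fully_qualified_names = False), populated with the data shown on this page; no real NSS lookups are made.

```shell
#!/bin/sh
# Added example: a model of sudo's group matching built from the page's data.
# Not sudo's code; nss_group and user_groups are constructed stand-ins.

# Stand-in for `getent group NAME`: both the short name and the fully
# qualified alias resolve, but the canonical name returned is the short one.
nss_group() {
    case "$1" in
        test_group|test_group@example.com)
            printf '%s\n' 'test_group:*:1065689:testuser,testuser1' ;;
        *)
            return 2 ;;
    esac
}

# Stand-in for `id -Gn USER`: group names SSSD reports for the user.
user_groups() {
    case "$1" in
        testuser|testuser1) printf '%s\n' 'test_group' ;;
        *) return 1 ;;
    esac
}

# Third field (GID) of the group entry, or empty if the name does not resolve.
gid_of() {
    nss_group "$1" | { IFS=: read -r _name _pw gid _members || :; printf '%s\n' "$gid"; }
}

# Default behaviour: the %group spec from sudoers must be string-equal to one
# of the user's group names. Returns 0 on match, 1 otherwise.
match_by_name() {
    spec="${1#"%"}"; user="$2"
    for g in $(user_groups "$user"); do
        [ "$g" = "$spec" ] && return 0
    done
    return 1
}

# With `Defaults match_group_by_gid`: resolve the sudoers group spec to a GID
# and compare GIDs, so the spelling of the name no longer matters.
match_by_gid() {
    spec="${1#"%"}"; user="$2"
    want=$(gid_of "$spec")
    [ -n "$want" ] || return 1
    for g in $(user_groups "$user"); do
        [ "$(gid_of "$g")" = "$want" ] && return 0
    done
    return 1
}

# Report how each sudoers spelling fares under each strategy for testuser.
report() {
    for spec in '%test_group@example.com' '%test_group'; do
        if match_by_name "$spec" testuser; then r1=match; else r1=no-match; fi
        if match_by_gid "$spec" testuser; then r2=match; else r2=no-match; fi
        printf '%-26s by-name: %-9s by-gid: %s\n' "$spec" "$r1" "$r2"
    done
}

report
```

Run as-is to see that %test_group@example.com matches only under the GID strategy while %test_group matches under both, which is exactly the difference between the two workarounds. On a real host, replace nss_group and user_groups with `getent group` and `id -Gn` to check an actual sudoers entry.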
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.