[sudo-users] sudo change is behavior between RHEL6.5 and RHEL 6.6

Todd C. Miller Todd.Miller at courtesan.com
Thu May 26 13:53:24 MDT 2016


On Thu, 26 May 2016 19:06:51 -0000, "SERIEYE, Yan" wrote:

> I'd like to refactor my implementation to be "official sudo" compatible.
> 
> That's why I wanted to know what my options are:
> - transforming my users group into a users netgroup
> - keeping my non-unix users group and finding a way to make it work (maybe with
> group_plugin, but I don't clearly understand how it works)?
> - another idea?

It should be possible to use your non-unix groups, how are they
managed?  Do they show up when you run the "id" command?

In /etc/sudo.conf, try adding the following line:

Debug sudo /var/log/sudo.debug sssd@debug,nss@debug,plugin@debug

That will log a lot of sssd-specific info as well as the info sent
from the sudo front end to the sudoers plugin.  You should see
a line similar to:

May 17 07:40:39 sudo[36259] user_info: groups=20,0,5,9,13,62,67,97,117,544,662,1002,1004

which lists the group IDs sudo thinks the invoking user belongs to.

Sudo 1.8.7 and higher has a setting to control how the group list
is determined which may help.  The sudo.conf setting:

Set group_source dynamic

will cause sudo to determine the user's groups itself instead of
just using the group list from the kernel.  You should be able to
use the RedHat 6 packages for sudo 1.8.16 from
https://www.sudo.ws/download.html#binary if you want to try this
out.

 - todd
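
A way to carry out the comparison suggested in the message above, as an added example that is not part of the original post: it pulls the "user_info: groups=" list out of the sudo debug log and diffs it against the output of "id -G" for the same user. The sample log lines, the "id -G" string, GID 5001 and the function names are constructed for illustration.

```python
import re

# Constructed sample of /var/log/sudo.debug; the first line uses the format
# quoted in the message, the second is a made-up invocation by another process.
SAMPLE_LOG = """\
May 17 07:40:39 sudo[36259] user_info: groups=20,0,5,9,13,62,67,97,117,544,662,1002,1004
May 17 07:41:02 sudo[36301] user_info: groups=20,0,5
"""

# Constructed `id -G` output for the same user; 5001 stands in for a
# directory-managed (non-unix) group that sudo did not receive.
SAMPLE_ID_OUTPUT = "20 0 5 9 13 62 67 97 117 544 662 1002 1004 5001"

GROUPS_RE = re.compile(r"sudo\[(\d+)\]\s+user_info: groups=([\d,]+)")


def sudo_group_lists(log_text):
    """Return {sudo pid: set of GIDs} for every user_info groups= line."""
    result = {}
    for line in log_text.splitlines():
        match = GROUPS_RE.search(line)
        if match:
            gids = {int(g) for g in match.group(2).split(",") if g}
            result[int(match.group(1))] = gids
    return result


def compare_groups(sudo_gids, id_output):
    """Diff sudo's group list against space-separated `id -G` output."""
    expected = {int(g) for g in id_output.split()}
    return {
        "missing_from_sudo": sorted(expected - sudo_gids),
        "only_in_sudo": sorted(sudo_gids - expected),
    }


if __name__ == "__main__":
    per_pid = sudo_group_lists(SAMPLE_LOG)
    for pid, gids in sorted(per_pid.items()):
        diff = compare_groups(gids, SAMPLE_ID_OUTPUT)
        print(f"sudo[{pid}]: missing={diff['missing_from_sudo']} "
              f"extra={diff['only_in_sudo']}")
```

A non-empty "missing" list for the invocation in question means sudo never saw those groups, which is the case the group_source setting is meant to address.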

