[sudo-users] Sudo + sssd + active directory + netgroup (nisNetgroupTriple) different behavior in different sudo versions

Jan Rendos jan.rendos at qnective.com
Thu Nov 10 08:40:22 MST 2016


It might be the same bug, but when I edit the SUDOrole object and add !fqdn to sudoOption, it has no effect. It still tries to compare the FQDN with the nisNetgroupTriple.


And what about the other issue, that sudo tries to compare the user in the triple as well? I think it should match when the user part of the triple is empty, since the user matches the SUDOrole already.


Thanks,


Jan

________________________________
From: Todd C. Miller <Todd.Miller at courtesan.com>
Sent: 10 November 2016 14:52
To: Jan Rendos
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] Sudo + sssd + active directory + netgroup (nisNetgroupTriple) different behavior in different sudo versions

That sounds like this bug: https://bugzilla.sudo.ws/show_bug.cgi?id=757
It was fixed in sudo 1.8.18 but Ubuntu 16.06 ships with sudo 1.8.16.

As a workaround you can disable the fqdn option.  For example:

dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: !fqdn
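
Added example, not part of either message and not sudo or SSSD code: a small Python model of standard netgroup triple matching (an empty field is a wildcard, "-" matches nothing), used to check whether a set of nisNetgroupTriple values matches a host's short name or its FQDN. The sample triples, host names and user name are constructed, and all function names are hypothetical.

```python
import re

_TRIPLE = re.compile(r"^\(([^,()]*),([^,()]*),([^,()]*)\)$")

def parse_triple(value):
    """Split '(host,user,domain)' into a 3-tuple; empty fields become None."""
    m = _TRIPLE.match(value.strip())
    if m is None:
        raise ValueError(f"not a netgroup triple: {value!r}")
    return tuple(part.strip() or None for part in m.groups())

def _field_ok(field, candidate, fold_case):
    if candidate is None:   # caller does not want this field checked
        return True
    if field is None:       # empty field in the triple: wildcard
        return True
    if field == "-":        # "-" means "no valid value": never matches
        return False
    if fold_case:
        return field.lower() == candidate.lower()
    return field == candidate

def in_netgroup(triples, host=None, user=None, domain=None):
    """innetgr-style test over a list of triple strings."""
    for host_f, user_f, dom_f in map(parse_triple, triples):
        if (_field_ok(host_f, host, True)
                and _field_ok(user_f, user, False)
                and _field_ok(dom_f, domain, True)):
            return True
    return False

def matching_host_forms(triples, fqdn, user=None):
    """Return which spelling of the host name ('fqdn', 'short') matches."""
    forms = {"fqdn": fqdn, "short": fqdn.split(".", 1)[0]}
    return [name for name, host in forms.items()
            if in_netgroup(triples, host=host, user=user)]

# Constructed sample values, as they might appear in nisNetgroupTriple.
SAMPLE = ["(web01,,)", "(db01.example.com,-,example.com)"]

if __name__ == "__main__":
    # Short names stored in the netgroup: only the short form matches.
    print(matching_host_forms(SAMPLE, "web01.example.com", "alice"))
    # "-" in the user field blocks every user, even though the host matches.
    print(matching_host_forms(SAMPLE, "db01.example.com", "alice"))
```

An empty result for the form of the host name that is being compared means the host part of the triples is stored in the other form.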

