[sudo-workers] Problem with matching group names with domain in sudoers

Todd C. Miller Todd.Miller at courtesan.com
Mon Apr 3 09:18:18 MDT 2017

On Fri, 31 Mar 2017 06:43:45 -0400, Tomas Sykora wrote:

> The group is defined on an ipa server, it should be found through sssd.
> So how should I define this rule in sudoers, if I want it to match the 
> ipa server group and allow user to run sudo? I thought that %group at domain 
> is the right definition.

The problem is that sudo doesn't know what is an ipa group and what
is a local group.  It just uses the standard group lookup functions.

I suppose sudo could have an option to determine the IPA domain(s)
by parsing /etc/sssd/sssd.conf but it still doesn't have a way of
looking up a group by domain.  If you want this to be supported,
the proper way is to have a sudoers group plugin that talks to sssd

 - todd

More information about the sudo-workers mailing list