[sudo-workers] Problem with matching group names with domain in sudoers
Todd C. Miller
Todd.Miller at courtesan.com
Mon Apr 3 09:18:18 MDT 2017
On Fri, 31 Mar 2017 06:43:45 -0400, Tomas Sykora wrote:
> The group is defined on an ipa server, it should be found through sssd.
> So how should I define this rule in sudoers, if I want it to match the
> ipa server group and allow user to run sudo? I thought that %group@domain
> is the right definition.
The problem is that sudo doesn't know what is an ipa group and what
is a local group. It just uses the standard group lookup functions.
I suppose sudo could have an option to determine the IPA domain(s)
by parsing /etc/sssd/sssd.conf but it still doesn't have a way of
looking up a group by domain. If you want this to be supported,
the proper way is to have a sudoers group plugin that talks to sssd
directly.
- todd
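As an added illustration of the point made above (example code, not from the sudo project or from either poster): a sudoers `%group` entry is resolved by taking the literal name after `%` and handing it to the standard group lookup, so `%admins@ipa.example.com` matches only if the NSS layer (sssd here) reports a group with exactly that name. Whether the name comes back qualified with the domain is decided by the NSS source's own configuration, not by sudo. The group table below is constructed for the example; `user_in_group_nss` performs the same check against the live NSS database through the standard library and is the thing to run on the affected host alongside `getent group <name>` and `id -nG <user>`.

```python
import grp
import os
import pwd
from typing import Dict, List

# Constructed stand-in for what the group lookup functions return on a host.
# The names are whatever NSS (here: sssd) presents; sudo never parses them.
FAKE_NSS_GROUPS: Dict[str, List[str]] = {
    "wheel": ["alice"],
    "admins@ipa.example.com": ["bob"],  # sssd returning a fully qualified name
    "admins": ["carol"],                # the unqualified form, a different string
}


def user_in_group(user: str, group: str, groups: Dict[str, List[str]]) -> bool:
    """Literal-name lookup followed by a membership test, as sudo does it."""
    members = groups.get(group)
    if members is None:          # getgrnam() would fail: the rule cannot match
        return False
    return user in members


def sudoers_group_matches(spec: str, user: str,
                          groups: Dict[str, List[str]] = FAKE_NSS_GROUPS) -> bool:
    """Does a sudoers User_List element such as '%wheel' match this user?

    Only plain '%group' specs are handled. '%#gid' (numeric gid),
    '%:group' (non-Unix group via a group plugin) and '+netgroup' are
    deliberately out of scope for this example.
    """
    if not spec.startswith("%") or spec.startswith(("%:", "%#")):
        raise ValueError(f"unsupported spec for this example: {spec!r}")
    name = spec[1:]  # everything after '%' is taken verbatim; '@' is not special
    return user_in_group(user, name, groups)


def user_in_group_nss(user: str, group: str) -> bool:
    """Same check against the real NSS database (getgrnam/getpwnam/getgrouplist)."""
    try:
        gr = grp.getgrnam(group)
        pw = pwd.getpwnam(user)
    except KeyError:             # unknown group or user: no match
        return False
    # getgrouplist() covers both the primary gid and supplementary groups.
    return gr.gr_gid in os.getgrouplist(pw.pw_name, pw.pw_gid)


if __name__ == "__main__":
    for spec, user in [("%wheel", "alice"),
                       ("%admins@ipa.example.com", "bob"),
                       ("%admins@ipa.example.com", "carol"),
                       ("%admins", "bob")]:
        print(f"{spec:28} {user:6} -> {sudoers_group_matches(spec, user)}")
```

If `%admins@ipa.example.com` fails to match on the real host, check what `getent group admins@ipa.example.com` and `id -nG <user>` print: if the name appears without the domain, write the rule as `%admins`; if neither form appears, sudo's standard lookup cannot see the group at all and no spelling of the rule will help.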