[sudo-workers] Problem with matching group names with domain in sudoers

Pavel Březina pbrezina at redhat.com
Tue Apr 4 02:49:53 MDT 2017


On 04/03/2017 05:18 PM, Todd C. Miller wrote:
> On Fri, 31 Mar 2017 06:43:45 -0400, Tomas Sykora wrote:
>
>> The group is defined on an ipa server, it should be found through sssd.
>> So how should I define this rule in sudoers, if I want it to match the
>> ipa server group and allow user to run sudo? I thought that %group@domain
>> is the right definition.
>
> The problem is that sudo doesn't know what is an ipa group and what
> is a local group.  It just uses the standard group lookup functions.
>
> I suppose sudo could have an option to determine the IPA domain(s)
> by parsing /etc/sssd/sssd.conf but it still doesn't have a way of
> looking up a group by domain.  If you want this to be supported,
> the proper way is to have a sudoers group plugin that talks to sssd
> directly.

SSSD also provides a D-Bus API that can be used to fetch groups or
domain names. Todd, I'm not sure how much you care about dependencies;
would this be something sudo can use?

SSSD 1.15.1 can also manage local users and groups; this *may* solve the
issue as well.
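Since sudo matches `%group` entries through the same standard group lookup that `getent` exposes, the quickest way to see whether a `%group@domain` rule can ever match on a host is to check that the name resolves there. This is an added check, not code from the thread or from the sudo or SSSD projects; the group names used are constructed placeholders.

```shell
#!/bin/sh
# Added example: verify that a group token as written in sudoers (for
# instance "%admins@ipa.example.invalid", a constructed placeholder)
# resolves through the NSS group lookup that sudo relies on.

# Return 0 if the group name resolves via getent, 1 otherwise.
# A leading sudoers '%' is stripped so the sudoers token can be pasted as-is.
group_resolves() {
    name="${1#%}"
    getent group "$name" >/dev/null 2>&1
}

# Print how sudo will see the token on this host and return the same status.
check_sudoers_group() {
    if group_resolves "$1"; then
        echo "resolves: $(getent group "${1#%}")"
        return 0
    else
        echo "does NOT resolve: $1 (a %group rule with this name cannot match)"
        return 1
    fi
}

# Check the token given on the command line, defaulting to the local root group.
check_sudoers_group "${1:-%root}"
```

Run it against each `%group@domain` token from sudoers; a name that does not resolve here is one that sudo, using the same lookup, will silently never match.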
