[sudo-workers] Problem with matching group names with domain in sudoers

Tomas Sykora tosykora at redhat.com
Fri Mar 31 04:43:45 MDT 2017

The group is defined on an ipa server, it should be found through sssd.
So how should I define this rule in sudoers, if I want it to match the 
ipa server group and allow user to run sudo? I thought that %group at domain 
is the right definition.

----- Original Message -----
From: "Todd C. Miller" <Todd.Miller at courtesan.com>
To: "Tomas Sykora" <tosykora at redhat.com>
Cc: sudo-workers at sudo.ws
Sent: Friday, March 31, 2017 12:54:30 AM
Subject: Re: [sudo-workers] Problem with matching group names with domain in sudoers

On Thu, 30 Mar 2017 10:42:03 -0400, Tomas Sykora wrote:

> When there is a rule containing a group with a domain in sudoers, e.g.
> %test_group at domain ALL=(ALL) NOPASSWD:ALL
> sudo tries to match strcasecmp("test_group", test_group at domain) in user_in_gr
> oup (pwutil.c),

That's what I would expect it to do.  Unix groups don't really have
the concept of a domain so the @domain is treated literally.  Sudo
AD groups (with a domain) but only with a group provider plugin.

Or is this group part of an NIS domain?

 - todd


Tomas Sykora
Security Technologies, 
Red Hat Inc.

More information about the sudo-workers mailing list