[sudo-workers] Problem with matching group names with domain in sudoers
Tomas Sykora
tosykora at redhat.com
Fri Mar 31 04:43:45 MDT 2017
The group is defined on an ipa server, it should be found through sssd.
So how should I define this rule in sudoers, if I want it to match the
ipa server group and allow user to run sudo? I thought that %group@domain
is the right definition.
----- Original Message -----
From: "Todd C. Miller" <Todd.Miller at courtesan.com>
To: "Tomas Sykora" <tosykora at redhat.com>
Cc: sudo-workers at sudo.ws
Sent: Friday, March 31, 2017 12:54:30 AM
Subject: Re: [sudo-workers] Problem with matching group names with domain in sudoers
On Thu, 30 Mar 2017 10:42:03 -0400, Tomas Sykora wrote:
> When there is a rule containing a group with a domain in sudoers, e.g.
>
> %test_group@domain ALL=(ALL) NOPASSWD:ALL
>
> sudo tries to match strcasecmp("test_group", test_group@domain) in
> user_in_group (pwutil.c),
That's what I would expect it to do. Unix groups don't really have
the concept of a domain so the @domain is treated literally. Sudo
AD groups (with a domain) but only with a group provider plugin.
Or is this group part of an NIS domain?
- todd
--
Tomas Sykora
Security Technologies,
Red Hat Inc.