Bug 1550192

Summary: Document known issue with: IDM, AD Trust, RHEL6 client, sudo and default_domain_suffix
Product: Red Hat Enterprise Linux 6
Reporter: Andrea Perotti <aperotti>
Component: doc-Identity_Management_Guide
Assignee: Filip Hanzelka <fhanzelk>
Status: CLOSED CURRENTRELEASE
QA Contact: ipa-qe <ipa-qe>
Severity: high
Docs Contact: Filip Hanzelka <fhanzelk>
Priority: high
Version: 6.9
CC: apetrova, jhrozek, rhel-docs, tscherf
Target Milestone: pre-dev-freeze
Keywords: Documentation
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Known Issue
Doc Text:
AD users cannot use sudo on IdM hosts if "default_domain_suffix" is set

In a trust between Identity Management (IdM) and Active Directory (AD), AD users cannot run *sudo* commands on IdM hosts if the "default_domain_suffix" parameter in the `/etc/sssd/sssd.conf` file is set to the AD domain. To work around the problem, remove the "default_domain_suffix" parameter from the `/etc/sssd/sssd.conf` file. As a result, *sudo* policies work as expected both for AD and IdM users. Note that after you remove the "default_domain_suffix" parameter, AD users must use `user_name@domain_name` instead of the short version of their user name to log in.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-11-22 18:28:01 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Andrea Perotti 2018-02-28 18:23:32 UTC
Document URL: 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/trust-during#trust-issues
Section Number and Name: 
5.2.3.1. Potential Behavior Issues with Active Directory Trust

Describe the issue: 
Among the various issues/limitations when a trust is established with AD, there's no wording about the fact that sudo for AD users will not work on RHEL 6 if default_domain_suffix is set.

The issue is tracked down in this solution, but since it has been decided that a fix will not be implemented, it is important to state it clearly in the official documentation:
https://access.redhat.com/solutions/2154701

Suggestions for improvement: 
Include the content of the article into a sub-chapter in this section

Additional information: 
A later discovery of that limitation can cause a lot of problems for customers, who will not be able to have a consistent experience in heterogeneous envs with RHEL 6/7.

Comment 3 Aneta Šteflová Petrová 2018-03-01 06:55:14 UTC
Thanks for the report, Andrea.

From your comment and the solution you linked to, it seems this should be filed against the RHEL 6 book, so I'm changing the product version and the component.
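
A check for the condition described in the Doc Text above, as an added example that is not part of this bug report or of Red Hat's documentation: it reports whether "default_domain_suffix" is set in the `[sssd]` section of a configuration file and prints a copy with only that parameter removed. The function names, the temporary file and the sample domain names are constructed for illustration; the script never edits the file it is given.

```shell
#!/bin/sh
# Added example: audit an sssd.conf-style file for default_domain_suffix.

# Print the value set in [sssd]; return 1 if the parameter is absent.
sssd_default_domain_suffix() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }   # trim the line
        /^$/ || /^[#;]/ { next }                        # blank or comment
        /^\[.*\]$/ { section = $0; next }               # section header
        section == "[sssd]" {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); sub(/[ \t]+$/, "", key)
            val = substr($0, eq + 1);    sub(/^[ \t]+/, "", val)
            if (key == "default_domain_suffix") { found = 1; value = val }
        }
        END { if (!found) exit 1; print value }
    ' "$1"
}

# Print the file with the parameter dropped from [sssd] only; rest unchanged.
sssd_without_default_domain_suffix() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^\[.*\][ \t\r]*$/ { sub(/[ \t\r]+$/, "", line); section = line }
        section == "[sssd]" && line ~ /^default_domain_suffix[ \t]*=/ { next }
        { print }
    ' "$1"
}

# Constructed sample configuration; the domain names are placeholders.
write_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
services = nss, pam, sudo
domains = idm.example.test
  default_domain_suffix = ad.example.test

[domain/idm.example.test]
id_provider = ipa
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
if suffix=$(sssd_default_domain_suffix "$conf"); then
    echo "default_domain_suffix is set to: $suffix"
fi
rm -f "$conf"
```

Review the output of `sssd_without_default_domain_suffix` before replacing a real configuration with it.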