Bug 1659457
Summary: | sssd-sudo does not resolve a group SID with the AD sudo provider | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Jakub Hrozek <jhrozek> |
Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
Status: | CLOSED WONTFIX | QA Contact: | sssd-qe <sssd-qe> |
Severity: | unspecified | Docs Contact: | Vendula Ferschmannova <vferschm> |
Priority: | unspecified | ||
Version: | 8.0 | CC: | dbula, grajaiya, igkioka, jhrozek, lslebodn, mzidek, pbrezina, sgoveas, thalman, tscherf, vferschm |
Target Milestone: | rc | ||
Target Release: | 8.0 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | sync-to-jira | ||
Fixed In Version: | | Doc Type: | Known Issue |
Doc Text: |
.Sudo rules might not work with `id_provider=ad` if sudo rules reference group names
System Security Services Daemon (SSSD) does not resolve Active Directory (AD) group names during the `initgroups` operation. To reduce communication with AD, SSSD reads the user's group membership from the `tokenGroups` attribute, which returns only the Security Identifiers (SIDs) of the groups, and caches each group with its SID but without a name until that group is requested by name or by ID. Therefore, sudo rules that reference an AD group by name do not match unless the group has been fully resolved before sudo is run.
To work around this problem, disable the optimization: open the `/etc/sssd/sssd.conf` file, add the `ldap_use_tokengroups = false` parameter to the `[domain/example.com]` section (using your own domain name), and restart the `sssd` service. With the optimization disabled, SSSD resolves group membership through regular LDAP lookups during `initgroups`, which is slower for users that are members of many groups.
|
Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2020-04-24 11:14:10 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1682305 | ||
Bug Blocks: |
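Before editing the file on a host, a practitioner usually wants to know which domains are still exposed. The following script is added here as an example and is not code from the Bugzilla entry or from SSSD: it parses an sssd.conf, reports every `[domain/...]` section with `id_provider = ad` that does not set `ldap_use_tokengroups = false`, and writes the workaround into those sections without disturbing comments. The sample configuration is constructed, and the function names and status strings are the example's own; the check relies on the option defaulting to true for the AD provider, which is what makes the workaround necessary.

```python
"""Audit sssd.conf for the AD tokengroups optimisation described in BZ 1659457.

Example code added for this page; it is not part of SSSD. The sample config,
status strings and function names are this example's own.
"""
import configparser
from typing import Dict, List

# Constructed sample, not a real site config: the first AD domain relies on the
# default tokengroups optimisation, the second carries the documented workaround.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, sudo
domains = example.com, corp.example.net

[domain/example.com]
id_provider = ad
sudo_provider = ad
# AD groups are cached by SID only until resolved, so sudo rules naming
# an AD group may not match (BZ 1659457)

[domain/corp.example.net]
id_provider = ad
sudo_provider = ad
ldap_use_tokengroups = false
"""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """sssd.conf is INI-style: [section] headers, key = value, '#'/';' comments.
    Interpolation is disabled because values may legitimately contain '%'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def sssd_bool(value: str) -> bool:
    """SSSD accepts true/false in any letter case."""
    return value.strip().lower() == "true"


def audit_tokengroups(text: str) -> Dict[str, str]:
    """Return {domain: status} for every [domain/...] section.

    Statuses: 'vulnerable' (id_provider = ad and the tokengroups optimisation
    is in effect, either explicitly or by the AD provider's default of true),
    'ok' (AD domain with ldap_use_tokengroups = false), or 'not-applicable'
    (other providers, which this known issue does not cover).
    """
    cp = parse_sssd_conf(text)
    findings: Dict[str, str] = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        domain = section[len("domain/"):]
        provider = cp.get(section, "id_provider", fallback="").strip().lower()
        if provider != "ad":
            findings[domain] = "not-applicable"
            continue
        raw = cp.get(section, "ldap_use_tokengroups", fallback=None)
        enabled = True if raw is None else sssd_bool(raw)  # AD default: true
        findings[domain] = "vulnerable" if enabled else "ok"
    return findings


def add_workaround(text: str) -> str:
    """Return the config with 'ldap_use_tokengroups = false' appended to every
    vulnerable AD domain section. Works on raw lines so comments and ordering
    survive (configparser.write() would discard comments). SSSD must be
    restarted afterwards for the change to take effect."""
    needs_fix = {f"domain/{d}" for d, s in audit_tokengroups(text).items()
                 if s == "vulnerable"}
    out: List[str] = []
    current = ""

    def close_section() -> None:
        if current in needs_fix:
            while out and out[-1].strip() == "":  # keep the key inside the section
                out.pop()
            out.append("ldap_use_tokengroups = false")
            out.append("")

    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            close_section()
            current = stripped[1:-1]
        out.append(line)
    close_section()
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for domain, status in audit_tokengroups(SAMPLE_SSSD_CONF).items():
        print(f"{domain}: {status}")
    print(add_workaround(SAMPLE_SSSD_CONF))
```

Run against the real file as root (`/etc/sssd/sssd.conf` is mode 0600), review the rewritten output before replacing the file, and restart `sssd` afterwards; a second run over the rewritten config reports every AD domain as `ok`.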
Description
Jakub Hrozek
2018-12-14 13:01:40 UTC
Upstream ticket: https://pagure.io/SSSD/sssd/issue/3457

Due to our limited capacity we are closing this BZ.