Hide Forgot
Description of problem: sudo with sssd doesn't work correctly with sudoOrder option. rule with the highest value in sudoOrder parameter should be used. dn: cn=rule_allow,ou=Sudoers,dc=my-domain,dc=com objectClass: top objectClass: sudoRole cn: rule_allow sudoHost: ALL sudoUser: userallowed sudoCommand: /usr/bin/true sudoOrder: 2 dn: cn=rule_deny,ou=Sudoers,dc=my-domain,dc=com objectClass: top objectClass: sudoRole cn: rule_deny sudoHost: ALL sudoUser: userallowed sudoCommand: !/usr/bin/true sudoCommand: ALL sudoOrder: 1 [test]su - userallowed -c 'sudo true'su: warning: cannot change directory to /home/userallowed: No such file or directory Sorry, user userallowed is not allowed to execute '/bin/true' as root on rhel7.example.com. Version-Release number of selected component (if applicable): sudo-1.8.6p7-11.el7 sssd-1.11.2-65.el7 How reproducible: always Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
I'm having the same problem, has anyone seen this before, sudoOrder is inverted for sssd which conflict with other non-RHEL server configured with sudo-ldap.
As a workaround we solve to change sudoers in nsswitch.conf file from sss to ldap and to configure the /etc/sudo-ldap.conf file and sudoOrder works as expected. The downside is that there is no offline cache, it requires maintenance of the sudo-ldap.conf file in case of changes and it expose the use of secret user/password for the sudo schema in the ldap server for anyone who has root access.
Pavel says the bug is in sssd. *** This bug has been marked as a duplicate of bug 1232950 ***