AD users cannot use sudo on IdM hosts if "default_domain_suffix" is set
In a trust between Identity Management (IdM) and Active Directory (AD), AD users cannot run *sudo* commands on IdM hosts if the "default_domain_suffix" parameter in the `/etc/sssd/sssd.conf` file is set to the AD domain. To work around the problem, remove the "default_domain_suffix" parameter from the `/etc/sssd/sssd.conf` file. As a result, *sudo* policies work as expected for both AD and IdM users.
Note that after you remove the "default_domain_suffix" parameter, AD users must use `user_name@domain_name` instead of the short version of their user name to log in.
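The check below is an added example, not part of the release note or of SSSD itself: it reads the `[sssd]` section of an `sssd.conf` and reports whether `default_domain_suffix` is set, alongside the login consequence of removing it. The two sample configurations and the domain names are constructed.

```shell
#!/bin/sh
# Added example, not from the release note: flag an sssd.conf whose [sssd]
# section sets default_domain_suffix, the setting that stops AD users from
# running sudo on IdM hosts in an IdM-AD trust. Domain names are constructed.

# Constructed sample configs; the real file is /etc/sssd/sssd.conf.
BROKEN_CONF=$(mktemp); FIXED_CONF=$(mktemp)
trap 'rm -f "$BROKEN_CONF" "$FIXED_CONF"' EXIT
cat > "$BROKEN_CONF" <<'EOF'
[sssd]
domains = ipa.example.test
default_domain_suffix = ad.example.test
[domain/ipa.example.test]
id_provider = ipa
EOF
cat > "$FIXED_CONF" <<'EOF'
[sssd]
domains = ipa.example.test
[domain/ipa.example.test]
id_provider = ipa
EOF

# Print the default_domain_suffix value from the [sssd] section of file $1.
# Exit 0 when the parameter is set, 1 when absent; comments (#, ;) and
# other sections are ignored.
sssd_default_domain_suffix() {
    awk -F= '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ { in_sssd = ($0 ~ /^[[:space:]]*\[sssd\][[:space:]]*$/); next }
        in_sssd && $1 ~ /^[[:space:]]*default_domain_suffix[[:space:]]*$/ {
            v = $2; sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            print v; found = 1; exit
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# One-line assessment of an sssd.conf, spelling out the login consequence of
# the workaround: short user names stop working once the suffix is removed.
report_ad_sudo() {
    if suffix=$(sssd_default_domain_suffix "$1"); then
        echo "RISK: $1 sets default_domain_suffix=$suffix; sudo fails for AD users." \
             "Remove it; AD users must then log in as user_name@$suffix."
    else
        echo "OK: $1 has no default_domain_suffix; sudo works for AD and IdM users."
    fi
}
report_ad_sudo "$BROKEN_CONF"
report_ad_sudo "$FIXED_CONF"
```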
Section Number and Name:
188.8.131.52. Potential Behavior Issues with Active Directory Trust
Describe the issue:
Among the various issues/limitations when a trust is established with AD, there's no wording about the fact that sudo for AD users will not work on RHEL 6 if default_domain_suffix is set.
The issue is tracked down in this solution, but since it has been decided that a fix will not be implemented, it is important to state it clearly in the official documentation:
Suggestions for improvement:
Include the content of the article in a sub-chapter of this section.
A later discovery of that limitation can cause a lot of problems for customers, who will not be able to have a consistent experience in heterogeneous environments with RHEL 6/7.
Thanks for the report, Andrea.
From your comment and the solution you linked to, it seems this should be filed against the RHEL 6 book, so I'm changing the product version and the component.
Link to the Release Note: