Bug 1550192 - Document known issue with: IDM, AD Trust, RHEL6 client, sudo and default_domain_suffix
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: doc-Identity_Management_Guide
Version: 6.9
Hardware: Unspecified
OS: Unspecified
Target Milestone: pre-dev-freeze
Assignee: Filip Hanzelka
QA Contact: ipa-qe
Filip Hanzelka
Keywords: Documentation
Depends On:
Reported: 2018-02-28 18:23 UTC by Andrea Perotti
Modified: 2018-11-22 18:28 UTC (History)

AD users cannot use sudo on IdM hosts if "default_domain_suffix" is set

In a trust between Identity Management (IdM) and Active Directory (AD), AD users cannot run *sudo* commands on IdM hosts if the "default_domain_suffix" parameter in the `/etc/sssd/sssd.conf` file is set to the AD domain. To work around the problem, remove the "default_domain_suffix" parameter from the `/etc/sssd/sssd.conf` file. As a result, *sudo* policies work as expected both for AD and IdM users.

Note that after you remove the "default_domain_suffix" parameter, AD users must use `user_name@domain_name` instead of the short version of their user name to log in.
Clone Of:
Last Closed: 2018-11-22 18:28:01 UTC

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2154701 None None None 2018-06-14 17:08 UTC

Description Andrea Perotti 2018-02-28 18:23:32 UTC
Document URL: 
Section Number and Name: Potential Behavior Issues with Active Directory Trust

Describe the issue: 
Among the various issues/limitations when a trust is established with AD, there's no wording about the fact that sudo for AD users will not work on RHEL 6 if default_domain_suffix is set.

The issue is tracked down in this solution, but since it has been decided that a fix will not be implemented, it is important to state it clearly in the official documentation:

Suggestions for improvement: 
Include the content of the article into a sub-chapter in this section

Additional information: 
A later discovery of that limitation can cause a lot of problems for customers, who will not be able to have a consistent experience in heterogeneous envs with RHEL 6/7.

Comment 3 Aneta Šteflová Petrová 2018-03-01 06:55:14 UTC
Thanks for the report, Andrea.

From your comment and the solution you linked to, it seems this should be filed against the RHEL 6 book, so I'm changing the product version and the component.
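
Added example, not part of the bug report or of Red Hat's documentation: a small audit helper that detects `default_domain_suffix` in the `[sssd]` section of an `sssd.conf` and produces the file contents with that one line removed, which is the workaround described in the Doc Text above. The function names, the sample configuration and the `example.com` domains are constructed for illustration; placing the option in `[sssd]` follows sssd.conf(5).

```python
import re

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
# Lines starting with '#' do not match, so commented-out settings are ignored.
OPTION_RE = re.compile(r"^\s*default_domain_suffix\s*=\s*(?P<value>.*?)\s*$")

# Constructed sample input, not taken from any real host.
SAMPLE_CONF = """\
[sssd]
services = nss, pam, sudo
domains = idm.example.com
default_domain_suffix = ad.example.com

[domain/idm.example.com]
id_provider = ipa
# default_domain_suffix = ignored.example.com
"""


def find_default_domain_suffix(conf_text):
    """Return the value set in the [sssd] section, or None if it is not set."""
    section = None
    for line in conf_text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name").strip()
        elif section == "sssd":
            option = OPTION_RE.match(line)
            if option:
                return option.group("value")
    return None


def remove_default_domain_suffix(conf_text):
    """Return the configuration with the option dropped from [sssd] only."""
    kept, section = [], None
    for line in conf_text.splitlines(True):  # keep line endings intact
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name").strip()
        elif section == "sssd" and OPTION_RE.match(line):
            continue  # skip the affected setting, leave everything else as-is
        kept.append(line)
    return "".join(kept)


if __name__ == "__main__":
    print("default_domain_suffix:", find_default_domain_suffix(SAMPLE_CONF))
    print(remove_default_domain_suffix(SAMPLE_CONF), end="")
```
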
