[ Not subscribed, please Cc in replies. ]
Hi,
we are using sssd 1.15.0 on Debian stretch, for everything including sudo.
The following LDAP entry…
    dn: cn=%supraadmin,ou=SUDOers,dc=teckids,dc=org
    objectClass: top
    objectClass: sudoRole
    cn: %supraadmin
    description: Allow everything for supraadmins
    sudoUser: %supraadmin
    sudoCommand: ALL
    sudoHost: ALL
…keeps rendering as this in sudo…
    User nik may run the following commands on ticdesk:
        (root) ALL
…even if I add sudoRunAsUser: ALL explicitly.
I already tried wiping the sss cache, with no success.
Any hints on why this happens?
Cheers, Nik
On Fri, Apr 20, 2018 at 01:20:50PM +0200, Dominik George wrote:
> [ Not subscribed, please Cc in replies. ]
> Hi,
> we are using sssd 1.15.0 on Debian stretch, for everything including sudo.
> The following LDAP entry…
>     dn: cn=%supraadmin,ou=SUDOers,dc=teckids,dc=org
>     objectClass: top
>     objectClass: sudoRole
>     cn: %supraadmin
>     description: Allow everything for supraadmins
>     sudoUser: %supraadmin
>     sudoCommand: ALL
>     sudoHost: ALL
> …keeps rendering as this in sudo…
>     User nik may run the following commands on ticdesk:
>         (root) ALL
> …even if I add sudoRunAsUser: ALL explicitly.
> I already tried wiping the sss cache, with no success.

I'm sorry, but what should the desired output be here?

> Any hints on why this happens?
> Cheers, Nik
> --
> Dominik George (1. Vorstandsvorsitzender, pädagogischer Leiter)
> Teckids e.V. - Erkunden, Entdecken, Erfinden.
> https://www.teckids.org/
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Hi,
> >     (root) ALL
> > …even if I add sudoRunAsUser: ALL explicitly.
> > I already tried wiping the sss cache, with no success.
> I'm sorry, but what should the desired output be here?

(ALL) ALL
-nik
On 20 Apr 2018, at 14:53, Dominik George <dominik.george@teckids.org> wrote:
> Hi,
> > >     (root) ALL
> > > …even if I add sudoRunAsUser: ALL explicitly.
> > > I already tried wiping the sss cache, with no success.
> > I'm sorry, but what should the desired output be here?
> (ALL) ALL
> -nik
Ah, I see what you mean now, but I can’t reproduce the problem. I have an entry that in the cache looks like this:
    dn: name=admin_all,cn=sudorules,cn=custom,cn=ipa.test,cn=sysdb
    cn: admin_all
    dataExpireTimestamp: 1524480254
    name: admin_all
    objectClass: sudoRule
    sudoCommand: ALL
    sudoHost: ALL
    sudoRunAsUser: ALL
    sudoUser: admin@ipa.test
    distinguishedName: name=admin_all,cn=sudorules,cn=custom,cn=ipa.test,cn=sysdb
Then sudo output gives me:
    User admin may run the following commands on unidirect:
        (root) /usr/bin/systemctl
        (ALL) ALL
The systemctl allowed command comes from another rule, but I do get the (all) all from the admin_all rule. What does your rule look like in the cache if you run:
    ldbsearch -H /var/lib/sss/db/cache_$yourdomain.ldb objectclass=sudorule
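Added example, not part of the original thread or of sssd: one way to inspect the output of the ldbsearch command requested in the last reply. It parses the records and prints each sudoRule's runas part in sudoers notation, applying the sudoers.ldap rule that a rule with neither sudoRunAsUser nor sudoRunAsGroup falls back to runas_default (root). The sample records are constructed: the first mirrors the admin_all entry quoted above, the second (no_runas, example.test) is hypothetical, and the function names are this example's own.

```python
import re
import sys
# Constructed sample in ldbsearch output style; not real cache data.
SAMPLE = """\
dn: name=admin_all,cn=sudorules,cn=custom,cn=ipa.test,cn=sysdb
cn: admin_all
objectClass: sudoRule
sudoCommand: ALL
sudoHost: ALL
sudoRunAsUser: ALL
sudoUser: admin@ipa.test

dn: name=no_runas,cn=sudorules,cn=custom,cn=example.test,cn=sysdb
cn: no_runas
objectClass: sudoRule
sudoCommand: ALL
sudoHost: ALL
sudoUser: %supraadmin
"""

def parse_records(text):
    """Return one dict per record: lowercased attribute name -> list of values."""
    records = []
    for block in re.split(r"\n\s*\n", text):
        rec = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):  # skip "# record N" comments
                name, _, value = line.partition(":")
                rec.setdefault(name.strip().lower(), []).append(value.strip())
        if rec:
            records.append(rec)
    return records

def runas_spec(rule, runas_default="root"):
    """Runas part in sudoers notation; neither attribute present -> runas_default."""
    users, groups = rule.get("sudorunasuser", []), rule.get("sudorunasgroup", [])
    if not users and not groups:
        return f"({runas_default})"
    spec = ", ".join(users) + (" : " + ", ".join(groups) if groups else "")
    return f"({spec.strip()})"

def render(text):
    """(rule name, 'runas command') for every sudoCommand of every sudoRule record."""
    rules = [r for r in parse_records(text)
             if "sudorule" in (v.lower() for v in r.get("objectclass", []))]
    return [(r.get("cn", ["?"])[0], f"{runas_spec(r)} {c}")
            for r in rules for c in r.get("sudocommand", [])]

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(f"{name}: {line}" for name, line in render(text)))
```

Save the ldbsearch output to a file and pass its path as the first argument; without an argument the constructed sample is used. Folded (continuation) lines and base64 "::" values are not decoded.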