Hello..
I've got sssd 1.11.5 running on ubuntu trusty and I'm seeing some behavior that I'd like to change. When local service account users run sudo commands the sssd sudo module is triggering ldap lookups. For NSS data I'm suppressing these with filter_users/filter_groups but there does not seem to be a way of doing that for the sudo module. This is despite the fact that in nsswitch files comes before sss.
I've gone through the docs and the list archive but couldn't find anything on point for this. Any help is appreciated.
Thanks,
Jared
On (29/04/16 20:08), Jared Watkins wrote:
> Hello..
> I've got sssd 1.11.5 running on ubuntu trusty and I'm seeing some behavior that I'd like to change. When local service account users run sudo commands the sssd sudo module is triggering ldap lookups. For NSS data I'm suppressing these with filter_users/filter_groups but there does not seem to be a way of doing that for the sudo module. This is despite the fact that in nsswitch files comes before sss.
> I've gone through the docs and the list archive but couldn't find anything on point for this. Any help is appreciated.
filter_users/filter_groups should work with sudo responder in sssd-1.13.0+ https://fedorahosted.org/sssd/ticket/2625
LS
On (29/04/16 22:12), Lukas Slebodnik wrote:
> On (29/04/16 20:08), Jared Watkins wrote:
>> Hello..
>> I've got sssd 1.11.5 running on ubuntu trusty and I'm seeing some behavior that I'd like to change. When local service account users run sudo commands the sssd sudo module is triggering ldap lookups. For NSS data I'm suppressing these with filter_users/filter_groups but there does not seem to be a way of doing that for the sudo module. This is despite the fact that in nsswitch files comes before sss.
>> I've gone through the docs and the list archive but couldn't find anything on point for this. Any help is appreciated.
> filter_users/filter_groups should work with sudo responder in sssd-1.13.0+ https://fedorahosted.org/sssd/ticket/2625
Actually, ticket was fixed even in 1.12.5 https://git.fedorahosted.org/cgit/sssd.git/commit/?id=d008c239c62ab6a4675591...
LS
Excellent! That's the fix I was looking for... thanks for the quick reply.
I was able to apply that patch to the 1.11.7 version and validate the change in behavior.
-Jared
________________________________________
From: Lukas Slebodnik lslebodn@redhat.com
Sent: Friday, April 29, 2016 1:16 PM
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] Re: Prevent sudo queries to ldap for service accounts
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
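An added example, not part of the thread and not SSSD project code: a small audit that lists local low-UID accounts missing from `filter_users`, the option the thread says the sudo responder honors in the fixed versions. The sample `sssd.conf` and passwd contents, the UID cutoff of 999, and the function names are assumptions made for illustration.

```python
import configparser

# Constructed sample inputs (not taken from the thread).
SSSD_CONF = """\
[sssd]
services = nss, pam, sudo
[nss]
filter_users = root, postgres
[domain/example]
id_provider = ldap
"""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
postgres:x:110:115::/var/lib/postgresql:/bin/bash
jenkins:x:111:116::/var/lib/jenkins:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
"""

UID_MAX_SERVICE = 999  # assumption: local service accounts have UID <= 999


def filtered_names(conf_text, option="filter_users"):
    """Union of names listed under `option` in [nss] and [domain/...] sections.

    Simplification: per-domain and name@domain entries are not scoped."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    names = set()
    for section in cp.sections():
        if section == "nss" or section.startswith("domain/"):
            raw = cp.get(section, option, fallback="")
            names.update(n.strip() for n in raw.split(",") if n.strip())
    return names


def unfiltered_service_accounts(conf_text, passwd_text):
    """Local accounts at or below UID_MAX_SERVICE that are not in filter_users."""
    filtered = filtered_names(conf_text)
    missing = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # skip malformed passwd lines
        if int(fields[2]) <= UID_MAX_SERVICE and fields[0] not in filtered:
            missing.append(fields[0])
    return missing


if __name__ == "__main__":
    print(unfiltered_service_accounts(SSSD_CONF, PASSWD))
```

On a real host, pass the contents of `/etc/sssd/sssd.conf` and `/etc/passwd` instead of the constructed strings.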