On Tue, 23 Nov 2021, Nathanaël Blanchet via FreeIPA-users wrote:
Hello,
I'm running a 4.9 server.
I added an AD as an external group in a sudo rule following:
ipa sudorule-add-user "admins" --groups "admins du domaine(a)levant.abes.fr"
I notice two kinds of behaviour on the guests:
* el8 with 4.9 client can successfully sudo
* el7 with 4.6 client are not allowed to perform sudo (no rule matching in the logs)
Now, if I use the old way to do, i.e:
* create a non POSIX external group containing "admins du domaine(a)levant.abes.fr"
* and add that group to a POSIX group
ipa sudorule-add-user "admins" --groups ad_admins_external
I can perform sudo in any case.
My deduction is that there is something not backported in the el7 4.6
client that does exist in the el8 4.9 client.
I suppose there shouldn't be any restriction to make the 4.6 client work
in this case. So is this a bug?
Second question: I've been looking for a long time for a way to get the el7
4.9 client, but it doesn't seem to exist (maybe compile from sources). Why
is this client not packaged for el7?
https://pagure.io/freeipa/issue/3226 references this commit
https://pagure.io/freeipa/c/054a068f4705cd715789ceda75fa709404d5f884
which tells that
----
SSSD uses a single attribute 'externalUser' for IPA to pull 'external'
objects referenced in SUDO rules. This means both users and groups are
represented within the same attribute, with groups prefixed with '%',
as described in sudoers(5) man page.
....
Referencing fully qualified names for users and groups from trusted
Active Directory domains in 'externalUser' attribute of SUDO rules is
supported in SSSD 2.4 or later.
----
So you need to have SSSD 2.4 or later to have fully qualified AD users
and groups in 'externalUser' attribute.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
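To make the format described in the quoted commit concrete, here is a small added example (not code from the thread or from FreeIPA/SSSD) that parses 'externalUser' values the way the commit text describes them: a leading '%' marks a group, and a trailing '@domain' marks a fully qualified name from a trusted AD domain, which only SSSD 2.4 or later will match. The sample values and the SSSD version strings are constructed; the 2.4 threshold is the one stated in the reply.

```python
"""Classify the 'externalUser' values of an IPA sudo rule.

Added example; not from the thread or the FreeIPA/SSSD projects.
Format assumed from the quoted commit message: users and groups share one
attribute, groups are prefixed with '%' (sudoers(5)), and a name with a
trailing '@domain' is a fully qualified trusted-domain principal.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Minimum SSSD release that honours fully qualified AD names in
# 'externalUser', per the commit quoted in the reply.
SSSD_FQ_SUPPORT = (2, 4)


@dataclass(frozen=True)
class ExternalRef:
    kind: str               # "user" or "group"
    name: str               # short name with the '%' prefix stripped
    domain: Optional[str]   # AD domain for fully qualified names, else None


def parse_external_user(value: str) -> ExternalRef:
    """Split one externalUser value into kind, name and (optional) domain."""
    kind = "group" if value.startswith("%") else "user"
    body = value[1:] if kind == "group" else value
    name, sep, domain = body.rpartition("@")
    if not sep:
        return ExternalRef(kind, body, None)
    return ExternalRef(kind, name, domain.lower())


def parse_sssd_version(version: str) -> Tuple[int, ...]:
    """Reduce a version string such as '1.16.5' to its (major, minor) pair."""
    return tuple(int(part) for part in version.split(".")[:2])


def unsupported_refs(values: List[str], sssd_version: str) -> List[str]:
    """Return the externalUser values this SSSD release will not match.

    Only fully qualified (domain-suffixed) entries are affected, and only
    when the client runs an SSSD older than 2.4.
    """
    if parse_sssd_version(sssd_version) >= SSSD_FQ_SUPPORT:
        return []
    return [v for v in values if parse_external_user(v).domain is not None]
```

A client-side check like this is a quick way to tell whether a "no rule matching" result comes from the rule's contents or from the SSSD release on that host.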