I found out how to enable debugging for sudoers:
Debug sudo /var/log/sudo-debug all@info
Debug sudoers.so /var/log/sudoers-debug all@info
With the *new* sudo I get the following logged matching 'sssd':
May 5 12:40:06 sudo[17912] sssd/ldap sudoHost 'ALL' ... MATCH!
May 5 12:40:06 sudo[17912] sssd/ldap sudoUser '%system_administrators' ... not (brian.candler)
May 5 12:40:06 sudo[17912] sssd/ldap sudoUser '%security_administrators' ... not (brian.candler)
But with the *old* sudo I get:
May 5 12:41:48 sudo[18384] sssd/ldap sudoHost 'ALL' ... MATCH!
May 5 12:41:48 sudo[18384] sssd/ldap sudoRunAsUser 'ALL' ... MATCH!
May 5 12:41:48 sudo[18384] sssd/ldap sudoCommand 'ALL' ... MATCH!
It seems to be a behaviour change with group checking.
The 'brian.candler' user *is* a member of one of those groups in IPA; but those groups are not posix groups, so they are not visible using (e.g.) "id".
I was able to solve the problem by adding
objectClass: posixgroup
gidNumber: NNNNNNNN
to those group objects. After this, the sudoers log shows:
May 5 13:11:50 sudo[19545] sssd/ldap sudoHost 'ALL' ... MATCH!
May 5 13:11:50 sudo[19545] sssd/ldap sudoUser '%system_administrators' ... not (brian.candler)
May 5 13:11:50 sudo[19545] sssd/ldap sudoUser '%security_administrators' ... MATCH! (brian.candler)
May 5 13:11:50 sudo[19545] sssd/ldap sudoRunAsUser 'ALL' ... MATCH!
May 5 13:11:50 sudo[19545] sssd/ldap sudoCommand 'ALL' ... MATCH!
So: arguably this is not a bug, but a bug fix. Still, it would be nice if the release notes explained the potential for regression.
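A small triage script for the situation described in the post, added here as an example; it is not part of the post and not sudo's or SSSD's own code. It parses sudoers.so debug lines of the exact shape quoted above (the regular expression assumes that shape), summarises per sudo invocation (pid) which attributes matched, and for every rule rejected at a '%group' sudoUser check asks the local NSS via Python's grp module whether the group is visible at all, which is what "id" or "getent group" would also report. A group that exists in IPA but is not a posixGroup fails that lookup, which is the condition the post fixed by adding objectClass: posixgroup and a gidNumber. The sample log lines are constructed from the ones in the post; the lookup parameter is an assumption of this script so that a fake resolver can be substituted.

```python
"""Triage helper for sudoers LDAP/SSSD debug logs (added example, not from the post)."""
import grp
import re
from collections import defaultdict

# Matches lines such as:
#   May 5 12:40:06 sudo[17912] sssd/ldap sudoUser '%system_administrators' ... not (brian.candler)
# The optional trailing "(user)" is present on sudoUser checks only.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) sudo\[(?P<pid>\d+)\] sssd/ldap "
    r"(?P<attr>sudoHost|sudoUser|sudoRunAsUser|sudoCommand) "
    r"'(?P<value>[^']*)' \.\.\. (?P<result>MATCH!|not)(?: \((?P<who>[^)]*)\))?$"
)

# Constructed sample: the three log excerpts quoted in the post, in order.
SAMPLE_LOG = [
    "May 5 12:40:06 sudo[17912] sssd/ldap sudoHost 'ALL' ... MATCH!",
    "May 5 12:40:06 sudo[17912] sssd/ldap sudoUser '%system_administrators' ... not (brian.candler)",
    "May 5 12:40:06 sudo[17912] sssd/ldap sudoUser '%security_administrators' ... not (brian.candler)",
    "May 5 12:41:48 sudo[18384] sssd/ldap sudoHost 'ALL' ... MATCH!",
    "May 5 12:41:48 sudo[18384] sssd/ldap sudoRunAsUser 'ALL' ... MATCH!",
    "May 5 12:41:48 sudo[18384] sssd/ldap sudoCommand 'ALL' ... MATCH!",
    "May 5 13:11:50 sudo[19545] sssd/ldap sudoHost 'ALL' ... MATCH!",
    "May 5 13:11:50 sudo[19545] sssd/ldap sudoUser '%system_administrators' ... not (brian.candler)",
    "May 5 13:11:50 sudo[19545] sssd/ldap sudoUser '%security_administrators' ... MATCH! (brian.candler)",
    "May 5 13:11:50 sudo[19545] sssd/ldap sudoRunAsUser 'ALL' ... MATCH!",
    "May 5 13:11:50 sudo[19545] sssd/ldap sudoCommand 'ALL' ... MATCH!",
]


def parse(lines):
    """Return {pid: [(attr, value, matched, who), ...]} in log order; other debug lines are skipped."""
    by_pid = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        by_pid[m["pid"]].append((m["attr"], m["value"], m["result"] == "MATCH!", m["who"]))
    return dict(by_pid)


def attribute_summary(checks):
    """Per attribute: True if at least one of its (multi-valued) entries matched.
    sudoUser is multi-valued, so one '%group' may fail while a later one succeeds."""
    summary = {}
    for attr, _value, matched, _who in checks:
        summary[attr] = summary.get(attr, False) or matched
    return summary


def nss_group_visible(name, lookup=grp.getgrnam):
    """True if the group resolves through NSS (what `id` / `getent group` would see)."""
    try:
        lookup(name)
        return True
    except KeyError:
        return False


def diagnose(lines, lookup=grp.getgrnam):
    """List every '%group' sudoUser rejection together with NSS visibility of that group.
    A rejected group that is NOT visible is the non-posixGroup case from the post."""
    findings = []
    for pid, checks in parse(lines).items():
        for attr, value, matched, who in checks:
            if attr == "sudoUser" and value.startswith("%") and not matched:
                group = value[1:]
                findings.append({
                    "pid": pid,
                    "user": who,
                    "group": group,
                    "group_visible": nss_group_visible(group, lookup),
                })
    return findings


if __name__ == "__main__":
    for pid, checks in parse(SAMPLE_LOG).items():
        print(pid, attribute_summary(checks))
    for f in diagnose(SAMPLE_LOG):
        state = "visible via NSS" if f["group_visible"] else "NOT visible via NSS (posixGroup/gidNumber missing?)"
        print(f"pid {f['pid']}: user {f['user']} rejected by %{f['group']}: {state}")
```

Run it as-is on the constructed sample and it reports pid 17912 rejected at sudoUser while 19545 passes every attribute; the pid 18384 (old sudo) excerpt contains no sudoUser line at all, which is the behaviour difference the post points out. Feed it a real /var/log/sudoers-debug instead of SAMPLE_LOG to check the same thing on a live host, where the grp lookup then reflects the host's real SSSD/NSS view.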