Comment 4 for bug 1688034

Brian Candler (b-candler) wrote:

I found out how to enable debugging for sudoers:

Debug sudo /var/log/sudo-debug all@info
Debug sudoers.so /var/log/sudoers-debug all@info

With the *new* sudo I get the following logged matching 'sssd':

May 5 12:40:06 sudo[17912] sssd/ldap sudoHost 'ALL' ... MATCH!
May 5 12:40:06 sudo[17912] sssd/ldap sudoUser '%system_administrators' ... not (brian.candler)
May 5 12:40:06 sudo[17912] sssd/ldap sudoUser '%security_administrators' ... not (brian.candler)

But with the *old* sudo I get:

May 5 12:41:48 sudo[18384] sssd/ldap sudoHost 'ALL' ... MATCH!
May 5 12:41:48 sudo[18384] sssd/ldap sudoRunAsUser 'ALL' ... MATCH!
May 5 12:41:48 sudo[18384] sssd/ldap sudoCommand 'ALL' ... MATCH!

It seems to be a behaviour change with group checking.

The 'brian.candler' user *is* a member of one of those groups in IPA; but those groups are not posix groups so they are not visible using (e.g.) "id"

I was able to solve the problem by adding

objectClass: posixgroup
gidNumber: NNNNNNNN

to those group objects. After this, the sudoers log shows:

May 5 13:11:50 sudo[19545] sssd/ldap sudoHost 'ALL' ... MATCH!
May 5 13:11:50 sudo[19545] sssd/ldap sudoUser '%system_administrators' ... not (brian.candler)
May 5 13:11:50 sudo[19545] sssd/ldap sudoUser '%security_administrators' ... MATCH! (brian.candler)
May 5 13:11:50 sudo[19545] sssd/ldap sudoRunAsUser 'ALL' ... MATCH!
May 5 13:11:50 sudo[19545] sssd/ldap sudoCommand 'ALL' ... MATCH!

So: arguably this is not a bug, but a bug fix. Still, it would be nice if the release notes explained the potential for regression.
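A pre-flight check for the requirement this comment uncovers, written as an added example (not the reporter's code and not part of sudo or sssd): it asks NSS, the same way sudo's '%group' test does, whether each group used in sudoUser attributes resolves as a POSIX group and whether the user is in it. The group names come from the log above; the gidNumber values and the user `someone.else` are constructed placeholders.

```python
"""sudo's '%group' match only succeeds when the group resolves through NSS
as a POSIX group (objectClass posixGroup + gidNumber) and the user is in it.
This added example checks that before an upgrade; names below are constructed."""
import grp
import pwd
from collections import namedtuple

# Groups named in sudoUser attributes in the debug log above.
SUDO_GROUPS = ["system_administrators", "security_administrators"]
# Minimal stand-in for grp.struct_group so the logic can run offline.
Group = namedtuple("Group", ["gr_name", "gr_gid", "gr_mem"])

# Constructed snapshot *after* posixGroup/gidNumber were added; the gids are
# placeholders, not the real NNNNNNNN values from the comment.
_AFTER = {
    "security_administrators": Group("security_administrators", 90001, ["brian.candler"]),
    "system_administrators": Group("system_administrators", 90002, ["someone.else"]),
}
# *Before* the fix neither group is a posixGroup, so NSS does not see them.
_BEFORE = {}

def lookup_before(name):
    """Emulates grp.getgrnam against the pre-fix directory (raises KeyError)."""
    return _BEFORE[name]

def lookup_after(name):
    """Emulates grp.getgrnam against the fixed directory."""
    return _AFTER[name]

def check_sudo_groups(user, groups, lookup=grp.getgrnam, user_gid=None):
    """Return {group: 'missing' | 'member' | 'not-member'}.
    missing    -> not a POSIX group as far as NSS/sssd is concerned, so the
                  %group test fails (the 'not (brian.candler)' log lines).
    not-member -> group resolves but the user is not in it.
    member     -> what sudo needs to log '%group ... MATCH!'."""
    report = {}
    for g in groups:
        try:
            ent = lookup(g)
        except KeyError:
            report[g] = "missing"
            continue
        # gr_mem omits users whose *primary* group this is, hence the gid test.
        is_member = user in ent.gr_mem or (user_gid is not None and user_gid == ent.gr_gid)
        report[g] = "member" if is_member else "not-member"
    return report

def check_live(user, groups=SUDO_GROUPS):
    """Run the same check against the host's real NSS (sssd) configuration."""
    gid = pwd.getpwnam(user).pw_gid
    return check_sudo_groups(user, groups, lookup=grp.getgrnam, user_gid=gid)
```

On a real host, `check_live("brian.candler")` reports "missing" for any rule group that is still a non-POSIX IPA group, which is the state that produces the "not (brian.candler)" lines under the new sudo.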