<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8"> <META NAME="GENERATOR" CONTENT="GtkHTML/4.6.6"> </HEAD> <BODY> On Mon, 2013-09-09 at 11:35 +0200, Pavel Březina wrote: <BLOCKQUOTE TYPE=CITE> <PRE> On 09/09/2013 12:26 AM, Dean Hunter wrote: > On Sun, 2013-09-08 at 23:11 +0200, Jakub Hrozek wrote: >> On Sun, Sep 08, 2013 at 03:42:16PM -0500, Dean Hunter wrote: >> > On Sat, 2013-09-07 at 19:35 -0400, Dmitri Pal wrote: >> > >> > > On 09/07/2013 02:11 PM, Christian Horn wrote: >> > > > On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote: >> > > >> Are [1] and[2] still the current and best sources of information for >> > > >> configuring sudo for use with the current release of FreeIPA on Fedora >> > > >> 19? >> > > >> >> > > >> 1. >> > > >><A HREF="http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html">http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html</A> >> > > >> 2. >> > > >><A HREF="http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf">http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf</A> >> > > > There is also the Identity_Management_Guide as part of the RHEL >> > > > product documentation: >> > > ><A HREF="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html</A> >> > > This and the pdf above are the latest word in this area. >> > > >> > > > Christian >> > > > >> > > > _______________________________________________ >> > > > Freeipa-users mailing list >> > > ><A HREF="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</A> <<A HREF="mailto:Freeipa-users@redhat.com">mailto:Freeipa-users@redhat.com</A>> >> > > ><A HREF="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</A> >> > > >> > > >> > >> > Some sudo rules are causing: >> > >> > [dean@desktop2 ~]$ sudo id >> > sudo: internal error, tried to erealloc3(0) >> >> This is a known bug: >> <A HREF="https://bugzilla.redhat.com/show_bug.cgi?id=1000389">https://bugzilla.redhat.com/show_bug.cgi?id=1000389</A> >> >> I think the sudo rules are just missing the sudoHost attribute. >> >> > >> > , but others do not. In the trial and error process of determining >> > which rule specifications are causing the error, I have been restarting >> > the virtual machine I am using as the sudo client between tests. Is >> > there a better way to clear the SSSD cache between trials to make sure I >> > am testing the most recent rule change? >> >> Unfortunately right now the only way is to rm the sssd cache which would >> also remove any cached credentials. I thought there was an RFE open to >> track the enhancement to make sss_cache invalidate and refresh sudo >> rules, but I can't find it now in the SSSD trac, so I filed another one: >> <A HREF="https://fedorahosted.org/sssd/ticket/2081">https://fedorahosted.org/sssd/ticket/2081</A> >> >> Worst case, we mark it as a duplicate. >> >> _______________________________________________ >> Freeipa-users mailing list >> <A HREF="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</A> <<A HREF="mailto:Freeipa-users@redhat.com">mailto:Freeipa-users@redhat.com</A>> >> <A HREF="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</A> > > I saw bug report 1000389, but I could not understand it or whether it > applied to me. > > I discovered that sudo rules for which I specified a host group caused > the error. Rules with a host category of "all" instead of the host > group did not cause the error. Is this what 1000389 says? > > ipa sudorule-add server-admins --desc "Server Administrators" > ipa sudorule-mod server-admins --cmdcat all > # ipa sudorule-add-host server-admins --hostgroups servers > ipa sudorule-mod server-admins --hostcat all > ipa sudorule-add-option server-admins --sudooption '!authenticate' > ipa sudorule-add-runasuser server-admins --users root > ipa sudorule-add-runasgroup server-admins --groups root > ipa sudorule-add-user server-admins --groups server-admins Does the machine where sudo prints this error belongs to the hostgroup 'servers'? If the answer is *no* then you are hitting 1000389. </PRE> </BLOCKQUOTE> Yes, the virtual machine where the sudo internal error occurs is a member of the hostgroup. So I guess this is a new error and should be reported? <BLOCKQUOTE TYPE=CITE> <PRE> > This problem exists with the latest updates on both Fedora 18 and Fedora 19. > > I also discovered that libsss_sudo.so is missing from Fedora 18 > installations. It needs to be installed separately by installing libsss_sudo package. </PRE> </BLOCKQUOTE> Yes, I did find the package and installed it. <BLOCKQUOTE TYPE=CITE> <PRE> _______________________________________________ Freeipa-users mailing list <A HREF="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</A> <A HREF="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</A> </PRE> </BLOCKQUOTE> </BODY> </HTML>