<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> This looks suspicious <blockquote> Aug 12 08:45:00 sudo[31732] val[0]=+office Aug 12 08:45:00 sudo[31732] -> addr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:195 Aug 12 08:45:00 sudo[31732] -> addr_matches_if @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:56 Aug 12 08:45:00 sudo[31732] <- addr_matches_if @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:66 := false Aug 12 08:45:00 sudo[31732] IP address +office matches local host: false @ addr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:206 Aug 12 08:45:00 sudo[31732] <- addr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:207 := false Aug 12 08:45:00 sudo[31732] -> netgr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1015 Aug 12 08:45:00 sudo[31732] -> sudo_getdomainname @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:953 Aug 12 08:45:00 sudo[31732] <- sudo_getdomainname @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:992 := (null) Aug 12 08:45:00 sudo[31732] netgroup office matches (<a href="http://docker-dev-01.internal.emerlyn.com">docker-dev-01.internal.emerlyn.com</a>|<a href="http://docker-dev-01.internal.emerlyn.com">docker-dev-01.internal.emerlyn.com</a>, jgoddard, ): false @ netgr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1041 Aug 12 08:45:00 sudo[31732] <- netgr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1044 := false Aug 12 08:45:00 sudo[31732] -> hostname_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:819 Aug 12 08:45:00 sudo[31732] host <a href="http://docker-dev-01.internal.emerlyn.com">docker-dev-01.internal.emerlyn.com</a> matches sudoers pattern +office: false @ hostname_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:829 Aug 12 08:45:00 sudo[31732] <- hostname_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:830 := false Aug 12 08:45:00 sudo[31732] sssd/ldap sudoHost '+office' ... not Aug 12 08:45:00 sudo[31732] <- sudo_sss_check_host @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/sssd.c:687 := false </blockquote> It doesn't seem to find this host as part of the hostgroup, I suspect the problem is because of this entry in nsswitch: 牋牋 netgroup:牋牋牋 nis sss Could you try just 'sss' or 'files sss' ? A successful hostgroup match should look something like this instead: <blockquote> <blockquote>Aug 12 14:20:32 sudo[25075] val[0]=+nonproduction Aug 12 14:20:32 sudo[25075] -> addr_matches @ ./match_addr.c:190 Aug 12 14:20:32 sudo[25075] -> addr_matches_if @ ./match_addr.c:62 Aug 12 14:20:32 sudo[25075] <- addr_matches_if @ ./match_addr.c:100 := false Aug 12 14:20:32 sudo[25075] <- addr_matches @ ./match_addr.c:200 := false Aug 12 14:20:32 sudo[25075] -> sudo_sss_ipa_hostname_matches @ ./sssd.c:558 Aug 12 14:20:32 sudo[25075] -> hostname_matches @ ./match.c:740 Aug 12 14:20:32 sudo[25075] <- hostname_matches @ ./match.c:751 := false Aug 12 14:20:32 sudo[25075] -> netgr_matches @ ./match.c:856 Aug 12 14:20:32 sudo[25075] (rhel7-ipa-client.example.com, *, example.com) found in netgroup nonproduction Aug 12 14:20:32 sudo[25075] <- netgr_matches @ ./match.c:909 := true Aug 12 14:20:32 sudo[25075] IPA hostname (rhel7-ipa-client.example.com) matches +nonproduction => true Aug 12 14:20:32 sudo[25075] <- sudo_sss_ipa_hostname_matches @ ./sssd.c:569 := true Aug 12 14:20:32 sudo[25075] sssd/ldap sudoHost '+nonproduction' ... MATCH! Aug 12 14:20:32 sudo[25075] <- sudo_sss_check_host @ ./sssd.c:614 := true </blockquote> </blockquote> Kind regards, Justin Stephenson <div class="moz-cite-prefix">On 08/12/2016 10:00 AM, Jeff Goddard wrote: </div> <blockquote cite="mid:CA+No-6HxaAkKLnhQFX5SkLv3me+fSYTNi0=VjYv3_t6zpV6HnA@mail.gmail.com" type="cite"> <div dir="ltr"> <div>The rule is defined that all members of the developer group have sudo access to all commands available on the machines in the office group. </div> Jeff </div> <div class="gmail_extra"> <div class="gmail_quote">On Fri, Aug 12, 2016 at 9:58 AM, Jakub Hrozek <<a moz-do-not-send="true" href="mailto:jhrozek@redhat.com" target="_blank">jhrozek@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Fri, Aug 12, 2016 at 08:53:53AM -0400, Jeff Goddard wrote: > Jakub, > > Here is the log file output: How is the sudorule defined? > Aug 12 08:45:00 sudo[31732] user_in_group: user jgoddard NOT in group admin > Aug 12 08:45:00 sudo[31732] <- user_in_group @ > /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/pwutil.c:855 := false > Aug 12 08:45:00 sudo[31732] user jgoddard matches group admin: false @ > usergr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:940 > Aug 12 08:45:00 sudo[31732] <- usergr_matches @ Here it looks like sudo tried to match user's groups against the groups allowed to run sudo and admin didn't match. </blockquote> </div> -- <div class="gmail_signature" data-smartmail="gmail_signature"> <div dir="ltr"> <div> <div> <div>Jeff Goddard </div> Director of Information Technology </div> Emerlyn Technology Email: <a moz-do-not-send="true" href="mailto:jgoddard@emerlyn.com" target="_blank">jgoddard@emerlyn.com</a> Telephone: (603) 447-8571 Toll free: (888) 363-7596 ext. 108 Fax: (603) 356-3346 </div> </div> </div> </div> <fieldset class="mimeAttachmentHeader"></fieldset> </blockquote> </body> </html>