<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>This looks suspicious</p>
<blockquote>
<p><i>Aug 12 08:45:00 sudo[31732] val[0]=+office</i><i><br>
</i><i>Aug 12 08:45:00 sudo[31732] -> addr_matches @
/build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:195</i><i><br>
</i><i>Aug 12 08:45:00 sudo[31732] -> addr_matches_if @
/build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:56</i><i><br>
</i><i>Aug 12 08:45:00 sudo[31732] <- addr_matches_if @
/build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:66
:= false</i><i><br>
</i><i>Aug 12 08:45:00 sudo[31732] IP address +office matches
local host: false @ addr_matches()
/build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:206</i><i><br>
</i><i>Aug 12 08:45:00 sudo[31732] <- addr_matches @
/build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:207
:= false</i><i><br>
</i><i>Aug 12 08:45:00 sudo[31732] -> netgr_matches @
/build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1015</i><i><br>
</i><i>Aug 12 08:45:00 sudo[31732] -> sudo_getdomainname @
/build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:953</i><i><br>
</i><i>Aug 12 08:45:00 sudo[31732] <- sudo_getdomainname @
/build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:992 :=
(null)</i><i><br>
</i><i>Aug 12 08:45:00 sudo[31732] netgroup office matches (docker-dev-01.internal.emerlyn.com|docker-dev-01.internal.emerlyn.com,
jgoddard, ): false @ netgr_matches()
/build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1041</i><i><br>
</i><i>Aug 12 08:45:00 sudo[31732] <- netgr_matches @
/build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1044 :=
false</i><i><br>
</i><i>Aug 12 08:45:00 sudo[31732] -> hostname_matches @
/build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:819</i><i><br>
</i><i>Aug 12 08:45:00 sudo[31732] host docker-dev-01.internal.emerlyn.com
matches sudoers pattern +office: false @ hostname_matches()
/build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:829</i><i><br>
</i><i>Aug 12 08:45:00 sudo[31732] <- hostname_matches @
/build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:830 :=
false</i><i><br>
</i><i>Aug 12 08:45:00 sudo[31732] sssd/ldap sudoHost '+office'
... not</i><i><br>
</i><i>Aug 12 08:45:00 sudo[31732] <- sudo_sss_check_host @
/build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/sssd.c:687 :=
false</i></p>
</blockquote>
It doesn't seem to find this host as part of the hostgroup. I
suspect the problem is because of this entry in nsswitch:<br>
<br>
netgroup: nis sss<br>
<br>
Could you try just 'sss' or 'files sss'?<br>
<br>
A successful hostgroup match should look something like this
instead:<br>
<br>
<blockquote>
<blockquote><i>Aug 12 14:20:32 sudo[25075] val[0]=+nonproduction</i><i><br>
</i><i>Aug 12 14:20:32 sudo[25075] -> addr_matches @
./match_addr.c:190</i><i><br>
</i><i>Aug 12 14:20:32 sudo[25075] -> addr_matches_if @
./match_addr.c:62</i><i><br>
</i><i>Aug 12 14:20:32 sudo[25075] <- addr_matches_if @
./match_addr.c:100 := false</i><i><br>
</i><i>Aug 12 14:20:32 sudo[25075] <- addr_matches @
./match_addr.c:200 := false</i><i><br>
</i><i>Aug 12 14:20:32 sudo[25075] ->
sudo_sss_ipa_hostname_matches @ ./sssd.c:558</i><i><br>
</i><i>Aug 12 14:20:32 sudo[25075] -> hostname_matches @
./match.c:740</i><i><br>
</i><i>Aug 12 14:20:32 sudo[25075] <- hostname_matches @
./match.c:751 := false</i><i><br>
</i><i>Aug 12 14:20:32 sudo[25075] -> netgr_matches @
./match.c:856</i><i><br>
</i><i>Aug 12 14:20:32 sudo[25075]
(rhel7-ipa-client.example.com, *, example.com) found in
netgroup nonproduction</i><i><br>
</i><i>Aug 12 14:20:32 sudo[25075] <- netgr_matches @
./match.c:909 := true</i><i><br>
</i><i>Aug 12 14:20:32 sudo[25075] IPA hostname
(rhel7-ipa-client.example.com) matches +nonproduction =>
true</i><i><br>
</i><i>Aug 12 14:20:32 sudo[25075] <-
sudo_sss_ipa_hostname_matches @ ./sssd.c:569 := true</i><i><br>
</i><i>Aug 12 14:20:32 sudo[25075] sssd/ldap sudoHost
'+nonproduction' ... MATCH!</i><i><br>
</i><i>Aug 12 14:20:32 sudo[25075] <- sudo_sss_check_host @
./sssd.c:614 := true</i><br>
</blockquote>
</blockquote>
Kind regards,<br>
Justin Stephenson<br>
<br>
<div class="moz-cite-prefix">On 08/12/2016 10:00 AM, Jeff Goddard
wrote:<br>
</div>
<blockquote
cite="mid:CA+No-6HxaAkKLnhQFX5SkLv3me+fSYTNi0=VjYv3_t6zpV6HnA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>The rule is defined that all members of the developer group
have sudo access to all commands available on the machines in
the office group.<br>
<br>
</div>
Jeff<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Aug 12, 2016 at 9:58 AM, Jakub
Hrozek <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:jhrozek@redhat.com" target="_blank">jhrozek@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">On Fri,
Aug 12, 2016 at 08:53:53AM -0400, Jeff Goddard wrote:<br>
> Jakub,<br>
><br>
> Here is the log file output:<br>
<br>
How is the sudorule defined?<br>
<br>
> Aug 12 08:45:00 sudo[31732] user_in_group: user
jgoddard NOT in group admin<br>
> Aug 12 08:45:00 sudo[31732] <- user_in_group @<br>
> /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/pwutil.c:855
:= false<br>
> Aug 12 08:45:00 sudo[31732] user jgoddard matches group
admin: false @<br>
> usergr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:940<br>
> Aug 12 08:45:00 sudo[31732] <- usergr_matches @<br>
<br>
Here it looks like sudo tried to match user's groups against
the groups<br>
allowed to run sudo and admin didn't match.<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div class="gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div>
<div>Jeff Goddard<br>
</div>
Director of Information Technology<br>
</div>
Emerlyn Technology<br>
<br>
Email: <a moz-do-not-send="true"
href="mailto:jgoddard@emerlyn.com" target="_blank">jgoddard@emerlyn.com</a><br>
Telephone: (603) 447-8571<br>
Toll free: (888) 363-7596 ext. 108<br>
Fax: (603) 356-3346<br>
</div>
<br>
</div>
</div>
</div>
<br>
<br>
</blockquote>
<br>
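<p>Added example (editor's code, not from the thread or from the sudo/SSSD projects): a small triage script that applies the two checks Justin describes above, reading the sudoHost matching decisions out of sudoers debug output and inspecting the <code>netgroup:</code> line of nsswitch.conf. The log samples are constructed to mirror the two runs quoted in the thread, trimmed to one message per line (the mail wrapped them) and with the build path shortened, so they are not verbatim copies; the nsswitch.conf fragments and all function names are hypothetical. It assumes the log was produced by a sudo.conf <code>Debug sudoers.so</code> line at the <code>match</code> subsystem's debug level, which is the shape of the output shown above.</p>

```python
import re

# Constructed sample input, NOT a verbatim copy of the thread's logs: the
# failing run (host not found in the +office netgroup) and the working run.
FAILED_LOG = """\
Aug 12 08:45:00 sudo[31732] val[0]=+office
Aug 12 08:45:00 sudo[31732] <- addr_matches @ match_addr.c:207 := false
Aug 12 08:45:00 sudo[31732] <- sudo_getdomainname @ match.c:992 := (null)
Aug 12 08:45:00 sudo[31732] netgroup office matches (docker-dev-01.internal.emerlyn.com|docker-dev-01.internal.emerlyn.com, jgoddard, ): false @ netgr_matches() match.c:1041
Aug 12 08:45:00 sudo[31732] <- netgr_matches @ match.c:1044 := false
Aug 12 08:45:00 sudo[31732] <- hostname_matches @ match.c:830 := false
Aug 12 08:45:00 sudo[31732] sssd/ldap sudoHost '+office' ... not
Aug 12 08:45:00 sudo[31732] <- sudo_sss_check_host @ sssd.c:687 := false
"""

OK_LOG = """\
Aug 12 14:20:32 sudo[25075] val[0]=+nonproduction
Aug 12 14:20:32 sudo[25075] <- addr_matches @ ./match_addr.c:200 := false
Aug 12 14:20:32 sudo[25075] <- hostname_matches @ ./match.c:751 := false
Aug 12 14:20:32 sudo[25075] (rhel7-ipa-client.example.com, *, example.com) found in netgroup nonproduction
Aug 12 14:20:32 sudo[25075] <- netgr_matches @ ./match.c:909 := true
Aug 12 14:20:32 sudo[25075] sssd/ldap sudoHost '+nonproduction' ... MATCH!
Aug 12 14:20:32 sudo[25075] <- sudo_sss_check_host @ ./sssd.c:614 := true
"""

# Constructed (hypothetical) nsswitch.conf fragments: the ordering Justin
# asked about, and one of the two replacements he suggested.
NSSWITCH_NIS_FIRST = "passwd: compat sss\ngroup: compat sss\nnetgroup: nis sss\n"
NSSWITCH_SSS_ONLY = "passwd: compat sss\ngroup: compat sss\nnetgroup: sss\n"

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ sudo\[(?P<pid>\d+)\] (?P<msg>.*)$")
RET_RE = re.compile(r"^<- (?P<func>\w+) @ \S+ := (?P<ret>\S+)$")     # "<- f @ file:line := v"
VAL_RE = re.compile(r"^val\[\d+\]=(?P<host>\S+)$")                     # sudoHost value under test
FOUND_RE = re.compile(r"^\((?P<triple>[^)]*)\) found in netgroup (?P<ng>\S+)$")

# The three ways sudoers can accept a host for a sudoHost value.
HOST_MATCHERS = ("addr_matches", "hostname_matches", "netgr_matches")


def parse_sudo_debug(log_text):
    """Group debug lines by sudo PID; keep the sudoHost value, every
    function return value, and any netgroup triple that matched."""
    runs = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        run = runs.setdefault(int(m.group("pid")),
                              {"sudoHost": None, "returns": {}, "found": None})
        msg = m.group("msg")
        if (v := VAL_RE.match(msg)):
            run["sudoHost"] = v.group("host")
        elif (r := RET_RE.match(msg)):
            ret = r.group("ret")
            run["returns"][r.group("func")] = {"true": True, "false": False}.get(ret, ret)
        elif (f := FOUND_RE.match(msg)):
            triple = tuple(x.strip() for x in f.group("triple").split(","))
            run["found"] = (triple, f.group("ng"))
    return runs


def host_match_summary(run):
    """Which matchers sudo consulted (in log order), which accepted the host,
    the NIS domain it used for innetgr, and the final sudo_sss_check_host result."""
    rets = run["returns"]
    consulted = [f for f in rets if f in HOST_MATCHERS]
    return {
        "sudoHost": run["sudoHost"],
        "consulted": consulted,
        "matched_by": [f for f in consulted if rets[f] is True],
        "netgroup_triple": run["found"],
        "nis_domain": rets.get("sudo_getdomainname"),
        "host_ok": rets.get("sudo_sss_check_host"),
    }


def netgroup_sources(nsswitch_text):
    """Source list on the 'netgroup:' line of nsswitch.conf ([] if absent)."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("netgroup:"):
            return line.split(":", 1)[1].split()
    return []


def nsswitch_advice(sources):
    """Justin's suggestion from the thread: don't consult nis for netgroups
    on a host whose netgroups (IPA hostgroups) come from SSSD."""
    if "nis" in sources:
        return (f"netgroup line lists 'nis' ({' '.join(sources)}); "
                "try 'netgroup: sss' or 'netgroup: files sss'")
    if "sss" not in sources:
        return "netgroup line lacks 'sss'; innetgr() will never ask SSSD"
    return f"netgroup line looks fine: {' '.join(sources)}"


def triage(log_text, nsswitch_text):
    """One finding per sudo PID, combining the log and nsswitch checks."""
    advice = nsswitch_advice(netgroup_sources(nsswitch_text))
    findings = []
    for pid, run in sorted(parse_sudo_debug(log_text).items()):
        s = host_match_summary(run)
        if s["host_ok"]:
            findings.append(f"pid {pid}: host accepted for {s['sudoHost']} "
                            f"via {', '.join(s['matched_by'])}")
        else:
            findings.append(f"pid {pid}: host rejected for {s['sudoHost']}; tried "
                            f"{', '.join(s['consulted'])}; NIS domain {s['nis_domain']}; {advice}")
    return findings


if __name__ == "__main__":
    for line in triage(FAILED_LOG, NSSWITCH_NIS_FIRST) + triage(OK_LOG, NSSWITCH_SSS_ONLY):
        print(line)
```

<p>The script only reports what the log and nsswitch.conf say; it does not prove that the <code>nis</code> entry is the cause. On the affected host itself, <code>getent netgroup office</code> is the quickest way to see what the configured netgroup sources actually return for the hostgroup before and after changing the <code>netgroup:</code> line.</p>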
</body>
</html>