[Freeipa-users] sudo hostgroup sanity check, please?
KodaK
sakodak at gmail.com
Tue Jul 10 19:28:15 UTC 2012
Further information:
I do have:
ldap_netgroup_search_base = cn=ng,cn=compat,dc=validdomain,dc=com
In /etc/sssd/sssd.conf
Is cn=ng,cn=compat correct?
--Jason
On Tue, Jul 10, 2012 at 2:15 PM, KodaK <sakodak at gmail.com> wrote:
> I'm running IPA 2.2.0 on RHEL6
>
> Server:
>
> [root at validserver ~]# rpm -qa | grep ipa
> ipa-client-2.2.0-16.el6.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> libipa_hbac-python-1.8.0-32.el6.x86_64
> ipa-python-2.2.0-16.el6.x86_64
> ipa-server-2.2.0-16.el6.x86_64
> ipa-server-selinux-2.2.0-16.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> python-iniparse-0.3.1-2.1.el6.noarch
> libipa_hbac-1.8.0-32.el6.x86_64
> ipa-admintools-2.2.0-16.el6.x86_64
>
> Client:
>
> [root at validhost ~]# rpm -qa | grep ipa
> ipa-client-2.2.0-16.el6.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> libipa_hbac-python-1.8.0-32.el6.x86_64
> ipa-python-2.2.0-16.el6.x86_64
> ipa-server-2.2.0-16.el6.x86_64
> ipa-server-selinux-2.2.0-16.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> python-iniparse-0.3.1-2.1.el6.noarch
> libipa_hbac-1.8.0-32.el6.x86_64
> ipa-admintools-2.2.0-16.el6.x86_64
>
> My sudo-ldap.conf file:
>
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com
> bindpw validpassword
>
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
>
> bind_timelimit 5
> timelimit 15
>
> uri ldap://validserver ldap://validserver2
> sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com
>
> What I'm trying to do: I have a group of users that I'd like to have
> restart apache on a group of hosts.
>
> What I've done: created a user group, created a group of hosts (in a
> grouplist.)
>
> I can successfully run sudo in any configuration, *except* when using
> a host group. When I try I get:
>
> Sorry, user validuser is not allowed to execute
> '/etc/rc.d/init.d/httpd status' as root on validhost1.fqdn.com.
>
> I can edit the same rule, change the host group (that only contains
> two hosts) and specify the two hosts directly and it works fine.
>
> Can someone else just try this and see if I've hit a bug? I'm certain
> I couldn't have messed up creating the host group, but I suppose it's
> possible.
>
> I get the same behavior when I try a simple "/bin/cat" command through
> sudo, too.
>
> Is there a special config for using host groups? I suspect I may have
> missed some obvious documentation.
>
> --
> The government is going to read our mail anyway, might as well make it
> tough for them. GPG Public key ID: B6A1A7C6
--
The government is going to read our mail anyway, might as well make it
tough for them. GPG Public key ID: B6A1A7C6
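An added example (not from this thread, and not FreeIPA or sudo code) showing why a hostgroup rule depends on netgroup resolution: in sudo-ldap a sudoHost value of `+name` is a netgroup, and on a FreeIPA client that netgroup is the hostgroup exported through the compat tree and looked up by sssd via `ldap_netgroup_search_base`. The script parses constructed `getent netgroup` output and evaluates a rule against it, so the netgroup name, hostnames and the exact `getent` formatting are assumptions; it shows that when the lookup returns no triples a `+hostgroup` entry cannot match while a direct hostname entry still does, which is the symptom described above.

```python
"""Evaluate sudo-ldap sudoHost values against a client, given netgroup data.

sudo matches each sudoHost value as 'ALL', an exact hostname, or '+name',
where name is a netgroup resolved through the system (on an IPA client,
sssd's ldap_netgroup_search_base). A hostgroup rule therefore only works
when `getent netgroup <hostgroup>` lists the client in a triple.
"""
import re

# One netgroup triple: (host,user,domain); fields may be empty or '-'.
TRIPLE_RE = re.compile(r"\(\s*([^,()]*)\s*,\s*([^,()]*)\s*,\s*([^,()]*)\s*\)")


def parse_getent_netgroup(output):
    """Parse `getent netgroup NAME` output into {name: set(hosts)}.

    A name with no triples (the lookup came back empty, e.g. because the
    search base is wrong) yields an empty host set.
    """
    groups = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, rest = line.partition(" ")
        groups[name] = {h for h, _u, _d in TRIPLE_RE.findall(rest) if h}
    return groups


def host_matches(sudo_host, client_fqdn, netgroups):
    """Return True if a single sudoHost value applies to client_fqdn."""
    if sudo_host == "ALL":
        return True
    if sudo_host.startswith("+"):
        # Netgroup reference: an unresolved or empty netgroup never matches.
        return client_fqdn in netgroups.get(sudo_host[1:], set())
    return sudo_host.lower() == client_fqdn.lower()


def explain_rule(sudo_hosts, client_fqdn, netgroups):
    """Map each sudoHost value of a rule to whether it matches the client."""
    return {h: host_matches(h, client_fqdn, netgroups) for h in sudo_hosts}


# Constructed sample output: a netgroup that resolves, and the same lookup
# coming back with no triples.
GETENT_OK = "webservers (validhost1.fqdn.com,-,fqdn.com) (validhost2.fqdn.com,-,fqdn.com)\n"
GETENT_EMPTY = "webservers\n"

if __name__ == "__main__":
    rule = ["+webservers", "validhost1.fqdn.com"]
    for sample in (GETENT_OK, GETENT_EMPTY):
        print(explain_rule(rule, "validhost1.fqdn.com", parse_getent_netgroup(sample)))
```

Running `getent netgroup <hostgroup>` on the client and feeding its output to `parse_getent_netgroup` tells you whether sssd is actually returning the hostgroup's members before you look at the sudo rule itself.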