[Freeipa-users] sudo hostgroup sanity check, please?

KodaK sakodak at gmail.com
Tue Jul 10 19:28:15 UTC 2012


Further information:

I do have:

ldap_netgroup_search_base = cn=ng,cn=compat,dc=validdomain,dc=com

In /etc/sssd/sssd.conf

Is cn=ng,cn=compat correct?

--Jason

On Tue, Jul 10, 2012 at 2:15 PM, KodaK <sakodak at gmail.com> wrote:
> I'm running IPA 2.2.0 on RHEL6
>
> Server:
>
> [root at validserver ~]# rpm -qa | grep ipa
> ipa-client-2.2.0-16.el6.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> libipa_hbac-python-1.8.0-32.el6.x86_64
> ipa-python-2.2.0-16.el6.x86_64
> ipa-server-2.2.0-16.el6.x86_64
> ipa-server-selinux-2.2.0-16.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> python-iniparse-0.3.1-2.1.el6.noarch
> libipa_hbac-1.8.0-32.el6.x86_64
> ipa-admintools-2.2.0-16.el6.x86_64
>
> Client:
>
> [root at validhost ~]# rpm -qa | grep ipa
> ipa-client-2.2.0-16.el6.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> libipa_hbac-python-1.8.0-32.el6.x86_64
> ipa-python-2.2.0-16.el6.x86_64
> ipa-server-2.2.0-16.el6.x86_64
> ipa-server-selinux-2.2.0-16.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> python-iniparse-0.3.1-2.1.el6.noarch
> libipa_hbac-1.8.0-32.el6.x86_64
> ipa-admintools-2.2.0-16.el6.x86_64
>
> My sudo-ldap.conf file:
>
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com
> bindpw validpassword
>
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
>
> bind_timelimit 5
> timelimit 15
>
> uri ldap://validserver ldap://validserver2
> sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com
>
> What I'm trying to do:  I have a group of users that I'd like to have
> restart apache on a group of hosts.
>
> What I've done:  created a user group, created a group of hosts (in a
> grouplist.)
>
> I can successfully run sudo in any configuration, *except* when using
> a host group.  When I try I get:
>
> Sorry, user validuser is not allowed to execute
> '/etc/rc.d/init.d/httpd status' as root on validhost1.fqdn.com.
>
> I can edit the same rule, change the host group (that only contains
> two hosts) and specify the two hosts directly and it works fine.
>
> Can someone else just try this and see if I've hit a bug?  I'm certain
> I couldn't have messed up creating the host group, but I suppose it's
> possible.
>
> I get the same behavior when I try a simple "/bin/cat" command through
> sudo, too.
>
> Is there a special config for using host groups?  I suspect I may have
> missed some obvious documentation.
>
> --
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6



-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6