[Freeipa-users] sudo hostgroup sanity check, please?

JR Aquino JR.Aquino at citrix.com
Tue Jul 10 22:45:38 UTC 2012


On Jul 10, 2012, at 12:28 PM, KodaK wrote:

> Further information:
> 
> I do have:
> 
> ldap_netgroup_search_base = cn=ng,cn=compat,dc=validdomain,dc=com

Go ahead and remove this line.  Previous legacy versions of sssd required it.  I believe it just gets in the way now.

You also want to run: $ domainname

Make sure it comes back with your domain, if not, please set your domainname.  (/etc/rc.local is currently the place recommended to set this value)

Netgroups will come back as a tuple like: (testhost.domain.com, -, domain.com)  

Sudo will do the netgroup look up and wants to see that the hostname matches the hostname of the server, and that the domain also matches.

You can double-check this by doing: getent netgroup <hostgroup-name>

It should return a tuple like the one above.

If you are still having difficulty, you can add sudoers_debug 2 in your /etc/sudo-ldap.conf file then re-run your sudo command.  It should show the various tests it performs and the output of the FreeIPA server.  It wants to match user, host, and command.


> In /etc/sssd/sssd.conf
> 
> Is cn=ng,cn=compat correct?
> 
> --Jason
> 
> On Tue, Jul 10, 2012 at 2:15 PM, KodaK <sakodak at gmail.com> wrote:
>> I'm running IPA 2.2.0 on RHEL6
>> 
>> Server:
>> 
>> [root at validserver ~]# rpm -qa | grep ipa
>> ipa-client-2.2.0-16.el6.x86_64
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> libipa_hbac-python-1.8.0-32.el6.x86_64
>> ipa-python-2.2.0-16.el6.x86_64
>> ipa-server-2.2.0-16.el6.x86_64
>> ipa-server-selinux-2.2.0-16.el6.x86_64
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> python-iniparse-0.3.1-2.1.el6.noarch
>> libipa_hbac-1.8.0-32.el6.x86_64
>> ipa-admintools-2.2.0-16.el6.x86_64
>> 
>> Client:
>> 
>> [root at validhost ~]# rpm -qa | grep ipa
>> ipa-client-2.2.0-16.el6.x86_64
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> libipa_hbac-python-1.8.0-32.el6.x86_64
>> ipa-python-2.2.0-16.el6.x86_64
>> ipa-server-2.2.0-16.el6.x86_64
>> ipa-server-selinux-2.2.0-16.el6.x86_64
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> python-iniparse-0.3.1-2.1.el6.noarch
>> libipa_hbac-1.8.0-32.el6.x86_64
>> ipa-admintools-2.2.0-16.el6.x86_64
>> 
>> My sudo-ldap.conf file:
>> 
>> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com
>> bindpw validpassword
>> 
>> ssl start_tls
>> tls_cacertfile /etc/ipa/ca.crt
>> tls_checkpeer yes
>> 
>> bind_timelimit 5
>> timelimit 15
>> 
>> uri ldap://validserver ldap://validserver2
>> sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com
>> 
>> What I'm trying to do:  I have a group of users that I'd like to have
>> restart apache on a group of hosts.
>> 
>> What I've done:  created a user group, created a group of hosts (in a
>> grouplist.)
>> 
>> I can successfully run sudo in any configuration, *except* when using
>> a host group.  When I try I get:
>> 
>> Sorry, user validuser is not allowed to execute
>> '/etc/rc.d/init.d/httpd status' as root on validhost1.fqdn.com.
>> 
>> I can edit the same rule, change the host group (that only contains
>> two hosts) and specify the two hosts directly and it works fine.
>> 
>> Can someone else just try this and see if I've hit a bug?  I'm certain
>> I couldn't have messed up creating the host group, but I suppose it's
>> possible.
>> 
>> I get the same behavior when I try a simple "/bin/cat" command through
>> sudo, too.
>> 
>> Is there a special config for using host groups?  I suspect I may have
>> missed some obvious documentation.
>> 
>> --
>> The government is going to read our mail anyway, might as well make it
>> tough for them.  GPG Public key ID:  B6A1A7C6
> 
> 
> 
> -- 
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
