[Freeipa-users] sudo hostgroup sanity check, please?
JR Aquino
JR.Aquino at citrix.com
Tue Jul 10 22:45:38 UTC 2012
On Jul 10, 2012, at 12:28 PM, KodaK wrote:
> Further information:
>
> I do have:
>
> ldap_netgroup_search_base = cn=ng,cn=compat,dc=validdomain,dc=com
Go ahead and remove this line. Previous legacy versions of sssd required it. I believe it just gets in the way now.
You also want to run: $ domainname
Make sure it comes back with your domain, if not, please set your domainname. (/etc/rc.local is currently the place recommended to set this value)
Netgroups will come back as a tuple like: (testhost.domain.com, -, domain.com)
Sudo will do the netgroup look up and wants to see that the hostname matches the hostname of the server, and that the domain also matches.
You can double-check this by doing: getent netgroup <hostgroup-name>
It should return a tuple like the one above.
If you are still having difficulty, you can add sudoers_debug 2 in your /etc/sudo-ldap.conf file then re-run your sudo command. It should show the various tests it performs and the output of the FreeIPA server. It wants to match user, host, and command.
> In /etc/sssd/sssd.conf
>
> Is cn=ng,cn=compat correct?
>
> --Jason
>
> On Tue, Jul 10, 2012 at 2:15 PM, KodaK <sakodak at gmail.com> wrote:
>> I'm running IPA 2.2.0 on RHEL6
>>
>> Server:
>>
>> [root at validserver ~]# rpm -qa | grep ipa
>> ipa-client-2.2.0-16.el6.x86_64
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> libipa_hbac-python-1.8.0-32.el6.x86_64
>> ipa-python-2.2.0-16.el6.x86_64
>> ipa-server-2.2.0-16.el6.x86_64
>> ipa-server-selinux-2.2.0-16.el6.x86_64
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> python-iniparse-0.3.1-2.1.el6.noarch
>> libipa_hbac-1.8.0-32.el6.x86_64
>> ipa-admintools-2.2.0-16.el6.x86_64
>>
>> Client:
>>
>> [root at validhost ~]# rpm -qa | grep ipa
>> ipa-client-2.2.0-16.el6.x86_64
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> libipa_hbac-python-1.8.0-32.el6.x86_64
>> ipa-python-2.2.0-16.el6.x86_64
>> ipa-server-2.2.0-16.el6.x86_64
>> ipa-server-selinux-2.2.0-16.el6.x86_64
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> python-iniparse-0.3.1-2.1.el6.noarch
>> libipa_hbac-1.8.0-32.el6.x86_64
>> ipa-admintools-2.2.0-16.el6.x86_64
>>
>> My sudo-ldap.conf file:
>>
>> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com
>> bindpw validpassword
>>
>> ssl start_tls
>> tls_cacertfile /etc/ipa/ca.crt
>> tls_checkpeer yes
>>
>> bind_timelimit 5
>> timelimit 15
>>
>> uri ldap://validserver ldap://validserver2
>> sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com
>>
>> What I'm trying to do: I have a group of users that I'd like to have
>> restart apache on a group of hosts.
>>
>> What I've done: created a user group, created a group of hosts (in a
>> grouplist.)
>>
>> I can successfully run sudo in any configuration, *except* when using
>> a host group. When I try I get:
>>
>> Sorry, user validuser is not allowed to execute
>> '/etc/rc.d/init.d/httpd status' as root on validhost1.fqdn.com.
>>
>> I can edit the same rule, change the host group (that only contains
>> two hosts) and specify the two hosts directly and it works fine.
>>
>> Can someone else just try this and see if I've hit a bug? I'm certain
>> I couldn't have messed up creating the host group, but I suppose it's
>> possible.
>>
>> I get the same behavior when I try a simple "/bin/cat" command through
>> sudo, too.
>>
>> Is there a special config for using host groups? I suspect I may have
>> missed some obvious documentation.
>>
>> --
>> The government is going to read our mail anyway, might as well make it
>> tough for them. GPG Public key ID: B6A1A7C6
>
>
>
> --
> The government is going to read our mail anyway, might as well make it
> tough for them. GPG Public key ID: B6A1A7C6
>
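The host-plus-domain check JR describes above (domainname set, `getent netgroup` triple matching this server), written out as an added shell example that is not from the thread; the netgroup line and host names are constructed, and `netgroup_sanity_check` assumes `hostname -f`, `domainname` and `getent` are available on the client.

```shell
#!/bin/sh
# Added example (not from the thread): replay the netgroup sanity check offline
# and on a live box. Host and group names here are constructed.

# host_in_netgroup FQDN DOMAIN NETGROUP_LINE
# NETGROUP_LINE is one line as printed by `getent netgroup <group>`, e.g.
#   webhosts (web1.example.com,-,example.com) (web2.example.com,-,example.com)
# Returns 0 only when some triple has host == FQDN *and* domain == DOMAIN,
# the strict match the thread says sudo's netgroup lookup needs.
host_in_netgroup() {
    printf '%s\n' "$3" | awk -v H="$1" -v D="$2" '
        { gsub(/, +/, ",")                  # tolerate "(h, u, d)" spacing
          for (i = 2; i <= NF; i++) {       # $1 is the netgroup name
              t = $i
              sub(/^\(/, "", t); sub(/\)$/, "", t)
              split(t, f, ",")              # f[1]=host f[2]=user f[3]=domain
              if (f[1] == H && f[3] == D) { ok = 1 }
          } }
        END { exit ok ? 0 : 1 }'
}

# netgroup_sanity_check GROUP: run the live checks from the thread on this host.
netgroup_sanity_check() {
    dom=$(domainname 2>/dev/null)
    fqdn=$(hostname -f 2>/dev/null)
    if [ -z "$dom" ] || [ "$dom" = "(none)" ]; then
        echo "domainname is not set; set it (e.g. in /etc/rc.local) and retry" >&2
        return 1
    fi
    line=$(getent netgroup "$1") || { echo "netgroup $1 not found" >&2; return 1; }
    echo "netgroup: $line"
    if host_in_netgroup "$fqdn" "$dom" "$line"; then
        echo "OK: ($fqdn,-,$dom) is covered by $1"
    else
        echo "MISMATCH: no triple with host=$fqdn and domain=$dom in $1" >&2
        return 1
    fi
}
```

Run `netgroup_sanity_check <hostgroup-name>` on the client that fails sudo; a MISMATCH with the domain field is the case JR points at when `domainname` is unset.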