[Freeipa-users] Sudo works for full access, but not on a per command or host level.

Dmitri Pal dpal at redhat.com
Mon Oct 15 21:58:11 UTC 2012


On 10/15/2012 04:46 PM, Dmitri Pal wrote:
> On 10/15/2012 04:34 PM, Macklin, Jason wrote:
>>
>> Hi,
>>
>> I apologize up front if this is obvious, but I'm having issues
>> configuring sudo privileges. 
>>
>> I currently have an IPA server running FreeIPA 2.2 with sudo
>> configured for our administrators on all hosts.  This works
>> fantastic!  As soon as I attempt to configure a more specific sudo
>> rule it does not work.  In my troubleshooting, I have noticed that
>> from the same host my admin level privileges work, but with another
>> user account setup to just run one command, it fails.  I have turned
>> on sudo debugging and the only thing I can find that looks out of
>> sorts is the following:
>>
>> sudo: host_matches=0
>>
>> As soon as I move the user account that is failing into the admin
>> group it starts to work.
>>
>> I have attempted every iteration of sudo configuration on the server
>> that I can think of.  I have setup HBAC and given that a shot as
>> well.  At this point I'm completely stumped and would appreciate any
>> help that I can get!
>>
>
> What does sudo test return?

Yes, I meant HBAC. I might have confused you and myself, so let us start over.

First we need to make sure that the authentication happens correctly, so
if HBAC is set to allow, you should see in the SSSD log that access is
granted. That will limit the problem to just SUDO. If you have the
allow_all HBAC rule and no other rules, then we can probably skip this
step and move on to trying to solve the actual SUDO part.

So with SUDO, one of the known issues is the long vs. short hostname. Do
you by any chance use a short host name for that host?
If the names are FQDNs, the next step would be to use ldapsearch from the
client and see what LDAP entries the server would return.

>> Thank you in advance for your assistance,
>>
>> Jason
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
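The client-side part of the troubleshooting sequence above (check the hostname form sudo presents, look for `host_matches=0` in sudo's debug output, then query the server's sudo entries with ldapsearch) as an added example; this is not code from the thread or from the FreeIPA project. It assumes the `host_matches=N` debug lines quoted in the thread, and the ldapsearch base `ou=sudoers,<suffix>` and server name are placeholders to adjust. The sample debug lines are constructed; the live ldapsearch is only printed unless you opt in, so the script runs offline.

```shell
#!/bin/sh
# Added example, not FreeIPA project code. Helps triage the "host_matches=0"
# symptom discussed above from the client side.

# A FreeIPA client should present the FQDN it was enrolled with. Returns 0
# when NAME contains a dot (looks fully qualified), 1 otherwise.
is_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Prints "fqdn" or "short" for the hostname sudo will match against sudoHost.
hostname_form() {
    if is_fqdn "$1"; then echo fqdn; else echo short; fi
}

# Reads sudo debug output on stdin and prints how many rule evaluations
# reported host_matches=0 (grep -c prints 0 but exits 1 on no match, hence
# the "|| true" so the count survives under set -e).
count_host_mismatches() {
    n=$(grep -c 'host_matches=0' || true)
    echo "${n:-0}"
}

# Combines the two facts into a one-word verdict on stdout:
#   OK              every evaluated rule matched this host
#   SHORT_HOSTNAME  host did not match and the client uses a short name
#   FQDN_MISMATCH   host did not match even with an FQDN: compare sudoHost
#                   values on the server with ldapsearch (next step)
# $1 = hostname sudo presents, stdin = sudo debug output.
diagnose() {
    misses=$(count_host_mismatches)
    if [ "$misses" -eq 0 ]; then
        echo OK
    elif [ "$(hostname_form "$1")" = short ]; then
        echo SHORT_HOSTNAME
    else
        echo FQDN_MISMATCH
    fi
}

# Builds the ldapsearch the reply suggests, so you can see which sudoRole
# entries the server would hand this host. $1 = IPA server (placeholder),
# $2 = client FQDN, $3 = suffix such as dc=example,dc=com (placeholder).
# sudoHost/sudoUser/sudoCommand are standard sudoers schema attributes.
sudo_rule_query() {
    printf 'ldapsearch -x -LLL -H ldap://%s -b ou=sudoers,%s ' "$1" "$3"
    printf '"(|(sudoHost=%s)(sudoHost=ALL))" cn sudoHost sudoUser sudoCommand\n' "$2"
}

# Constructed sample of the debug output quoted in the thread.
SAMPLE_SUDO_DEBUG='sudo: host_matches=0
sudo: host_matches=1
sudo: host_matches=0'

# Live run on this machine only when explicitly requested; by default the
# functions above are just defined so the script is safe to source.
if [ "${SUDO_DIAG_RUN:-0}" = 1 ]; then
    me=$(hostname)
    printf 'hostname form: %s (%s)\n' "$(hostname_form "$me")" "$me"
    printf 'sample verdict: %s\n' "$(printf '%s\n' "$SAMPLE_SUDO_DEBUG" | diagnose "$me")"
    printf 'next step: %s' "$(sudo_rule_query ipa.example.com "$(hostname -f)" dc=example,dc=com)"
fi
```

Run it as `SUDO_DIAG_RUN=1 sh sudo_diag.sh` on the failing client, or pipe the real sudo debug log into `diagnose "$(hostname)"`. A `SHORT_HOSTNAME` verdict points at the long vs. short hostname issue named in the reply; `FQDN_MISMATCH` means the name looks right and the sudoHost values on the server are the thing to inspect with the printed ldapsearch.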


