[Freeipa-users] Sudo works for full access, but not on a per command or host level.

Rich Megginson rmeggins at redhat.com
Wed Oct 17 15:53:07 UTC 2012


On 10/17/2012 07:26 AM, Macklin, Jason wrote:
> Okay,
>
>    Rule name: test4
>    Enabled: TRUE
>    Command category: all
>    Users: asteinfeld
>    Hosts: dbduwdu062.dbr.roche.com
>    Host Groups: tempsudo
>
> Client dbduwdu062 is matched in the rule by both the hosts and groups entry.
>
> /etc/nsswitch.conf has:
>
> 	Netgroups: files sss
>
> Getent netgroup tempsudo returns:
>
> 	[jmacklin at dbduwdu062 Desktop]$ getent netgroup tempsudo
> 	tempsudo              (dbduwdu063.dbr.roche.com, -, dbr.roche.com) (dbduwdu062.dbr.roche.com, -, dbr.roche.com)
>
> To the previous ldapsearch request:
>
> 	[jmacklin at dbduwdu062 Desktop]$ ldapsearch -Y GSSAPI -H ldap://dbduvdu145.dbr.roche.com "ou=SUDOers,dc=dbr,dc=roche,dc=com"
> 	SASL/GSSAPI authentication started
> 	ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
> 	additional info: Entry permanently locked.
>
> I am still scratching my head on this one...

This means you cannot search using your kerberos ticket because the 
corresponding entry is locked.  Try using directory manager:

ldapsearch -x -D "cn=directory manager" -W -H ldap://dbduvdu145.dbr.roche.com "ou=SUDOers,dc=dbr,dc=roche,dc=com"


>
> Cheers,
> Jason
>
> If you look closely, the reason that your admin works is because it appears to be matching a sudo rule who has the "ALL" hosts value set.
>
> When you run the non working user, it is attempting to match the hostname/hostgroup to the rule and fails to do so.
>
> Try this. Type: getent netgroup hostgroupname <- your host's hostgroup goes there.
>
> ^ that command should return all of the hosts in your hostgroup. If it does not, then check /etc/nsswitch.conf and make sure that netgroup is set to use sss.
>
> You will also need to make sure that the output of: domainname or nisdomainname matches your expected domain.
>
> Let me know how things look after trying that.
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
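An added example, not code from the thread or from FreeIPA, that checks offline the three prerequisites for SSSD-backed sudo host matching discussed in the quoted advice (the netgroup source in nsswitch.conf, netgroup membership of the host, and the NIS domain in the triple). The function names and the sample data are constructed for this example, modelled on the getent output quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread. Offline checks for the three
# prerequisites behind FreeIPA/SSSD sudo host matching: the nsswitch netgroup
# source, netgroup membership of the host, and the NIS domain in the triple.
# Function names and the sample data below are constructed for this example.

# Does the "netgroup:" line of nsswitch.conf (passed as text) list sss?
nsswitch_netgroup_has_sss() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "netgroup:" { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Does the host appear in the host field of any (host, user, domain) triple
# of the given "getent netgroup" output?
netgroup_contains_host() {
    printf '%s\n' "$1" | tr '()' '\n\n' | awk -F, -v h="$2" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1); if ($1 == h) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Does the triple for the host also match the NIS domain (the output of
# domainname / nisdomainname)? An empty domain field is a wildcard.
netgroup_domain_matches() {
    printf '%s\n' "$1" | tr '()' '\n\n' | awk -F, -v h="$2" -v d="$3" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $3)
          if ($1 == h && ($3 == "" || $3 == d)) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Constructed sample input, modelled on the output quoted in the thread.
NSS_GOOD='passwd:   files sss
netgroup: files sss'
NSS_BAD='netgroup: files'
GETENT_OUT='tempsudo              (dbduwdu063.dbr.roche.com, -, dbr.roche.com) (dbduwdu062.dbr.roche.com, -, dbr.roche.com)'
HOST=dbduwdu062.dbr.roche.com

# Report each check without aborting the script on a failure.
check() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fi; }
check nsswitch_netgroup_has_sss "$NSS_GOOD"
check netgroup_contains_host "$GETENT_OUT" "$HOST"
check netgroup_domain_matches "$GETENT_OUT" "$HOST" dbr.roche.com
```

On a real client, feed the functions the output of `cat /etc/nsswitch.conf`, `getent netgroup <hostgroup>` and `nisdomainname` instead of the constructed strings.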
