[Freeipa-users] Host groups not working with SUDO Rules

Dmitri Pal dpal at redhat.com
Thu May 7 19:15:34 UTC 2015


On 05/07/2015 03:07 PM, Megan . wrote:
> I'm having an issue where users can't use sudo commands on ipa client
> hosts.  I previously thought my issues with sudo were related to the
> type of commands, but I've narrowed it down to an issue with using
> host groups in the sudo rule access list instead of listing the hosts
> directly.  When I use the host group with the host in it, my user
> cannot run the sudo commands on the host.
>
> I have multiple debugs on in my sssd.conf and I have a ton of log
> files but I'm not sure what will be useful in helping me troubleshoot.
>
> IPA client 3.0.0
> Centos 6.6
>
>
> To reproduce:
>
> Add in sudo command
> Create command group
> Create host group
> Add host into host group
> create sudo rule
> use user groups, host groups, and sudo command groups to create rule
>
> Go onto client server
> clear out /var/lib/sss/db
> restart sssd
> test sudo for a user in the user group
>
> Test will fail.
>
> If I do the same steps and just list the hosts for the sudo rule
> access, and not the host groups, the sudo commands work fine for the
> user.
>
>
> When I'm using host groups in the sssd_EXAMPLE.COM.log I see what
> looks like a successful check for the host in the host group.  My
> hostgroup is uatcluster:
>
> (Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]]
> [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute
> while id-mapping. [0][Success]
> (Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [acctinfo_callback]
> (0x0100): Request processed. Returned 0,0,Success
> (Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]]
> [be_get_account_info] (0x0100): Got request for
> [4100][1][name=uatcluster]
> (Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [acctinfo_callback]
> (0x0100): Request processed. Returned 0,0,Success
> (Thu May  7 18:57:09 2015) [sssd[be[EXAMPLE.COM]]] [cleanup_groups]
> (0x0200): Found 3 expired group entries!
>
>
> I tried to recreate all of my host groups, and uninstall and reinstall
> the ipa client on one of my hosts.  Nothing seems to fix the issue.
> I'm not really sure where to go from here.  It took me 4 days to
> get this far.  I'm only mostly sure this is the issue.
>
>
> Thanks in advance for any help.
>

What version are you using?
This sounds familiar. I vaguely remember a bug being fixed in this area 
some time ago.

-- 
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
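The reproduction steps and the client-side reset from the quoted message, written out as the corresponding FreeIPA CLI calls (an added example, not code from the thread; the host group name uatcluster is from the message, every other rule, group, host and command name is an assumed placeholder):

```shell
#!/bin/sh
# Added example: the thread's reproduction as FreeIPA CLI calls.
# "uatcluster" is the host group named in the thread; all other names
# (rule, user group, host, command group, command) are constructed placeholders.
set -eu

IPA=${IPA:-ipa}   # set IPA=echo to print the calls instead of executing them

# Server side: command -> command group -> host group -> rule built from groups.
setup_sudo_rule() {
    rule=$1; usergroup=$2; hostgroup=$3; host=$4; cmdgroup=$5; cmd=$6
    $IPA sudocmd-add "$cmd"
    $IPA sudocmdgroup-add "$cmdgroup"
    $IPA sudocmdgroup-add-member "$cmdgroup" --sudocmds="$cmd"
    $IPA hostgroup-add "$hostgroup"
    $IPA hostgroup-add-member "$hostgroup" --hosts="$host"
    $IPA sudorule-add "$rule"
    $IPA sudorule-add-user "$rule" --groups="$usergroup"
    $IPA sudorule-add-host "$rule" --hostgroups="$hostgroup"
    $IPA sudorule-add-allow-command "$rule" --sudocmdgroups="$cmdgroup"
}

# The variant the thread reports as working: the host is listed on the rule
# directly instead of through the host group.
add_host_directly() {
    rule=$1; host=$2; hostgroup=$3
    $IPA sudorule-remove-host "$rule" --hostgroups="$hostgroup"
    $IPA sudorule-add-host "$rule" --hosts="$host"
}

# Client side (as root on the IPA client): the thread's "clear out
# /var/lib/sss/db, restart sssd", then list what sudo grants the test user.
reset_and_test() {
    user=$1
    service sssd stop
    rm -f /var/lib/sss/db/*.ldb
    service sssd start
    sudo -l -U "$user"
}

# Checks worth running before reading debug logs: the client's FQDN must be
# the host entry that is a member of the host group, and the rule must
# reference that host group.
show_resolution() {
    rule=$1; hostgroup=$2
    hostname -f
    $IPA host-show "$(hostname -f)"
    $IPA hostgroup-show "$hostgroup"
    $IPA sudorule-show "$rule"
}
```

Run setup_sudo_rule on an IPA server with a valid admin ticket, then reset_and_test and show_resolution on the client; compare the host group membership and rule shown with what the user actually gets from sudo -l.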