[Freeipa-users] Host groups not working with SUDO Rules

Rob Crittenden rcritten at redhat.com
Thu May 7 19:43:01 UTC 2015


Dmitri Pal wrote:
> On 05/07/2015 03:07 PM, Megan . wrote:
>> I'm having an issue where users can't use sudo commands on ipa client
>> hosts.  I previously thought my issues with sudo were related to the
>> type of commands, but I've narrowed it down to an issue with using
>> host groups in the sudo rule access list instead of listing the hosts
>> directly.  When I use the host group with the host in it, my user
>> cannot run the sudo commands on the host.
>>
>> I have multiple debugs on in my sssd.conf and I have a ton of log
>> files but I'm not sure what will be useful in helping me troubleshoot.
>>
>> IPA client 3.0.0
>> Centos 6.6
>>
>>
>> To reproduce:
>>
>> Add in sudo command
>> Create command group
>> Create host group
>> Add host into host group
>> create sudo rule
>> use user groups, host groups, and sudo command groups to create rule
>>
>> Go onto client server
>> clear out /var/lib/sss/db
>> restart sssd
>> test sudo for a user in the user group
>>
>> Test will fail.
>>
>> If I do the same steps and just list the hosts for the sudo rule
>> access, and not the host groups, the sudo commands works fine for the
>> user.
>>
>>
>> When I'm using host groups in the sssd_EXAMPLE.COM.log I see what
>> looks like a successful check for the host in the host group.  My
>> hostgroup is uatcluster:
>>
>> (Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]]
>> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
>> domain SID from [(null)]
>> (Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]]
>> [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute
>> while id-mapping. [0][Success]
>> (Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]]
>> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
>> domain SID from [(null)]
>> (Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [acctinfo_callback]
>> (0x0100): Request processed. Returned 0,0,Success
>> (Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]]
>> [be_get_account_info] (0x0100): Got request for
>> [4100][1][name=uatcluster]
>> (Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [acctinfo_callback]
>> (0x0100): Request processed. Returned 0,0,Success
>> (Thu May  7 18:57:09 2015) [sssd[be[EXAMPLE.COM]]] [cleanup_groups]
>> (0x0200): Found 3 expired group entries!
>>
>>
>> I tried to recreate all of my host groups, and uninstall and reinstall
>> the ipa client on one of my hosts.  Nothing seems to fix the issue.
>> I'm not really sure where to go from here.  It took me 4 days to
>> get this far.  I'm only mostly sure this is the issue.
>>
>>
>> Thanks in advance for any help.
>>
> 
> What version are you using?
> This sounds familiar. I vaguely remember a bug being fixed in this area
> some time ago.
> 

Make sure nisdomainname is set to your domain.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/sudo.html#sudo-nis

rob
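FreeIPA publishes each host group to clients as a netgroup, and a netgroup triple carries the NIS domain, so a sudo rule that names a host group only matches when the client's nisdomainname equals the IPA domain; a rule that lists hosts directly needs no such match, which fits the symptom above. The script below is an added example (not from the thread or from the FreeIPA project) that pulls `ipa_domain` out of an sssd.conf, compares it with the running `nisdomainname`, and prints the CentOS 6 fix from the linked guide (`nisdomainname` plus `NISDOMAIN=` in /etc/sysconfig/network). The sssd.conf path and the sample config are assumptions.

```shell
#!/bin/sh
# Added example: check that the client's NIS domain matches the IPA domain
# that sssd uses, so host-group (netgroup) matching in sudo rules can work.

# ipa_domain_from_conf FILE: print the first ipa_domain value in an sssd.conf
ipa_domain_from_conf() {
    sed -n 's/^[[:space:]]*ipa_domain[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# nisdomain_matches EXPECTED CURRENT: succeed only if both are non-empty
# and equal ignoring case (an unset nisdomainname prints "(none)").
nisdomain_matches() {
    expected=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    current=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$expected" ] && [ "$expected" = "$current" ]
}

# check_client [SSSD_CONF]: compare the live nisdomainname with ipa_domain
# from sssd.conf (default /etc/sssd/sssd.conf, an assumed path) and print the fix.
check_client() {
    conf=${1:-/etc/sssd/sssd.conf}
    want=$(ipa_domain_from_conf "$conf")
    have=$(nisdomainname 2>/dev/null || echo "(none)")
    if nisdomain_matches "$want" "$have"; then
        echo "OK: nisdomainname '$have' matches ipa_domain '$want'"
        return 0
    fi
    echo "MISMATCH: ipa_domain='$want' but nisdomainname='$have'"
    echo "Fix now:        nisdomainname $want"
    echo "Fix on boot:    echo NISDOMAIN=$want >> /etc/sysconfig/network"
    echo "Then:           rm -f /var/lib/sss/db/*; service sssd restart"
    return 1
}

# Demo on a constructed sssd.conf (sample input, not a real client's file).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[domain/EXAMPLE.COM]
id_provider = ipa
ipa_domain = example.com
ipa_server = ipa.example.com
sudo_provider = ipa
EOF
check_client "$demo_conf" || true
rm -f "$demo_conf"
```

Run it on the failing client; if it reports a mismatch, apply both fix lines, clear the sssd cache as in the reproduction steps, and retry sudo with the host-group rule.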
