[Freeipa-users] Host groups not working with SUDO Rules

Megan . nagemnna at gmail.com
Fri May 8 00:00:50 UTC 2015


On the server I am running CentOS release 6.6 (Final) with:

sssd-ipa-1.11.6-30.el6_6.4.x86_64
ipa-server-3.0.0-42.el6.centos.x86_64
sudo-1.8.6p3-15.el6.x86_64

On the clients I'm running CentOS release 6.6 (Final):

sssd-ipa-1.11.6-30.el6_6.4.x86_64
ipa-client-3.0.0-42.el6.centos.x86_64
sudo-1.8.6p3-15.el6.x86_64




On Thu, May 7, 2015 at 3:15 PM, Dmitri Pal <dpal at redhat.com> wrote:
> On 05/07/2015 03:07 PM, Megan . wrote:
>>
>> I'm having an issue where users can't use sudo commands on IPA client
>> hosts.  I previously thought my issues with sudo were related to the
>> type of commands, but I've narrowed it down to an issue with using
>> host groups in the sudo rule access list instead of listing the hosts
>> directly.  When I use the host group with the host in it, my user
>> cannot run the sudo commands on the host.
>>
>> I have multiple debugs on in my sssd.conf and I have a ton of log
>> files, but I'm not sure what will be useful in helping me troubleshoot.
>>
>> IPA client 3.0.0
>> Centos 6.6
>>
>>
>> To reproduce:
>>
>> Add in sudo command
>> Create command group
>> Create host group
>> Add host into host group
>> create sudo rule
>> use user groups, host groups, and sudo command groups to create rule
>>
>> Go onto client server
>> clear out /var/lib/sss/db
>> restart sssd
>> test sudo for a user in the user group
>>
>> Test will fail.
>>
>> If I do the same steps and just list the hosts for the sudo rule
>> access, and not the host groups, the sudo commands work fine for the
>> user.
>>
>>
>> When I'm using host groups, in the sssd_EXAMPLE.COM.log I see what
>> looks like a successful check for the host in the host group.  My
>> hostgroup is uatcluster:
>>
>> (Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]]
>> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
>> domain SID from [(null)]
>> (Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]]
>> [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute
>> while id-mapping. [0][Success]
>> (Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]]
>> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
>> domain SID from [(null)]
>> (Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [acctinfo_callback]
>> (0x0100): Request processed. Returned 0,0,Success
>> (Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]]
>> [be_get_account_info] (0x0100): Got request for
>> [4100][1][name=uatcluster]
>> (Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [acctinfo_callback]
>> (0x0100): Request processed. Returned 0,0,Success
>> (Thu May  7 18:57:09 2015) [sssd[be[EXAMPLE.COM]]] [cleanup_groups]
>> (0x0200): Found 3 expired group entries!
>>
>>
>> I tried to recreate all of my host groups, and uninstall and reinstall
>> the ipa client on one of my hosts.  Nothing seems to fix the issue.
>> I'm not really sure where to go from here.  It took me 4 days to
>> get this far.  I'm only mostly sure this is the issue.
>>
>>
>> Thanks in advance for any help.
>>
>
> What version are you using?
> This sounds familiar. I vaguely remember a bug being fixed in this area some
> time ago.
>
> --
> Thank you,
> Dmitri Pal
>
> Director of Engineering for IdM portfolio
> Red Hat, Inc.
>

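The reproduction steps quoted above, written out as an added shell script (not code from the thread or from FreeIPA itself): the rule, command group, user group, command and client host names are assumptions, uatcluster is the host group from the report, and setting IPA=echo prints the ipa commands instead of running them.

```shell
#!/bin/sh
# Added reproduction script (not from the original thread): drives the
# steps from the report with the ipa(1) CLI, then re-checks sudo on a
# client.  uat-rule, uat-cmds, uat-admins, the command path and the
# client FQDN are assumptions; uatcluster is the host group from the
# thread.  Set IPA=echo to print the commands instead of running them.
IPA="${IPA:-ipa}"
HOSTGROUP="${HOSTGROUP:-uatcluster}"
HOST="${HOST:-client1.example.com}"      # assumed client FQDN
USERGROUP="${USERGROUP:-uat-admins}"     # assumed user group
CMD="${CMD:-/usr/sbin/service}"          # assumed sudo command
RULE="${RULE:-uat-rule}"
CMDGROUP="${CMDGROUP:-uat-cmds}"

# Server side: build the rule entirely from groups, as in the report.
# Each ipa call fails on a duplicate entry, so run this on a clean setup.
setup_rule_with_hostgroup() {
    "$IPA" sudocmd-add "$CMD" &&
    "$IPA" sudocmdgroup-add "$CMDGROUP" &&
    "$IPA" sudocmdgroup-add-member "$CMDGROUP" --sudocmds="$CMD" &&
    "$IPA" hostgroup-add "$HOSTGROUP" &&
    "$IPA" hostgroup-add-member "$HOSTGROUP" --hosts="$HOST" &&
    "$IPA" sudorule-add "$RULE" &&
    "$IPA" sudorule-add-user "$RULE" --groups="$USERGROUP" &&
    "$IPA" sudorule-add-host "$RULE" --hostgroups="$HOSTGROUP" &&
    "$IPA" sudorule-add-allow-command "$RULE" --sudocmdgroups="$CMDGROUP"
}

# The variant that works in the report: replace the host group in the
# rule with the host itself, leaving everything else unchanged.
switch_rule_to_direct_host() {
    "$IPA" sudorule-remove-host "$RULE" --hostgroups="$HOSTGROUP" &&
    "$IPA" sudorule-add-host "$RULE" --hosts="$HOST"
}

# Client side (run as root on $HOST): drop the sssd cache, restart sssd,
# and list what sudo believes the user may run.  Returns 0 when the
# command is listed, so both rule variants can be compared directly.
client_check() {
    user="$1"
    service sssd stop && rm -f /var/lib/sss/db/* && service sssd start &&
    sudo -l -U "$user" | grep -q -- "$CMD"
}

# Only apply the server-side setup when explicitly requested.
if [ -n "${RUN_REPRO:-}" ]; then
    setup_rule_with_hostgroup
fi
```

Run the server-side functions on the IPA server and client_check on the client; with the host-group rule the check fails in the report, and after switch_rule_to_direct_host (plus a fresh cache) it succeeds.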