[Freeipa-users] Host groups not working with SUDO Rules

Megan . nagemnna at gmail.com
Fri May 8 00:15:09 UTC 2015


Thank you for the link.  I had the nisdomainname set to the hostname
of the directory server.  I changed it to the domain (example.com
instead of dir1.example.com) and that seems to have corrected my
issue.  Thank you so much!

I have it set in /etc/rc.d/rc.local so that it comes up on boot, but I
was reading that setting NISDOMAIN in /etc/sysconfig/network might be
a better place for it.  Are there any pros/cons?



On Thu, May 7, 2015 at 3:43 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Dmitri Pal wrote:
>> On 05/07/2015 03:07 PM, Megan . wrote:
>>> I'm having an issue where users can't use sudo commands on ipa client
>>> hosts.  I previously thought my issues with sudo were related to the
>>> type of commands, but I've narrowed it down to an issue with using
>>> host groups in the sudo rule access list instead of listing the hosts
>>> directly.  When I use the host group with the host in it, my user
>>> cannot run the sudo commands on the host.
>>>
>>> I have multiple debugs on in my sssd.conf and I have a ton of log
>>> files but I'm not sure what will be useful in helping me troubleshoot.
>>>
>>> IPA client 3.0.0
>>> Centos 6.6
>>>
>>>
>>> To reproduce:
>>>
>>> Add in sudo command
>>> Create command group
>>> Create host group
>>> Add host into host group
>>> create sudo rule
>>> use user groups, host groups, and sudo command groups to create rule
>>>
>>> Go onto client server
>>> clear out /var/lib/sss/db
>>> restart sssd
>>> test sudo for a user in the user group
>>>
>>> Test will fail.
>>>
>>> If I do the same steps and just list the hosts for the sudo rule
>>> access, and not the host groups, the sudo commands work fine for the
>>> user.
>>>
>>>
>>> When I'm using host groups in the sssd_EXAMPLE.COM.log I see what
>>> looks like a successful check for the host in the host group.  My
>>> hostgroup is uatcluster:
>>>
>>> (Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]]
>>> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
>>> domain SID from [(null)]
>>> (Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]]
>>> [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute
>>> while id-mapping. [0][Success]
>>> (Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]]
>>> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
>>> domain SID from [(null)]
>>> (Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [acctinfo_callback]
>>> (0x0100): Request processed. Returned 0,0,Success
>>> (Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]]
>>> [be_get_account_info] (0x0100): Got request for
>>> [4100][1][name=uatcluster]
>>> (Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [acctinfo_callback]
>>> (0x0100): Request processed. Returned 0,0,Success
>>> (Thu May  7 18:57:09 2015) [sssd[be[EXAMPLE.COM]]] [cleanup_groups]
>>> (0x0200): Found 3 expired group entries!
>>>
>>>
>>> I tried to recreate all of my host groups, and uninstall and reinstall
>>> the ipa client on one of my hosts.  Nothing seems to fix the issue.
>>> I'm not really sure where to go from here.  It took me 4 days to
>>> get this far.  I'm only mostly sure this is the issue.
>>>
>>>
>>> Thanks in advance for any help.
>>>
>>
>> What version are you using?
>> This sounds familiar. I vaguely remember a bug being fixed in this area
>> some time ago.
>>
>
> Make sure nisdomainname is set to your domain.
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/sudo.html#sudo-nis
>
> rob
>
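To confirm on a client that the fix described in this thread is in place (NIS domain equal to the IPA domain, both live and persisted), here is an added check script; it is not code from the thread or the FreeIPA project, and it assumes a standard ipa-client-install /etc/ipa/default.conf with a `domain =` line and a /etc/sysconfig/network-style NISDOMAIN setting:

```shell
#!/bin/sh
# Added example, not code from the thread: check that an IPA client's NIS domain
# name matches the IPA domain, the mismatch that broke host-group sudo rules above.
# Assumes /etc/ipa/default.conf carries a "domain = example.com" line.

# Print the IPA domain from an ipa default.conf-style file ($1).
ipa_domain_from_conf() {
    sed -n 's/^[[:space:]]*domain[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1 | tr -d '[:space:]'
}

# Print NISDOMAIN from a /etc/sysconfig/network-style file ($1); empty if absent.
nisdomain_from_sysconfig() {
    sed -n 's/^NISDOMAIN=//p' "$1" | tr -d '"' | head -n 1
}

# Lowercase a domain; "(none)", which nisdomainname prints when unset, becomes empty.
normalise_domain() {
    d=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    [ "$d" = "(none)" ] && d=""
    printf '%s' "$d"
}

# Succeed only if the NIS domain ($2) equals a non-empty IPA domain ($1).
nisdomain_matches() {
    ipa=$(normalise_domain "$1"); nis=$(normalise_domain "$2")
    [ -n "$ipa" ] && [ "$ipa" = "$nis" ]
}

# Compare both the running value (kernel domainname) and the persisted one.
check_client() {
    conf=${1:-/etc/ipa/default.conf}; net=${2:-/etc/sysconfig/network}
    ipa=$(ipa_domain_from_conf "$conf")
    running=$(cat /proc/sys/kernel/domainname 2>/dev/null || true)
    persisted=$(nisdomain_from_sysconfig "$net" 2>/dev/null || true)
    if nisdomain_matches "$ipa" "$running"; then echo "running NIS domain ok: $running"
    else echo "running NIS domain '$running' != IPA domain '$ipa' (fix now: nisdomainname $ipa)"; fi
    if nisdomain_matches "$ipa" "$persisted"; then echo "NISDOMAIN in $net ok"
    else echo "NISDOMAIN in $net is '$persisted', not '$ipa': will not survive reboot"; fi
}

# Constructed demo input reproducing the thread's misconfiguration (server hostname
# used as NIS domain) rather than the real /etc files.
demo_dir=$(mktemp -d)
printf '[global]\nrealm = EXAMPLE.COM\ndomain = example.com\n' > "$demo_dir/default.conf"
printf 'NETWORKING=yes\nNISDOMAIN=dir1.example.com\n' > "$demo_dir/network"
check_client "$demo_dir/default.conf" "$demo_dir/network"
rm -rf "$demo_dir"
```

Run it without arguments on a real client to compare /etc/ipa/default.conf against the kernel domainname and /etc/sysconfig/network.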



