[Freeipa-users] Host groups not working with SUDO Rules

Rob Crittenden rcritten at redhat.com
Fri May 8 02:25:43 UTC 2015


Megan . wrote:
> Thank you for the link.  I had the nisdomainname set to the hostname
> of the directory server.  I changed it to the domain (example.com
> instead of dir1.example.com) and that seems to have corrected my
> issue.  Thank you so much!
> 
> I have it set in /etc/rc.d/rc.local so that it comes up on boot but I
> was reading that setting NISDOMAIN in /etc/sysconfig/network might be
> a better place for it.  Are there any pros/cons?

/etc/sysconfig/network is probably the proper place to add it as other
tools that use NIS may look there (authconfig, for example).

I doubt, but can't guarantee, that rc.local would be just as effective
though. Given that there is already machinery to set it based on the
config file though, I'd lean towards that myself.

rob

> 
> 
> 
> On Thu, May 7, 2015 at 3:43 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>> Dmitri Pal wrote:
>>> On 05/07/2015 03:07 PM, Megan . wrote:
>>>> I'm having an issue where users can't use sudo commands on ipa client
>>>> hosts.  I previously thought my issues with sudo were related to the
>>>> type of commands, but I've narrowed it down to an issue with using
>>>> host groups in the sudo rule access list instead of listing the hosts
>>>> directly.  When I use the host group with the host in it, my user
>>>> cannot run the sudo commands on the host.
>>>>
>>>> I have multiple debugs on in my sssd.conf and I have a ton of log
>>>> files but I'm not sure what will be useful in helping me troubleshoot.
>>>>
>>>> IPA client 3.0.0
>>>> Centos 6.6
>>>>
>>>>
>>>> To reproduce:
>>>>
>>>> Add in sudo command
>>>> Create command group
>>>> Create host group
>>>> Add host into host group
>>>> Create sudo rule
>>>> Use user groups, host groups, and sudo command groups to create rule
>>>>
>>>> Go onto client server
>>>> clear out /var/lib/sss/db
>>>> restart sssd
>>>> test sudo for a user in the user group
>>>>
>>>> Test will fail.
>>>>
>>>> If I do the same steps and just list the hosts for the sudo rule
>>>> access, and not the host groups, the sudo commands works fine for the
>>>> user.
>>>>
>>>>
>>>> When I'm using host groups in the sssd_EXAMPLE.COM.log I see what
>>>> looks like a successful check for the host in the host group.  My
>>>> hostgroup is uatcluster:
>>>>
>>>> (Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]]
>>>> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
>>>> domain SID from [(null)]
>>>> (Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]]
>>>> [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute
>>>> while id-mapping. [0][Success]
>>>> (Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]]
>>>> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
>>>> domain SID from [(null)]
>>>> (Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [acctinfo_callback]
>>>> (0x0100): Request processed. Returned 0,0,Success
>>>> (Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]]
>>>> [be_get_account_info] (0x0100): Got request for
>>>> [4100][1][name=uatcluster]
>>>> (Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [acctinfo_callback]
>>>> (0x0100): Request processed. Returned 0,0,Success
>>>> (Thu May  7 18:57:09 2015) [sssd[be[EXAMPLE.COM]]] [cleanup_groups]
>>>> (0x0200): Found 3 expired group entries!
>>>>
>>>>
>>>> I tried to recreate all of my host groups, and uninstall and reinstall
>>>> the ipa client on one of my hosts.  Nothing seems to fix the issue.
>>>> I'm not really sure where to go from here.  It took me 4 days to
>>>> get this far.  I'm only mostly sure this is the issue.
>>>>
>>>>
>>>> Thanks in advance for any help.
>>>>
>>>
>>> What version are you using?
>>> This sounds familiar. I vaguely remember a bug being fixed in this area
>>> some time ago.
>>>
>>
>> Make sure nisdomainname is set to your domain.
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/sudo.html#sudo-nis
>>
>> rob
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
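The fix Rob points at, as an added example that is not code from this thread or from FreeIPA: IPA exposes host groups to clients as NIS netgroups, and sudo's netgroup matching compares the domain field of each netgroup triple with the client's NIS domain name, so a client whose nisdomainname is the server's host name (dir1.example.com) instead of the IPA domain (example.com) matches no host group, exactly the symptom above. The POSIX shell script below checks the NISDOMAIN= line of a /etc/sysconfig/network style file against the expected domain, flags the host-name-instead-of-domain mistake separately, rewrites the file with the correct value, and reports what the kernel currently has (which is what sudo sees at run time, regardless of which boot file set it). The file layout, the script name and the sample file contents are assumptions or constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): check and fix the
# NISDOMAIN setting an IPA client needs before sudo rules that use host
# groups can match. Assumptions: a RHEL/CentOS 6 style file such as
# /etc/sysconfig/network carries a NISDOMAIN=<value> line, and the correct
# value is the IPA domain (example.com), never a host name (dir1.example.com).

# check_nisdomain FILE DOMAIN
#   0: NISDOMAIN is set to DOMAIN
#   1: no NISDOMAIN line (or an empty one) in FILE
#   2: NISDOMAIN is set to something else; a host name under DOMAIN is the
#      mistake from the thread, so it gets its own message
check_nisdomain() {
    cfg="$1"; want="$2"
    # last uncommented assignment wins, as it would when the file is sourced;
    # strip surrounding quotes and trailing whitespace
    got=$(grep '^[[:space:]]*NISDOMAIN=' "$cfg" 2>/dev/null | tail -n 1 \
          | cut -d= -f2- | tr -d "\"'" | sed 's/[[:space:]]*$//')
    if [ -z "$got" ]; then
        echo "NISDOMAIN is not set in $cfg" >&2
        return 1
    fi
    [ "$got" = "$want" ] && return 0
    case "$got" in
        *."$want") echo "NISDOMAIN=$got is a host name; IPA needs the domain $want" >&2 ;;
        *)         echo "NISDOMAIN=$got does not match the IPA domain $want" >&2 ;;
    esac
    return 2
}

# set_nisdomain FILE DOMAIN: drop any existing NISDOMAIN line, append the
# correct one, keep every other line as it was
set_nisdomain() {
    cfg="$1"; want="$2"; tmp="$cfg.tmp.$$"
    { grep -v '^[[:space:]]*NISDOMAIN=' "$cfg" 2>/dev/null || true; } > "$tmp"
    printf 'NISDOMAIN=%s\n' "$want" >> "$tmp"
    mv "$tmp" "$cfg"
}

# running_nisdomain: the NIS domain the kernel currently has, i.e. what sudo
# and SSSD see; "(none)" means nothing set it yet (for instance rc.local did
# not run, or ran after sssd started)
running_nisdomain() {
    if [ -r /proc/sys/kernel/domainname ]; then
        cat /proc/sys/kernel/domainname
    else
        nisdomainname 2>/dev/null || echo "(none)"
    fi
}

# Usage: sh check-nisdomain.sh example.com [/etc/sysconfig/network]
if [ "$#" -ge 1 ]; then
    file="${2:-/etc/sysconfig/network}"
    check_nisdomain "$file" "$1" && echo "$file: NISDOMAIN=$1 ok"
    echo "NIS domain currently set on this host: $(running_nisdomain)"
fi
```

Run it with the IPA domain as the first argument on a client where host-group sudo rules fail; a return code of 2 with the "is a host name" message is the misconfiguration from this thread, and a correct file combined with "(none)" from the running kernel means the value is only in a file that has not been applied yet.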
