[Freeipa-users] Help understanding issue with CentOS freeipa sudo host groups

Rob Crittenden rcritten at redhat.com
Wed Nov 18 16:55:00 UTC 2015


Sparks, Alan wrote:
> I still can’t find the problem after a lot of searching, can someone
> give me a little advice?   Assembling a POC of FreeIPA 4.1.0 server
> (stock CentOS-7 packages) and a CentOS 6.7 server with their stock 3.0.0
> packages.   Sudo version on the client is sudo-1.8.6p3.
>
> Have created a general sudo rule on the IPA server to grant access to a
> host group.   However it doesn’t allow access, just a “sparksa is not
> allowed to run sudo on als-centos0002”.    If I change the rule to not
> use host groups, and explicitly set the hosts, it works OK.
>
> Have checked the stuff I’ve seen in general search, like the
> nisdomainname, values are set and look plausible.   The sudo debug logs
> seem to indicate vaguely that it can’t match the netgroup:
>
> Nov 18 16:07:37 sudo[15713]   username=sparksa
> Nov 18 16:07:37 sudo[15713] domainname=(null)
> Nov 18 16:07:37 sudo[15713] Received 1 rule(s)
> Nov 18 16:07:37 sudo[15713] sssd/ldap sudoHost '+opsauto' ... not
> Nov 18 16:07:37 sudo[15713] Sorting the remaining entries using the sudoOrder attribute
> Nov 18 16:07:37 sudo[15713] searching SSSD/LDAP for sudoers entries
> Nov 18 16:07:37 sudo[15713] Done with LDAP searches
> Nov 18 16:07:37 sudo[15713] keep HOSTNAME=als-centos0002.dakar.useast.hpcloud.net: YES
> Nov 18 16:07:37 sudo[15713] sudo_putenv: HOSTNAME=als-centos0002.dakar.useast.hpcloud.net
>
> The setup of the client used the normal ‘ipa-client-install’ script.
> From questions asked before, some salient debugging info:
>
> [root@als-centos0002 sys-ops]# nisdomainname
> dakar.useast.hpcloud.net
> [root@als-centos0002 sys-ops]# hostname
> als-centos0002.dakar.useast.hpcloud.net
> [root@als-centos0002 sys-ops]# getent netgroup opsauto
> opsauto              (als-ubuntu0001.oa.ftc.hpelabs.net,-,eucalyptus.internal) (als-centos0002.dakar.useast.hpcloud.net,-,eucalyptus.internal)
>
> Does anyone have any advice on what additional debug I should look at,
> just not sure what I’m missing.   Thanks in advance.

Your NIS domain name doesn't match. dakar.useast.hpcloud.net !=
eucalyptus.internal

rob
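As an added illustration of the mismatch Rob points at (example code written for this page, not from the thread, FreeIPA or sudo): a small Python model of how a `sudoHost: +netgroup` entry is checked against the client. It parses the `getent netgroup opsauto` output quoted above (embedded as a constructed string) and tests the client's FQDN and NIS domain against each (host,user,domain) triple. It follows the netgroup(5) rule that a non-empty domain field must equal the client's NIS domain name; it does not reproduce the libc innetgr() implementation itself, and the function names (`parse_netgroup`, `host_in_netgroup`, `diagnose`) are mine.

```python
import re

# Constructed sample input: the `getent netgroup opsauto` output quoted in the
# thread, reflowed onto the single line getent actually prints.
GETENT_OUTPUT = (
    "opsauto "
    "(als-ubuntu0001.oa.ftc.hpelabs.net,-,eucalyptus.internal) "
    "(als-centos0002.dakar.useast.hpcloud.net,-,eucalyptus.internal)"
)

# One (host,user,domain) triple; any field may be empty (wildcard) or "-".
TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_netgroup(getent_line):
    """Split a `getent netgroup NAME` line into (name, [(host, user, domain), ...]).

    Fields are stripped of whitespace but otherwise kept verbatim, so an empty
    string still means "wildcard" and "-" still means "no valid value".
    """
    name, _, rest = getent_line.partition(" ")
    triples = [tuple(f.strip() for f in m) for m in TRIPLE_RE.findall(rest)]
    return name.strip(), triples


def field_matches(field, value):
    """netgroup(5) field semantics as a sudoHost check needs them:
    "" matches anything, "-" matches nothing, otherwise exact string equality.
    A value of None means the caller does not care about this field (sudo
    passes no user when it checks the host), so it matches any field."""
    if field == "-":
        return False
    if field == "" or value is None:
        return True
    return field == value


def host_in_netgroup(triples, hostname, nis_domain):
    """True if some triple accepts both the client's FQDN and its NIS domain.
    This is the check behind a `sudoHost: +opsauto` entry: being listed by
    hostname is not enough, the domain field has to agree as well."""
    return any(
        field_matches(host, hostname) and field_matches(domain, nis_domain)
        for host, _user, domain in triples
    )


def diagnose(getent_line, hostname, nis_domain):
    """Explain why a host does or does not match the netgroup."""
    name, triples = parse_netgroup(getent_line)
    if host_in_netgroup(triples, hostname, nis_domain):
        return f"{hostname} matches netgroup {name} in NIS domain {nis_domain}"
    # The host is listed, so the only field left to disagree is the domain.
    listed_domains = sorted(
        {domain for host, _user, domain in triples
         if field_matches(host, hostname) and domain not in ("", "-")}
    )
    if listed_domains:
        return (
            f"{hostname} is listed in {name}, but its NIS domain "
            f"{nis_domain!r} is not one of {listed_domains}: "
            "the client's nisdomainname and the triple's domain must agree"
        )
    return f"{hostname} is not listed in netgroup {name}"


if __name__ == "__main__":
    client = "als-centos0002.dakar.useast.hpcloud.net"
    # Values as reported by `hostname` and `nisdomainname` in the thread.
    print(diagnose(GETENT_OUTPUT, client, "dakar.useast.hpcloud.net"))
    # The domain the netgroup triples were written for.
    print(diagnose(GETENT_OUTPUT, client, "eucalyptus.internal"))
```

Run with the client's real values by substituting the output of `getent netgroup NAME`, `hostname` and `nisdomainname`; when `diagnose` reports the host as listed but the domain as not agreeing, the fix is on either side (the client's NIS domain name or the domain stored in the netgroup triples), not in the sudo rule itself.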
