[Freeipa-users] sudo rules question on ubuntu 16.0.1

Jeff Goddard jgoddard at emerlyn.com
Fri Aug 12 18:35:08 UTC 2016


I made the edit as suggested - removing nis and just leaving sss -
restarted sssd and then re-tried. I also tried with files sss. Still
getting the same result.

Thanks,

Jeff

On Fri, Aug 12, 2016 at 2:27 PM, Justin Stephenson <jstephen at redhat.com>
wrote:

> This looks suspicious
>
> Aug 12 08:45:00 sudo[31732] val[0]=+office
> Aug 12 08:45:00 sudo[31732] -> addr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:195
> Aug 12 08:45:00 sudo[31732] -> addr_matches_if @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:56
> Aug 12 08:45:00 sudo[31732] <- addr_matches_if @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:66 := false
> Aug 12 08:45:00 sudo[31732] IP address +office matches local host: false @ addr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:206
> Aug 12 08:45:00 sudo[31732] <- addr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:207 := false
> Aug 12 08:45:00 sudo[31732] -> netgr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1015
> Aug 12 08:45:00 sudo[31732] -> sudo_getdomainname @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:953
> Aug 12 08:45:00 sudo[31732] <- sudo_getdomainname @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:992 := (null)
> Aug 12 08:45:00 sudo[31732] netgroup office matches (docker-dev-01.internal.emerlyn.com|docker-dev-01.internal.emerlyn.com, jgoddard, ): false @ netgr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1041
> Aug 12 08:45:00 sudo[31732] <- netgr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1044 := false
> Aug 12 08:45:00 sudo[31732] -> hostname_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:819
> Aug 12 08:45:00 sudo[31732] host docker-dev-01.internal.emerlyn.com matches sudoers pattern +office: false @ hostname_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:829
> Aug 12 08:45:00 sudo[31732] <- hostname_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:830 := false
> Aug 12 08:45:00 sudo[31732] sssd/ldap sudoHost '+office' ... not
> Aug 12 08:45:00 sudo[31732] <- sudo_sss_check_host @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/sssd.c:687 := false
>
> It doesn't seem to find this host as part of the hostgroup; I suspect the
> problem is because of this entry in nsswitch:
>
>      netgroup:       nis sss
>
> Could you try just 'sss' or 'files sss' ?
>
> A successful hostgroup match should look something like this instead:
>
> Aug 12 14:20:32 sudo[25075] val[0]=+nonproduction
> Aug 12 14:20:32 sudo[25075] -> addr_matches @ ./match_addr.c:190
> Aug 12 14:20:32 sudo[25075] -> addr_matches_if @ ./match_addr.c:62
> Aug 12 14:20:32 sudo[25075] <- addr_matches_if @ ./match_addr.c:100 := false
> Aug 12 14:20:32 sudo[25075] <- addr_matches @ ./match_addr.c:200 := false
> Aug 12 14:20:32 sudo[25075] -> sudo_sss_ipa_hostname_matches @ ./sssd.c:558
> Aug 12 14:20:32 sudo[25075] -> hostname_matches @ ./match.c:740
> Aug 12 14:20:32 sudo[25075] <- hostname_matches @ ./match.c:751 := false
> Aug 12 14:20:32 sudo[25075] -> netgr_matches @ ./match.c:856
> Aug 12 14:20:32 sudo[25075] (rhel7-ipa-client.example.com, *, example.com) found in netgroup nonproduction
> Aug 12 14:20:32 sudo[25075] <- netgr_matches @ ./match.c:909 := true
> Aug 12 14:20:32 sudo[25075] IPA hostname (rhel7-ipa-client.example.com) matches +nonproduction => true
> Aug 12 14:20:32 sudo[25075] <- sudo_sss_ipa_hostname_matches @ ./sssd.c:569 := true
> Aug 12 14:20:32 sudo[25075] sssd/ldap sudoHost '+nonproduction' ... MATCH!
> Aug 12 14:20:32 sudo[25075] <- sudo_sss_check_host @ ./sssd.c:614 := true
>
> Kind regards,
> Justin Stephenson
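As an added example (written for this page, not code from the thread, from sudo or from SSSD), here is a small Python script that reduces a sudo debug trace like the two quoted above to the return value of each host matcher plus the per-rule sudoHost verdict, and, when a "+hostgroup" rule fails because netgr_matches returned false, reports which sources the netgroup line in nsswitch.conf lists. The two sample traces and the nsswitch.conf fragment are constructed from the lines in this thread (paths shortened, PIDs and names kept); the diagnosis rule encodes Justin's suggestion above and is an assumption of this example, not a sudo feature.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the failing trace quoted in the thread, reduced to the
# lines the summary needs (file paths shortened; PID and hostgroup are the thread's).
FAILING_TRACE = """\
Aug 12 08:45:00 sudo[31732] val[0]=+office
Aug 12 08:45:00 sudo[31732] -> addr_matches @ match_addr.c:195
Aug 12 08:45:00 sudo[31732] <- addr_matches @ match_addr.c:207 := false
Aug 12 08:45:00 sudo[31732] -> netgr_matches @ match.c:1015
Aug 12 08:45:00 sudo[31732] <- sudo_getdomainname @ match.c:992 := (null)
Aug 12 08:45:00 sudo[31732] <- netgr_matches @ match.c:1044 := false
Aug 12 08:45:00 sudo[31732] <- hostname_matches @ match.c:830 := false
Aug 12 08:45:00 sudo[31732] sssd/ldap sudoHost '+office' ... not
Aug 12 08:45:00 sudo[31732] <- sudo_sss_check_host @ sssd.c:687 := false
"""

# Constructed sample: the successful trace from the thread, same reduction.
MATCHING_TRACE = """\
Aug 12 14:20:32 sudo[25075] val[0]=+nonproduction
Aug 12 14:20:32 sudo[25075] <- addr_matches @ ./match_addr.c:200 := false
Aug 12 14:20:32 sudo[25075] <- hostname_matches @ ./match.c:751 := false
Aug 12 14:20:32 sudo[25075] <- netgr_matches @ ./match.c:909 := true
Aug 12 14:20:32 sudo[25075] <- sudo_sss_ipa_hostname_matches @ ./sssd.c:569 := true
Aug 12 14:20:32 sudo[25075] sssd/ldap sudoHost '+nonproduction' ... MATCH!
Aug 12 14:20:32 sudo[25075] <- sudo_sss_check_host @ ./sssd.c:614 := true
"""

# "<- func @ file:line := value" is how the trace reports a function's return value.
RETURN_RE = re.compile(r"sudo\[(\d+)\] <- (\w+) @ \S+ := (\S+)")
# The per-rule verdict line: "sudoHost '<pattern>' ... MATCH!" or "... not".
VERDICT_RE = re.compile(r"sudoHost '([^']+)' \.\.\. (MATCH!|not)")


@dataclass
class HostCheck:
    pattern: Optional[str]            # sudoHost value being tested, e.g. "+office"
    matched: Optional[bool]           # verdict of the sudoHost line, None if absent
    matchers: Dict[str, str] = field(default_factory=dict)  # func -> returned value


def summarize_host_check(trace: str) -> HostCheck:
    """Collect each host matcher's return value and the sudoHost verdict."""
    check = HostCheck(pattern=None, matched=None)
    for line in trace.splitlines():
        m = RETURN_RE.search(line)
        if m:
            check.matchers[m.group(2)] = m.group(3)
            continue
        v = VERDICT_RE.search(line)
        if v:
            check.pattern = v.group(1)
            check.matched = v.group(2) == "MATCH!"
    return check


def netgroup_sources(nsswitch_text: str) -> List[str]:
    """Return the source list on the 'netgroup:' line of an nsswitch.conf body."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if line.startswith("netgroup:"):
            return line.split(":", 1)[1].split()
    return []


def diagnose(check: HostCheck, nsswitch_text: str) -> str:
    """Explain a failed host check the way the thread reasons about it (assumption)."""
    if check.matched:
        return "host check passed"
    sources = netgroup_sources(nsswitch_text)
    if (check.pattern and check.pattern.startswith("+")
            and check.matchers.get("netgr_matches") == "false"):
        msg = (f"host not found in netgroup '{check.pattern[1:]}'; "
               f"nsswitch netgroup sources: {' '.join(sources) or 'none'}")
        if sources not in (["sss"], ["files", "sss"]):
            msg += " (try 'sss' or 'files sss', then restart sssd)"
        return msg
    return f"sudoHost '{check.pattern}' did not match this host"


if __name__ == "__main__":
    nsswitch = "passwd: compat sss\nnetgroup:       nis sss\n"   # constructed
    print(diagnose(summarize_host_check(FAILING_TRACE), nsswitch))
    print(diagnose(summarize_host_check(MATCHING_TRACE), "netgroup: sss\n"))
```

Feed it the trace lines from the sudoers debug log together with the contents of /etc/nsswitch.conf; the first line of output names the failing matcher and the netgroup sources, which is the pair of facts the thread compares between the two hosts.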