[Freeipa-users] sudo rules question on ubuntu 16.0.1

Jeff Goddard jgoddard at emerlyn.com
Fri Aug 12 19:57:49 UTC 2016


On Fri, Aug 12, 2016 at 3:53 PM, Justin Stephenson <jstephen at redhat.com>
wrote:

> In the CentOS/RHEL 7 version of sssd, a NIS netgroup is created
> automatically in the IPA compat tree under 'cn=ng,cn=compat,$suffix'
> because sudo has no understanding of hostgroups.
>
> You should be able to query this on a client with
>
>       # getent netgroup office
>
> This should return nisNetgroupTriple for each host in the hostgroup
>
>      (ipa-client-1.example.com,-,example.com) (ipa-client-2.example.com,-,example.com)
>
> I would check this in your environment between working and non-working
> systems.
>
> I believe in later versions of sssd they added IPA sudo schema support to
> eliminate the need for the compat tree so this could be related to the
> issue if newer ubuntu clients are not working but CentOS is working.
>
> What version of sssd are you running?
>
> Kind regards,
>
> Justin Stephenson
> On 08/12/2016 02:35 PM, Jeff Goddard wrote:
>
> I made the edit as suggested - removing nis and just leaving sss -
> restarted sssd and then re-tried. I also tried with files sss. Still
> getting the same result.
>
> Thanks,
>
> Jeff
>
> The query returns the expected results:

 getent netgroup office
office                (docker-dev-01.internal.emerlyn.com,-,internal.emerlyn.com) (docker-dev-02.internal.emerlyn.com,-,internal.emerlyn.com) (docker-dev-03.internal.emerlyn.com,-,internal.emerlyn.com) [more hosts]

sssd version is 1.13.4

Jeff
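
The comparison suggested in the quoted reply (checking the netgroup between working and non-working clients), as an added example that is not part of the thread and not FreeIPA or sssd code: a parser for `getent netgroup` output that reports how a client's hostname relates to the host field of the triples. The function names, result labels and the `ubuntu-01` hostname are assumptions of this example; the sample output is constructed from the hosts in the message, with line wraps inside the triples as a mail client would introduce.

```python
import re

# One netgroup triple is (host,user,domain). Standard netgroup semantics:
# an empty field is a wildcard, a "-" field matches nothing.
TRIPLE_RE = re.compile(
    r"\(\s*([^,()\s]*)\s*,\s*([^,()\s]*)\s*,\s*([^,()\s]*)\s*\)")

# Constructed sample, wrapped mid-triple on purpose.
SAMPLE = """office                (docker-dev-01.internal.emerlyn.com,-,
internal.emerlyn.com) (docker-dev-02.internal.emerlyn.com,-,
internal.emerlyn.com) (docker-dev-03.internal.emerlyn.com,-,
internal.emerlyn.com)
"""

def parse_netgroup(output):
    """Return (name, [(host, user, domain), ...]) from getent output.

    Whitespace and line breaks inside a triple are tolerated; text that
    is not a triple is ignored.
    """
    text = " ".join(output.split())
    name = text.split("(", 1)[0].strip()
    return name, TRIPLE_RE.findall(text)

def classify_host(hostname, triples):
    """Relate a client's hostname to the host field of the triples.

    'exact'      - the full name appears as a host member
    'wildcard'   - some triple has an empty host field (matches any host)
    'label-only' - only the first DNS label matches (short name vs FQDN,
                   or same label under a different domain)
    'absent'     - no triple refers to this host
    """
    want = hostname.lower().rstrip(".")
    hosts = [h.lower() for h, _, _ in triples if h and h != "-"]
    if want in hosts:
        return "exact"
    if any(h == "" for h, _, _ in triples):
        return "wildcard"
    label = want.split(".", 1)[0]
    if any(h.split(".", 1)[0] == label for h in hosts):
        return "label-only"
    return "absent"

if __name__ == "__main__":
    name, triples = parse_netgroup(SAMPLE)
    for host in ("docker-dev-02.internal.emerlyn.com", "docker-dev-02",
                 "ubuntu-01.internal.emerlyn.com"):  # last one is hypothetical
        print(name, host, classify_host(host, triples))
```

On a client, pass the output of `getent netgroup office` and the name printed by `hostname -f` instead of the sample values.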