[Freeipa-users] sudo rules question on ubuntu 16.0.1

Jakub Hrozek jhrozek at redhat.com
Sun Aug 14 18:16:18 UTC 2016


Hi Pavel, can you help us with this thread?

> On 12 Aug 2016, at 21:57, Jeff Goddard <jgoddard at emerlyn.com> wrote:
> 
> 
> 
> On Fri, Aug 12, 2016 at 3:53 PM, Justin Stephenson <jstephen at redhat.com> wrote:
> In the CentOS/RHEL 7 version of sssd, a NIS netgroup is created automatically in the IPA compat tree under 'cn=ng,cn=compat,$suffix' because sudo has no understanding of hostgroups.
> 
> You should be able to query this on a client with 
>       # getent netgroup office
> 
> This should return nisNetgroupTriple for each host in the hostgroup
>      (ipa-client-1.example.com,-,example.com) (ipa-client-2.example.com,-,example.com)
> 
> I would check this in your environment between working and non-working systems.
> I believe in later versions of sssd they added IPA sudo schema support to eliminate the need for the compat tree, so this could be related to the issue if newer Ubuntu clients are not working but CentOS is working.
> 
> What version of sssd are you running?
> Kind regards,
> 
> Justin Stephenson
> On 08/12/2016 02:35 PM, Jeff Goddard wrote:
>> I made the edit as suggested - removing nis and just leaving sss - restarted sssd and then re-tried. I also tried with files sss. Still getting the same result.
>> 
>> Thanks,
>> 
>> Jeff
> The query returns the expected results:
> 
>  getent netgroup office
> office                (docker-dev-01.internal.emerlyn.com,-,internal.emerlyn.com) (docker-dev-02.internal.emerlyn.com,-,internal.emerlyn.com) (docker-dev-03.internal.emerlyn.com,-,internal.emerlyn.com) [more hosts]
> 
> sssd version is 1.13.4
> 
> Jeff
> 
> 
> 
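
Added example, not part of the original thread: a small Python helper for the comparison suggested above, which parses saved `getent netgroup` output from a working and a non-working client and reports hosts visible in one view but not the other. The function names and the sample captures are constructed for illustration; the hostnames follow the example.com form used in the thread.

```python
import re

# One netgroup triple: (host,user,domain). Fields may be empty or "-".
TRIPLE_RE = re.compile(r"\(\s*([^,()]*?)\s*,\s*([^,()]*?)\s*,\s*([^,()]*?)\s*\)")


def parse_netgroup(output):
    """Return (name, set of (host, user, domain)) from `getent netgroup` output."""
    text = output.strip()
    if not text:
        return None, set()  # empty capture: nothing to parse
    name = text.split(None, 1)[0]
    return name, set(TRIPLE_RE.findall(text))


def host_matches(triples, fqdn):
    """netgroup(5) semantics: an empty host field is a wildcard, "-" matches no host."""
    fqdn = fqdn.lower()
    return any(h == "" or (h != "-" and h.lower() == fqdn) for h, _, _ in triples)


def diff_clients(working_output, failing_output):
    """Hosts present in one client's view of the netgroup but not the other's."""
    _, good = parse_netgroup(working_output)
    _, bad = parse_netgroup(failing_output)
    good_hosts = {h for h, _, _ in good}
    bad_hosts = {h for h, _, _ in bad}
    return sorted(good_hosts - bad_hosts), sorted(bad_hosts - good_hosts)


# Constructed sample captures, one per client (not output from the thread).
WORKING = ("office (ipa-client-1.example.com,-,example.com) "
           "(ipa-client-2.example.com,-,example.com)")
FAILING = "office (ipa-client-1.example.com,-,example.com)"

if __name__ == "__main__":
    name, triples = parse_netgroup(WORKING)
    print(name, sorted(triples))
    print("client-2 in working view:",
          host_matches(triples, "ipa-client-2.example.com"))
    print("missing on failing client:", diff_clients(WORKING, FAILING)[0])
```

To use it on real systems, save the output of `getent netgroup office` on each client to a file and pass the file contents to `diff_clients`.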




