[Freeipa-users] EL5 sudo and IdM

Rob Crittenden rcritten at redhat.com
Tue May 2 01:50:10 UTC 2017


Z D wrote:
> Hi, we've been using the IdM server 4.4.0 but still have some EL5 (build
> system) we'd like to be ipa-clients. The ipa-client v2.1.3 has been
> installed, that works well. 
> 
> And I believe that with EL5, there is no sssd support for sudo, hence
> it's configured via /etc/ldap.conf
> 
> 
> The situation I see is that sudo rule is successful only when using ALL
> for hosts, the example of debug message is: 
> 
> sudo: ldap sudoHost 'ALL' ... MATCH! 
> 
> 
> Otherwise, it doesn't work and the message is:
> 
> sudo: ldap sudoHost '+hostg_build' ... not 
> 
> 
> The "hostg_build" is IPA host group, and if I read "man sudoers.ldap"
> correctly, sudoHost expects host netgroup (prefixed with a '+').

A netgroup is created for every hostgroup automatically. Make sure you
have your NIS domain set and the netgroup is resolvable using getent
netgroup foo

rob
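
The check suggested in the reply above, as an added example that is not part of the original message or of FreeIPA or sudo: it parses one line of `getent netgroup` output and tests a host and NIS domain against its triples. It assumes innetgr(3)-style matching (an empty field is a wildcard, "-" never matches) and a triple layout of (host,-,nisdomain); the function names and sample hosts are constructed.

```shell
#!/bin/sh
# Model of an innetgr(3)-style host lookup over `getent netgroup` output.
# Triples are (host,user,domain): empty field = wildcard, "-" = never matches.

# Constructed sample line, in the format `getent netgroup NAME` prints.
SAMPLE='hostg_build (build1.example.com,-,example.com) (build2.example.com,-,example.com)'

# field_matches FIELD VALUE: 0 if FIELD is a wildcard or equals VALUE.
field_matches() {
    [ -z "$1" ] && return 0
    [ "$1" = "-" ] && return 1
    [ "$1" = "$2" ]
}

# netgroup_has_host GETENT_LINE HOST NISDOMAIN
# Returns 0 if any triple on the line matches HOST and NISDOMAIN.
# The user field is ignored, as this is a host lookup.
netgroup_has_host() {
    host=$2
    domain=$3
    # One triple per word, with parentheses and padding removed.
    triples=$(printf '%s\n' "$1" | grep -o '([^)]*)' | tr -d '() ')
    for t in $triples; do
        IFS=, read -r h u d <<EOF
$t
EOF
        if field_matches "$h" "$host" && field_matches "$d" "$domain"; then
            return 0
        fi
    done
    return 1
}

# On a client (not run here):
#   netgroup_has_host "$(getent netgroup hostg_build)" "$(hostname)" "$(domainname)"
```

With the NIS domain unset, `domainname` on Linux prints "(none)", which fails the domain field of every triple in the sample even though the host is listed.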



