<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    On 10/15/2012 04:46 PM, Dmitri Pal wrote:
    <blockquote cite="mid:507C761C.6040602@redhat.com" type="cite">
      On 10/15/2012 04:34 PM, Macklin, Jason wrote:
      <blockquote
cite="mid:A3D24235A37CF1419E9568858A6AD93402F56C3CDF@RNUMSEM722.nala.roche.com"
        type="cite">
        <div class="WordSection1">
          <p class="MsoNormal">Hi,</p>
          <p class="MsoNormal">I apologize up front if this is obvious,
              but I'm having issues configuring sudo privileges.</p>
          <p class="MsoNormal">I currently have an IPA server running
              FreeIPA 2.2 with sudo configured for our administrators on
              all hosts. This works fantastic! As soon as I attempt to
              configure a more specific sudo rule it does not work. In my
              troubleshooting, I have noticed that from the same host my
              admin level privileges work, but with another user account
              set up to just run one command, it fails. I have turned on
              sudo debugging and the only thing I can find that looks
              out of sorts is the following:</p>
          <p class="MsoNormal">sudo: host_matches=0</p>
          <p class="MsoNormal">As soon as I move the user account that is
              failing into the admin group it starts to work.</p>
          <p class="MsoNormal">I have attempted every iteration of sudo
              configuration on the server that I can think of. I have set
              up HBAC and given that a shot as well. At this point I'm
              completely stumped and would appreciate any help that I can
              get!</p>
        </div>
      </blockquote>
      <br>
      What does sudo test return?<br>
    </blockquote>
    <br>
    Yes, I meant HBAC. I might have confused you and myself, so let us
    start over.<br>
    <br>
    First we need to make sure that the authentication happens correctly,
    so if HBAC is set to allow, you should see in the SSSD log that
    access is granted. That will limit the problem to just SUDO. If you
    have the allow_all HBAC rule and no other rules, then we can probably
    skip this step and move on to trying to solve the actual SUDO part.<br>
    <br>
    So with SUDO one of the known issues is the long vs short hostname.
    Do you by any chance use a short host name for that host?<br>
    If names are FQDN the next step would be to use ldapsearch from the
    client and see what LDAP entries the server would return.<br>
    <br>
    <blockquote cite="mid:507C761C.6040602@redhat.com" type="cite">
      <blockquote
cite="mid:A3D24235A37CF1419E9568858A6AD93402F56C3CDF@RNUMSEM722.nala.roche.com"
        type="cite">
        <div class="WordSection1">
          <p class="MsoNormal">Thank you in advance for your assistance,</p>
          <p class="MsoNormal">Jason</p>
        </div>
        <pre wrap="">_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
      </blockquote>
      <br>
      <br>
      <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>


</pre>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


</pre>
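    <p>The long vs short hostname issue raised in the reply above, as an
    added example that is not part of the original thread: a simplified
    model of how sudo compares a rule's sudoHost value with the local
    host name, showing how <code>host_matches=0</code> can arise for a
    host-specific rule while a rule for ALL hosts still matches. The host
    names, rule names and helper functions are constructed for
    illustration; IP addresses, netgroups and wildcards are not
    modelled.</p>

```shell
#!/bin/sh
# Simplified model (assumption, not sudo's own code) of the host comparison:
# a sudoHost value containing a dot is compared with the host name exactly as
# the client reports it; a value without a dot is compared with the short name.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# sudo_host_matches LOCAL_HOSTNAME SUDOHOST -> prints 1 (match) or 0
sudo_host_matches() {
    lhost=$(lower "$1")          # name as the client reports it
    shost=${lhost%%.*}           # short form: cut at the first dot
    pattern=$(lower "$2")
    if [ "$2" = "ALL" ]; then echo 1; return; fi
    case $pattern in
        *.*) target=$lhost ;;    # dotted value: compare with the reported name
        *)   target=$shost ;;    # undotted value: compare with the short name
    esac
    if [ "$pattern" = "$target" ]; then echo 1; else echo 0; fi
}

# explain LOCAL_HOSTNAME RULE_NAME SUDOHOST -> one diagnostic line
explain() {
    m=$(sudo_host_matches "$1" "$3")
    hint=""
    # Same leading label but no match: the two names differ only in form.
    if [ "$m" = 0 ] && [ "$(lower "${3%%.*}")" = "$(lower "${1%%.*}")" ]; then
        hint=" (short/FQDN mismatch)"
    fi
    echo "rule=$2 sudoHost=$3 local=$1 host_matches=$m$hint"
}

# Constructed sample data: a client whose host name is set to the short form.
explain client1 admins ALL
explain client1 one_command client1.example.com
# The same rule once the client reports its fully qualified name.
explain client1.example.com one_command client1.example.com
```

    <p>On a real client, pass the output of <code>hostname</code> as the
    first argument and the sudoHost values returned by ldapsearch as the
    third.</p>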
  </body>
</html>