<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
p.msochpdefault, li.msochpdefault, div.msochpdefault
{mso-style-name:msochpdefault;
margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri","sans-serif";}
span.emailstyle18
{mso-style-name:emailstyle18;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.balloontextchar0
{mso-style-name:balloontextchar;
font-family:"Tahoma","sans-serif";}
span.emailstyle22
{mso-style-name:emailstyle22;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> Okay, I stopped sssd on the client and deleted the cache files, removed the sudo rule, started sssd and verified that the rule was gone, stopped sssd and
deleted the files again, added the rule back in, restarted sssd, and still it does not work. One note, when I enter the hosts into the sudo rule in place of the host group, the effect is immediate; I do not need to restart sssd. And the opposite is true
too: if I put the host group back, the rule immediately stops working. I don’t think the issue is cache related; it seems to be something else. The serv_account that we are accessing with the sudo rule is external. I wouldn’t expect that to matter, but
perhaps it does?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> I like your idea for the labels; they make sense. Right now we are just evaluating this to see if we want to go this route. So far we like it, but this
could be a problem because we have a several hundred hosts that we need to manage. Having to enter each one individually will be problematic.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> Thanks,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> -Mark<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal" style="text-autospace:none"><b><span lang="EN-GB" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:gray"><o:p> </o:p></span></b></p>
<p class="MsoNormal" style="text-autospace:none"><b><span lang="EN-GB" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:gray">________________________________________________________________<o:p></o:p></span></b></p>
<p class="MsoNormal" style="text-autospace:none"><b><span lang="EN-GB" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:gray">Mark Tovey - UNIX Engineer | Service Strategy & Design<o:p></o:p></span></b></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN-GB" style="font-size:7.5pt;font-family:"Arial","sans-serif";color:blue"><a href="http://www.go2uti.com/">UTi</a>
</span><span lang="EN-GB" style="font-size:7.5pt;font-family:"Arial","sans-serif";color:gray">| 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN-GB" style="font-size:7.5pt;font-family:"Arial","sans-serif";color:gray"><a href="mailto:MTovey@go2uti.com">MTovey@go2uti.com</a> | O / C +1 503 953-1389 | Skype: mark.tovey2</span><span lang="EN" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
</div>
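<p class="MsoNormal">The following is an added example, not code from this thread, from FreeIPA or from sudo. It parses the kind of debug transcript sudo's LDAP backend prints (the lines Mark quotes further down in the thread, where the host group entry <b>sudoHost '+hgroup1'</b> fails while a direct hostname matches) and classifies why host matching failed. The two sample transcripts are constructed from the thread's quoted lines; the names hgroup1, host1.my_domain.com, my_sudo_rule and serv_account come from the thread, and the verdict wording is this example's own.</p>
```python
"""Added example (not from the thread): classify a failed sudo-LDAP host match.

Parses the debug output sudo's LDAP backend prints and explains why the final
host_matches flag ended up 0. Sample transcripts below are constructed from
the lines quoted in this thread; the diagnosis wording is this example's own.
"""
import re

# One line per sudoHost value that sudo evaluated, with its verdict.
SUDOHOST_RE = re.compile(r"sudo: ldap sudoHost '([^']*)' \.\.\. (MATCH!|not)$")
# The rule DN sudo found for the invoking user.
RULE_RE = re.compile(r"sudo: found:(.+)$")
# The final user/host match flags.
FLAG_RE = re.compile(r"sudo: (user_matches|host_matches)=(\d)$")


def parse_sudo_debug(lines):
    """Extract the rule DN, per-sudoHost verdicts and the final match flags."""
    parsed = {"rule": None, "sudo_hosts": [], "user_matches": None, "host_matches": None}
    for raw in lines:
        line = raw.strip()
        m = RULE_RE.match(line)
        if m:
            parsed["rule"] = m.group(1)
            continue
        m = SUDOHOST_RE.match(line)
        if m:
            value, verdict = m.groups()
            parsed["sudo_hosts"].append((value, verdict == "MATCH!"))
            continue
        m = FLAG_RE.match(line)
        if m:
            parsed[m.group(1)] = int(m.group(2))
    return parsed


def classify_sudohost(value):
    """sudoers.ldap(5) grammar: 'ALL' matches every host, a leading '+' names a
    netgroup (FreeIPA's compat tree exposes host groups as '+hostgroup'), and
    anything else is a hostname, address or pattern."""
    if value == "ALL":
        return "all"
    if value.startswith("+"):
        return "netgroup"
    return "host"


def diagnose(lines):
    """Return a verdict dict for one sudo debug transcript."""
    parsed = parse_sudo_debug(lines)
    if parsed["host_matches"] == 1:
        return {"verdict": "ok", "rule": parsed["rule"], "failed": []}
    failed = [(v, classify_sudohost(v)) for v, ok in parsed["sudo_hosts"] if not ok]
    if any(kind == "netgroup" for _, kind in failed):
        # The thread's case: the host group netgroup did not resolve on the client.
        # Netgroup lookups are scoped by NIS domain, so an unset or wrong
        # nisdomainname (James's point) makes every '+hostgroup' entry fail even
        # though the host is a member, while direct hostnames keep working.
        verdict = "netgroup-mismatch"
    elif failed:
        verdict = "hostname-mismatch"
    else:
        verdict = "no-sudohost-evaluated"
    return {"verdict": verdict, "rule": parsed["rule"], "failed": failed}


# Constructed transcripts, trimmed from the output quoted in the thread.
FAILING_RUN = [
    "sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'",
    "sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com",
    "sudo: ldap sudoHost '+hgroup1' ... not",
    "sudo: ldap search 'sudoUser=+*'",
    "sudo: user_matches=1",
    "sudo: host_matches=0",
]
WORKING_RUN = [
    "sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com",
    "sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!",
    "sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!",
    "sudo: ldap sudoCommand 'ALL' ... MATCH!",
    "sudo: user_matches=1",
    "sudo: host_matches=1",
]

if __name__ == "__main__":
    for name, run in (("host group", FAILING_RUN), ("direct hosts", WORKING_RUN)):
        print(name, diagnose(run))
```
<p class="MsoNormal">Run as a script it prints a "netgroup-mismatch" verdict for the host group transcript and "ok" for the direct-host one. On a real client the verdict points at the next two checks James's advice implies: that <b>nisdomainname</b> returns the IPA domain, and that the netgroup the rule names resolves on that host (for example with <b>getent netgroup hgroup1</b>); if either fails, no amount of sssd cache flushing will make the '+hostgroup' entry match.</p>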
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Steven Jones [mailto:Steven.Jones@vuw.ac.nz]
<br>
<b>Sent:</b> Monday, July 15, 2013 4:44 PM<br>
<b>To:</b> Tovey, Mark; James Hogarth<br>
<b>Cc:</b> Freeipa-users@redhat.com<br>
<b>Subject:</b> RE: [Freeipa-users] sudo rules user and host group bugs?<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">option b) delete the rule totally and redo it from scratch.<br>
<br>
I label rules like this,<br>
<br>
hb-xxxx for a hbac rule<br>
<br>
su-xxxx for a sudo rule<br>
<br>
sc-xxxx for a sudo command group<br>
<br>
ug-xxxx for a user group<br>
<br>
hg-xxxx for a host group<br>
<br>
etc<br>
<br>
etc<br>
<br>
It makes the logic easier when you go into the command line, which I find easier to trace with than the GUI at times.<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"><o:p> </o:p></span></p>
<div>
<p><span style="color:black">regards<o:p></o:p></span></p>
<p><span style="color:black">Steven Jones<o:p></o:p></span></p>
<p><span style="color:black">Technical Specialist - Linux RHCE<o:p></o:p></span></p>
<p><span style="color:black">Victoria University, Wellington, NZ<o:p></o:p></span></p>
<p><span style="color:black">0064 4 463 6272<o:p></o:p></span></p>
</div>
</div>
<div>
<div class="MsoNormal" align="center" style="text-align:center"><span style="color:black">
<hr size="2" width="100%" align="center">
</span></div>
<div id="divRpF100876">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"> Tovey, Mark [MTovey@go2uti.com]<br>
<b>Sent:</b> Tuesday, 16 July 2013 11:34 a.m.<br>
<b>To:</b> Steven Jones; James Hogarth<br>
<b>Cc:</b> <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
<b>Subject:</b> RE: [Freeipa-users] sudo rules user and host group bugs?</span><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> That didn’t work either. I set up the host group in my sudo rule, stopped sssd, renamed /var/lib/sss/db and created a new db directory, then restarted
sssd. New files were created in the db directory, but it still refuses to work unless the hosts are directly specified in the sudo rule.</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> Thanks,</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> -Mark</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="text-autospace:none"><b><span lang="EN-GB" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:gray"> </span></b><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><b><span lang="EN-GB" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:gray">________________________________________________________________</span></b><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><b><span lang="EN-GB" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:gray">Mark Tovey - UNIX Engineer | Service Strategy & Design</span></b><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN-GB" style="font-size:7.5pt;font-family:"Arial","sans-serif";color:blue"><a href="http://www.go2uti.com/" target="_blank">UTi</a>
</span><span lang="EN-GB" style="font-size:7.5pt;font-family:"Arial","sans-serif";color:gray">| 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN-GB" style="font-size:7.5pt;font-family:"Arial","sans-serif";color:gray"><a href="mailto:MTovey@go2uti.com" target="_blank">MTovey@go2uti.com</a> | O / C +1 503 953-1389 | Skype: mark.tovey2</span><span style="color:black"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"> Steven Jones [<a href="mailto:Steven.Jones@vuw.ac.nz">mailto:Steven.Jones@vuw.ac.nz</a>]
<br>
<b>Sent:</b> Monday, July 15, 2013 4:15 PM<br>
<b>To:</b> Tovey, Mark; James Hogarth<br>
<b>Cc:</b> <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
<b>Subject:</b> RE: [Freeipa-users] sudo rules user and host group bugs?</span><span style="color:black"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">Hi,<br>
<br>
This is a known issue I've suffered with for a long time. What would be interesting is that adding another host to the host group could well work fine; that will really make you bang your head against the wall...<br>
<br>
Two possibilities: stop the sssd daemon on the problem host, delete its cache and start it; that might fix it.<br>
<br>
Otherwise best to, <br>
<br>
All RH support could come up with was to delete the HBAC rule, sudo rule, user group and host group and redo them; then it will probably work fine.</span><span style="color:black"><o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<div>
<p><span style="color:black">regards<o:p></o:p></span></p>
<p><span style="color:black">Steven Jones<o:p></o:p></span></p>
<p><span style="color:black">Technical Specialist - Linux RHCE<o:p></o:p></span></p>
<p><span style="color:black">Victoria University, Wellington, NZ<o:p></o:p></span></p>
<p><span style="color:black">0064 4 463 6272<o:p></o:p></span></p>
</div>
</div>
<div>
<div class="MsoNormal" align="center" style="text-align:center"><span style="color:black">
<hr size="2" width="100%" align="center">
</span></div>
<div id="divRpF323344">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">
<a href="mailto:freeipa-users-bounces@redhat.com" target="_blank">freeipa-users-bounces@redhat.com</a> [freeipa-users-bounces@redhat.com] on behalf of Tovey, Mark [MTovey@go2uti.com]<br>
<b>Sent:</b> Tuesday, 16 July 2013 10:54 a.m.<br>
<b>To:</b> James Hogarth<br>
<b>Cc:</b> <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] sudo rules user and host group bugs?</span><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> I checked that and it is set correctly:</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">[user1@host1 ~]$ nisdomainname</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">my_domain.com</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> If I try to run a command with the hosts specified indirectly through a host group, it fails:</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">[user1@host1 ~]$ sudo -i -u serv_account</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">LDAP Config Summary</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">===================</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">uri ldap://ipa_server.my_domain.com</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">ldap_version 3</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">sudoers_base ou=SUDOers,dc=my_domain,dc=com</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">binddn uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">bindpw **********</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">bind_timelimit 5000</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">timelimit 15</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">ssl start_tls</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">tls_checkpeer (yes)</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">tls_cacertfile /etc/ipa/ca.crt</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">===================</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">sudo: ldap_set_option: debug -> 0</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">sudo: ldap_set_option: ldap_version -> 3</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">sudo: ldap_set_option: tls_checkpeer -> 1</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">sudo: ldap_set_option: timelimit -> 15</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">sudo: ldap_start_tls_s() ok</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">sudo: ldap_sasl_bind_s() ok</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">sudo: no default options found!</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;background:yellow">sudo: ldap sudoHost '+hgroup1' ... not</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">sudo: ldap search 'sudoUser=+*'</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">sudo: user_matches=1</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;background:yellow">sudo: host_matches=0</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">sudo: sudo_ldap_lookup(0)=0x40</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">[sudo] password for user1:</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Sorry, try again.</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">[sudo] password for user1:</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">sudo: 1 incorrect password attempt</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> But if I remove the host group from the sudo rule and directly add the hosts that were in the host group, it works fine:</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><snip></span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">sudo: ldap_start_tls_s() ok</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">sudo: ldap_sasl_bind_s() ok</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">sudo: no default options found!</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;background:yellow">sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">sudo: ldap sudoCommand 'ALL' ... MATCH!</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">sudo: Command allowed</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">sudo: user_matches=1</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;background:yellow">sudo: host_matches=1</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">sudo: sudo_ldap_lookup(0)=0x02</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">[sudo] password for user1:</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">[serv_account@host1 ~]$</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> So something isn’t lining up correctly with host groups in sudo rules somewhere. I just haven’t been able to track it down.</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> Thanks,</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> -Mark</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><b><span lang="EN-GB" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:gray"> </span></b><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><b><span lang="EN-GB" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:gray">________________________________________________________________</span></b><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><b><span lang="EN-GB" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:gray">Mark Tovey - UNIX Engineer | Service Strategy & Design</span></b><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN-GB" style="font-size:7.5pt;font-family:"Arial","sans-serif";color:blue"><a href="http://www.go2uti.com/" target="_blank">UTi</a>
</span><span lang="EN-GB" style="font-size:7.5pt;font-family:"Arial","sans-serif";color:gray">| 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN-GB" style="font-size:7.5pt;font-family:"Arial","sans-serif";color:gray"><a href="mailto:MTovey@go2uti.com" target="_blank">MTovey@go2uti.com</a> | O / C +1 503 953-1389 | Skype: mark.tovey2</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"> James Hogarth [<a href="mailto:james.hogarth@gmail.com" target="_blank">mailto:james.hogarth@gmail.com</a>]
<br>
<b>Sent:</b> Monday, July 15, 2013 1:11 PM<br>
<b>To:</b> Tovey, Mark<br>
<b>Subject:</b> Re: [Freeipa-users] sudo rules user and host group bugs?</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p><span style="color:black"><br>
> <br>
><br>
> Did anyone find a solution for this? I am having the same experience.<br>
><br>
> <br>
><o:p></o:p></span></p>
<p><span style="color:black">Wow that was a mess...<o:p></o:p></span></p>
<p><span style="color:black">To use hostgroups for sudo ensure nisdomainname is set on the hosts to the IPA domain.<o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>