<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8"> <META NAME="GENERATOR" CONTENT="GtkHTML/4.6.6"> </HEAD> <BODY> On Sat, 2014-05-03 at 12:36 +0200, Lukas Slebodnik wrote: <BLOCKQUOTE TYPE=CITE> <PRE> On (01/05/14 15:53), Dean Hunter wrote: >On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote: >> On 05/01/2014 04:07 PM, Dean Hunter wrote: >> >> > >> > I just noticed that I had been incorrectly setting the NIS domain >> > name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to >> > be successfully retrieving and using sudo rules from FreeIPA. Is >> > sudo still using NIS-style netgroups? Is there still a requirement >> > to set the NIS domain name? >> >> >> I think NIS domain is needed for netgroups. If you are not using >> netgroups in the sudo rules but just user groups you should be fine. >> Is this the case with you? >> If not please provide the logs and config. >> > >I am not aware of using netgroups, either the IPA object or any other >kind. I just remember that when I was first configuring sudo to >retrieve rules from IPA it would not work until I set nisdomainname >in /etc/rc.d/rc.local. Here is the quote from section 14.4 of the >manual: > > > Even though sudo uses NIS-style netgroups, it is not necessary > to have a NIS server installed. Netgroups require that a NIS > domain be named in their configuration, so sudo requires that a > NIS domain be named for netgroups. However, that NIS domain does > not actually need to exist. > > >With Fedora 20 I can no longer find the emulation of rc.local that >existed in Fedora 19. I did find fedora-domainname.service and started >and enabled it but neglected to configure /etc/sysconfig/network. Yet >IPA sudo rules appear to work. > Hope It helps you <A HREF="http://www.redhat.com/archives/freeipa-users/2014-April/msg00248.html">http://www.redhat.com/archives/freeipa-users/2014-April/msg00248.html</A> LS </PRE> </BLOCKQUOTE> Thank you. Now that you point it out, I remember that this thread is where I first learned about fedora-domainname.service. I see: <BLOCKQUOTE> You would also need to set NIS domain name, otherwise SUDO will not correctly recognize SUDO rules targeted on host groups, instead of hosts: </BLOCKQUOTE> which explains when sudo would need the NIS domain name. Since my sudo rules address user groups I guess there is no requirement for NIS domain name since they are working just fine: <BLOCKQUOTE> <TT>ipa sudorule-add desktop-admins --desc "Desktop Administrators"</TT> <TT>ipa sudorule-mod desktop-admins --cmdcat all</TT> <TT>ipa sudorule-add-host desktop-admins --hostgroups desktops</TT> <TT>ipa sudorule-add-option desktop-admins --sudooption "!authenticate"</TT> <TT>ipa sudorule-add-runasuser desktop-admins --users root </TT> <TT>ipa sudorule-add-runasgroup desktop-admins --groups root</TT> <TT>ipa sudorule-add-user desktop-admins --groups desktop-admins</TT> <TT>ipa sudorule-add server-admins --desc "Server Administrators"</TT> <TT>ipa sudorule-mod server-admins --cmdcat all</TT> <TT>ipa sudorule-add-host server-admins --hostgroups servers</TT> <TT>ipa sudorule-add-option server-admins --sudooption "!authenticate"</TT> <TT>ipa sudorule-add-runasuser server-admins --users root </TT> <TT>ipa sudorule-add-runasgroup server-admins --groups root</TT> <TT>ipa sudorule-add-user server-admins --groups server-admins</TT> </BLOCKQUOTE> However, I was really asking whether there had been a change in sssd/sudo behavior as it was my recollection that my sudo rules did not work at all in early IPA 3.n releases unless the NIS domain name was configured. </BODY> </HTML>