<html> <head> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> In the CentOS/RHEL 7 version of sssd, a NIS netgroup is created automatically in the IPA compat tree under 'cn=ng,cn=compat,$suffix' because sudo has no understanding of hostgroups. You should be able to query this on a client with # getent netgroup office This should return nisNetgroupTriple for each host in the hostgroup (ipa-client-1.example.com,-,example.com) (ipa-client-2.example.com,-,example.com) I would check this in your environment between working and non-working systems. I believe in later versions of sssd they added IPA sudo schema support to eliminate the need for the compat tree so this could be related to the issue if newer ubuntu clients are not working but CentOS is working. What version of sssd are you running? Kind regards, Justin Stephenson <div class="moz-cite-prefix">On 08/12/2016 02:35 PM, Jeff Goddard wrote: </div> <blockquote cite="mid:CA+No-6H02BvAP6Br+ApZ+9SDfFuK-hXcp0Jjk+FuN=AWKHx_zQ@mail.gmail.com" type="cite"> <div dir="ltr"> <div>I made the edit as suggested - removing nis and just leaving sss - restarted sssd and then re-tried. I also tried with files sss. Still getting the same result. </div> <div>Thanks, </div> <div> </div> Jeff <div class="gmail_extra"> <div class="gmail_quote">On Fri, Aug 12, 2016 at 2:27 PM, Justin Stephenson <<a moz-do-not-send="true" href="mailto:jstephen@redhat.com" target="_blank">jstephen@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div bgcolor="#FFFFFF" text="#000000"> This looks suspicious <blockquote> Aug 12 08:45:00 sudo[31732] val[0]=+office Aug 12 08:45:00 sudo[31732] -> addr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:195 Aug 12 08:45:00 sudo[31732] -> addr_matches_if @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:56 Aug 12 08:45:00 sudo[31732] <- addr_matches_if @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:66 := false Aug 12 08:45:00 sudo[31732] IP address +office matches local host: false @ addr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:206 Aug 12 08:45:00 sudo[31732] <- addr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:207 := false Aug 12 08:45:00 sudo[31732] -> netgr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1015 Aug 12 08:45:00 sudo[31732] -> sudo_getdomainname @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:953 Aug 12 08:45:00 sudo[31732] <- sudo_getdomainname @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:992 := (null) Aug 12 08:45:00 sudo[31732] netgroup office matches (<a moz-do-not-send="true" href="http://docker-dev-01.internal.emerlyn.com" target="_blank">docker-dev-01.internal.emerlyn.com</a>|<a moz-do-not-send="true" href="http://docker-dev-01.internal.emerlyn.com" target="_blank">docker-dev-01.internal.emerlyn.com</a>, jgoddard, ): false @ netgr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1041 Aug 12 08:45:00 sudo[31732] <- netgr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1044 := false Aug 12 08:45:00 sudo[31732] -> hostname_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:819 Aug 12 08:45:00 sudo[31732] host <a moz-do-not-send="true" href="http://docker-dev-01.internal.emerlyn.com" target="_blank">docker-dev-01.internal.emerlyn.com</a> matches sudoers pattern +office: false @ hostname_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:829 Aug 12 08:45:00 sudo[31732] <- hostname_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:830 := false Aug 12 08:45:00 sudo[31732] sssd/ldap sudoHost '+office' ... not Aug 12 08:45:00 sudo[31732] <- sudo_sss_check_host @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/sssd.c:687 := false </blockquote> It doesn't seem to find this host as part of the hostgroup, I suspect the problem is because of this entry in nsswitch: netgroup: nis sss Could you try just 'sss' or 'files sss' ? A successful hostgroup match should look something like this instead: <blockquote> <blockquote>Aug 12 14:20:32 sudo[25075] val[0]=+nonproduction Aug 12 14:20:32 sudo[25075] -> addr_matches @ ./match_addr.c:190 Aug 12 14:20:32 sudo[25075] -> addr_matches_if @ ./match_addr.c:62 Aug 12 14:20:32 sudo[25075] <- addr_matches_if @ ./match_addr.c:100 := false Aug 12 14:20:32 sudo[25075] <- addr_matches @ ./match_addr.c:200 := false Aug 12 14:20:32 sudo[25075] -> sudo_sss_ipa_hostname_matches @ ./sssd.c:558 Aug 12 14:20:32 sudo[25075] -> hostname_matches @ ./match.c:740 Aug 12 14:20:32 sudo[25075] <- hostname_matches @ ./match.c:751 := false Aug 12 14:20:32 sudo[25075] -> netgr_matches @ ./match.c:856 Aug 12 14:20:32 sudo[25075] (<a moz-do-not-send="true" href="http://rhel7-ipa-client.example.com" target="_blank">rhel7-ipa-client.example.com</a>, *, <a moz-do-not-send="true" href="http://example.com" target="_blank">example.com</a>) found in netgroup nonproduction Aug 12 14:20:32 sudo[25075] <- netgr_matches @ ./match.c:909 := true Aug 12 14:20:32 sudo[25075] IPA hostname (<a moz-do-not-send="true" href="http://rhel7-ipa-client.example.com" target="_blank">rhel7-ipa-client.example.com</a>) matches +nonproduction => true Aug 12 14:20:32 sudo[25075] <- sudo_sss_ipa_hostname_matches @ ./sssd.c:569 := true Aug 12 14:20:32 sudo[25075] sssd/ldap sudoHost '+nonproduction' ... MATCH! Aug 12 14:20:32 sudo[25075] <- sudo_sss_check_host @ ./sssd.c:614 := true </blockquote> </blockquote> Kind regards, Justin Stephenson <blockquote type="cite"> <div class="gmail_extra"> <div data-smartmail="gmail_signature"> <div dir="ltr"> <div> </div> </div> </div> </div> <fieldset></fieldset> </blockquote> </div> </blockquote> </div> </div> </div> </blockquote> </body> </html>