<div dir="ltr"><div>I made the edit as suggested - removing nis and just leaving sss - restarted sssd and then re-tried. I also tried with files sss. Still getting the same result.<br><br></div><div>Thanks,<br></div><div><br></div>Jeff<br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Aug 12, 2016 at 2:27 PM, Justin Stephenson <span dir="ltr"><<a href="mailto:jstephen@redhat.com" target="_blank">jstephen@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>This looks suspicious</p>
<blockquote>
<p><i>Aug 12 08:45:00 sudo[31732] val[0]=+office</i><i><br>
</i><i>Aug 12 08:45:00 sudo[31732] -> addr_matches @
/build/sudo-L2mAoN/sudo-1.8.<wbr>16/plugins/sudoers/match_addr.<wbr>c:195</i><i><br>
</i><i>Aug 12 08:45:00 sudo[31732] -> addr_matches_if @
/build/sudo-L2mAoN/sudo-1.8.<wbr>16/plugins/sudoers/match_addr.<wbr>c:56</i><i><br>
</i><i>Aug 12 08:45:00 sudo[31732] <- addr_matches_if @
/build/sudo-L2mAoN/sudo-1.8.<wbr>16/plugins/sudoers/match_addr.<wbr>c:66
:= false</i><i><br>
</i><i>Aug 12 08:45:00 sudo[31732] IP address +office matches
local host: false @ addr_matches()
/build/sudo-L2mAoN/sudo-1.8.<wbr>16/plugins/sudoers/match_addr.<wbr>c:206</i><i><br>
</i><i>Aug 12 08:45:00 sudo[31732] <- addr_matches @
/build/sudo-L2mAoN/sudo-1.8.<wbr>16/plugins/sudoers/match_addr.<wbr>c:207
:= false</i><i><br>
</i><i>Aug 12 08:45:00 sudo[31732] -> netgr_matches @
/build/sudo-L2mAoN/sudo-1.8.<wbr>16/plugins/sudoers/match.c:<wbr>1015</i><i><br>
</i><i>Aug 12 08:45:00 sudo[31732] -> sudo_getdomainname @
/build/sudo-L2mAoN/sudo-1.8.<wbr>16/plugins/sudoers/match.c:953</i><i><br>
</i><i>Aug 12 08:45:00 sudo[31732] <- sudo_getdomainname @
/build/sudo-L2mAoN/sudo-1.8.<wbr>16/plugins/sudoers/match.c:992 :=
(null)</i><i><br>
</i><i>Aug 12 08:45:00 sudo[31732] netgroup office matches (</i><i><a href="http://docker-dev-01.internal.emerlyn.com" target="_blank">docker-dev-01.internal.<wbr>emerlyn.com</a></i><i>|</i><i><a href="http://docker-dev-01.internal.emerlyn.com" target="_blank">docker-dev-01.<wbr>internal.emerlyn.com</a></i><i>,
jgoddard, ): false @ netgr_matches()
/build/sudo-L2mAoN/sudo-1.8.<wbr>16/plugins/sudoers/match.c:<wbr>1041</i><i><br>
</i><i>Aug 12 08:45:00 sudo[31732] <- netgr_matches @
/build/sudo-L2mAoN/sudo-1.8.<wbr>16/plugins/sudoers/match.c:<wbr>1044 :=
false</i><i><br>
</i><i>Aug 12 08:45:00 sudo[31732] -> hostname_matches @
/build/sudo-L2mAoN/sudo-1.8.<wbr>16/plugins/sudoers/match.c:819</i><i><br>
</i><i>Aug 12 08:45:00 sudo[31732] host </i><i><a href="http://docker-dev-01.internal.emerlyn.com" target="_blank">docker-dev-01.internal.<wbr>emerlyn.com</a></i><i>
matches sudoers pattern +office: false @ hostname_matches()
/build/sudo-L2mAoN/sudo-1.8.<wbr>16/plugins/sudoers/match.c:829</i><i><br>
</i><i>Aug 12 08:45:00 sudo[31732] <- hostname_matches @
/build/sudo-L2mAoN/sudo-1.8.<wbr>16/plugins/sudoers/match.c:830 :=
false</i><i><br>
</i><i>Aug 12 08:45:00 sudo[31732] sssd/ldap sudoHost '+office'
... not</i><i><br>
</i><i>Aug 12 08:45:00 sudo[31732] <- sudo_sss_check_host @
/build/sudo-L2mAoN/sudo-1.8.<wbr>16/plugins/sudoers/sssd.c:687 :=
false</i></p>
</blockquote>
It doesn't seem to find this host as part of the hostgroup. I
suspect the problem is because of this entry in nsswitch:<br>
<br>
netgroup: nis sss<br>
<br>
Could you try just 'sss' or 'files sss' ?<br>
<br>
A successful hostgroup match should look something like this
instead:<br>
<br>
<blockquote>
<blockquote><i>Aug 12 14:20:32 sudo[25075] val[0]=+nonproduction</i><i><br>
</i><i>Aug 12 14:20:32 sudo[25075] -> addr_matches @
./match_addr.c:190</i><i><br>
</i><i>Aug 12 14:20:32 sudo[25075] -> addr_matches_if @
./match_addr.c:62</i><i><br>
</i><i>Aug 12 14:20:32 sudo[25075] <- addr_matches_if @
./match_addr.c:100 := false</i><i><br>
</i><i>Aug 12 14:20:32 sudo[25075] <- addr_matches @
./match_addr.c:200 := false</i><i><br>
</i><i>Aug 12 14:20:32 sudo[25075] ->
sudo_sss_ipa_hostname_matches @ ./sssd.c:558</i><i><br>
</i><i>Aug 12 14:20:32 sudo[25075] -> hostname_matches @
./match.c:740</i><i><br>
</i><i>Aug 12 14:20:32 sudo[25075] <- hostname_matches @
./match.c:751 := false</i><i><br>
</i><i>Aug 12 14:20:32 sudo[25075] -> netgr_matches @
./match.c:856</i><i><br>
</i><i>Aug 12 14:20:32 sudo[25075]
(<a href="http://rhel7-ipa-client.example.com" target="_blank">rhel7-ipa-client.example.com</a>, *, <a href="http://example.com" target="_blank">example.com</a>) found in
netgroup nonproduction</i><i><br>
</i><i>Aug 12 14:20:32 sudo[25075] <- netgr_matches @
./match.c:909 := true</i><i><br>
</i><i>Aug 12 14:20:32 sudo[25075] IPA hostname
(<a href="http://rhel7-ipa-client.example.com" target="_blank">rhel7-ipa-client.example.com</a>) matches +nonproduction =>
true</i><i><br>
</i><i>Aug 12 14:20:32 sudo[25075] <-
sudo_sss_ipa_hostname_matches @ ./sssd.c:569 := true</i><i><br>
</i><i>Aug 12 14:20:32 sudo[25075] sssd/ldap sudoHost
'+nonproduction' ... MATCH!</i><i><br>
</i><i>Aug 12 14:20:32 sudo[25075] <- sudo_sss_check_host @
./sssd.c:614 := true</i><br>
</blockquote>
</blockquote>
Kind regards,<br>
Justin Stephenson<br>
<br>
</div>
</blockquote></div><br><br></div></div>
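<p>An added example, not part of the original thread and not sudo or SSSD code: a small triage script that reads sudo debug log lines like the ones quoted above and reports, per sudoHost value, which matcher returned what. The sample log is constructed, condensed to one line per entry with shortened source paths, and the function name <code>triage</code> is an assumption of this example.</p>

```python
import re

# Constructed sample, condensed to one line per entry and modelled on the two
# traces quoted in the thread (source paths are shortened placeholders).
SAMPLE = """\
Aug 12 08:45:00 sudo[31732] val[0]=+office
Aug 12 08:45:00 sudo[31732] <- addr_matches @ ./match_addr.c:207 := false
Aug 12 08:45:00 sudo[31732] <- sudo_getdomainname @ ./match.c:992 := (null)
Aug 12 08:45:00 sudo[31732] <- netgr_matches @ ./match.c:1044 := false
Aug 12 08:45:00 sudo[31732] <- hostname_matches @ ./match.c:830 := false
Aug 12 08:45:00 sudo[31732] <- sudo_sss_check_host @ ./sssd.c:687 := false
Aug 12 14:20:32 sudo[25075] val[0]=+nonproduction
Aug 12 14:20:32 sudo[25075] <- hostname_matches @ ./match.c:751 := false
Aug 12 14:20:32 sudo[25075] <- netgr_matches @ ./match.c:909 := true
Aug 12 14:20:32 sudo[25075] <- sudo_sss_check_host @ ./sssd.c:614 := true
"""

VAL = re.compile(r"sudo\[(\d+)\] val\[\d+\]=(\S+)")
RET = re.compile(r"sudo\[(\d+)\] <- (\w+) @ \S+ := (.+)$")

def triage(log_text):
    """Collect function return values per sudoHost value and note netgroup misses."""
    entries, current = [], None
    for line in log_text.splitlines():
        if m := VAL.search(line):
            current = {"pid": m.group(1), "sudo_host": m.group(2), "returns": {}}
            entries.append(current)
        elif (m := RET.search(line)) and current and m.group(1) == current["pid"]:
            current["returns"][m.group(2)] = m.group(3).strip()
    for e in entries:
        ret, notes = e["returns"], []
        e["matched"] = ret.get("sudo_sss_check_host") == "true"
        # A leading "+" marks the sudoHost value as a netgroup reference.
        if e["sudo_host"].startswith("+") and ret.get("netgr_matches") == "false":
            notes.append("netgroup lookup returned false for this host")
            if ret.get("sudo_getdomainname") == "(null)":
                notes.append("sudo_getdomainname returned (null)")
        e["notes"] = notes
    return entries

if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(e["pid"], e["sudo_host"], "MATCH" if e["matched"] else "no match", e["notes"])
```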